News August 30, 2004 Issue

A Six-Week Plan for Developing an Effective Compliance Program

Taking the do-it-yourself approach to drafting a compliance manual? Feeling a bit behind the eight ball?

Here's a plan designed to help small and medium-sized advisers get a compliance program up and running by the October 5 due date. It focuses on process, rather than substance. And it's designed for advisers that do not manage registered investment companies.

Step 1: Roll up your sleeves and clear your schedule.

This is a big project that requires time and energy. Back in March, SEC Office of Compliance Inspections and Examinations director Lori Richards urged advisers not to "slap together a compliance program at the last minute." Hastily-constructed compliance programs, as well as programs consisting of an untailored, off-the-shelf, one-size-fits-all compliance manual, she said, "are not likely to be effective." If SEC examiners find that an adviser has taken an ineffective, quick-fix approach, warned Richards, they may conduct a top-to-bottom, in-depth inspection of the firm and, if appropriate, make a referral to the SEC's Division of Enforcement.

Despite that warning, IM Insight is hearing that many small and mid-sized firms are just now getting started on their compliance programs. Even some larger firms that diligently began months ago are now scrambling toward the finish line, after being sidetracked by SEC enforcement inquiries and OCIE sweep letters.

Some good news: SEC staffers have made clear that small firms' compliance programs can be simpler than larger firms'. Moreover, SEC examiners will not be looking for perfection on October 6. In a June 2004 speech, Richards acknowledged that the process of developing compliance policies and procedures "will be an evolving one" as the investment management industry "progresses toward best practices in the compliance area." SEC examiners will be looking to see if advisers have made an "honest effort" to establish an effective compliance program and whether CCOs have "diligently and intelligently" administered their programs, added Richards.

The upshot: to get an "A" for effort, you need to get to work.

Step 2: Read up.

At a minimum, there are two things that everyone working on a compliance program should read:

  • The SEC's compliance program adopting release. Focus on sections II.A.1., II.B.1., II.C.1., and II.D., which cover advisers, as well as the text of the compliance program rule itself, Advisers Act Rule 206(4)-7.
  • Richards' March 15 speech. It is free, practical, and lists a number of problem areas by topic.

Step 3: Make sure you have buy-in from the top.

Hopefully, after last year's fund scandals, this won't be an issue for you. But if you get a sense that your firm's senior management isn't on board, you may want to show them the SEC's adopting release and explain that this is something the firm is now required by law to do. If your higher-ups seem to need a bit more encouragement, you could try handing them copies of the SEC's enforcement cases against Garrett Van Wagoner, Richard Strong, Gary Pilgrim and Harold Baxter, perhaps observing that regulators really are fired up these days about going after senior management. That should do the trick. (But if they are still pooh-poohing the new compliance program, forge ahead anyway.)

Step 4: Staff up.

If you haven't already, designate the individual who will serve as your firm's CCO. In a nutshell: the ideal CCO is a member of senior management who is knowledgeable about the firm's business and applicable law (or at least is committed to learning about it) and who commands respect within the firm. The CCO has to be one individual. You can tap someone internally: you don't necessarily have to hire anyone new.

Also, decide who will be responsible for developing the firm's compliance program. A good approach: create a working group consisting of the CCO, a scribe, and other individuals. Some firms have created a "Compliance Task Force" comprised of the head of each department in the firm. Not only does the group approach encourage buy-in from affected constituencies, it also helps reveal issues that may be buried deep within operational areas.

Step 5: Set a schedule.

Harness the motivational power of deadlines. Break out the calendar and, working backwards from October 5, schedule project due dates. Here's a sample schedule, which assumes that you can devote nearly all your time over the next six weeks to the compliance program (details on the action items are described below, in Steps 6–14).

  • By Sept. 6 – Designate CCO. Decide who will work on compliance program project. Block out a schedule of weekly working group meetings to run through mid-October. Schedule firm-wide compliance program kick-off meeting for October 5. Collect model procedures. Inventory existing procedures. Inventory needed procedures.
  • By Sept. 8 – Schedule meetings between the working group and the firm's various departments (trading, portfolio management, marketing, etc.), to be finished by Sept. 17.
  • By Sept. 17 – Finish all meetings. As you go, develop policies and procedures based on each meeting.
  • By Sept. 21 – Circulate draft policies and procedures to members of working group and affected departments/individuals, with a deadline for comments by Sept. 24.
  • By Sept. 28 – Revise policies and procedures per Round 1 comments. Recirculate for Round 2 comments, due Oct. 1.
  • By Oct. 4 – Revise policies and procedures per Round 2 comments.
  • By Oct. 5 – Formally adopt the compliance program. Determine how version control will be maintained. Hold the firm-wide compliance program kick-off meeting.
  • By Oct. 6 – Sit down with a calendar and plan follow-up meetings with all affected departments in the next few months to test effectiveness of procedures. Plan annual review.

Step 6: Collect model procedures.

While the SEC doesn't want advisers to insert their names on a model and be done with it, it did expressly contemplate that smaller firms might base their procedures on models and templates that they tailor to their own circumstances.

So: try to beg, borrow, or buy some good models. If you are a member of the Investment Counsel Association of America, print out the ICAA Compliance Program guide. NRS sells model policies and procedures for $695, which includes one year of quarterly updates (annual subscriptions thereafter are $299). Adviser Compliance Associates also offers a template for a standard compliance manual.

Even if you get your hands on a model, you should still go through the remaining steps.

Step 7: Decide what topics your compliance program needs to cover.

Basically, what you want to do is get a sheet of paper and write "Procedures We Need" at the top. For now, ignore your existing procedures and focus on what topics your compliance program should cover.

First, decide whether your compliance program will focus only on the Advisers Act, or will cover all applicable laws. Technically speaking, the SEC's compliance program rule requires that an adviser's compliance program be "reasonably designed" to prevent violation, by the adviser and its supervised persons, of the Advisers Act and rules thereunder. But it may make sense to have your firm's program cover other applicable laws. Here's a good list to consider, courtesy of the ICAA's Compliance Program guide:

  • Exchange Act (such as beneficial ownership reports);
  • ERISA;
  • Investment Company Act;
  • Commodities Exchange Act;
  • Internal Revenue Code;
  • Other federal laws (such as AML rules by the U.S. Department of Treasury);
  • State laws (such as state notice filings); and
  • Foreign laws.

Second, write down the following mandatory topics on your list:

  • personal trading codes of ethics;
  • insider trading;
  • privacy;
  • safeguarding of client information; and
  • proxy voting (mandatory for nearly all advisers).

Third, look at the ten bullet-pointed subjects listed in Section II.A.1. of the SEC's compliance program adopting release. The SEC said it expects advisers to have procedures covering these topics, to the extent they are relevant to the firm's business. The conservative approach: for now, add each of these topics to your list, unless you can think of a good reason why your firm doesn't need them. During your meetings, if people seem to think one of these bullet points is irrelevant, you can consider removing it (you'll want to document why you didn't cover it).

Fourth, think of anything else that is crucial to cover in your procedures. Consider:

  • the risks and conflicts presented by your firm's business and investment activities, its service providers, and its affiliates and partners;
  • issues raised in your firm's past deficiency letters;
  • current SEC "hot topics"; and
  • promises made in disclosures (if you tell clients you do things a certain way, consider whether you need policies and procedures in place to be able to live up to those promises).

Because you are under the gun, you may not be able to do the outside-the-box thinking this last category requires. Don't sweat it: it's likely that you'll have enough work to do with the subjects you came up with under the first three categories. Take your Procedures We Need list with you to meetings, and ask your various colleagues about the types of risks and conflict situations that should be addressed by procedures. Their answers may suggest additional topics to be added.

Step 8: Inventory your existing procedures.

Now it's time to figure out what you have. Take another sheet of paper and write: "Procedures We Have." Collect your firm's existing procedures, whether they exist in a formal compliance manual, a series of compliance memos, or elsewhere. Don't be surprised if you learn of other procedures ("That e-mail Sue sent around in 2002") as you meet with your colleagues.

Step 9: Match the lists up and make a to-do list.

Take your "Procedures We Need" and "Procedures We Have" lists, and compare them. Make a list of the gaps: these are the procedures you'll need to add.

Here's a tip: keep these lists to yourself (i.e., don't "send" or "receive" them per Rule 204-2(a)(7)), to help ensure that they cannot somehow be construed as SEC required records. Depending on what's on your lists, you may want to be able to destroy them when you are done with them (you also may want to check with your favorite lawyer about this).

You also need to decide what to do about your existing procedures. Some firms are simply three-hole punching their existing procedures and putting them, unreviewed and unrevised, under the applicable tab in their new compliance manuals. Be warned: if SEC examiners find out you've done this, they won't like it. At best, the three-hole punch approach should be viewed as emergency triage. If you go this route, plan to revisit your existing procedures as soon as you've filled in the obvious gaps.

The recommended approach: use existing procedures as a base to develop even better policies and procedures as part of a comprehensive compliance program. If you follow this approach, add the list of existing procedures that you want to revise to your to-do list.

Step 10: Meet with relevant staff and develop policies, procedures, and controls.

For each topic (soft dollars, advertising, privacy, recordkeeping, etc.), you'll need a policy, some procedures, and controls.

A bit about policies: Most policies are obvious and fairly easy to write ("We will seek best execution," "We will use only accurate and representational advertising that complies with SEC regulations," etc.). If you are stuck on what a policy should be in a particular area, look at the applicable SEC rule for inspiration, or ask the folks on the ground what their aspirational goals are to ensure excellent customer service or their philosophy about how they do their job.

What to know about procedures: Writing procedures is an art, not a science. Some tips:

For each topic, do your homework. Familiarize yourself with applicable law. Look at your firm's existing procedures. Look at model procedures. Review your firm's disclosures on a particular topic.

Use your meetings to get most of the work done. Prior to each meeting, develop some draft procedures. Don't spend too much time on these: the goal is to come up with something to use as a springboard for discussion.

During each meeting:

  • Find out what employees think of your firm's existing procedures (if any). Are they being followed? Are they working? Are they unduly burdensome? Do they serve a purpose? Weed out deadwood procedures: if procedures are irrelevant or inapplicable, they should be removed entirely (make sure to document the reasons why you've taken out a procedure).
  • Ask employees if there are any other written procedures they are aware of (that e-mail from Sue in 2002, for example).
  • Find out what good practices your employees are already following, and memorialize them in writing (this is the best way to create procedures). Listen for things like: "We always run things by Dave." That becomes: "The Director of Marketing must approve all advertising materials before use."
  • Encourage employees to think about what they should be doing. What makes them uneasy? What might go wrong? Where's the weak link in the chain? What procedures do they think make sense?

Don't leave the meeting until you have a good idea about what sort of procedures you want to draft.

Go back to your office, and while the meeting is still fresh, draft your policies and procedures. Specify who will be responsible for supervising compliance with each procedure (that same person could be charged with notifying the CCO that the procedure needs updating). Depending on the topic and the size of your firm, your policies and procedures on a particular topic might range from a page or two all the way up to a dozen pages. In general, the shorter and more concise, the better. As the SEC itself put it: The new compliance program rule does not "require advisers to memorialize every action that must be taken in order to remain in compliance with the Advisers Act. In some cases, it may be enough for the compliance policies and procedures to allocate responsibility within the organization for the timely performance of many obligations, such as the filing or updating of required forms."

The next day, take a fresh eye and edit what you've written. Think: Will employees realistically follow this procedure? What is the procedure designed to prevent or detect? What will supervisors do to make sure the procedure is being followed?

Try to avoid:

  • Lengthy recitations of the law. That's a sure-fire way to make sure your compliance manual isn't read. Jump quickly to what people are supposed to do.
  • Dense text. Break things out. Use bullet points, sub-headings, and lots of white space.
  • Legalese and important sounding language. The best writing is pretty simple. If you are struggling with how to say something, write it down as best you can and move on. When you come back to it fresh the next day, the words you were looking for should jump right out at you.
  • Flat prohibitions. Remember, for every rule, there is an exception (that's why your manual should have a general exception policy, see below).

And lastly, controls: Controls are front-end prohibitions (like software that blocks certain trades from being bunched in with others), or back-end tests (like exception reports, or a monthly sampling of billing statements) that are used to check that a particular policy or procedure is working. This is where automation is your friend.

As you go through your meetings, ask employees to imagine that they have a rogue employee working for them. What might that rogue employee do to screw things up? How could he/she be caught? What front-end and back-end controls will prevent or detect misbehavior, even if employees aren't following the procedures? Collect these ideas, and use them to develop a set of controls that the compliance department can use.

You may want to list your various controls in a compliance department-only manual (there's no need to let employees know how you will be checking up on them).

Step 11: Add the general items.

Your manual also should address the following topics:

  • Fiduciary standard and general compliance policy. It makes sense to put a general statement at the front of the manual about the firm's status as a fiduciary and its expectation that employees take compliance seriously.
  • Exception policy: Tell employees who is authorized to grant exceptions, and state that all exceptions must be in writing. Consider specifying the criteria on which exceptions will be granted. Make sure to keep a copy of all exceptions granted and document their rationale.
  • Sanctions: List the escalating chain of sanctions (such as oral warning up to termination) if procedures aren't followed.
  • New procedures: The manual should specify a formal process of creating new procedures. While suggestions on improving procedures should be welcomed from all levels within the firm, only certain specified individuals (the CCO, for example) should be authorized to approve a new or changed procedure.
  • Supervising and updating: For each topic, the manual should specify who is responsible for supervising employees' compliance with the procedures. The manual also might specify who is responsible for monitoring applicable business and regulatory developments and suggesting updates to the procedures.
  • Guidance to employees. The ICAA suggests that advisers include some general language that the manual "is not all-inclusive" and that "directs advisory persons to seek assistance from senior management or a compliance officer when more information is needed."

Step 12: Plan for the future.

  • Version control. The SEC wants to know what version of the policies and procedures was in effect at any given time. You'll need to come up with a system to track that. The NRS model procedures, which are electronic, automatically track version control.
  • ADV update. Review your ADV to determine whether you need to update it to reflect changes in procedures. Make sure to update your Form ADV Schedule A (by filing Schedule C) to name your CCO.
  • Ongoing revision. Over time, procedures that aren't working should be revised. As OCIE director Richards put it: "Compliance staff should continually be asking: Are we detecting problematic conduct with this policy? Based on what we've detected, should we alter our policy? Is there a better way to detect problematic conduct? Are we preventing problematic conduct with this policy? Is there a better way to prevent problematic conduct? Were the actions we took, once problematic conduct was detected, adequate to deter problematic conduct by this individual or others?" (emphasis added).
    • Go ahead and schedule meetings with affected departments in the next few months. Consider this an insurance policy: If the SEC walks in October or November, and thinks your compliance program is weak, they will be happier if you are already planning to revisit and improve your procedures.
    • Consider posting the firm's manual on the firm's intranet, so that updates can be quickly made without having to recirculate paper copies to all firm employees.
  • Plan ongoing training. It's not enough to circulate your manual once. Many firms circulate periodic compliance memos (just make sure they are consistent with your manual, and that you collect them all in one place). Many firms hold quarterly compliance training meetings.
  • Annual review. Eighteen months seems a far way off, but then again, so did October 5, 2004, didn't it? For now, keep in mind that you'll want to keep an eye towards new business arrangements and regulatory developments over the course of the year. And there's no requirement that you wait until the last minute to perform your review: you can spend late summer reviewing trading, early fall reviewing advertising, etc. At a minimum, you should plan annual meetings with the various departments to discuss how procedures are working in practice and whether new developments necessitate changes to the procedures.

Step 13: Adopt and launch!

Formally adopt your firm's compliance program. For some firms, this may involve a corporate formality, such as a board meeting.

Hold a compliance program kick-off meeting. (Keep in mind that OCIE director Richards promised that post-October 5, SEC examiners will be looking to see whether firms have created a "vibrant culture of compliance.")

For maximum employee happiness, keep the meeting short (1/2 hour) and try to provide food. Don't circulate a copy of the new compliance manual until the end of the meeting (unless you want to talk to an audience of page flippers). The last page of the manual could be a detachable acknowledgement form that employees must sign and return, stating they have read and agree to comply with the manual, etc.

Here are a few talking points that could be delivered at the meeting. Ideally, they should be delivered by the firm's CEO or president. If the CCO delivers them, however, the CEO or president should get up and make at least a few remarks to demonstrate tone at the top.

  • We are adopting a new compliance program. A new federal law requires every SEC-registered investment advisory firm to adopt a new compliance program. As you know, we've been working on putting ours in place by the SEC's October 5 deadline. Thank you for your cooperation with this process. Today, we are pleased to announce that with your help, we're there!
  • The program will help us fulfill our fiduciary obligation to put clients first and treat them fairly. We are proud of our longstanding tradition of serving clients and earning their trust. As advisers, we are fiduciaries. Our clients expect that we will put their interests before our interests.
  • This is good business. Because of the scandals in the securities and mutual fund industries, there has been a flight to quality. Clients simply do not want to do business with tainted firms. Any hint of impropriety would be devastating to our business. The compliance program is designed to prevent problems from occurring, and quickly detect and mitigate them if they do.
  • You are the front lines. If you feel funny about a situation, speak up. Bring it to the attention of your supervisor or the compliance department. For example, do you feel funny about a side letter arrangement a client is proposing? Is your group struggling a bit too hard to accommodate a business partner? Have you been approached with a new payment method that seems unusually creative? Listen to that inner voice. At the end of the day, these may be perfectly acceptable situations, but you should run them by your supervisor or the compliance department just to make sure. The compliance department recognizes that the firm is in business to make money, and pledges to work with you to balance the firm's compliance concerns with the need to accommodate clients.
  • The procedures have to be followed. The new compliance program may impose what feels like a new layer of bureaucracy on your day-to-day functions. You may not be able to make ad hoc, on-the-fly decisions without checking in with your supervisor or compliance. You may be asked to prepare new reports, take additional steps, or refrain from doing things that you've done in the past. We recognize this, and ask that you approach the new compliance program with the right spirit.
  • At the end of the day, this has to work for you. As you know, we have tried to develop our procedures based on our firm's existing good practices. In large part, they should reflect what many of you are already doing. But if you become frustrated by a particular procedure, let the compliance department know. If a procedure makes no sense, is unduly burdensome, or is being ignored, that's probably a signal that there's something wrong with the procedure. Let us know if you think the compliance manual can be improved. And let us know where you have questions.
  • Speaking of questions, are there any questions?

Step 14: Cover your assets.

Document everything the firm has done to create its compliance program. Let's say the firm's policies and procedures boil down to a ten-page manual. You definitely want to be able to demonstrate to the SEC that those ten pages are a diamond of a compliance manual, a refined end product based on input from your entire firm that reflects multiple revisions and generally lots of thought and effort, rather than a few grains of sand hastily scraped together.