The Importance of an Adviser’s Annual Review
By Kris Gruben, Senior Compliance Consultant, Core Compliance & Legal Services, Inc.
This article was previously published in the National Society of Compliance Professionals (NSCP) Currents, a national non-profit organization primarily focused on RIAs and BDs, Hedge and Private Fund compliance.
Whether you are a new Chief Compliance Officer (“CCO”) for a newly formed registered investment adviser or a firm that has been in business for more than a decade, conducting the Annual Review allows for an opportunity to reflect upon the strength of your advisory compliance program. Pursuant to Rule 206(4)-7 of the Advisers Act of 1940, as amended (“Advisers Act”), all Securities and Exchange Commission (“SEC”) registered investment advisory firms must perform, no less than annually, a review of their compliance programs. This includes testing its efficacy to ensure that the internal controls of the organization prevent violations and circumvention of federal securities laws. The Annual Review is a critical component of your compliance program and is subject to review by the SEC during an examination.
What the Annual Review Should Encompass
Pursuant to Rule 206(4)-7, all federal registrants must develop the following policies and procedures customized to the firm’s practices, which are designed to prevent securities law violations:
- Portfolio Management Processes
- Trading Practices
- Proprietary Trading of the Adviser and Personal Trading Activities of Supervised Persons
- Accuracy of Disclosures to Clients and Regulators
- Safeguarding of Client Assets
- Accurate Creation and Secure Maintenance of Required Records
- Marketing of Advisory Services, Including the Use of Solicitors
- Processes to Value Client Holdings and Assess Fees Based on Valuations
- Privacy Protections of Client Records and Information
- Business Continuity Plan
In addition, Investment Advisers are required to consider new rules that have been promulgated since the passing of Rule 206(4)-7, which went into effect February 5, 2004, as well as those areas that involve fiduciary obligations to clients and investors. This may include, among other things, the development of policies and procedures covering the prevention of money laundering, proxy voting, due diligence, political contributions, pay to play, and whistleblowing.
The advisory firm’s Annual Review should take into consideration whether the current policies and procedures are still adequate and effective, particularly as its business grows and possibly changes. In addition, the development of potential and actual conflicts along with new technology deployments should be considered when evaluating potential new risks of the organization and its clients.
The Importance of Risk Assessments
While not required, prior to commencing the Annual Review, the adviser should consider conducting a risk assessment. This process will help the CCO identify higher risk areas for the organization, including areas of potential conflicts of interest. The format for capturing data points of this review typically is on a spreadsheet that would contain the following information:
- Area Evaluated
- Summary of the Policy / Procedure
- Risks Identified
- Risk Category (high, medium, low)
- Action Items
To begin, the policies and procedures governing the evaluated area should be reviewed to ascertain whether the protocols outlined adequately reflect rule changes and/or operational evolutions of the organization. Interviews with the manager of that area should be conducted and compliance exception reports reviewed to help ascertain whether there are any “gaps” that may need to be addressed. Throughout this process, consider whether the existing procedures are adequate to mitigate conflicts of interest created by the business of the firm. Also consider any compliance matters that arose in the past year, changes in business activities or affiliations, prior examination deficiency letters and regulatory and industry developments that may impact the firm.
Stay abreast of new regulatory focus areas, as seen in No-Action Letters, rulemaking, examinations and enforcement cases. Review SEC commissioner speeches and check the SEC’s website periodically to learn more about the Commission’s current focuses on possible areas of risk.
How to Begin the Annual Review
Whether or not a risk assessment has been conducted, it is essential to review the advisory firm’s policies and procedures manual with the designated area supervisors to assess whether the existing documented protocols accurately reflect current operational procedures. Before you begin, be sure to outline what rule changes may impact existing policies and what technology solutions the firm may be using as an internal control to ensure the firm’s policies are being followed. Check with the designated supervisors to see whether they reviewed required items adequately, what exceptions were noted throughout the last 12 months, and whether any material findings were made. Check to see that any findings were documented and conclusions escalated to the appropriate senior managers.
For larger organizations, consider whether there is supervisory overlap within multiple departments, and note what internal controls have been developed by each department. Consider hosting a team meeting to review collectively exception reports to help identify any trends or patterns that could signal a potential circumvention of firm policies. Document findings and conduct additional inquiries as necessary.
Considerations for Conducting Your Compliance Testing
Once your policies and procedures have been thoroughly reviewed, it is time to begin testing. In a 2005 speech, Gene Gohlke (retired), formerly of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), provided guidance on how the SEC may evaluate advisers during examinations in the way of Annual Review testing. He explained that traditionally, there are three forms of compliance testing: transactional, periodic and forensic.
A transactional compliance test is performed around the time an activity occurs, thereby occurring throughout the year as opposed to a set time period. For example, a transactional test occurs when a portfolio manager performs a transaction on behalf of a client account and ensures there is compliance with client guidelines and restrictions prior to commencing the trade. Another transactional test occurs when comparing each allocation of an investment among client accounts in accordance with the firm’s allocation policy. Obtaining pre-approval for a personal trade before the time of execution by Compliance’s review of the request against the restricted and watch list is another type of transactional test.
A periodic compliance test is performed at appropriate intervals rather than concurrently with each transaction to verify compliance with relevant requirements. For example, a periodic test occurs when client-imposed guidelines and restrictions are reviewed against guidelines recorded in the order management system and the client’s advisory contract to ensure they are accurate. Another periodic test occurs when reviewing soft dollar transactions and denoting those with unusually high commissions to ascertain which broker-dealer firms are most frequently used and why. Reviewing quarterly personal trading statements for potential front running abuses or insider trading is another type of periodic test.
A forensic compliance test is performed over time to see if patterns are emerging that could indicate circumvention of firm policies or federal securities laws. While at first these tests may only raise suspicion and not conclusively indicate that a violation occurred, over time forensic testing can help to detect trends that evidence misconduct. For example, a forensic test occurs when a portfolio manager compares the performance of a client’s account with relevant benchmarks or reviews dispersion amongst client accounts that are managed in the same style or manner. Reviewing personal trades for profitable trades over time for the same securities or in comparison with client trades is another example of a forensic test.
For each of the firm’s policies, it is important to develop these tests, which should evolve each year to ensure that the adviser’s compliance program is not being circumvented. One approach you may wish to consider using in order to track compliance testing is the development of a compliance testing calendar. This will help to categorize which items to review monthly, quarterly or annually, and can help to ensure that periodic and forensic tests, which comprise the Annual Review, are conducted throughout the year rather than all within one brief interval of time. Once the review is complete, document what was tested, how, and your findings, and report up to senior management as appropriate.
Summarizing Testing Results
As discussed above, forensic testing is a critical component of the annual review. But how does one best summarize what was tested, when and by whom? How are potential action items shared and communicated with designated area supervisors? To accomplish this, many CCOs develop an Excel spreadsheet report, which summarizes the subject area tested, where the related policy may be found, how and what was tested and analyzed, what the findings were, and the related risk associated with the finding. In addition, oftentimes a column indicating a proposed enhancement may be included, even if such enhancement is, “meet with the committee to discuss ways to provide efficiencies in this area.” Oftentimes a written report will accompany the Excel worksheet to further explain the advancements of the compliance program over the past 12 months as well as any potential gaps that may have been detected and the plan of action to correct or mitigate such gaps or potential risks.
After a certain amount of time, CCOs may not know what to test the following year or how to conduct further forensics. In these instances, many times the firm may elect to engage a vendor, such as a compliance consultant, attorney or auditor to conduct an independent evaluation of the firm. This may help to further identify risks that may have not otherwise been detected and to have “another set of eyes” analyze the strength of the compliance program.
Should the firm elect to engage a vendor for this process, it is strongly suggested that the firm discuss the manner in which the annual review report shall be presented.
Is a Written Annual Review Report Required? Should it Be Documented?
While Rule 206(4)-7 under the Advisers Act and Rule 38a-1 under the Investment Company Act of 1940, as amended (“the ’40 Act”) were released simultaneously, the two sets of rules have similar but not mirrored requirements. For example, for investment companies, the fund’s board of directors must be presented with an annual written report that addresses, “the operation of the policies and procedures of the fund and of each investment adviser, principal underwriter, administrator and transfer agent of the fund….and each material compliance matter that occurred since the date of the report.”1 Fund CCOs report directly to the board of directors and are required to discuss the findings memorialized within the written report with the board. Notably, while Rule 206(4)-7 does not require a written report, it is generally a best practice to memorialize the Annual Review results to allow for sufficient documentation evidencing that a review was actually conducted, and ideally the findings of the report along with proposed recommendations should be discussed with senior management in furtherance of the firm’s compliance program objectives. Regardless of whether the firm is an investment adviser or investment company, during a regulatory exam, the SEC will likely request to see documentation evidencing any findings as a result of the company’s annual review.
Implementation Steps Following the Annual Review
Once the Annual Review is completed, there may be a series of action steps for the firm to undertake in order to further enhance the compliance program. Importantly, this does not necessarily mean that anything is fundamentally wrong with the compliance program. Rather, the compliance program is designed to be dynamic, constantly evolving to strengthen internal controls within the organization. Consequently, it is likely that a firm may detect some areas where enhancements could be made, particularly as the firm adds (or takes away) product lines and services. New technology, employees and regulatory changes may also impact the necessity for change. As changes are occurring, you may want to note any updates and/or revisions to the firm’s policies and/or procedures. If a change cannot be readily made but is identified as a necessary enhancement, explain why it cannot be immediately implemented (such as for budgetary reasons, needs to hire additional employees, requirements for IT programming, etc.). Ultimately, the CCO should have active dialogue with senior management on proposals for suggested implementation steps following the annual review, and then document the timing, the resources and the managers that will oversee such implementation. The CCO’s role should be one of oversight, and not necessarily the implementer.
Care should be taken when writing to document all follow-up items to any gaps or violations. Perhaps refer back to your risk assessment matrix and create a column with a set time frame to make any needed corrections, updates or training.
While there is no specific format to follow for the Annual Review, the above risk management tips are provided as considerations on how to orchestrate your review and testing in an effective and efficient manner. By making the Annual Review an ongoing, interactive process, this may help to build consensus on those areas that may potentially need enhancement, which can then be addressed through new internal control development.
Ms. Gruben has extensive compliance experience in all aspects of the institutional advisory, broker-dealer, and mutual fund marketplace. With her expertise in the areas of broker-dealer and investment adviser marketing and advertising reviews, licensing and registration, mock regulatory examinations and drafting Codes of Ethics and AML, she brings practical compliance solutions for managing client needs. Core Compliance & Legal Services, Inc. offers compliance services for broker-dealers, registered investment adviser firms, hedge and private funds, private equity firms and other types of businesses of various sizes. Services include customized compliance programs, operational risk management and policy and procedure development.
1. Company Act Rule 38a-1(a)(4)(iii)(A) and (B).