I posted several blogs this summer about our victory over the SEC in the Robare case (which, naturally, has been appealed by the SEC’s unhappy Division of Enforcement). One of the key elements in our ability to prevail in that matter was my client’s extensive use of outside securities consultants to assist in the preparation and ongoing review of its Form ADV. Last week, the SEC’s Office of Inspections and Examinations – OCIE – issued a National Exam Program Risk Alert that touched upon the same subject of outsourced compliance functions by investment advisors. Although it was pretty specific in scope, addressing in particular the outsourcing of the Chief Compliance Officer position, it contained some general observations about compliance that are important for every advisor to understand, whether or not they outsource any aspect of their compliance responsibilities. In fact, many of these observations about compliance are equally applicable to broker-dealers, so they, too, should study this Alert.

Here is what the SEC had to say about compliance, generally, and CCOs:

  • “Frequent” and “personal” interactions between compliance staff and advisors (as opposed to “impersonal interaction, such as electronic communication or pre-defined checklists”[1]) are preferable, and result in a better understanding by compliance of the firm’s “business, operations, and risks.” This may not be an especially illuminating observation, but given how easy it is to abide by this guidance, it would be foolish to ignore it. Of course, as with anything compliance-related, it is not enough just to do it; you have to memorialize the fact that you did it. So, don’t just hold “personal” meetings; document when they happen, who is in attendance, and what is discussed. And don’t minimize the importance of the frequency of such meetings. While the SEC has not quantified what it deems to be reasonable, once or twice a year is not “frequent” by anyone’s definition.
  • Firms that fail to provide their compliance officers with “sufficient resources to perform compliance duties” do so at their own risk. This is particularly true when a CCO does not work full-time, but is registered with several registrants, and, as a result, is given limited time within which to accomplish the designated compliance tasks. You can guarantee that if questioned by a regulator, a CCO will be asked if he or she was provided adequate time and resources to accomplish the delegated tasks, so you never want to run the risk that the answer will be “no.”
  • The failure to have policies, procedures or disclosures “necessary to address all of the conflicts of interest” SEC staff has previously identified is problematic. This covers such areas as compensation practices, portfolio valuation, brokerage and execution, and personal securities transactions. I have blogged repeatedly about the regulators’ obsession with the identification and management of conflicts. Ignore conflicts of interest at your own peril, and that’s true even for broker-dealers, who, unlike advisors, have no obligation to disclose their conflicts on Form ADV.
  • Firms that fail to follow their own existing policies and procedures just plain look stupid and sloppy. Make sure that everyone is provided up-to-date versions of the latest procedure manual, and make sure that everyone actually reads it. They need not memorize it, but you want to avoid a situation where, under oath, an advisor concedes that he hasn’t seen the manual, and has no idea about its contents. It is simply impossible to unring the bell of lousy supervision once that happens.
  • It is equally bad when there is an inconsistency between a firm’s stated policies and procedures and its actual practices. Again, in this circumstance, you are inviting the regulator to conclude that your written policies and procedures are meaningless.
  • Make sure that the written policies and procedures are specifically tailored to the business the firm actually conducts. It is dangerous, and silly, to use an unedited off-the-shelf set of procedures because they may contain sections with no relevance to a firm’s business, or, worse, because they do not include sections that are necessary. Either way, to use a procedures manual that is not specific to your particular business model is to create the impression – and not necessarily an invalid impression – that, at best, you are careless, or, at worst, that you are indifferent to your compliance responsibilities.
  • The annual review of existing policies and procedures cannot be perfunctory. Too many advisors and BDs simply rubber-stamp this “testing” requirement, figuring that the absence of a problem must mean the WSPs were effective. That is not enough. Rules change, standards are tweaked, guidance is issued, products and/or business lines are added or dropped. Firms must, at least annually, take a fresh look at their policies and procedures to ensure that they are current, in light of whatever changes manifest themselves during the course of a year. AND DOCUMENT THAT ANALYSIS!

This stuff is not necessarily ground-breaking. For instance, I can remember offering counsel to BD clients 30 years ago about the importance of keeping WSPs current. But, given that OCIE felt compelled to issue this Alert now, it is readily evident that these basic lessons have not been universally learned. Don’t wait for an SEC or FINRA examiner to point out your deficiencies; at that point, even if you fix them, it’s too late to avoid the regulatory implications.

[1] The Alert was clearly against the use of such standardized checklists. OCIE cited a recent Enforcement action in which an outsourced CCO was alleged to have contributed to a false filing because he “did not personally review [the adviser’s] records” to validate them, but, instead, relied “exclusively on information provided to him by” advisers. The best practice is to provide CCOs, outsourced or otherwise, the power “to independently obtain the records they deemed necessary for conducting” reviews, rather than allowing the subjects of such reviews “to selectively provide records” to the CCO.