Let’s chalk this one up to “great minds think alike,” or maybe just “minds think alike.” You may recall that in his recent letter to member firms that accompanied FINRA’s 2017 Exam Priorities Letter, FINRA CEO Robert Cook said, “starting this year, we will publish a summary report that outlines key findings from examinations in selected areas.” Cool idea, right? Well, last week, the SEC’s Office of Compliance Inspections and Examinations, or OCIE, beat FINRA to the punch and released a Risk Alert called “The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers.” If you’re an SEC-registered IA, or, like me, someone who represents IAs, it is a must-read. Now, I am not necessarily saying that anything it contains is particularly eye-opening, but it does provide a tidy roadmap to those things on which your compliance efforts should be focused, even if those things are, arguably, pretty obvious.

Compliance Rule. The Compliance Rule – Rule 206(4)-7 under the Investment Advisers Act of 1940 – basically provides that an adviser must (1) have written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules that the SEC has adopted under the Act; (2) review, no less frequently than annually, the adequacy of those policies and procedures; and (3) designate a CCO responsible for administering the compliance policies and procedures.[1] What OCIE has found (over the course of over 1,000 exams of IAs over the last two years) are these common deficiencies:

  • Compliance manuals are not reasonably tailored to the adviser’s business practices. This is not just a common problem, but an old one. It can be more than just embarrassing to present an examiner with an “off-the-shelf” compliance manual that contains sections that have no relation to the firm’s actual business, or, worse, doesn’t contain sections that are pertinent.
  • Annual reviews are not performed or do not address the adequacy of the adviser’s policies and procedures. Like some BDs, it seems that some advisers simply don’t conduct annual reviews of their compliance policies and procedures, as required by the Compliance Rule. Others do the reviews, but they are insufficiently introspective, and fail to address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. Finally, if a review reveals a problem, that cannot be ignored. Steps – demonstrable, memorialized steps – must be taken to address or correct the problem.
  • Adviser does not follow compliance policies and procedures. What good is having a robust policy if it is ignored? Indeed, arguably, it is worse than not having a policy at all.
  • Compliance manuals are not current. As noted in the first bullet point, it is sloppy to continue to maintain a compliance manual that contains outdated information or policies, such as “investment strategies that were no longer pursued or personnel no longer associated with the adviser and stale information about the firm.”

Regulatory filings. OCIE focused principally on Form ADV filings here, although it also mentioned Form PF and Form D.  Essentially, the advice boils down to this nugget of wisdom:  make sure that your filings are (1) timely, (2) accurate, and (3) complete.  Ooh, why didn’t I think of that?

Custody Rule. The Custody Rule – Advisers Act Rule 206(4)-2 – covers advisers who have custody of clients’ cash or securities. Unfortunately, it is pretty much a strict liability situation if it is determined that an adviser had custody and failed to jump through the Rule’s hoops. The common problems that advisers have with the Custody Rule are as follows:

  • There are situations where advisers did not recognize that they may have custody. OCIE identified a few situations where an adviser is deemed to have custody, but the adviser failed to realize it:
    • If a client provides an adviser online access to client accounts using the client’s personal usernames and passwords, including the ability to withdraw funds and securities from the client accounts;
    • If an adviser (or a related person) has powers of attorney authorizing him to withdraw client cash and securities; and
    • If an adviser (or a related person) serves as trustee of clients’ trusts or general partners of client PIVs.
  • Faulty surprise exams. A requirement under the Custody Rule is that an independent public accountant perform a surprise exam. According to OCIE, however, some of these exams have not exactly been a surprise (e.g., exams were conducted at the same time each year). Also, some advisers failed to provide the auditor with a complete list of accounts over which the adviser had custody or other information necessary for the exam to be conducted timely.

Code of Ethics Rule. Advisers are required to have a Code of Ethics under Advisers Act Rule 204A-1. OCIE identified these common issues regarding the Code of Ethics requirement:

  • Access persons not identified. Access persons (e.g., certain employees, partners or directors) must periodically report their personal securities transactions and holdings to the CCO, and obtain pre-approval before investing in an IPO or private placement. Some advisers did not identify all of their access persons. In addition, some access persons submitted transactions and holdings less frequently than required by the Rule.
  • Codes of ethics missing required information. Some advisers’ Codes of Ethics did not specify review of the holdings and transactions reports, or identify the specific submission timeframes.
  • Form ADV omissions. Certain advisers did not describe their Codes of Ethics in Part 2A of their Forms ADV and did not articulate that their Codes of Ethics were available to any client or prospective client upon request.

Books and Records Rule. The Books and Records Rule – Advisers Act Rule 204-2 – is the last common problem area.  And the problems are exactly what you would expect to hear:  (1) incomplete records, (2) inaccurate records, (3) records not updated in a timely manner, and (4) internally inconsistent records.


[1] These sound very much like a BD’s requirements under FINRA’s supervision rule, Conduct Rule 3110.