Rule 206(4)-7 under the Investment Advisers Act of 1940 requires advisors registered or required to be registered with the Securities and Exchange Commission to ‘review, no less frequently than annually, the adequacy of policies and procedures… and the effectiveness of their implementation.’ Although the SEC has not prescribed a specific timeline for newly registered advisors, advisors should generally conduct their first annual review within a year of becoming registered with the SEC.
What form should the annual review take?
The SEC has not prescribed any particular form for the annual review. Instead, the SEC and its staff have repeatedly stated that the investment advisor should tailor its review to its particular business risks. Despite the need for tailoring the approach to particular risks of the advisor’s business, there are some issues that the SEC will expect every annual review to consider. For example:
- What was the nature and frequency of the compliance matters that arose during the period covered by the review? Does this data suggest that a change in either the nature or the frequency of those matters is warranted? Examples of ‘compliance matters’ include violations of the code of ethics or compliance manual, sanctions applied, complaints received, and litigation, regulatory action or investigation commenced.
- How has the advisor’s business changed over the year since the last annual review was conducted? Are there new business personnel, risks, products, issues, units or affiliates that require a change to its policies and procedures?
- How does the advisor go about identifying conflicts? What new conflicts has the advisor identified during the period under review? What new measures, if any, are needed to address the conflicts identified?
- What changes in the laws and regulations applicable to advisors have occurred during the period under review, or are expected to come into effect in the near future?
Who should conduct the annual review?
Most private fund advisors carry out the required annual review under the direction of the firm’s chief compliance officer. Based on a risk inventory, the CCO creates the game plan for the review and oversees the performance of particular tests, reviews, inquiries, interviews and other tools necessary to carry out the review. In a larger firm, the chief compliance officer and his or her staff may have sufficient resources to carry out the annual review without assistance from employees in the business units. However, in a firm of any size, the better practice is for the CCO to set a plan and tone with the business unit employees carrying out much of the testing under the direction of compliance staff who then review the results. This approach leverages compliance resources to allow a more comprehensive review and emphasizes that compliance is the responsibility of everyone, not just designated compliance professionals. However, compliance must always ensure that the business unit employee carrying out the review is independent (that is, business unit employees should not review their own work).
Some investment advisors hire third parties (primarily compliance consultants and law firms) to conduct annual reviews on their behalf. Third-party reviewers may not only have the advantage of experience with a wide variety of advisors and approaches, but are also often former SEC examiners. For an advisor with no staff or a small staff, an outside review provides a fresh look at the compliance program. Typically, based on a risk inventory, the third-party reviewer works with the chief compliance officer to establish an agreed-on scope for the annual review. The reviewer’s findings are incorporated into a report to management.
From time to time, such reviews may consist of a full ‘mock SEC examination,’ in which the third party provides a document request and simulates the experience of a visit by SEC examiners. While this approach may be very comprehensive, it is also expensive. Therefore, other more limited or targeted reviews may be appropriate. For example, an advisor may conduct a mock review every four to five years, but have a more targeted review in each of the other years.
What steps should advisors take to conduct the annual review?
The person co-ordinating the annual review (for brevity’s sake, this article assumes a CCO) should consider the following steps:
- Step 1. Assess any compliance and regulatory developments that became effective during the review period.
- Step 2. Conduct or update a risk inventory.
- Step 3. Review the results of the prior year’s annual review (if any) and any compliance matters that have arisen since.
- Step 4. Review any prior deficiency letter and the state of implementation of any corrective action taken in response.
- Step 5. Create a game plan for the review, including deciding the areas of focus, the specific assessment tools for each such area to be reviewed, the sample sizes and frequency of each test, the approximate timeline, and an estimate and identification of the resources needed.
- Step 6. Oversee the review and adjust the game plan as needed.
- Step 7. Address any compliance issues identified.
- Step 8. Assess adequacy of current policies and procedures in light of review results and develop recommendations.
- Step 9. Share findings and recommendations with senior management.
- Step 10. Implement necessary changes as approved by management.
Some tips for the CCO to help ensure a comprehensive and effective review include the following:
- To help ensure all risks are covered, create a matrix with columns identifying: risks from the risk inventory; controls (including policies and procedures); specific assessments; perceived risk level; frequency of assessment; and person responsible for testing.
- Use interviews and observations to make sure actual practice is consistent with written policies and procedures. Failing to follow written policies and procedures is one of the most common deficiencies the SEC identifies in its advisor examinations.
- Leverage compliance software (which is commonly used for personal trading, gifts and entertainment record keeping, and political contribution pre-clearance) to store documentation of the results of testing. Typically, this is a matter of creating a ‘case’ describing the test (or other assessment tool) and then recording a resolution to the case that describes the test results and incorporates, via electronic upload, any written documentation.
- Incorporate testing and controls that business units already undertake, provided that the reviewer is not reviewing his or her own work, and ensure any issues are escalated to compliance.
- Include a resource assessment, focusing on whether personnel, technology and other resources are sufficient.
- Include a frank assessment of the ‘tone at the top’ with respect to compliance. How can the firm’s senior management become more involved in communicating a clear message that compliance matters?
- Document implementation of any recommendations.
- Do not neglect state regulatory developments and issues that have relevance for advisors, including privacy regulations governing material non-public personal information, pay-to-play restrictions and reporting required by states, municipalities and, in some cases, pension plans themselves.
- Leverage service providers as compliance partners by clearly communicating expectations and contractually requiring and providing a venue or point of contact for reporting any suspected compliance issues.
What should an advisor look for?
Annual reviews should focus both on whether written policies and procedures have been implemented (that is, practices match policies and procedures) and whether policies and procedures that have been implemented are effective to mitigate the risks in the business and support compliance with the Advisers Act and the rules promulgated under it.
With respect to adequacy, the annual review should enable the advisor to a private equity fund to answer the following questions:
- Do existing policies and procedures deter and detect misconduct?
- Are issues being escalated swiftly and appropriately?
- Are alternate policies and procedures more effective in deterring and detecting misconduct?
- Are actions taken in response to misconduct adequate to remedy any resulting harm and prevent (by deterrence) additional misconduct?
- Do existing policies and procedures address any misconduct swiftly and ethically?
- Does any misconduct detected suggest revision of the policies and procedures?
Scott Pomfret is regulatory counsel and chief compliance officer at Highfields Capital in Boston. Prior to Highfields, he was a director of the PwC Financial Services Regulatory Group, and an enforcement branch chief at the SEC.