2020 was a busy year for the SEC’s Office of Compliance Inspections and Examinations. On November 19, 2020, Peter Driscoll, Director of the SEC’s Office of Compliance Inspections and Examinations (OCIE), gave a speech at the National Investment Adviser/Investment Company Compliance Outreach 2020. Driscoll’s remarks focused on the role of the Chief Compliance Officer (CCO), as well as the Compliance Rule. In his speech, Driscoll noted that during fiscal year 2020, staff members conducted over 300 outreach events, issued a Cybersecurity and Resiliency Observations report, and published eight risk alerts. As Registered Investment Advisers (RIAs) complete their annual reviews of their policies and procedures, it will be helpful for them to review OCIE’s publications, a few of which are highlighted here.
OCIE Risk Alert dealing with the Compliance Rule
On the same day as Driscoll’s speech, OCIE published a Risk Alert dealing with the Compliance Rule. The Compliance Rule, found in Rule 206(4)-7 under the Investment Advisers Act of 1940, requires RIAs to adopt and implement written policies and procedures. These policies and procedures must be reasonably designed to prevent, detect, and correct violations of the statute and its rules. RIAs must review the firm’s policies and procedures annually to determine their adequacy and effectiveness. Violations of the Compliance Rule are frequently cited by OCIE examiners.
According to the Risk Alert, examiners found the following deficiencies and weaknesses:
- Insufficient compliance resources;
- Too little authority given to CCOs;
- Annual review deficiencies;
- Failure to implement or perform actions required by policies and procedures;
- Failure to maintain accurate and complete information in policies and procedures; and
- Failure to maintain or establish reasonably designed written policies and procedures.
Those deficiencies and weaknesses arose in the following areas:
- Portfolio management, including due diligence and oversight of outside managers;
- Marketing, including the oversight of solicitors;
- Trading practices, including best execution and allocation of soft dollars;
- Advisory fees and valuation;
- Client privacy safeguards;
- Required books and records;
- Safeguarding of clients’ assets; and
- Business continuity plans.
Weak and deficient policies and procedures can lead to major compliance violations and may result in an enforcement action being brought against an investment adviser. Furthermore, unless firms maintain thorough and complete books and records, RIAs will not be able to prove they complied fully with the Compliance Rule.
The Risk Alert is available HERE.
OCIE Risk Alert containing supervision and compliance advice for RIAs with multiple branch offices
On November 9, 2020, OCIE warned RIAs with multiple branch offices about potential compliance issues. OCIE’s guidance was based on a series of examinations that focused on SEC-registered advisers with numerous branch offices that are not in close proximity to the RIA’s principal or main office. The Multi-Branch Initiative examined certain practices governing compliance programs and supervision, as well as investment advice. The guidance in the Risk Alert will also benefit RIAs that do not have branch offices.
In the compliance programs and supervision area, examiners looked at whether the RIA had adopted and implemented reasonably designed written policies and procedures. They evaluated the RIA’s compliance programs in their main and branch offices. In addition, they scrutinized the oversight of advisory services provided by personnel in branch offices. Examiners paid particular attention to compliance with certain regulations, such as the Custody Rule, and consistency with fiduciary obligations, including fees, expenses, and advertising.
In the investment advice area, examiners evaluated the processes used by RIAs to manage clients’ portfolios and to formulate recommendations. Examiners focused on:
- Oversight of investment recommendations within specific branch offices and across all of the RIA’s branch offices;
- Management and disclosure of conflicts of interest; and
- Allocation of investment opportunities.
OCIE examiners observed that the branch office model creates certain risk factors that should be addressed when designing and implementing policies and procedures and when supervising branch processes and personnel. These risks may increase when the main and branch offices do not follow the same practices. As an example, RIAs that do not monitor, review, or test their branch office processes may not be aware that their compliance controls are deficient.
The vast majority of the examined RIAs were cited for at least one deficiency pertaining to the Compliance Rule. More than half of the RIAs examined had deficient policies and procedures that were:
- Inaccurate because they included outdated information, such as references to people who had changed roles and references to entities no longer in existence;
- Not applied in a consistent manner at every branch office;
- Implemented inadequately, because the compliance department did not receive the records called for in the firm’s policies and procedures; and
- Not enforced.
More than half of the examined RIAs were cited for deficiencies pertaining to portfolio management practices involving:
- Oversight of investment decisions made within branch offices;
- Disclosure of conflicts of interest; and
- Trading allocation decisions.
Examiners noted that there was often minimal oversight of investment decisions occurring in branch offices. For example, RIAs failed to oversee investment recommendations related to mutual fund share class selection and the disclosures that must accompany them.
OCIE’s Risk Alert can be found HERE.
OCIE’s Risk Alert on compliance issues related to private fund advisers
On June 23, 2020, the SEC published a Risk Alert, which summarized compliance issues discovered during hundreds of examinations of investment advisers managing private equity funds or hedge funds. In the Risk Alert, OCIE reported that over 36 percent of investment advisers registered with the SEC manage private funds. The Risk Alert focused on three areas:
- Conflicts of interest;
- Fees and expenses; and
- Material non-public information (MNPI) policies and procedures.
Examiners observed that these deficiencies caused investors to incur higher costs and that investors did not receive full disclosure of the adviser’s conflicts of interest.
Rule 206(4)-8 under the Investment Advisers Act prohibits advisers to pooled investment vehicles from making untrue statements of a material fact or omitting material facts. These untrue statements and omissions may mislead a prospective investor or a current one. Examiners observed that some private fund advisers failed to disclose conflicts of interest pertaining to:
- Allocations of investments;
- Multiple clients investing in the same portfolio company;
- Financial relationships between the adviser and investors or clients;
- Side letters granting preferential liquidity rights;
- Interests in recommended investments;
- Co-investment vehicles and co-investors;
- Service providers;
- Cross-transactions; and
- Fund restructurings.
Fund restructurings are transactions in which a private fund adviser arranges a sale to a purchaser of an existing private fund or the fund’s portfolio.
Examiners found that investors sometimes paid inflated fees and expenses, because private fund advisers improperly allocated shared expenses. The advisers’ allocations were inconsistent with policies and procedures, as well as their disclosures to investors. Some advisers did not adequately disclose operating partners’ role and compensation. In some instances, clients were charged for expenses that were not allowed by the fund’s operating agreements. Advisers also failed to comply with the contractual limits on certain expenses and did not adhere to their travel and entertainment expense policies and procedures. In addition, certain advisers received fees from portfolio companies and neglected to apply or calculate management fee offsets. Some advisers’ valuation processes did not match the firm’s policies and procedures or its disclosures.
The Risk Alert noted that private fund advisers did not always implement, maintain, and enforce their code of ethics to guard against the misuse of MNPI. Some advisers failed to enforce the firm’s securities trading restrictions. They also did not implement well-drafted policies and procedures for adding and deleting securities from the restricted list. In addition, they did not require access persons to submit transactions and holdings reports within the appropriate timeframe or to submit personal securities transactions for preclearance in accordance with the firm’s code of ethics. Some private fund advisers failed to identify access persons correctly and did not enforce the gifts and entertainment provisions in their code of ethics.
The advisers examined did not address the MNPI risks that arise when employees interact with public company insiders, outside consultants arranged by an expert network firm, or value-added investors, such as corporate executives or financial professional investors. They did not evaluate whether non-public information could have been exchanged.
The Risk Alert can be found HERE.
OCIE Risk Alert discussing filing requirements for Form CRS (Client Relationship Summary)
On April 7, 2020, OCIE published a Risk Alert for RIAs and broker-dealers to help them understand Form CRS, the client relationship summary. The relationship summary provides information about the firm, which must be delivered to retail investors. Firms must also file their initial CRS, as well as any amendments, with the SEC using the Central Registration Depository (“Web CRD”) or Investment Adviser Registration Depository (“IARD”). If firms have a website, they must also post the current relationship summary there.
There are five topics that must be discussed in the Form CRS using standardized headings:
- Relationship and services;
- Fees, costs, conflicts and standards of conduct;
- Disciplinary history of the firm and its financial professionals; and
- Additional information, such as where the client can learn more about the firm.
Form CRS should articulate where the retail investor can obtain additional information about the firm.
After the compliance date, OCIE began conducting examinations to evaluate whether firms made a good faith effort to implement Form CRS. The Risk Alert can be found HERE.
RIAs should be aware of OCIE’s observations on cybersecurity and resiliency practices
In his speech, Driscoll touted OCIE’s publication dealing with market participants’ cybersecurity and operational resiliency practices. Resiliency means more than just preventing or responding to a cyber-attack. Resiliency also encompasses a firm’s ability to operate during a cyber-attack and to recover from it.
OCIE’s observations highlight some of the approaches taken by market participants in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. The observations highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to potentially safeguard against threats and to respond in the event of an incident. Successful cybersecurity programs incorporate elements such as:
- A risk assessment to identify, analyze, and prioritize the organization’s cybersecurity risks;
- Written cybersecurity policies and procedures designed to control those risks; and
- Effective implementation and enforcement of the cybersecurity policies and procedures.
To improve cybersecurity, organizations use numerous risk management and governance measures such as:
- Senior level engagement;
- Risk assessment;
- Policies and procedures;
- Monitoring and testing;
- Ongoing evaluation and adaptation to changes; and
RIAs should frequently test and monitor the effectiveness of their cybersecurity policies and procedures.
OCIE’s observations can be found HERE.
Accredited investor definition was also expanded during this busy year
In addition to cybersecurity and resiliency observations and Risk Alerts published by OCIE, the SEC expanded the definition of “accredited investor” on August 26, 2020. This definition is one of the primary tests for determining who is eligible to participate in private capital markets. The SEC’s position is that the new definition will more effectively identify institutional and individual investors possessing the knowledge and expertise to participate in private capital markets. The SEC’s final rule can be found HERE.
Because of the amendments, the definition of accredited investor now includes natural persons with specified professional certifications, designations, and credentials, including Series 7, Series 65, and Series 82 licenses. The accredited investor definition was also broadened to include knowledgeable employees of a private fund, so they are permitted to invest in it. In addition, the SEC incorporated the term “spousal equivalent” in the definition. Spousal equivalents are now permitted to pool their finances in order to qualify as accredited investors. A spousal equivalent is defined as a cohabitant who has a relationship generally equivalent to that of a spouse.
The term “accredited investor” should not be confused with “qualified client.” The definition of qualified client is much different. An investment adviser may not enter into, renew, or extend an advisory contract providing for performance-based compensation unless the agreement is with a qualified client.
Despite Covid-19, OCIE is continuing its oversight of RIAs, so firms and CCOs should be prepared for a possible examination. In Fiscal Year 2020, OCIE has thus far conducted more than 2,950 examinations including 15 percent of SEC-registered investment advisers.
Although Chief Compliance Officers (CCOs) are extremely busy throughout the year, they must make time to stay abreast of Risk Alerts and other OCIE publications, as well as changes in securities laws and rules. Examiners expect CCOs to be familiar with the guidance offered in these publications. CCOs should use OCIE’s observations and advice to improve their firms’ policies and procedures and to prepare their firms for potential future examinations.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.