On November 19, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert dealing with the Compliance Rule. OCIE’s Risk Alert discussed deficiencies and weaknesses identified by examiners. The Risk Alert reported that violations of the Compliance Rule are among the most common cited by OCIE examiners.

 The Compliance Rule, found in Rule 206(4)-7 under the Investment Advisers Act of 1940, requires Registered Investment Advisers (RIAs) to adopt and implement written policies and procedures. These policies and procedures must be reasonably designed to prevent, detect, and correct violations of the statute and its rules. RIAs must review these policies and procedures annually to determine their adequacy and effectiveness.

Although the Risk Alert has no legal force, RIAs should follow the guidance and apply it to their compliance programs.

OCIE’s observations regarding the Compliance Rule

 Examiners found the following deficiencies and weaknesses:

    • Inadequate compliance resources
    • Insufficient authority of Chief Compliance Officers (CCOs)
    • Annual review deficiencies
    • Failure to implement or perform actions required by policies and procedures
    • Failure to maintain accurate and complete information in policies and procedures
    • Failure to maintain or establish reasonably designed written policies and procedures

Inadequate compliance resources

Certain RIAs did not give their compliance department sufficient resources to perform their duties. In some cases, advisory personnel did not receive adequate training. Examiners found that at certain firms, the compliance function was not given sufficient personnel to fulfill important duties, such as conducting annual reviews or filing Form ADV. As RIAs grew in size or complexity, they did not always add compliance staff or enhance the firm’s information technology.

 Insufficient authority of CCOs

Some of the RIAs examined did not give CCOs full authority to handle their job effectively. In certain instances, CCOs did not receive critical compliance information, including trade exception reports and key clients’ advisory agreements. In some cases, senior management and employees did not consult with the CCO regarding matters with potential compliance implications.

Annual review deficiencies

In some instances, although RIAs claimed they engaged in ongoing or annual compliance reviews, they could not substantiate that they actually occurred. Firms failed to identify or review key risk areas applicable to the RIA, such as conflicts of interest and protection of clients’ assets. RIAs’ annual reviews failed to identify significant compliance or regulatory problems.

Failure to implement or perform actions required by policies and procedures

Examiners found that advisers did not adhere to their policies and procedures. Certain advisers ignored policies and procedures by not reviewing advertising materials and clients’ accounts. As an example, they did not review clients’ accounts to ensure that portfolios were consistent with their investment objectives. Some RIAs did not train their employees. There were also firms that did not implement compliance procedures regarding trade errors, best execution, conflicts of interest, and disclosures.

Failure to maintain accurate and complete information in policies and procedures

Certain RIAs’ policies and procedures were outdated and inaccurate. These advisers sometimes used off-the-shelf policies and procedures, which did not always apply specifically to the firm’s business model. An RIA’s use of boiler-plate policies and procedures will not satisfy the Compliance Rule.

Failure to maintain or establish reasonably designed written policies and procedures

Some RIAs purportedly relied on cursory or informal processes instead of maintaining written policies and procedures. Certain RIAs made the mistake of using the policies of an affiliated entity, such as a broker-dealer, which were not tailored to the adviser’s business activities.

Weaknesses and deficiencies discovered by examiners

 Having written policies and procedures is not enough. Examiners identified weaknesses or deficiencies in conjunction with establishing, implementing, or appropriately tailoring RIAs written policies and procedures. These weaknesses or deficiencies arose in the following areas:

    • Portfolio management, including due diligence and oversight of outside managers;
    • Marketing, including the oversight of solicitors;
    • Trading practices, including best execution and allocation of soft dollars;
    • Disclosures;
    • Advisory fees and valuation;
    • Client privacy safeguards;
    • Required books and records;
    • Safeguarding of clients’ assets; and
    • Business continuity plans.

 Weak and deficient policies and procedures can lead to major compliance violations and may result in an enforcement action against the investment adviser. Furthermore, without thorough and complete books and records, RIAs will be unable to demonstrate to examiners that they have complied fully with the Compliance Rule.

 Director Driscoll’s comments on the Risk Alert

On November 19, 2020, Peter Driscoll, OCIE Director, took note of the Risk Alert during his speech at the National Investment Adviser/Investment Company Compliance Outreach 2020. Driscoll emphasized that some RIAs did not allocate adequate resources to their compliance programs. Firms cut corners on information technology, staffing and training. Examiners also observed CCOs who lacked sufficient authority within the firm to develop and enforce the appropriate policies and procedures.

“The CCO needs a meaningful seat at the table,” Driscoll said. A firm’s compliance department should be fully integrated into the business of the RIA for it to be effective. Furthermore, CCOs cannot be effective without the support of management.

Although the responsibilities and challenges are significant, the critical function of compliance should not all fall exclusively on the shoulders of CCOs. One of the most important aspects of an effective compliance program is having the support of management. Executives of an RIA must empower CCOs to perform their jobs effectively.


The stakes are high when RIAs fail to implement a robust compliance program. Strong policies and procedures help to foster a culture of compliance. As Driscoll said in his speech, “Without a culture that truly values the CCO, supported by a sincere ‘tone at the top’ by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers and other key stakeholders.

The Risk Alert is available HERE.

About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.

RIA Compliance Group, LLC – 701 SE 6th Ave, Suite 201, Delray Beach, FL 33483 – Tel: 561-600-0564 – sales@ria-compliance.com