While the Securities and Exchange Commission (SEC) continues to release new rules and examination risk alerts that impact registered investment adviser (RIA) firms, there is still a simple rule that continues to trip up SEC-registered RIA firms of all sizes. Rule 206(4)-7 requires an investment advisory firm to adopt and implement written compliance policies and procedures, perform an annual review, and designate a Chief Compliance Officer (CCO). While this long-standing rule appears rather straightforward at first glance, it continues to trip up investment advisers, leading to enforcement actions.
"Rule 206(4)-7 - Compliance procedures and practices" reads as follows:
If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b-3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b-6) for you to provide investment advice to clients unless you:
(a) Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;
(b) Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and
(c) Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.
As RIA compliance consultants, we see these common mistakes related to Rule 206(4)-7 that often lead to serious compliance issues:
- A newly-registered firm creates a policies and procedures manual at the time of initial RIA registration, but fails to actually implement or follow it. Simply having a compliance manual is not enough; the firm needs to do what it says it's going to do.
- A newly-registered firm creates a policies and procedures manual at the time of initial RIA registration, but it is generic, not tailored, and does not accurately apply to the particular firm's business practices and potential risks. In this scenario, the policies and procedures unfortunately are insufficient to prevent violations.
- A firm does a sufficient job of updating its Form ADV and other filings but fails to establish an actual compliance program. Properly maintaining and updating the Form ADV is critical, but it is only one part of implementing a robust compliance program.
- New and long-established firms fail to conduct and document an annual compliance review. Even if the firm has implemented a strong compliance program, the annual review is a requirement that cannot be overlooked. It must be conducted thoughtfully and documented by performing an annual risk assessment, staff training, testing, and other reviews.
- A firm conducts an annual compliance review each year in theory, but has little in practice to show for it. The firm's policies and procedures manual is a living document that should be regularly updated to match a firm's business model evolution and to ensure that any new regulatory requirements are being properly addressed.
- A firm designates a Chief Compliance Officer, but the CCO is insufficiently qualified and does not receive proper training. Appointing an administrative assistant with no prior experience who is not properly empowered and is preoccupied with his or her existing responsibilities can lead to serious problems.
We strongly encourage the principals of all SEC and state-registered RIA firms to review these common mistakes to ensure that none are present. While Rule 206(4)-7 is less than 150 words in length, it is frequently cited in enforcement actions and forms the building blocks of establishing the proper culture of compliance.