RIA Compliance and Practice Management Blog

SEC RIA Compliance Risk Alert Highlights RIA Compliance Rule Issues

Posted by RIA in a Box

Nov 23, 2020 1:56:19 PM

On November 19, 2020, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert regarding registered investment adviser ("RIA") compliance deficiencies related to Rule 206(4)-7, also known as the "Compliance Rule", under the Investment Advisers Act of 1940 ("Advisers Act"). Many of the deficiencies center on inadequate policies and procedures, the primary document that RIA firms should design, implement, and regularly revise to avoid violating the Compliance Rule.


In this latest SEC RIA risk alert, the SEC staff notes:

The Compliance Rule does not enumerate specific elements that advisers must include in their policies and procedures. Each adviser should adopt policies and procedures that take into consideration the nature of that firm's operations. The policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.

The Compliance Rule also requires each adviser to review its policies and procedures no less frequently than annually to determine their adequacy and the effectiveness of their implementation. The review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures. Although the Compliance Rule requires only annual reviews, advisers should consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments.

Finally, the Compliance Rule requires each adviser to designate a chief compliance officer (“CCO”) to administer its compliance policies and procedures. An adviser's CCO should be competent and knowledgeable regarding the Advisers Act and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm. The CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.

In particular, the SEC staff notes three key requirements of the Compliance Rule:

  1. The need to adopt policies and procedures that are tailored to the firm's operations;
  2. The need to conduct an annual compliance program review; and
  3. The need to designate a CCO to administer the firm's compliance program who is competent and knowledgeable regarding the Advisers Act and empowered with full responsibility and authority.

While the Compliance Rule is less than 150 words in length, it is frequently cited in enforcement actions and forms the building blocks of establishing the proper culture of compliance.

In particular, the risk alert lists a number of Compliance Rule-related compliance deficiencies observed during recent SEC investment adviser examinations, including:

  • Inadequate Compliance Resources: OCIE staff observed advisers that did not devote
    adequate resources, such as information technology, staff and training, to their
    compliance programs.
  • Insufficient Authority of CCOs: OCIE staff observed CCOs who lacked sufficient
    authority within the adviser to develop and enforce appropriate policies and procedures
    for the adviser.
  • Annual Review Deficiencies: OCIE staff observed advisers that were unable to
    demonstrate that they performed an annual review or whose annual reviews failed to
    identify significant existing compliance or regulatory problems.
  • Implementing Actions Required by Written Policies and Procedures: OCIE staff
    observed advisers that did not implement or perform actions required by their written
    policies and procedures.
  • Maintaining Accurate and Complete Information in Policies and Procedures: The staff
    observed advisers’ policies and procedures that contained outdated or inaccurate
    information about the adviser, including off-the-shelf policies that contained unrelated or
    incomplete information.
  • Maintaining or Establishing Reasonably Designed Written Policies and Procedures: OCIE staff observed advisers that did not maintain written policies and procedures or that failed to establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act. For example, staff observed advisers that claimed to rely on cursory or informal processes instead of maintaining written policies and procedures. In addition, staff observed advisers that utilized policies of an affiliated entity, such as a broker-dealer, that were not tailored to the business of the advisers. Where firms maintained written policies and procedures, OCIE staff observed deficiencies or weaknesses with establishing, implementing or appropriately tailoring their written policies and procedures in the following areas:
    • Portfolio Management
    • Marketing
    • Trading Practices
    • Disclosures
    • Advisory Fees and Valuation 
    • Safeguards for Client Privacy
    • Required Books and Records
    • Safeguarding of Client Assets
    • Business Continuity Plans

In conclusion, the SEC staff "encourages advisers to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are tailored to the advisers' business and adequately reviewed and implemented."


Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.

Topics: RIA Operations, RIA Compliance

RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.
