According to Rule 206(4)-7 of the Investment Advisers Act of 1940, registered investment adviser ("RIA") firms must do the following: 1) implement written policies and procedures reasonably designed to prevent violations by the firm's employees, 2) conduct an annual review (at minimum) of the adequacy and effectiveness of the policies and procedures in place, and 3) designate a Chief Compliance Officer ("CCO") to administer the policies and procedures.
In this blog post, we discuss key components of an RIA firm's policies and procedures manual in terms of archiving practices and how to prepare for the annual compliance program review.
An RIA firm's policies and procedures manual needs to detail how the firm will archive its communications and how often the archived data will be reviewed. In a risk alert released this past November, the Securities and Exchange Commission ("SEC") staff stated that a firm's policies and procedures should address "the accurate creation of required records and their maintenance in a manner that protects them from unauthorized alteration or use and protects them from untimely destruction."
Policies and procedures must also be reviewed annually and updated to address changes in business practices or compliance matters as they occur. Among the SEC Division of Examinations' list of the most common investment adviser regulatory compliance deficiencies was the lack of proof that an annual review was conducted, or the failure to identify significant compliance concerns during the annual compliance program review. Regulators expect firms to complete compliance tasks throughout the year and to have these tasks documented for review in their annual report.
Keep in mind, the CCO is ultimately responsible for administering the firm’s compliance policies and procedures.
Below is a list of some of our top tips and questions to address during the process of writing and/or reviewing the archiving segment in your RIA firm's policies and procedures manual:
- What mediums of communication are permitted and not permitted at your firm (business and personal email, texts, messaging applications like Slack, etc.)?
- Describe your firm’s archiving system: Regulators will assess the quality and effectiveness of the system in place.
- How will the archived content, like emails, be made readily available to supervisors or regulators for review?
- Where is the data stored and for how long? The Books and Records Rule requires firms to store data for no less than five years.
- How do you ensure that archived correspondence cannot be modified?
- Name the Supervisors: Indicate who at your firm has supervisory status to view, retrieve, and monitor collected data.
- If the CCO is also an advisor, indicate who is reviewing his or her communications.
- Provide details on how much and how often data is reviewed: Describe the frequency of supervisory reviews and how the data is selected (keywords, sample sizes, etc.).
- Describe how issues are addressed: Regulators will look closely at how your CCO or supervisor addresses and logs any issues flagged during content/data reviews.
- Prove your system is secure: The archived data likely contains information that is sensitive to the firm and its clients, meaning regulators will also focus on the security of your system. Your system needs protection against unauthorized users accessing private data.
- The CCO should maintain a list of keywords and phrases used to flag issues during reviews and how often the list is updated. The list generally does not need to be included in the policies and procedures manual.