The SEC requires registered investment advisers to conduct an annual review to assess the adequacy and effectiveness of their compliance program, and this review must be documented in writing. The goal is for the firm to determine if its policies reasonably prevent, detect, and correct compliance issues.
What the SEC Actually Expects
The SEC expects firms to take a critical look at their compliance program to ensure it remains reasonably designed to prevent violations of the Advisers Act. Key expectations include:
- Evidence of testing: Regulators look for proof that you actually tested your procedures, not just read through them. This involves examining transaction records, reviewing marketing materials, and validating that your written procedures match actual practices.
- Active identification and remediation of issues: A successful compliance program is expected to find weaknesses and address them. Identifying and correcting issues is seen as a sign of a well-functioning program.
- Documentation: All aspects of the review, including findings, must be documented in writing and produced promptly during an examination.
- Adaptability: The program should evolve with regulatory changes, business developments, and new technologies.
What Must Be Reviewed vs. What Should Be Reviewed
The SEC doesn't prescribe a universal checklist for all firms, but outlines key risk areas that must be addressed, tailored to each firm's specific business operations.
Must Be Reviewed (Core Areas)
- Policies and Procedures: Determine if your existing policies and procedures are adequate and consistently followed.
- Risk Assessment: Evaluate current risks and conflicts of interest.
- Regulatory Filings and Disclosures: Ensure the accuracy and timeliness of filings such as Form ADV, Form CRS, and other required filings.
- Safeguarding Client Assets: Review custody and protection of client funds and information.
- Books and Records: Verify compliance with record-keeping rules (Rule 204-2).
- Supervision and Training: Evaluate the effectiveness of supervisory procedures and employee training programs.
Should Be Reviewed (Priorities and Best Practices)
- Current SEC Exam Priorities: Incorporate areas of focus highlighted in recent SEC risk alerts and exam priorities, such as cybersecurity, new Marketing Rule compliance, ESG disclosures, and fee transparency.
- Business Changes: Account for new services, technologies, or organizational changes (e.g., mergers, new personnel) that may alter the firm's risk profile.
- Prior Year's Recommendations: Discuss the progress made on recommendations from the previous annual review.
Policies, Procedures, and Evidence Expectations
The SEC expects the people who are supposed to be following the procedures to actually perform a review of those areas (e.g., portfolio managers reviewing portfolio management policies).
- Policies & Procedures: Should be detailed enough for supervised persons to know how to comply and tailored to the firm's specific operations. A full, cover-to-cover manual review isn't always necessary if continuous monitoring is in place.
- Evidence: Documentation is critical. SEC examiners expect to see written records of:
  - Risks that were identified and how they are managed.
  - Type and timing of tests performed, including results and any exceptions.
  - Corrective actions taken, supported by evidence like exception reports, trade logs, and updated policies.
How to Document Findings and Common Mistakes
Documentation should reflect a bona fide effort to scrutinize the compliance program.
Documentation
- Format Flexibility: Documentation can be a long-form report, aggregated quarterly reports, meeting notes, or board presentations.
- Action Items: The result should be a list of action items, including who is responsible and the timeline for completion.
- Honesty: Do not spin the report to hide issues; a successful program finds and fixes flaws. Be honest about deficiencies and plans to remedy them.
Common Mistakes
- Lack of Written Documentation: This is the most significant mistake, since the SEC explicitly requires the review to be documented in writing.
- Failing to Act on Findings: The SEC expects to see follow-up and remediation for identified issues. Promising deadlines you cannot keep is a mistake; it is better to state you will explore options and provide periodic reports.
- Generic Reviews: Using a one-size-fits-all checklist instead of one tailored to your firm's specific risks and business model.
- Lack of Testing: Merely reading policies without testing their operational effectiveness will trigger follow-up questions.
- Failing to Review Regulatory Changes: Ignoring new rules or SEC priorities can lead to deficiencies during an exam.