The annual review is one of the three (3) pillars of Rule 206(4)-7 (“the Compliance Rule”) of the Investment Advisers Act of 1940 (“the Advisers Act”).
The rule requires SEC registered investment advisers (“RIAs”) to annually review “the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation.”[i]
Annual reviews have been cited by the Office of Compliance Inspections & Examinations (“OCIE”) as one of the top five (5) “most frequent compliance topics” during SEC exams.
Among their observations, OCIE has found that RIAs have failed to perform annual reviews outright; failed to sufficiently review and test the adequacy of their policies and procedures (“P&Ps”); and failed to implement changes or make updates to their P&Ps based on their annual reviews.[ii]
In fact, the SEC has brought enforcement actions against RIAs that failed to conduct annual reviews, including cease-and-desist orders, censure, and civil monetary penalties, such as the case of Hudson Housing Capital, LLC, wherein the adviser failed to both implement and review their P&Ps as required by the Compliance Rule.[iii]
In consideration of the importance of the Compliance Rule’s requirement for conducting an annual review of your P&Ps, we believe cybersecurity and privacy are areas RIAs should evaluate when conducting their annual reviews.
Cybersecurity and privacy continue to be hot-button issues for the SEC, so much so that cybersecurity has remained one of the SEC’s top examination priorities for the past six (6) years. Cybersecurity P&Ps should contemplate privacy requirements under Regulation S-P (“Reg S-P”)[iv] and Regulation S-ID (“Reg S-ID”)[v].
Reg S-P requires that financial institutions properly store confidential client information and ensure protection against unauthorized access or use of client information that could cause harm to the client.
Reg S-ID requires investment advisers to ensure that controls are in place to detect identity theft red flags, protect client assets, and report instances of identity theft. These requirements extend not just to your own networks but also to your third-party service providers.
In their 2017 cybersecurity risk alert, the SEC provided guidelines for robust cybersecurity P&Ps.[iii] In light of those recommendations, and bearing in mind the requirements of Reg S-P and Reg S-ID, consider reviewing the following areas when evaluating your cybersecurity controls: (1) a review of your maintenance controls for your data, hardware and software inventories, and your vendors; (2) detailed cybersecurity instructions related to vulnerability and penetration testing, security monitoring and network audits, access rights, and reporting; (3) a review of maintenance schedules and of testing for data integrity and vulnerabilities; (4) a review of third-party access controls; (5) training of employees; and (6) a review of the overall level of engagement by senior management when it comes to cybersecurity.
Other Areas for Consideration for Your Annual Review
Cybersecurity may be a focus right now, but there are several other areas of an RIA's compliance program that should be taken into consideration when conducting an annual review.
Core Compliance can help your firm with your annual reviews, including providing guidance on how to conduct an annual review, assisting with testing different areas of your compliance program, or conducting the annual review in its entirety on behalf of your firm.
[v] Office of Compliance Inspections and Examinations. “Risk Alert: The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers.” SEC.Gov, U.S. Securities and Exchange Commission, 7 Feb. 2017, www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.