Risk Management Updates (RMU) | Securities and Exchange Commission (SEC)

Risk Management Update: Compliance Year-End Preparation Checklist

October 31, 2017 by

It’s time to start thinking about all the compliance projects that need to be completed before the end of the year.  While the Securities and Exchange Commission (“SEC”) slowed their pace on adopting new regulations during 2017, they continue to bring enforcement actions against investment advisers for compliance violations.  Some of these included:

  • Inadequate disclosures and compliance deficiencies for investing client assets in mutual fund share classes with higher fees when share classes with lower fees were available;[1]
  • Failure to establish, maintain, and enforce policies and procedures reasonably designed to prevent the misuse of material, nonpublic information;[2] and
  • Recommending that advisory clients invest in certain risky exchange-traded funds without implementing applicable written compliance policies and procedures.[3]

The SEC’s Office of Compliance and Inspections and Examinations also issued a National Examination Program Risk Alert in February 2017,[4] which outlined five compliance areas that are the most frequently identified deficiencies pursuant to the Investment Advisers Act of 1940 issued to investment advisers. These deficiency and weakness areas included: (i) the Compliance Program Rule (Rule 206(4)-7), (ii) Code of Ethics Rule (Rule 204A-1), (iii) Books and Records Rule (Rule 204-2), (iv) Custody Rule (Rule 206(4)-2), and (v) required regulatory filings.

In addition, in October 2017, the revised Form ADV became effective requiring investment advisers to include additional and more specific information, pertaining to, among other things, regulatory assets under management and types of clients.[5]

To help firms ensure they perform required compliance tasks during 2017 and get prepared for the New Year, we are providing the below checklist.  Please note the list is not all inclusive, and is meant to provide you guidance on what you should be thinking about and discussing with senior management in preparation for 2018.

 

Compliance Checklist:

Registration and Regulatory Filings

  • Pull the IARD Preliminary Renewal Statement on or after November 13th and pay the annual required filing fees within the required deadline.
    • Risk Management Tip: This year’s deadline for payment is December 18, 2017 The method of payment instructions can be found at https://www.iard.com/ren_payment.
  • Ensure all applicable required federal and/or state filings have been made. Examples include Form 13F, Form 13H (Large Trader), Schedule 13D/G, Form PF and Form D (private funds), state net capital filings, state registrations, state notice filings and state blue sky filings.
    • Risk Management Tip: Program all deadlines in Outlook or other electronic calendar and also consider software and third-party outsourcing solutions to assist with these filings.
  • Review current registration forms and client disclosure documents (g., Form BD, Form N1-A, Form ADV,[6] client agreements, prospectus and statement of additional information, and private placement memorandums) to confirm they reflect current information and contain required and applicable disclosures.
    • Risk Management Tip: Read the SEC issued instructions for the applicable document to ensure you are including all required informa Also, consider recent SEC enforcement actions available at www.sec.gov to better understand the types of disclosures the SEC requires.
  • Have all registered personnel review their currently filed Form U-4 and confirm in writing whether it contains up to date and accurate information or needs updating.
    • Risk Management Tip: Pull a copy of the last filed Form U-4 from the CRD system for each registered supervised person and distribute to them for review

{{cta(‘c63e7150-e91b-4de1-85ca-82f4d0a52866′,’justifycenter’)}}

Compliance Program

  • Confirm all recommended courses of action from the adviser’s 2016 annual review have been addressed and ensure that the 2017 annual review was performed and documented.
    • Risk Management Tip: Consider performing an assessment of the annual review process to determine whether it remains adequately designed to prevent violations of applicable federal and state regulations; to the extent that your forensic tests are “light” discuss more robust and different methodologies with your compliance consultant.[7]
  • Ensure all necessary compliance steps outlined in your firm’s policies and procedures are performed, including but not limited to, testing and surveillance processes, regulatory filings, branch office audits, and supervisory review
    • Risk Management Tip: Utilize compliance software that prioritizes, tracks and documents reviews and updates.
  • Make sure all annual Code of Ethics reporting is completed by access persons, including reports of securities holdings, outside business activities, political contributions and gifts and entertainment reports and attestations.
    • Risk Management Tip: Have each employee complete an annual questionnaire and accompanying attestation of compliance with the firm’s Code.
  • Determine whether the firm’s written policies and procedures cover all applicable conflict and risk areas.
    • Risk Management Tip: Perform a risk assessment and conflict inventory at least annually to determine whether the firm’s policies require expansion or update and address all areas of the business.

Testing and Assessments

  • Sample test client files to confirm that investment objectives have been documented and appear current and in line with portfolio investment
    • Risk Management Tip: Implement an electronic process for tracking the timely receipt of new account opening documentation, including investment objective forms.
  • Audit the billing process to ensure fees are calculated correctly and clients are not being overbilled.
    • Risk Management Tip: Perform random checks of fees on invoices versus fees in client agreements to test for consistency and ensure disclosures on the billing process are detailed on Form ADV Part 2A.
  • Review solicitor arrangements to verify that agreements are up-to-date and in compliance with Rule 206(4)-3 of the Advisers Act and verify that solicited clients received a copy of the solicitor’s disclosure statement.
    • Risk Management Tip: Require each solicitor to provide written annual certifications confirming they remain in compliance with and are adhering to all requirements under the solicitation agreement.
  • Review surveillance reports, exception reports, and checklists for detection of trends and patterns indicating systemic risk areas and take appropriate actions as needed.
    • Risk Management Tip: Consider having an independent third party perform a review and request recommendations on what steps should be taken to advance exception reporting and obtain more meaningful data.
  • Confirm the firm’s business continuity plan has been fully tested and includes both localized business disruptions and widespread disasters.
    • Risk Management Tip: Don’t forget to conduct due diligence on whether service providers have tested their plans and if so, obtain a summary of results, including what enhancements were made in light of the test(s).
  • Perform a risk assessment of your cybersecurity policies, procedures, and safeguarding protocols to ensure adequate controls are in place.
    • Risk Management Tip: Consider guidance issued by the National Institute of Standards and Technology[8] and recent guidance from the SEC in its Observations from Cybersecurity Examinations.[9]
  • Analyze maintenance and safeguarding controls for required books and records, including client, corporate and financial records, as well as due consideration for the new performance advertising books and records requirements.[10]
    • Risk Management Tip: Ensure employees understand the requirements on what to maintain – and how.
  • Confirm all branch offices have received a compliance review.
    • Risk Management Tip: Perform onsite visits and consider the strength of internal controls for surveying offsite activitie

Employee Training

  • Ensure compliance training has been provided to firm personnel covering firm policies and procedures, Code of Ethics and fiduciary responsibility, business continuity, cybersecurity, identify theft and safeguarding client non-public information.
    • Risk Management Tip: Training can be delivered in a number of ways throughout each year, including webinars, in-person compliance meetings, conferences, and periodic compliance emails. Also, be sure to provide training to new employees.

Marketing and Advertising

  • Ensure that business presentations, commentaries, websites, social media sites, and other marketing materials are up-to-date, contain all necessary disclosures, have been reviewed by compliance, and are retained as part of the firm’s required books and records.
    • Risk Management Tip: Perform testing via email reviews to help confirm that employees are only using currently approved marketing and promotional materials.

Financial and Custody Audits

  • For private funds, verify that the annual audit of the fund’s financials is scheduled and that internal controls are in place to ensure timely mailing of the audited financial statements to investors within the required per
    • Risk Management Tip: Coordinate with the Fund’s third-party service providers and employees to allow sufficient time to prepare and facilitate the a
  • Make sure, if applicable, that the annual surprise custody audit has been performed and Form ADV-E filed with the SEC via the firm’s IARD account.
    • Risk Management Tip: CCOs should be familiar with SEC guidance issued in 2017[11] and ensure that all required assets are being included in the audits.

Ad Hoc

  • Have legal counsel review standard client agreement(s) for necessary provisions and focus on the clarity of the services and fees associated with the servicing mandate
    • Risk Management Tip: Have the agreement(s) reviewed by legal counsel well versed in federal and state securities laws.
  • Confirm that due diligence reviews of service providers were performed and documented
    • Risk Management Tip: Set up a due diligence calendar and monitoring system for tracking purposes.

Conclusion

Maintaining a healthy and dynamic compliance program, with solid policies, procedures, and controls in place helps the adviser to adhere to applicable federal rules and state regulations and prevents violations from occurring.  Moreover, a system of checks and balances will assist the adviser in being well-prepared for both regulatory examinations and onsite due diligence visits.  CCOs are encouraged to provide their senior management team with a year-end summary of their compliance program efforts, and this checklist could serve as the checklist to do just that.

For more information, or for assistance with your year-end compliance projects and evaluations, please contact us at (619) 278-0020, or visit us at www.corecls.com for more information.

Author: Tina Mitchell, Managing Director, Consultation Services; Editor: Michelle Jacko, CEO, Core Compliance & Legal Services, Inc. (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

[1] See In the Matter of Envoy Advisory, Inc., Release No. 4764 (Sep. 8, 2017) available at

https://www.sec.gov/litigation/admin/2017/ia-4764.pdf.

[2] See In the Matter of Deerfield Management Company L.P., Release No. 4749 (Aug. 21, 2017) available at  https://www.sec.gov/litigation/admin/2017/ia-4749.pdf.

[3] See In the Matter of Morgan Stanley Smith Barney, LLC, Release No. 4649 (Feb. 14, 2017) available at

https://www.sec.gov/litigation/admin/2017/ia-4649.pdf.

[4] See https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.

[5] See Core Compliance Risk Management Update at  http://www.corecls.com/news-events/what-advisers-need-to-do-to-prepare-for-upcoming-changes-to-form-adv; see also IA Rel. No. IA-4509 available at https://www.sec.gov/rules/final/2016/ia-4509.pdf.

[6] In addition, make sure all applicable additional information required for the newly revised Form ADV has been identified and gathered.

[7] See Core ComplianceRisk Management at http://www.corecls.com/news-events/annual-reviews-risk-management-update.

[8] See http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

[9] See SEC Office of Compliance Inspections and Examinations National Examination Risk Alert (Aug. 7, 2017) available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.

[10] Effective October 1, 2017, the books and records rule was amended relating to maintenance of certain records supporting performance advertisements and communications; see IA Rel. No. IA-4509 available at https://www.sec.gov/rules/final/2016/ia-4509.pdf.

[11] See https://www.sec.gov/divisions/investment/noaction/2017/investment-adviser-association-022117-206-4.htm  and

https://www.sec.gov/investment/im-guidance-2017-01.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *