With the third quarter of 2018 coming to a close, it’s time for Chief Compliance Officers (“CCOs”) to start taking inventory and determine what compliance projects still need to be addressed. To assist with this process, we’re providing a detailed checklist that includes risk management tips geared to facilitate each task through the reminder of the year.
Before you begin, it’s important to look at some of the year’s regulatory activity to best gauge which areas may need additional attention. Since January, the Securities and Exchange Commission (“SEC”) has issued two Risk Alerts, one covering best execution and the other on assessment and disclosure of advisory fees. In addition, the SEC has brought over 50 enforcement actions against investment advisers for violations of the Investment Advisers Act of 1940, which run the gamut of topics and include:
- Using testimonials in advertising
- Showing hypothetical performance without adequate disclosures
- Having undisclosed conflicts of interest
- Providing misleading disclosures in Form ADV
- Disproportionately allocating trades among clients
- Not disclosing “trading away” practices
- Violating custody rule requirements
- Improperly calculating assets under management
- Having deficiencies in compliance policies and procedures
Notably, some well-known firms are named respondents in the enforcement actions, such as Gemini Fund Services, Voya Investments, Cadaret, Grant & Co., and Lockwood Advisors. Anyone utilizing these firms as service providers should perform due diligence to determine what additional controls and protections have been implemented to ensure the violations do not reoccur.
Assess the Strength of Your Compliance Program
- Determine whether the firm has policies, procedures and controls covering applicable SEC exam priority areas.
- Risk Management Tip: Review the SEC’s exam priorities report published for guidance and suggested compliance steps.
- Check that the firm’s written policies and procedures cover all applicable conflict and risk areas.
- Risk Management Tip: Perform a risk assessment and conflict inventory at least annually to determine whether the firm’s policies require expansion or update and address all risk areas of the business.
- Confirm all recommendations from last year’s annual review have been addressed and ensure that the 2018 annual review gets performed and documented.
- Risk Management Tip: Consider performing an assessment of the annual review process to determine whether it remains adequately designed to prevent violations of applicable federal and state regulations; to the extent that your forensic tests are “light” discuss more robust and different methodologies with your compliance consultant.
- Ensure all necessary compliance steps outlined in your firm’s policies and procedures have been/will be performed, including but not limited to, testing and surveillance processes, regulatory filings, branch office audits, and supervisory reviews.
- Risk Management Tip: Utilize compliance software that prioritizes, tracks and documents reviews and updates.
- Get all year-end Code of Ethics reporting ready for completion by access persons, including reports of securities holdings, outside business activities, political contributions, gifts and entertainment report, and insider trading attestations.
- Risk Management Tip: Have each employee complete an annual questionnaire and accompanying attestation of compliance with the firm’s Code.
- Review surveillance reports, exception reports, and checklists for detection of trends and patterns indicating potential systemic risk areas and take appropriate actions as needed.
- Risk Management Tip: Consider having a third-party compliance consulting firm perform a review and provide recommendations on what steps should be taken to advance exception reporting and obtain more meaningful data.
Consider the Dynamics of Your Cybersecurity Program
- Confirm Incident Response Plan is comprehensive and outlines roles and responsibilities and includes preventative measures and response priorities.
- Risk Management Tip: Be sure to test your plan periodically with assistance from your IT provider.
- Ensure that vulnerability assessments and penetration testing are performed at least annually.
- Risk Management Tip: Have these tests performed by an information security firm that specializes in this area; if possible, for a more independent evaluation, select a reputable company that is not affiliated with your current IT provider.
- Perform a risk assessment of your cybersecurity policies, procedures and safeguarding protocols to ensure adequate controls are in place.
Confirm Marketing and Advertising is Being Reviewed
- Ensure that business presentations, commentaries, websites, social media sites, and other marketing materials are up-to-date, contain all necessary disclosures, have been reviewed by compliance, and are retained as part of the firm’s required books and records.
- Risk Management Tip: Perform testing via email reviews to help confirm that employees are only using currently approved marketing and promotional materials.
Prepare for Year-End Registration and Regulatory Filings
- Pull the IARD Preliminary Renewal Statement on or after November 13th and pay the annual required filing fees within the required deadline.
- Risk Management Tip: This year’s deadline for payment is December 18, 201 The method of payment instructions can be found at https://www.iard.com/ren_payment.
- Ensure all applicable required federal and/or state filings are made. Examples include Form 13F, Form 13H (Large Trader), Schedule 13D/G, Form PF and Form D (private funds), state net capital filings, state registrations, state notice filings and state blue sky filings.
- Risk Management Tip: Program all deadlines in Outlook or other electronic calendar and consider software and third-party outsourcing solutions to assist with these filings.
- Review current registration forms and client disclosure documents (g., Form BD, Form N1-A, Form ADV, client agreements, prospectus and statement of additional information, and private placement memorandums) to confirm they reflect current information and contain required and applicable disclosures.
- Risk Management Tip: Read the SEC issued instructions for the applicable document to ensure you are including all required informa Also consider recent SEC enforcement actions to better understand the types of disclosures the SEC requires.
- Have all registered personnel review their currently filed Form U-4 and confirm in writing whether it contains up to date and accurate information or needs updating.
- Risk Management Tip: Pull a copy of the last filed Form U-4 from the CRD system for each registered supervised person and distribute to them for revie
Analyze Current Testing and Assessment Steps
- Sample test client files to confirm that investment objectives have been documented and appear current and in-line with portfolio investments.
- Risk Management Tip: Implement an electronic process for tracking the timely receipt of new account opening documentation, including investment objective forms.
- Audit the billing process to ensure fees are calculated correctly.
- Risk Management Tip: Perform random checks of fees on invoices versus fees in client agreements to test for consistency and ensure disclosures on billing process are detailed on Form ADV Part 2A. Don’t forget to address in disclosures whether you bill on cash positions and/or pro-rate for additions and withdraws.
- Review solicitor arrangements to confirm that agreements are up-to-date and in compliance with Rule 206(4)-3 of the Advisers Act. Also verify that solicited clients received a copy of the solicitor’s disclosure statement.
- Risk Management Tip: Require each solicitor to provide written annual certifications confirming they remain in compliance with and are adhering to all requirements.
- Make sure the firm’s business continuity plan has been/will be fully tested and include both localized business disruptions and wide spread disasters.
- Risk Management Tip: Don’t forget to conduct due diligence on whether service providers have tested their plans and obtain a summary of results, including what enhancements they made in light of their test(s).
- Review maintenance and safeguarding controls for required books and records, including client, corporate and financial records, as well as consideration for the revised performance advertising books and records requirements.
- Risk Management Tip: Ensure employees understand the requirements on what they are responsible to maintain – and how.
- Confirm all branch offices have/will receive a compliance review in accordance with firm policies.
- Risk Management Tip: Perform onsite visits and consider the strength of internal controls for surveying offsite activitie
Confirm Scheduling of Financial and Custody Audits
- For private funds, verify that the annual audit of the fund’s financials is scheduled, and that internal controls are in place to ensure timely mailing of the audited financial statements to investors within the required per
- Risk Management Tip: Coordinate with the Fund’s third-party service providers and employees to allow enough time to prepare and facilitate the a
- Make sure, if applicable, that the annual surprise custody audit has been performed and Form ADV-E filed with the SEC via the firm’s IARD account.
- Risk Management Tip: CCOs should be familiar with SEC guidance issued in 2017 and ensure that all required assets are being included in the audits.
- Confirm the accounting firm hired to perform an annual financial audit or surprise exam is registered with, and subject to the Public Company Accounting Oversight Board (PCAOB), as required by the custody rule.
- Risk Management Tip: Perform an independent search on the PCAOB website at https://pcaobus.org/Registration/Firms/Pages/RegisteredFirms.aspx
Perform Employee Training
- Ensure compliance training has been provided to firm personnel covering firm policies and procedures, Code of Ethics and fiduciary responsibility, business continuity, cybersecurity, identify theft and safeguarding client non-public information.
- Risk Management Tip: Training can be delivered in several ways throughout each year, including webinars, in person compliance meetings, conferences, and periodic compliance emails. Importantly, be sure to provide training to new employees.
Don’t Forget Ad Hoc Activities
- Have legal counsel review standard client agreement(s) for necessary provisions and consistency with disclosures in Form ADV Part 2A as well as on the clarity of the services and fees associated with the servicing mandate
- Risk Management Tip: Have the agreement(s) reviewed by legal counsel well versed in federal and state securities laws.
- Confirm that due diligence reviews of service providers have been performed and documente
- Risk Management Tip: Automate a due diligence calendar and monitoring system for tracking purposes.
Transparency and strength are cornerstones of a solid compliance program. Communication and training to employees on compliance requirements help them understand and better adhere to regulations. Trust, but verify that controls are working properly and promptly correct identified gaps. Use technology to the extent possible to monitor and review compliance areas.
Our hope is that this checklist will prove to be a useful tool for referencing internal controls evaluations to be completed this year. The list also can be used as a foundation for providing senior management with a summary report that outlines the reviews and testing performed, the steps taken to ensure compliance, and any recommendations of enhancements for the coming year.
For more information, or for assistance with your year-end compliance projects and evaluations, please contact us at firstname.lastname@example.org, at (619) 278-0020 or visit us at www.corecls.com for more information.
Author: Tina Mitchell, Lead Sr. Compliance Consultant; Editor: Michelle Jacko, CEO, Core Compliance & Legal Services, Inc. (“CCLS”). CCLS works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
 This list is not all inclusive. It is meant only to provide guidance on what CCOs should be thinking about.
 See CCLS Risk Management at http://www.corecls.com/news-events/annual-reviews-risk-management-update.
 See SEC Office of Compliance Inspections and Examinations National Examination Risk Alert (Aug. 7, 2017) found at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
 Effective October 1, 2017, the books and records rule was amended relating to maintenance of certain records supporting performance advertisements and communications; see IA Rel. No. IA-4509 available at https://www.sec.gov/rules/final/2016/ia-4509.pdf.