At the beginning of 2021, the Securities and Exchange Commission (“SEC”) released its exam priorities report for the year. In the release, the SEC stated the following:
“The Division will continue to review the compliance programs of RIAs, including whether those programs and their policies and procedures are reasonably designed, implemented, and maintained.”
This statement was in line with the Risk Alert they had previously issued in November 2020 on investment adviser compliance programs. In the Alert, the SEC noted the main deficiencies found during their recent exam of advisers, which included lack of appropriate resources devoted to compliance, insufficient authority given to the Chief Compliance Officer (“CCO”), inability to demonstrate the performance of required annual reviews, and inadequate and not appropriately customized written policies and procedures.
To further solidify the message of their focus on firm compliance programs, to date in 2021 the SEC has brought numerous enforcement cases against investment advisers for not having appropriate compliance controls and written policies and procedures covering areas that include but are not limited to mutual fund share class selection, best execution, revenue sharing arrangements, conflicts of interest, cybersecurity, custody, charging advisory and performance fees, and disclosures.
To assist CCOs with ensuring the soundness of their firm’s compliance programs, this Risk Management Update provides a detailed list of compliance tasks that should be completed by year end (as applicable), along with suggested risk management tips to consider.
- Complete a risk assessment and conflicts inventory to confirm all identified risks and conflicts have been adequately addressed and disclosed. Risk Management Tip: Map each risk and conflict to policies and procedures that outline the appropriate elimination or mitigation steps being taken.
- Determine whether the firm’s compliance policies and procedures address the high-risk areas outlined in the SEC’s Risk Alerts and exam priorities list that are applicable to the firm’s business practices, along with any regulatory changes that have taken place during the year. Risk Management Tip: Be sure that the policies and procedures in the high-risk areas address remote workers, as applicable.
- Review current registration and client disclosure documents (i.e., Form ADV and CRS) to ensure they reflect current information and contain required disclosures. Risk Management Tip: Read the SEC issued instructions for each document to ensure all required information is included. Also, consider recent SEC enforcement actions available on the SEC’s website (sec.gov) to better understand the types of disclosures the SEC requires.
- Confirm compliance testing protocols are working properly and set up to detect both gaps in processes and trends and patterns that show potential systemic risk. Risk Management Tip: Ensure testing is being performed covering the high-risk areas identified by the SEC that are applicable to the firm.
- Examine the firm’s annual review process performed over the last couple of years and make enhancements to help ensure it remains sufficient in determining the adequacy and effectiveness of firm policies, procedures, and controls in preventing violations of applicable securities regulations. Risk Management Tip: Consider using a third-party service provider to periodically perform annual reviews. Having an independent review often brings to light areas that were unintentionally missed.
- Complete compliance reviews of all branch offices. Risk Management Tip: Document the details of the reviews, including what areas were examined, interviews performed, findings, and updates needed.
- Ensure that the firm is in compliance with the Department of Labor’s new Fiduciary Advice Exemption (PTE 2020-02) to the extent available and applicable by the December 20th deadline. Risk Management Tip: For more detail, review our Risk Management Update.
- Review your Compliance Calendar to confirm all compliance tasks outlined in your firm’s policies and procedures have been/will be completed. Risk Management Tip: Utilize compliance technology to help ensure all tasks are performed within required time periods.
- Perform an audit of the firm’s fee calculation and billing process to ensure advisory fees are calculated and billed to clients in accordance with client agreements and disclosures. Risk Management Tip: Interview employees that perform billing to confirm their knowledge of the firm’s billing policies and procedures and required safeguards to help ensure accuracy.
- Confirm that business presentations, commentaries, websites, social media sites, and other marketing materials are up to date, contain all necessary disclosures, have been reviewed by compliance and are retained as part of the firm’s required books and records. Risk Management Tip: Now is the time to begin analyzing how the requirements under the new Marketing Rule will affect your firm’s marketing practices.
- Have legal counsel review standard client agreements for required and necessary provisions and consistency with disclosures in Form ADV. Risk Management Tip: Utilize legal counsel that is fully versed in federal and state securities laws.
- Perform an assessment of your cybersecurity policies, procedures, and prevention controls to confirm risk areas have been addressed and ensure adequacy and effectiveness of the program. Risk Management Tip: Provide user awareness training to employees that includes information on current cyber-crimes and how to handle cases of identified cyber threats.
- Ensure that vulnerability scans and penetration testing are performed before year-end on all networks and electronic systems being used for business purposes. Risk Management Tip: Utilize an IT firm that specializes in this area.
- Test safeguarding protocols and controls in place to ensure that client non-public information is being protected. Risk Management Tip: Ensure that employees working at home have implemented adequate safeguards to prevent unauthorized access to such information.
- Confirm that the firm’s cybersecurity incident response plan is customized to business practices and includes details on roles and responsibilities of the response team, a description of preventative measures, and response priorities and protocols. Risk Management Tip: Discuss the process with a cybersecurity expert to ensure all applicable areas are covered.
- Ensure that there are strong controls in place for confirming client identity when a client is requesting money transfers via phone or email. Risk Management Tip: Perform testing of firm protocols to ensure that no steps are being circumvented.
- Determine whether any clients have Standing Letters of Authorization with their custodian that authorize the firm to transfer client assets to third parties. Risk Management Tip: Confirm that these assets are reflected in Item 9 of Form ADV Part 1 and the firm’s policies and procedures outline controls in place to address this type of custody.
- If the firm is deemed to have custody that requires an annual surprise custody audit, ensure it is performed and the Form ADV-E gets filed with the SEC prior to year-end. Risk Management Tip: Ensure the engagement agreement with the auditing firm contains the information required by Rule 206(4)-2 (a)(4) under the Advisers Act, and when required, the auditing firm is registered with, and subject to, the Public Company Accounting Oversight Board (PCAOB).
- Pull the IARD Preliminary Renewal Statement on or after November 8th and pay the annual required filing fees. Risk Management Tip: This year’s deadline for payment is December 13, 2021. The method of payment instructions can be found at https://www.iard.com/accounting#Renewal_Account. Also review current investment adviser representative registrations to determine if any post-dated U-5 filings should be made to terminate unnecessary state registrations.
- Confirm that all applicable required federal and/or state filings are made. Examples include Form 13F, Form 13H (Large Trader), Schedule 13D/G, Form PF, and Form D (private funds), NFA filings, state net capital filings, state registrations, state notice filings and state blue sky filings. Risk Management Tip: Program all deadlines in your Compliance Calendar and consider compliance technology and third-party outsourcing solutions to assist with these filings.
- Ensure that all registered personnel have reviewed their current Form U-4 and Form ADV Part 2Bs, as applicable, and confirmed that information is accurate. Risk Management Tip: Have each representative provide written certifications that they have no new disciplinary or legal issues to disclose.
- Analyze maintenance and safeguarding controls for required books and records, including client, corporate and financial records. Risk Management Tip: Ensure employees understand the requirements on what to maintain – and how.
- If the firm manages private investment funds, confirm that an annual audit of affiliated private fund financials has been scheduled/performed and internal controls are in place to ensure timely delivery of the audited financial statements to investors within the required period. Risk Management Tip: Coordinate with each fund’s third-party service providers and employees to allow enough time to prepare for and facilitate the audit.
- Ensure that due diligence reviews of service providers have been performed and documented, with particular focus on the service provider’s business continuity, cybersecurity, privacy, and supervision of remote employees. Risk Management Tip: Implement an automated due diligence calendar and monitoring system for tracking purposes.
- Ensure compliance training has been provided to employees covering firm policies and procedures, cybersecurity, business continuity, and privacy safeguards and include additional considerations regarding senior clients. Risk Management Tip: Training can be delivered in several ways, including webinars, in person compliance meetings, conferences, simulated phishing exercises and sending periodic compliance reminder emails.
- Confirm by year end that all annual compliance reporting has been completed by employees, including, but not limited to, reports covering annual securities holdings, outside business activities, political contributions, gifts, and entertainment. Risk Management Tip: Consider implementing compliance technology to facilitate and document the reporting and annual certification process.
The amount of money an advisory firm must devote to compliance in order to maintain a solid compliance program continues to grow each year. Mainly, this is due to the complexity of current and new regulations and the extensive amount of administrative work involved, as evidenced by the checklist provided herein. While a firm cannot control the issuance of regulations, there are ways to control costs. Over the last few years, implementing compliance technology has become a very cost-efficient way to administer compliance throughout a firm. Outsourcing various compliance functions, including the role of CCO, also provides an effective way to save money in this area. Importantly, when determining the amount that should be allocated to the compliance function, senior management should consider the price tag for non-compliance. For example, for fiscal year ended 2020, the SEC imposed penalties totaling in aggregate over $1.1 billion and ordered disgorgement payments in the amount of $3 billion.
To find out about technology solutions and outsourcing services offered by Core Compliance, and how we can further assist with year-end compliance planning and beyond, please contact us at (619) 278-0020.
Author: Tina Mitchell, Managing Director, Consultation Services; Editor: Janice Powell, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and managers to private funds on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
 This list is not all inclusive and is only meant to provide guidance on what CCOs should be considering.