It's common knowledge in the securities industry that an investment adviser registered with the Securities and Exchange Commission (“SEC”) is required to have a compliance program in place, which must be structured and maintained to prevent violations of applicable federal securities laws. Specifically, Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”), as amended (the “Compliance Rule”), is the regulation that mandates this requirement.
The Compliance Rule specifies that investment advisers need to perform an annual review of their policies and procedures. The purpose of the review is to ensure that the policies and procedures continue to address all applicable regulations and firm business practices and remain reasonably designed to prevent violations. As stated, that may sound somewhat easy; however, it is not.
In order to confirm that policies and procedures are adequately designed to prevent violations, advisory firms must perform extensive testing and reviews, not only annually, but throughout each year. This allows the firm to address any potential or actual violations in a more timely manner. In addition, a firm should review its policies and procedures any time there is a change to business practices and/or a new or amended regulation has been issued.
Last month’s Risk Management Update (“RMU”) discussed important elements for strengthening a firm’s Compliance Program,[1] including adopting risk-based policies and procedures, leveraging technology, and enhancing supervision and surveillance. This month’s RMU drills down into the types of testing and surveillance to consider for monitoring various high-risk areas, which will help you maintain a vigilant and strong Compliance Program.
Testing Procedures
Generally, there are three main types of tests that should be performed by investment advisers to monitor compliance. These include:
- Transactional tests that are performed at the time of the activity;
- Periodic tests that are performed at a set frequency (e.g., monthly, quarterly, or annually); and
- Forensic tests that compare data over a period of time.
While there may be areas that do not need all three types of tests performed, it is extremely important to ensure that the types of testing utilized are geared to detect anomalies.
Below are some examples of tests to perform in a few areas that the SEC has deemed to be high-risk:[2]
Valuation and Fee Billing
Testing: (i) compare a sampling of securities prices from custodian against the prices from a reliable third-party source, (ii) run a report from your portfolio accounting system for stale pricing (i.e., unchanged securities’ prices), (iii) if using market value from custodian, reconcile market value of client accounts being used for fee calculation with the market value from the custodian, (iv) check that the fee percentage being used to calculate clients’ fees matches the fee percentage in client agreements, and (v) review the calculation method in your portfolio accounting system to confirm it is in line with client disclosures (i.e., Form ADV and client agreement).
Trading and Best Execution
Testing: (i) check trade blotter for any principal trades[3] or cross trades[4] executed, and if so, confirm they were completed in line with firm policies and procedures and regulatory requirements, (ii) perform sample testing of execution prices received for trades vs. an appropriate benchmark (e.g., volume weighted average price (VWAP)), (iii) review total amount of soft dollar commissions against total commissions generated to see if ratio appears appropriate and in line with disclosures, (iv) perform back-end review of trade rotation executions to see if any clients are being disadvantaged over time, and (v) analyze mutual fund purchases to determine whether clients are being invested in the most economical share class at time of trade.
Portfolio Management and Due Diligence of Investments
Testing: (i) analyze the performance of clients’ accounts invested in the same strategy to identify any outliers, (ii) compare client investments with stated investment objectives, risk tolerance, and any restrictions, (iii) select certain investments made for clients and confirm whether documentation on file supports the firm’s trade activity in each investment, (iv) review strategy investments to determine if they are in line with marketing materials, and (v) create sample transactions to test automated pre-trade compliance checks.
Trade Aggregation and Allocations
Testing: (i) check that trade aggregations and allocations are being performed in line with firm written policies and procedures, (ii) compare the performance of accounts with performance-based fees vs. those charged a non-performance based fee for any disparities that may indicate favoritism in allocations, (iii) review trade blotter for aggregated trades and confirm participating clients received same average price, (iv) check allocations of partially filled aggregated trade orders to confirm the allocations made were fair and equitable, and (v) test the allocation of limited offerings (e.g., IPOs, private investments) among eligible client accounts to determine if any were inappropriately left out.
Performance Advertising
Testing: (i) review sampling of records to confirm the retention of data necessary to substantiate advertised performance, (ii) compare holdings within accounts in a composite to confirm appropriateness of the account’s inclusion, (iii) require pre-clearance of all marketing materials prior to dissemination, (iv) check backup documentation against statistical information in materials for correctness, and (v) analyze strong outperformance vs. the selected index to determine if the index used is representative of the investment strategy.
Electronic Communications
Testing: (i) perform periodic sampling reviews of business emails, social media posts, instant messaging, and text messages for potential violations or other compliance issues, (ii) perform internet search of firm name and key personnel to see if any unauthorized sites are being used, (iii) check that copies of approved business website and social media postings are being retained, (iv) interview key personnel to confirm whether they are adhering to the firm’s policies and procedures, and (v) review third-party software (e.g., Bloomberg, FactSet, Salesforce) used by the firm to determine if their instant messaging capabilities are turned on and any communications are being retained.
Safeguarding Client Non-Public Information
Testing: (i) review operational process for releasing client account information to third parties to confirm appropriate written authorization is being obtained and on file, (ii) check to determine that the safeguarding protocols outlined in policies and procedures, including those pertaining to disposal of non-public information, are being followed, (iii) check that file cabinets and rooms containing non-public information are locked and only authorized personnel have access, (iv) have employees complete periodic (e.g., quarterly or semi-annually) certifications of adherence to the firm’s privacy policy and all the mandated safeguarding procedures, and (v) perform sampling review of client account activity to determine if any identity theft red flags appear.
Surveillance Process
Surveillance is also an important component, as it consists of the ongoing observation of both the risk areas and the results of the testing carried out. At a high level, surveillance steps should include confirming that tests are performed at appropriate frequencies, monitoring the results of the tests, and ensuring that any identified issues are promptly addressed.
To perform effective surveillance, the use of technology is a necessity, and it should be programmed to analyze the data, identify anomalies, and produce exception reports for review by appropriate staff.
Conclusion
Having a strong Compliance Program requires a lot of time and effort. Together, testing and surveillance, when properly administered, are instrumental in early detection of potential and actual violations, which in turn allows a firm to mitigate, or even prevent, client harm and costly violations.
The Core Compliance consulting team has extensive experience in assisting firms with implementing and strengthening their compliance testing and surveillance programs and performing annual reviews. We also offer compliance technology solutions, which play a crucial role. For more information, please contact us at info@corecls.com, at (619) 278-0020 or visit us at www.corecls.com.
Author: Tina Mitchell, Managing Director, Consultation Services; Editor: Matt Rothchild, Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, and private fund managers on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon regarding any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] See Strengthening Your Compliance Program: A Risk Management Perspective – Core Compliance
[2] Please note the list is not all inclusive of areas the SEC considers to be high-risk.
[3] A buy and sell transaction between a proprietary or employee account and any client account.
[4] One client buys and one client sells same security, same number of shares, on same day at same broker.