Annual reviews are a required compliance task that must be completed by all investment advisers registered with the Securities and Exchange Commission (“SEC”). However, many investment advisers may not understand the regulatory intent and expectations for performing the mandatory annual review.
To that end, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a risk alert in February 2017 titled: “The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers”, which identified inadequacy and/or non-performance of annual reviews as a common deficiency and stated the following:
“Annual reviews are not performed or did not address the adequacy of the adviser’s policies and procedures. The staff observed that certain advisers did not conduct annual reviews of their compliance policies and procedures, as required by the Compliance Rule. In addition, the staff identified advisers that conducted annual reviews that did not address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. Staff also observed that advisers did not address or correct problems identified in their annual reviews.”[1]
The Rule
As per Rule 206(4)-7 of the Investment Advisers Act of 1940, (the “Act”), a registered investment adviser must perform an annual review of its policies and procedure to ensure they are crafted to effectively meet the Firm’s regulatory requirements. This review requires more than a simple read-through of the Firm’s manual. The review, as described below, is intended to be based on actual testing of the policies and procedures. Additionally, the review should take into consideration changes to the Firm’s business model and new regulations which would require revisions to the policies and procedures.[2]
The Implications
Since the adoption of Rule 206(4)-7, the SEC has filed a number of enforcement actions against SEC-registered investment advisers for not meeting the requirements of, or performing the required annual review. For example, in September 2018, the SEC announced administrative proceedings against Hudson Housing Capital LLC (HHC) for not complying with the custody rule and failing to conduct annual reviews of its compliance policies and procedures. Without admitting or denying the charges, HHC agreed to be censured and to cease and desist from committing or causing any violations and future violations of Section 206(4) of the Advisers Act and Rules 206(4)-2 and 206(4)-7 thereunder, and to pay a civil penalty of $65,000.[3]
How to Correctly Perform the Annual Review
As stated above, Rule 206(4)-7 requires a review of a firm’s policies and procedures to determine their adequacy and effectiveness in meeting the Firm’s regulatory requirements. But how is this done? How do you determine the effectiveness of your Firm’s policies and procedures? The following is an overview of the steps that a Firm should take when performing an annual review:
Step One: Deciding Areas to Test – An effective annual review is based on testing that is performed and reviewed throughout the year. As the Firm’s policies and procedures generally cover the gamut of regulatory requirements, it can be a daunting task to decide which areas to test or prioritize. To begin, the Firm should approach the annual review from the perspective of testing the Firm’s highest areas of risk. Although not required, performing a risk assessment[4] prior to, or in conjunction with performing the annual review can really help the process.
Once risks are identified, they should be graded from highest to lowest in some manner. For example, high, medium, low or 1, 2, 3. The important objective is to identify the Firm’s highest risks and prioritize those areas to begin annual review testing.
Step Two: Design and Perform the Tests – Once a Firm has determined which areas to concentrate on, specific tests for those areas must be designed. Testing generally takes three forms:
- Transactional testing is performed at the time of the activity. An example of a transactional test would be pre-clearance of employee personal trades.
- Periodic testing is performed at certain times/intervals. An example would be a quarterly best execution analysis.
- Forensic testing involves analyzing information over a longer period of time, looking for trends and patterns. An example would be a review of the internal valuation of assets with valuations provided to clients on custodial statements.
Step Three: Document the Review and Report to Senior Management- While Rule 206(4)-7 does not mandate a written report, many firms utilize a spreadsheet or written memo to document and report the annual review findings. Whichever format is used, the following areas should be addressed:
- Area Tested
- Risk Level
- Applicable Rule
- Test Performed
- Findings
- Recommended Corrective Action
- Person Corrective Action Assigned To
- Date Corrective Action Completed (if the spreadsheet format is utilized)
Once completed, the report should be presented to the Firm’s senior management for assessment and approval of recommended corrective action. The report should be maintained in the firm’s books and records for a period of no less than five years from the end of the fiscal year in which the review was performed.
Step Four: Implement Recommended Corrective Actions
As stated above, the annual review report should contain a summary of findings that revealed gaps in the Firm’s policies and procedures, recommended corrective actions, one or more point persons responsible for completing the corrective action, and a timeline for completion. Typically the Chief Compliance Officer is tasked with monitoring the status of corrective actions and reporting completions to senior management. For full documentation, the following year’s annual review report should reference the prior year’s corrective actions taken.
Conclusion
Annual reviews are not just a regulatory requirement to fulfill, but rather an important process that allows firms to not only assess the effectiveness of their policies and procedures but to help ensure the controls in place adequately address risks and conflicts. Performing testing throughout each year allows firms to promptly correct any gaps found in their Compliance Program, which in turn can potentially result in cost savings for the firm. Annual review testing should be varied in order to meet changing regulatory requirements and firm business practices, as applicable. CCOs should have a thorough understanding of the responsibility they have for administering this important part of their firm’s compliance program.
Author: Core Compliance & Legal Services; Editor: Tina Mitchell, Managing Director, Consultation Services; Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity Firms and banks on regulatory compliance issues. This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] See https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf
[2] See https://www.sec.gov/rules/final/ia-2204.htm
[3] See https://www.sec.gov/enforce/ia-5047-s
[4] See https://www.corecls.com/news-events/core-steps-for-performing-and-documenting-a-risk-assessment
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.