Developing, implementing, and maintaining a robust compliance program is vital to an advisory firm’s ability to effectively detect and prevent compliance violations and to avoid getting in trouble with regulators. But compliance is also hard. Compliance programs are complex and challenging to develop, implement, and administer given the complexity of investment adviser and other securities regulations that apply to advisory firms.
In this article, we highlight the top ten mistakes that we have seen over the years when reviewing investment adviser compliance programs with an eye towards helping advisers determine if they are vulnerable to any such mistakes and how they can fix them if identified.
At the outset, before we discuss the top ten mistakes, it’s vital that we define what we mean by an investment adviser compliance program. In general terms, the investment adviser compliance program encompasses the documents, processes, and personnel that help an investment adviser detect and prevent violations of the securities laws applicable to the adviser’s business. Core compliance program documents include compliance risk assessments, the adviser’s compliance policies and procedures, compliance logs, reports on compliance matters (including, without limitation, results of any compliance reviews and testing conducted), etc. Processes include those workflows that reflect how compliance tasks are completed based on the procedures included in the firm’s compliance policies and procedures. Personnel include a “Chief Compliance Officer” (CCO) along with any other individuals tasked with administering the firm’s compliance program, which generally includes reviewing compliance issues and testing to ensure that the compliance program is operating as intended.
The first mistake we see with investment adviser compliance programs is that advisers sometimes fail to conduct an adequate risk assessment prior to developing the firm’s compliance policies and procedures. Risk assessments are vital as they inform how much time and effort should be devoted to specific compliance matters, based on the adviser’s business model, organizational structure, and operating infrastructure as well as regulatory priorities of regulators. Advisers that fail to conduct an adequate risk assessment may create compliance policies and procedures that do not place an appropriate amount of attention on high-risk areas for the firm.
In conducting risk assessments, advisers can pull from many internal resources to evaluate the compliance risks faced by their firms including, without limitation, reviewing the adviser’s service and product offerings, fee structures, investment and trading strategies, and business arrangements with affiliated and non-affiliated entities. Advisers can also understand key regulatory priorities for regulators by keeping abreast of communications from regulators and evaluating the extent to which such topics impact the adviser. Conducting such risk assessments in advance of developing compliance policies and procedures can invariably help an adviser adopt more meaningful policies and procedures to address the areas where the firm is most at risk.
The second mistake we often see is advisers that develop compliance manuals that are light on actual procedures. This often occurs where advisers utilize template compliance documents in order to prepare their compliance policies and procedures. Compliance manuals typically contain both policies and procedures, and while policy statements outlining the firm’s general position on compliance matters are important, the procedures are the actual steps the adviser follows to ensure the adviser is following its policies. The failure to adopt clearly-defined procedures leaves personnel with little guidance as to how they should carry out their compliance responsibilities, and gaps in procedures will invariably lead to compliance violations. Therefore, before drafting compliance procedures, advisers should go through the exercise of thoroughly mapping out the steps that personnel should follow to ensure compliance in a specific area and reflect those in a meaningful way in their compliance policies and procedures.
A third and related mistake is the failure to appropriately assign responsibility for compliance tasks to specific individuals where appropriate. Compliance procedures should clearly delineate who has responsibility for specific tasks – otherwise, confusion ensues as to who is responsible for performing certain functions, which can lead to compliance violations where duties fall through the cracks. While the Chief Compliance Officer has overall supervisory responsibility for an adviser’s compliance program, other firm personnel can and should take on specific compliance responsibilities, particularly where they may have more experience than the Chief Compliance Officer on specific matters, such as investments and financial affairs. On the flip side, assigning responsibility to specific individuals can help create clarity for personnel.
A fourth mistake we see is compliance policies and procedures that are overly complex. While we noted that it’s important that a firm’s compliance procedures be sufficiently robust to ensure that compliance functions are performed effectively, it’s also important to note that creating overly-complex procedures can also breed risk. The more complex procedures are, the more likely it is that firm personnel will not follow all such procedures, which can lead to inadvertent violations of the compliance policies and procedures. Regulators will penalize advisers for having compliance procedures that they are not following. Therefore, when feasible, advisers should periodically take stock of their compliance procedures to evaluate if steps can be removed without reducing the efficacy of such procedures.
A fifth mistake often seen in adviser compliance programs is the failure to adequately update policies and procedures in a timely fashion. Some advisers have adopted a mindset that once the compliance policies and procedures are in place, the adviser can move on to address other matters impacting the firm without having to revisit compliance policies and procedures regularly. However, this can be a dangerous mindset particularly since advisory businesses or operations and adviser regulations evolve more quickly than most advisers anticipate, and such changes will typically impact the firm’s compliance policies and procedures in some manner. Compliance must be proactive and not merely reactive. The failure to appropriately and timely update such compliance policies and procedures as developments arise can cause a regulator to cite the adviser for failing to have up-to-date compliance policies and procedures that are tailored to the firm’s business.
As such, advisers should regularly review their compliance policies and procedures to evaluate whether any recent business or regulatory changes warrant modifications to the policies and procedures.
A sixth mistake often seen in adviser compliance programs is the failure to designate an individual (or individuals) who is sufficiently qualified and has sufficient time to administer the firm’s compliance program. Regulators such as the SEC expect that those who are tasked with administering an adviser’s compliance program have sufficient training, experience, knowledge, and time to carry out those functions. Otherwise, the compliance program will not perform as expected to identify and prevent compliance violations. Compliance policies and procedures, standing alone, do not represent a sufficiently robust compliance program, and the failure to follow policies and procedures can lead to serious regulatory violations and even, in some cases, personal liability for the person tasked with administering the compliance program. Therefore, it’s vital that advisers choose someone who is sufficiently trained, experienced, and knowledgeable to administer their compliance program.
A seventh mistake commonly seen in adviser compliance programs is the failure to adequately prioritize the areas requiring the most time and attention in administration of the compliance program. In practice, this means that advisers are not focusing enough attention on high-risk areas and spending too much time on low-risk areas, which increases the likelihood of more serious compliance violations.
Time and resources devoted to compliance for many advisory firms are limited, and therefore, advisers must maximize efficiency and effectiveness in how such time and resources are utilized. That’s why it’s vital to ensure that time and resources are allocated to reviews and testing with respect to those areas of highest risk for the adviser, which makes conducting risk assessments periodically over time even more important for advisers.
An eighth mistake that we see in many advisory compliance programs is the failure to adequately document an adviser’s compliance efforts. Often, advisers will conduct reviews and tests but fail to document their efforts because documentation takes time and can be tedious. Nonetheless, regulators, such as the SEC, take the position that if there is no documentation evidencing an adviser’s compliance efforts, the SEC can only assume that the reviews and testing did not occur. Therefore, it’s vital for advisers to include in their policies and procedures steps to require documentation of any reviews, tests, or other duties performed in connection with the administration of the compliance program. Advisers should routinely remind personnel of the need to document their compliance efforts as it’s easy for employees to forget, particularly if they have a significant number of other responsibilities.
A ninth mistake we often see in adviser compliance programs is the failure to provide employees with adequate training on compliance matters. Compliance is hard, even for compliance professionals, and so it’s understandable why it takes firm personnel a long time to grasp compliance concepts. That’s why it’s vital for those responsible for the compliance program to ensure that there is enough training provided to firm personnel, particularly because in many instances firm personnel do not speak up when they do not adequately understand the firm’s policies and procedures. Repetition is vital, and so it’s important for those responsible for the compliance program to provide multiple avenues for firm personnel to get a better handle on the firm’s compliance obligations and their individual responsibilities as it pertains to the compliance program.
A tenth mistake we often see in adviser compliance programs is failing to devote enough time and resources to compliance. As we noted at the outset and throughout this article, compliance is hard, and it should not be underestimated how much time and resources must be devoted to ensuring that a firm remains in compliance with applicable laws, rules, and regulations, particularly now given that regulators have become increasingly aggressive in pursuing advisory firms for compliance failures. Therefore, compliance must be made a priority in the allocation of time and resources in order for the compliance program to achieve its goals and to ensure that the firm does not become subject to regulatory sanctions.
Fortunately, there are now more resources than ever to help advisers to effectively develop, implement, and administer their compliance programs in a manner that is more cost-effective than maintaining such responsibilities in-house. Firms like ours can provide a number of services to support an adviser’s compliance program.
What questions do you have about developing, implementing, and administering an investment adviser compliance program? Please reach out, and we’d be happy to answer them for you.
© Brightstar Law Group. All rights reserved.