OCIE Identifies Common Compliance and Supervisory Deficiencies of Investment Advisers

The U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) recently released two risk alerts applicable to investment advisers: (1) a Risk Alert (Branch Office Alert)^[1] identifying common supervisory and compliance-related issues observed in investment adviser firms that operate from multiple offices, and (2) a Risk Alert (Compliance Rule Alert)^[2] addressing notable compliance issues related to Advisers Act Rule 206(4)-7 (the Compliance Rule).^[3]

OCIE Observations Related to Supervision, Compliance, and Multiple Branch Offices

The Branch Office Alert summarizes OCIE’s observations from a recent series of examinations focused on SEC-registered investment advisers operating from multiple branch offices and “with operations geographically dispersed from the adviser’s principal or main office” (“Initiative”).^[4] These examinations were conducted between 2016 and 2018 and included nearly 40 examinations of advisers’ main offices plus one or more examinations of the associated branch offices. Most firms examined under this Initiative conducted their advisory business out of ten or more branch offices. This Initiative focused on, among other things, (1) assessing whether the advisers had adopted and implemented appropriate compliance programs under the Compliance Rule in both their main offices and branch offices, and (2) evaluating the processes used by supervised persons located in branch offices to provide investment advice to advisory clients of the firm.

OCIE staff noted a range of deficiencies across these examinations, including advisers that had not fully implemented policies and procedures to address the advisory activities occurring in branch offices and geographically dispersed advisory activities and operations. The Branch Office Alert outlines common deficiencies identified by OCIE staff and provides examples of practices and procedures implemented by advisers to improve compliance and advisory practices at the firms.

1.     Compliance and Supervision

OCIE staff noted that “[t]he vast majority of the examined advisers were cited for at least one deficiency related to the Compliance Rule.”^[5] More than half of these advisers had compliance policies and procedures that were “(1) inaccurate because they included outdated information, such as references to entities no longer in existence and personnel that had changed roles and responsibilities; (2) not applied consistently in all branch offices; (3) inadequately implemented because, among other things, the compliance department did not receive records called for in the policies and procedures; or (4) not enforced.”^[6]

Compliance Rule issues were often related to advisers failing to recognize they had custody of client assets such that they must comply with Advisers Act Rule 206(4)-2 (the “Custody Rule”),^[7] including through practices such as comingling assets with those of its clients or acting as the general partner to an advised limited partnership.^[8] Advisers failing to adequately implement and oversee fee-billing practices, such as by failing to adopt and implement policies and procedures to identify and remediate instances where clients were charged undisclosed fees, was also an important consideration noted by OCIE staff.^[9] Other compliance deficiencies observed by OCIE staff related to (1) oversight and supervision of supervised persons, such as by failing to disclose material information (including disciplinary events of supervised persons), or supervised persons making portfolio recommendations that were not in the client’s best interest; (2) advertising, such as by omitting material disclosures or including superlatives or unsupported claims; and (3) code of ethics deficiencies, including failure to comply with reporting requirements, review transactions and holdings reports, identify access persons properly, or include all required code of ethics provisions.

2.     Investment Advice

More than half of the advisers examined under the Initiative were cited for deficiencies related to portfolio management practices. These deficiencies were often related to “(1) oversight of investment decisions, including the oversight of investment decisions occurring within branch offices; (2) disclosure of conflicts of interest; and (3) trading allocation decisions.”^[10]

More specifically, these deficiencies largely related to oversight of, or the reasonable basis for, making certain investment recommendations in connection with (among other things) (1) mutual fund share-class-selection practices and disclosure of such practices, including advisers purchasing share classes of mutual funds that charged 12b-1 fees instead of share classes of the same mutual funds that were available to clients and charged lower fees, which benefited the advisers and created a conflict of interest that was not disclosed to clients; (2) wrap fee programs, including failure to adequately assess whether such programs were in the best interests of clients or misrepresenting or failing to adequately disclosure details of wrap fee programs; and (3) account rebalancing, including advisers implementing automated rebalancing of accounts that caused clients to incur short-term redemption fees from mutual funds, or failing to consider whether these automated processes were in the best interest of clients. Other deficiencies included issues related to the failure to fully and fairly disclose conflicts of interest, such as expense allocations that appeared to benefit proprietary fund clients over non-proprietary fund clients, or financial incentives for the advisers and/or their supervised persons to recommend certain investments. Finally, many advisers were cited for issues relating to their trading practices and allocation of investment opportunities, including lack of documentation of the advisers’ analysis of best execution for their clients, completing principal transactions involving securities sold from the firms’ inventory without first obtaining client consent, and inadequate monitoring of supervised persons’ trading, including improperly allocating block-trade losses to clients rather than supervised persons.

3.     OCIE Staff Observations Regarding Compliance Practices

Over the course of the observations conducted during this Initiative, OCIE staff observed many practices that firms may find helpful in designing and implementing their own policies and procedures under the Compliance Rule, including the following:

• Advisers adopted and implemented written compliance policies and procedures that applied to all office locations and all supervised persons, included unique aspects associated with individual branch offices, and specifically addressed compliance practices necessary for the effective oversight of branch offices. Many advisers had policies and procedures for compliance monitoring and oversight of branch offices, which typically included compliance reporting by the branch offices. Examples of helpful policies include the following:
  • Uniform policies and procedures for main office oversight of monitoring and approving advertising.
  • Centralized, uniform processes to manage client fee billing, which tended to limit exceptions from these centralized processes and mitigated instances in which branch offices or supervised persons had independent billing options or fee arrangements that deviated from client agreements or disclosures.
  • Centralized processes for monitoring and approving personal trading activities for the advisers’ supervised persons located in all office locations. Some such programs included an automated review and approval of personal trading requests and transactions and/or training for supervised persons related to the advisers’ codes of ethics and personal-trading policies.
• Advisers performed compliance testing or periodic reviews of key activities at all branch offices. These reviews were conducted at least annually, with some advisers conducting reviews more frequently. Examples of such reviews include the following:
  • Confirming that branch offices undertook compliance or supervision reviews of their portfolio management decisions, both initially and on an ongoing basis.
  • Designating individuals at branch offices to provide portfolio management monitoring, particularly to assess whether the branch offices’ investment recommendations were consistent with clients’ investment objectives or recommendations.
  • Consolidating branch office trading activities into the advisers’ overall testing practices.
  • Conducting compliance reviews that did not solely rely on self-reporting by advisory personnel.
• Advisers established compliance policies and procedures to check for prior disciplinary events of supervised persons, both when initially hiring personnel and to periodically confirm the accuracy of disclosures regarding such information.
• Advisers required branch office employees to undergo compliance training specifically targeting areas identified as needing improvement based on their branch office reviews. Such training was typically required semi-annually or at least annually.

OCIE Observations Related to the Compliance Rule

The Compliance Rule Alert provides an overview of notable compliance issues related to the Compliance Rule,^[11] which the staff explained is an area with the most common deficiencies.^[12] The Compliance Rule requires SEC-registered advisers to (1) adopt and implement written policies and procedures; (2) review these policies and procedures at least annually; and (3) designate a Chief Compliance Officer (CCO) to administer the adviser’s compliance policies and procedures.

The Compliance Rule does not enumerate specific elements that must be included in an adviser’s policies and procedures. Instead, it requires that each adviser adopt policies and procedures “reasonably designed to prevent violation,” which should be tailored to the adviser’s specific operations. These policies and procedures “should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.”^[13] The Compliance Rule also requires advisers to review their policies and procedures at least annually to evaluate their adequacy and the effectiveness of their implementation. This review should consider the activities of the adviser during the prior year, including any compliance matters that arose, any changes in the business activity of the adviser or its affiliates, and any changes to the Advisers Act or the regulations thereunder that may necessitate a revision of an adviser’s policies and procedures. OCIE also notes that, while the Compliance Rule only requires advisers to conduct an annual review, “advisers should consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments.”^[14] Finally, the Compliance Rule requires investment advisers to designate a CCO with the necessary competence and familiarity with the Advisers Act and authority within the organization to develop and enforce the adviser’s compliance policies and procedures.

OCIE identified deficiencies and weaknesses in connection with the Compliance Rule in six general categories: (1) inadequate compliance resources; (2) insufficient CCO authority; (3) annual review deficiencies; (4) failure to implement actions required by written policies and procedures; (5) failure to maintain accurate and complete information in policies and procedures; and (6) failure to maintain or establish reasonably designed written policies and procedures.

1.     Inadequate Compliance Resources

OCIE observed advisers that failed to devote adequate resources, such as information technology, staff, and training, to their compliance programs, including the following:

• Some CCOs had numerous other professional responsibilities that interfered with their ability to develop their knowledge of the Advisers Act and otherwise fulfill their responsibilities as CCO.
• Certain advisers had insufficient or insufficiently trained staff, which negatively impacted implementation of the adviser’s compliance policies and procedures and compliance with fundamental regulatory requirements, such as performing annual reviews, completing regulatory filings, and timely responding to requests from OCIE staff.
• Certain advisers failed to update their compliance infrastructure, including staff and information technology, to account for developments in the adviser’s business. This resulted in failures to appropriately implement or tailor the adviser’s policies and procedures.

2.     Insufficient CCO Authority

OCIE observed CCOs who lacked sufficient authority within the organization to develop appropriate policies and procedures for the adviser and ensure other personnel complied therewith. For example, OCIE observed CCOs with insufficient knowledge of and access to information concerning the adviser’s strategy, business, and operations.

3.     Annual Review Deficiencies

OCIE observed advisers that were either unable to provide evidence that their annual review occurred or that conducted reviews that failed to identify significant existing compliance risks. For example, OCIE noted that certain advisers had failed to identify or review key risk areas, such as conflicts or protection of client assets, and others had failed to review significant areas of their business, such as policies and procedures surrounding cybersecurity, the calculation of fees and allocation of expenses, and the oversight and review of adviser-recommended third-party managers.

4.     Failure to Implement Actions Required by Written Policies and Procedures

OCIE observed advisers that did not perform actions required by their written policies and procedures, including the failure to train employees, review advertising materials, follow compliance checklists and other processes, such as back testing fee calculations and testing business continuity plans, reviewing client accounts on a periodic basis to assess consistency of portfolios with clients’ investment objectives or on a basis consistent with the schedule required by the adviser’s policies, or implement compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosures, or other requirements.

5.     Failure to Maintain Accurate and Complete Information in Policies and Procedures

OCIE observed advisers with policies and procedures that contained outdated or inaccurate information about the adviser, including off-the-shelf policies that contained information that was incomplete or unrelated to the adviser’s activities.

6.     Failure to Maintain or Establish Reasonably Designed Written Policies and Procedures

OCIE observed advisers that either failed to maintain or failed to establish, implement, or appropriately tailor their written policies or procedures to their business. For example, some advisers claimed to rely on cursory or informal policies instead of maintaining written policies and procedures as required by the Compliance Rule. Other advisers relied on the policies of an affiliated entity, such as a broker-dealer, without tailoring the policies to the adviser’s business. In some situations, firms maintained written policies and procedures but failed to establish, implement, or appropriately tailor their written policies and procedures, including deficiencies in the following areas:

• Portfolio Management. Including due diligence and oversight of outside managers and third-party service providers, due diligence and oversight of investments, monitoring compliance with client investment and tax planning strategies, oversight of branch offices and investment advisory representatives to ensure compliance with advisory policies and procedures, compliance with regulatory and client investment restrictions, and adherence to investment advisory agreements.
• Marketing.^[15] Including oversight of solicitation arrangements, preventing the use of misleading marketing presentations or website materials, and oversight of the use and accuracy of performance advertising.
• Trading Practices. Including allocation of soft dollars, best execution,^[16] trade errors, and restricted securities.
• Disclosures. Including accuracy of Form ADV and client communications.
• Advisory Fees and Valuation. Including fee billing processes, such as how fees are calculated, tested, or monitored for accuracy; expense reimbursement policies and procedures; and valuation of client assets.
• Safeguards for Client Privacy. Including Regulation S-P,^[17] Regulation S-ID, physical and electronic security of client information, and general cybersecurity policies.
• Required Books and Records. Including written policies and procedures to make and maintain accurate books and records as required by Advisers Act Rule 204-2.
• Safeguarding of Client Assets. Including written policies and procedures surrounding custody and safety of client assets.
• Business Continuity Plans.^[18] Including the maintenance of adequate disaster recovery plans, such as business continuity plans that were not tested or did not contain contact information or designate responsibility for business continuity plan actions.

Firms should consider OCIE’s guidance and assess their compliance policies and procedures accordingly. Firms should also document any steps taken to evaluate and address these concerns or other concerns related to the Branch Office Alert or the Compliance Rule Alert.

For additional information regarding any of the above, please contact the authors or your Winston & Strawn relationship attorney.

---

^[1] _{OCIE Risk Alert, Observations from OCIE’s Examinations of Investment Advisers: Supervision, Compliance and Multiple Branch Offices (Nov. 9, 2020), available here.}

^[2] _{OCIE Risk Alert, OCIE Observations: Investment Adviser Compliance Programs (Nov. 19, 2020), available here.}

^[3] _{Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended.}

^[4] _{Branch Office Alert at 1.}

^[5] _{Id. at 3.}

^[6] _Id.

^[7] _{The Custody Rule requires SEC-registered advisers that have custody of client funds or securities to safeguard those funds against theft, misappropriation, or other losses.}

^[8] _{See OCIE Risk Alert, Significant Deficiencies Involving Adviser Custody and Safety of Client Assets (March 4, 2013) (highlighting custody-related issues, including failure by advisers to recognize that they have custody), available here.}

^[9] _{See OCIE Risk Alert, Overview of the Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers (April 12, 2018) (addressing advisory-fee-related issues), available here.}

^[10] _{Branch Office Alert at 5.}

^[11] _{Compliance Alert at 1.}

^[12] _{The Compliance Rule Alert included references to a number of previously issued OCIE Risk Alerts related to the Compliance Rule.  See OCIE Risk Alert, The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers (Feb. 7, 2017), available here; OCIE Risk Alert, Observations from Examinations of Investment Advisers: Compliance, Supervision, and Disclosure of Conflicts of Interest (July 23, 2019), available here; OCIE Risk Alert, Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018), available here.}

^[13] _{Compliance Alert at 1.}

^[14] _{Id. at 2 (citing Release No. IA-2204, Compliance Programs of Investment Companies and Investment Advisers (Dec 17, 2003), available here).}

^[15] _{See OCIE Risk Alert, The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers (Sep. 14, 2017).}

^[16] _{See OCIE Risk Alert, Compliance Issues Related to Best Execution by Investment Advisers (July 11, 2018), available here.}

^[17] _{See OCIE Risk Alert, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (April 16, 2019), available here.}

^[18] _{See e OCIE Risk Alert, SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year (August 27, 2013), available here.}