Top Compliance Program Mistakes (and How to Avoid Them) (Part 1 of 2)

SEC Compliance Consultants, Inc. (SEC³)


Chief Compliance Officers face the challenge of running a comprehensive yet efficient compliance program that nimbly adapts to changing regulatory requirements and business practices. As compliance consultants, we see our fair share of missteps. First, we will cover how to build a relevant and engaging compliance manual. Next, we will delve into the details of developing clear compliance procedures. Finally, we will discuss some examples of compliance failures and how to remedy them.

  1. The Neglected Compliance Manual

For many advisory firms, the compliance manual often languishes, becoming a dusty door stop rather than the dynamic guide it's meant to be. Are you confident that your firm employees actually read and understand your compliance manual? Does it truly reflect the intricacies of your unique business model? Let’s delve into the common pitfalls of the "neglected compliance manual" and explore how to transform it into a living, breathing resource that engages your entire firm and lays a solid foundation for your compliance efforts.

A common compliance program mistake is what we call the “neglected compliance manual.” Neglect happens because the manual goes unread and isn't tailored to the firm's unique business model.

Before an SEC exam, the staff will read your compliance manual and expect it to reflect how your firm operates. Some manuals have only been read by the law firm or consultant that prepared it and the Chief Compliance Officer (“CCO”), generally resulting in policies and procedures that are not factually correct, include sections that do not apply to the firm’s business, or are hopelessly outdated. Some manuals are too vague, stating that “the firm” is responsible for ensuring policies are followed. Other firms mistakenly assign responsibility for all policies and procedures to the CCO. Not only is this impractical, but it is not humanly possible.

Think of the compliance manual like a GPS for your team—it should clearly map out how to navigate the regulatory landscape, turn by turn. Let’s discuss how to give the compliance manual the attention it deserves.

Engage Everyone

The sad truth at most firms is that almost no one, aside from the compliance officer, reads the compliance manual. Firms often use off-the-shelf or attorney-drafted manuals that hit the required topics but still include phrases like “insert firm name here” or “select relevant option,” tipping off regulators that the manual has not been read, customized or updated (see this case as an example.) In a risk alert from 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE,” now known as the Division of Examinations or “EXAMS”), found during routine examinations that “certain compliance programs did not take into account important individualized business practices such as the adviser’s particular investment strategies, types of clients, trading practices, valuation procedures and advisory fees. Moreover, examiners continue to observe that some advisers use “off-the-shelf” compliance manuals that have not been tailored to the adviser’s individual business practices.”

To make the firm “own” compliance, we recommend that the CCO get managers and employees involved in drafting and revising the manual. Let’s be honest—most employees would rather read the terms and conditions of a cell phone contract than your compliance manual. That’s why you’ve got to make it matter. Set up a meeting with each area within the firm to go over the sections of the manual that apply to them. For example, provide the traders with the allocation and aggregation policies and procedures and review the language. Ask them to describe the trading process from start to finish to see if the procedure reflects the actual practice. For example, who gives the order for the trade? How does the trader select the broker to execute the trade? How does the trader aggregate and allocate the order across participating accounts? Who checks to confirm that the trades were implemented and allocated correctly? Who reviews the trade blotter at the end of the day? These are questions that should be addressed in the manual.

The CCO should revise the procedures based on input received and require the supervisor to review and approve them. Supervisors then have accountability for those procedures. The goal is to have a procedure that reflects what actually happens, identifies who is supposed to perform various tasks, and assigns responsibility for supervising the activity. Avoid detailing every possible contingency or naming specific reports or software tools unless essential, as this can quickly become outdated or overly rigid.

Yes, it’s a heavy lift, but skipping these steps now just means carrying a heavier burden during your next SEC exam. The effort serves several purposes. First, it gets people to read the manual. Nothing is more embarrassing (and demoralizing) than having the SEC staff read a policy aloud during an exam and having firm employees admit that they were unaware that the manual included that particular provision. Second, it reinforces the message that compliance is a firm-wide obligation embedded in the firm's day-to-day operations. Third, it is a great learning experience for the CCO: an opportunity to get to know others within the firm, what they do, how they do it, and what obstacles they face. Finally, it requires different areas of the firm to take ownership of the policies and procedures applicable to them.

Customize the Manual to Reflect Your Firm’s Business Model and Risks

The SEC continues to warn firms that their compliance manuals should reflect the firm’s business practices and address its specific risks. For example, in November 2020, the SEC settled actions against three investment advisers and two dual registrants for violations of Rule 206(4)-7 in connection with sales of complex exchange-traded products (ETPs) to retail investors. The firms were recommending volatility-linked ETPs, which attempt to track short-term volatility expectations in the market. The offering documents disclosed that these products were meant to be held short-term and that they incurred significant costs when held for longer periods, costs that could eat into returns. Unfortunately, in these instances, that’s exactly what occurred. The SEC found that the investment professionals recommending these products did not understand their risks and did not explain them to their clients.

In its settlements, the SEC found that these firms’ compliance programs suffered from material deficiencies. The firms failed to (1) adopt policies and procedures regarding complex products other than ETFs, (2) require financial professionals to be trained on the risks of ETPs, (3) develop a process to review or approve new products, and (4) adopt procedures for identifying and tracking holding periods. By failing to have policies and procedures to address the risks of these complex products, these firms violated Advisers Act Rule 206(4)-7.

In similar settlement orders with investment advisers, the SEC often charges firms with violating Advisers Act Section 206(4) and Rule 206(4)-7 because of their failure to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules. To avoid this result, firms should periodically review SEC cases, risk alerts published by EXAMS, and EXAMS' most recent examination priorities. It is also important to update your firm’s risk inventory to address changes to the firm’s operations, new product offerings, expansion into new states (or countries), and any other new risks that affect your business. Advisers should also update the risk assessment to reflect significant findings from compliance testing and monitoring, issues that occur at the firm, and SEC examination results.

  2. The Devil’s in the Details – Avoiding Vague Procedures and Absolute Language in Your Compliance Manual

Advisers often spend significant time drafting compliance manuals, but are these policies truly effective in daily operations and risk mitigation? The strength of a compliance program lies in the precision of its language. Vague directives and rigid rules can cause confusion, hinder accountability, and attract regulatory scrutiny. In this second installment, we'll explore the importance of clear and specific compliance procedures, effective responsibility assignment, and the need for flexibility. Learn how to write actionable compliance procedures, assign specific responsibilities, and maintain adaptable policies.

The Manual is Too Vague

Many firms’ compliance manuals do not specifically assign responsibility for ensuring that their policies are followed. Other firms simply assign responsibility for everything in the manual to the CCO. For example, a policy stating that “The Firm ensures that its investment adviser representatives (IARs) recommend an appropriate account type (e.g., wrap fee or other separately managed account) based on the client’s individual financial situation and requirements” does not “ensure” that the appropriate recommendations are actually made since it fails to assign responsibility to the firm’s IARs. When errors occur, the CCO has no way to hold the appropriate parties accountable, ultimately leading to increased regulatory risk.

Vague:  The Firm ensures oversight of IARs.

Clear:  Supervisors review IAR trading activity quarterly using [name of tool].

We recommend that compliance procedures include sufficient detail on the process and assign responsibility for its execution and oversight. For example, if investment adviser representatives are responsible for making investment recommendations for clients, the procedures should include standard criteria for making the recommendation, require the IAR to document the reasons for the recommendation, and include a periodic review of the process by others. Failure to follow the process should have consequences. An account opening request that is missing the required documentation could result in a NIGO (not in good order) status, halting the account opening until the deficiencies are rectified.

Responsibility for compliance with policies and procedures should be embedded in the firm’s supervisory structure. The CCO should rely on firm supervisors to do their jobs and then conduct testing periodically to confirm that the policies and procedures are being followed and working as expected. For example, daily trading blotter review, investment performance calculations, fee calculations, portfolio management and best execution should be handled by the firm’s existing supervisory structure. In these areas, firm supervisors are in a better position to see what is going on, identify potential issues and have the authority to resolve them.

Policies and Procedures Written in Absolute Terms

At the other end of the spectrum are compliance manuals that are too specific. Compliance procedures are often written in absolute terms, requiring the performance of specific tasks on an impractical schedule or when not required by regulation. Aside from wasting time and resources, failing to comply with the firm’s written processes can result in regulatory issues. During the examination process, the SEC staff reads the compliance policies and procedures. If the firm is not complying with its written procedures, the SEC can cite the adviser for noncompliance with the Compliance Program Rule (Advisers Act Rule 206(4)-7). Even absent client harm or legal violations, such discrepancies can still result in regulatory citations.

Here are a few real-life examples:

  • The CCO shall ensure that the firm’s branch offices adhere to all applicable compliance policies and procedures and that advisory services are provided in accordance with the Advisers Act and the regulations thereunder.
  • At the conclusion of each business day, the IAR or his/her designees will review the following documents related to client trades: daily blotter, copies of confirmations, and order tickets.

In the first example, the designated supervisor of the branch office should be responsible for ensuring that compliance policies and procedures are being followed. The CCO is not in a position to effectively supervise employees in the branch office. In the second example, the firm’s IARs act as portfolio managers for client accounts and enter client trades into the system. In practice, the firm’s IARs may periodically check to ensure that trades were executed, but many are not reviewing the daily trading blotter, confirmations, or trade tickets. The review may actually take place, but it may be performed by the Head Trader.

Leave room for operational reality—and good faith errors

Avoid            Use instead
---------------  ------------------------------
Always           Typically / In general
Specific times   Periodically
Never            Rarely / Only in limited cases
All              Most / Certain

Our advice is to look for the logical person(s) when determining who should be responsible for overseeing a procedure. In the first example, the head of the branch office should be accountable for ensuring compliance in that location, not the CCO. The procedure should reflect what actually happens, not what some law firm thinks should happen.

Compliance doesn’t have to be perfect—but it does have to be real. In the second example, consider how the IAR can practically confirm that the trades they initiated were executed correctly. Instead of reviewing the daily trading blotter, confirmations and statements, the firm’s operations team may be able to efficiently issue other daily reports to the IARs to facilitate their review.
