With the advent of SEC Rule 206(4)-7, which requires SEC-registered investment advisors to implement and maintain policies and procedures appropriate for their investment advisory business, it is more critical than ever for all RIAs to recognize that compliance is an ongoing process that requires continual review/update/amendment of regulatory filings, disclosures, and procedures. Laws and rules applicable to your practice and representatives are subject to change. Agreements and disclosure statements may require review and update due to changes in regulatory or state law and/or changes to your business operations. Existing restrictive covenant agreements may no longer reflect state law changes. Please do not become complacent with respect to compliance matters. The scope of SEC examination issues continues to grow and becomes more complex and your compliance policies and procedures must reflect their amendment and appropriateness given the then-current state of the law and your business operations.
But how does the advisory firm protect itself from an adverse regulatory and/or client litigation/arbitration proceeding? In future columns, I will address various practice protection issues. This month's installment will address the recent SEC initiative that requires advisors to identify and monitor risks associated with their advisory practices, and to demonstrate the effectiveness of such procedures, during a regulatory examination.
The SEC has begun to replace its five-year examination cycle-based approach with a risk-based approach. For SEC registered investment advisors, the frequency and scope of compliance inspections is, for the most part, determined by the Commission's perception of the advisors' compliance risk profile. Examiners will focus reviews on issues that represent the greatest potential threat to investors, and the corresponding frequency of examinations will be based upon the scope of the advisor's operations and the results of previous exams. In order to be prepared, the firm should be familiar with both the examination process and the issues that will be raised during the examination. By conducting a mock examination, advisors are better able to address and correct current deficiencies, enhance current procedures, and, most importantly, recognize and avoid those issues that could result in potentially adverse regulatory determinations and/or enforcement matters. The SEC's latest examination document request list requires the production of many items that are unfamiliar or inapplicable to most investment advisers. While many of these items are not required by the Investment Advisers Act, an advisor should be appropriately prepared to respond to all items that are applicable to its practice. Otherwise, the firm could face the possibility of substantially longer and/or more frequent SEC inspections.
Some of the items requested that have caused the most confusion for RIAs include questions regarding the "risk management process." Most investment advisers tend to think about risk in terms of investments and portfolio management. However, the SEC inquiries that require the production of risk-related documents focus on operational and compliance risks. For example, one section of the most recent examination checklist requires the production of the adviser's Standard Operating Procedures for its risk assessment process (i.e., a matrix or spreadsheet that maps the adviser's inventory of risks and the adviser's most current inventory of risks). The SEC will require that the advisory firm demonstrate the processes by which it identifies and monitors those areas that expose the firm to operational and compliance risk. As a result, we are now advising RIAs to establish Standard Operating Procedures to assess operational and compliance risks relative to their advisory and business operations. Such procedures should encompass the major areas that RIAs are required to address pursuant to the Rule 206(4)-7 policies and procedures requirements (i.e., portfolio management processes, trading practices, personal trading, books and records, safeguarding of client information, marketing, contingency planning, etc.). Given that all advisory firms differ in some respect, each firm's level of risk in any particular operational and compliance area may vary.
As a result of the SEC's focus on the risk assessment process, we have devised a risk assessment methodology and matrix that we use to identify those areas of risk exposure. From this analysis, policies and procedures are established that are intended to mitigate and/or reduce the risk presented from a compliance standpoint. The documentation must evidence a consideration of those compliance areas that are relevant given the firm's operations, and the scope should be narrowly tailored to only those areas relevant to the firm. There must be a clear assessment of that level of risk exposure that the firm has with respect to those relevant compliance areas.
All registered investment advisers should conduct an internal assessment of their risk in a number of compliance areas. Examiners will review the firm's documentation in this area, including its inventory of compliance risks, minutes from any risk committee meetings, and standard operating procedures for risk identification and assessment. On a substantive level, and irrespective of an advisory firm's operations, the following compliance areas should be addressed at a minimum by the advisory firm's risk assessment committee: portfolio management; trading practices; personal securities transactions; accuracy of firm's disclosures; safeguarding of client assets; record retention; marketing; valuation of fees and client holdings; privacy; and disaster planning.
Some recommendations for pre-, during, and post-examination practices to enhance your regulatory risk profile:
Previous Audit Deficiencies. Make sure that you have properly addressed all deficiencies cited in previous regulatory examinations. Depending upon the nature of the issue, failure to correct previously cited deficiencies can result in a referral to enforcement. These issues should be reviewed by the Chief Compliance Officer on a periodic basis to detect/prevent reoccurrence.
Insufficient Policies and Procedures. A ripe area for SEC deficiencies is either failure to have Policies and Procedures that appropriately reflect your business operations and/or the failure to follow them. The Rule is designed to protect investors by requiring advisers to have internal programs to enhance compliance with the federal securities laws.
Conduct a "Mock" Examination. By so doing, you will be in a much better position to successfully complete an actual regulatory examination.
Entrance Interview. Conduct an "entrance" interview with the examiner(s) so as to provide an overview of your advisory practices and operations: what you do and don't do. By so doing, you will assist the examiner (and your firm) in narrowing the scope of the issues to be addressed during the examination process.
Correct Deficiencies and Violations. To the extent able, address and correct issues and/or deficiencies (depending upon the nature thereof) raised by the examiner(s) prior to the conclusion of the examination, and advise the examiner(s) accordingly. Also, know when and how to request clarification, disagree and/or respond to issues that you believe have been misconstrued and/or have been cited in error. For this reason, you should speak with legal counsel at least daily to address issues raised during the examination.
Privileged Communications. During a regulatory examination, be sure not to provide correspondence (including emails) to and from your legal counsel. Correspondence and verbal communications and advice to/from counsel are "privileged," and not subject to turnover, disclosure or production during a regulatory proceeding, including a compliance examination. Correspondence, including compliance reviews conducted by non-law firm providers, is not privileged, and is subject to turnover, disclosure or production during a regulatory proceeding, including a compliance examination. Thus, be careful as to the scope and/or content of the correspondence between your firm and a non-law firm.
Exit Interview. Request an "exit" interview, pursuant to which the examiner(s) should discuss with you their findings. Take notes. If the firm principal responsible for interacting with the examiner(s) effectively executes his/her role, he/she should already be aware of these issues, and has hopefully been able to address and remedy them (or has begun to do so, depending upon the issue(s) raised). If any of the issues cited by the examiner(s) are of substantial concern (i.e., could potentially result in referral to the enforcement division), immediately begin to address the issue with your counsel prior to receipt of a follow-up informational request(s) or the receipt of a deficiency letter.
Deficiency Letter Response. Timely and appropriately respond to the issues raised in any follow-up informational request(s) and/or in the deficiency letter received from the Commission. Again, know when and how to disagree and/or respond to issues that you believe have been misconstrued and/or have been cited in error. Don't expect a written response from the Commission to your responsive letter. This makes it all the more important to ensure that your written response is appropriately crafted.
Corrective Action. Finally, make sure that you take the corrective action indicated in your responsive letter. This will be a primary focus point of the Commission's next examination.
Complacency is the Achilles Heel of investment advisers. As referenced above, compliance is an ongoing process. Investing your resources prudently to devise and implement compliance-related procedures appropriate for your firm, including being adequately prepared for the regulatory examination process, will pay future dividends. It's all up to you.
Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark, a 100-attorney firm with offices in Princeton, New York, and Philadelphia that represents investment advisors, financial planners, broker/dealers, CPA firms, registered reps, and public and private investment companies throughout the U.S. He can be reached at firstname.lastname@example.org.