From the June 2009 issue of Investment Advisor • Subscribe!

Expert's Corner: Complacency, Risk and the SEC

Like life, compliance is always subject to change

More On Legal & Compliance

from The Advisor's Professional Library

All too often advisors become complacent with respect to compliance matters, but all registered investment advisors must continue to recognize that compliance is an ongoing process that requires the review/update/amendment of regulatory filings, disclosures, and procedures. Laws and rules applicable to your practice and representatives are subject to change. Agreements and disclosure statements may require review and update due to changes in regulatory or state law or changes to your business operations. Existing restrictive covenant agreements may no longer reflect changes in state law. Policies and Procedures must also be reviewed and revised as required by regulatory changes and changes in your business operations. Documents and disclosures that may have been appropriate or sufficient when you first registered , or even a few years ago, may no longer be adequate or compliant.

The scope of SEC examination issues continues to become more complex. For SEC registered investment advisors, the frequency of compliance inspections, for the most part, will be determined by the Commission's perception of the advisors' compliance risk profile. Examiners will focus reviews on issues that represent the greatest potential threat to investors, and the corresponding frequency of examinations will be based on the scope of the advisor's operations and the results of previous exams. Thus, being adequately prepared for an exam is critical.

In order to be well prepared, the firm should be familiar with both the examination process and the issues that will be raised during the examination. All firms should consider engaging a knowledgeable compliance professional to prepare it for a regulatory examination. By so doing, advisors should be much better able to address and correct current deficiencies, enhance current procedures, and, most importantly, recognize and avoid those issues that could result in potentially adverse regulatory determinations or enforcement matters. Moreover, the firm should gain a better understanding as to what compliance-related tasks are applicable to its operations and those that are not--thereby dispelling any myths, allaying any confusion, and alleviating unnecessary efforts. As a result of the review, the firm should become more confident and efficient with respect to its compliance efforts.

The Benefits of Privilege

Please remember that verbal communications and written reports to and from legal counsel are "privileged" and thus not subject to turnover, disclosure, or production during a regulatory proceeding, including a regulatory compliance examination. Correspondence (including e-mail), results of compliance reviews/mock exams, and verbal communications between an advisory firm and a non-law firm provider are not privileged, and are subject to turnover, disclosure, or production during a regulatory compliance examination, a client lawsuit or arbitration, and a regulatory enforcement proceeding.

Thus, if an RIA obtains substantive compliance-related assistance from a non-law firm provider, it should be guided accordingly. In that regard, if the firm engages a non-law firm provider to conduct a compliance review, avoid the issuance of a written report from the provider to the firm that addresses compliance-related deficiencies. I have never been a proponent of such a process. Rather, it has been my experience over the past 20 years that the best way to prepare a firm for an examination is to actually review each and every exam issue with the chief compliance officer. Upon conclusion of this interactive process (generally a full day long), the CCO will be much better prepared to successfully complete a regulatory exam, (or senior management in the CCO's absence; see sidebar). Moreover, as result of such dialogue regarding the firm's operations and processes, issues that would not otherwise have been addressed will generally be raised and resolved.

As any RIA who has been through a recent SEC examination can attest, the SEC's latest document request list continues to take a "one size fits none" approach by requiring the production of many items that are unfamiliar or inapplicable to most investment advisors. The process continues to further confuse advisors as to what is and what is not required from a compliance and operational standpoint, as opposed to what may be recommended or be represented by examiners as a "best practice." (That's a term that has always bothered me. What is a "best practice," anyway? It certainly is not a rule or regulatory requirement. Unfortunately, too often examiners posture them as "requirements" or advisors perceive them as so. What may be a "best practice" for one firm may not be a best practice for another, or have absolutely no relevance to another firm's practice.)

Some of the exam items that have and will continue to cause the most confusion for RIAs include questions regarding the "risk management process." Most investment advisors tend to think about risk in terms of investments and portfolio management. However, the SEC also requires that advisors assess risk relative to operational and compliance risks. In the most recent SEC exam, we find several questions (many of which appear to be repetitive, confusing, or just unclear as to their meaning) relative to risk assessment, risk mapping, risk testing, etc. The rebuttal to such risk-related questions is to ask "What are these exercises?" and "Where is the Rule requiring such exercises?" and also to ask "Where is the guidance as to what they should entail?" While these risk-related exercises are not specifically required by the Advisers Act, RIAs are well advised to make "reasonable" efforts to demonstrate to the Commission that it has identified and assessed (and will continue to do so on an ongoing basis) the risks relative to its operations. By so doing, the RIA will have engaged in a worthwhile exercise that will better prepare it to successfully complete a regulatory examination.

An Annual Risk Review

We advise RIAs to perform an annual risk assessment as part of its annual CCO review, which, despite the aforementioned repetitive and confusing risk-related questions on the most recent SEC exam, is the only formal compliance and operational review required under the Advisers Act. We generally address these risk assessment matters (as well as the annual CCO review) when we perform mock exams. The most positive collateral result of such exercise for most firms is that if done properly, it should enable the firm to succinctly demonstrate to the Commission that a majority of the issues set forth on the examination list do not apply to the firm's advisory operations, especially those potential "conflict of interest" issues that typically (but need not to if properly addressed, supervised, and disclosed) cause the Commission to place the firm on a higher risk level (i.e., sale of commission-related products, soft dollar arrangements, performance fee arrangements, affiliated private investment funds, directed brokerage arrangements, affiliated brokerage arrangements, custody-related issues, referral fee arrangements, and so forth).

Unfortunately, the SEC has yet to provide any substantive guidance as to what an annual CCO review should look like (however, it has not stopped examiners from raising disappointment with the adequacy of such annual reviews during examinations). Please remember that pursuant to the requirements of Rule 206(4)-7, each advisory firm must complete an annual review of its compliance policies and procedures. The purpose of the review is to ascertain the adequacy of the firm's compliance-related efforts and processes and extent to which changes are required. The review should be conducted by the chief compliance officer, and should address, among other issues, the extent to which such review resulted in identifying or implementing any amendments or changes to the firm's Form ADV, written disclosure statement, advisory agreements, policies and procedures, best execution analysis, privacy and confidentiality of client information efforts, and business continuity plan.

Although complacency is the Achilles heel for many investment advisors, it does not have to be. Good compliance need not be confusing nor overly time intensive. Rather, it merely requires the attention of a smart individual who understands what is and is not required relative to the firm's advisory operations. As reference above, compliance is an ongoing process. Investing your resources prudently to devise and implement compliance-related procedures appropriate for your firm (one size does not fit all), including being adequately prepared for the regulatory examination process, will pay future dividends. It's all up to you.


Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark, a law firm with offices in Princeton, New York, and Philadelphia that represents investment advisors, financial planners, broker/dealers, CPA firms, registered reps, and investment companies, and a regular contributor to Investment Advisor. He can be reached at tgiachetti@stark-stark.com.
Reprints Discuss this story
This is where the comments go.