Not all registered investment advisors are afforded a Manhattan zip code, enough vice presidents to annex France, or a travel budget the size of our national debt. Quite to the contrary, it’s more the norm for the smaller RIA to have a Des Moines area code, a combined CEO/CFO/CCO/Office Manager and a travel budget big enough to drive to the local Sonic and back for lunch. More to the point: small business owners are not only tasked with running the business they created with sweat equity, they are expected by regulators to be their firm’s Chief Compliance Officer as well, and are subject to all the liabilities that attach to that role. This raises the question: how does one wear the CCO hat without it blowing off and exposing a toupee of a compliance program? To answer that raised question, I present five (relatively) easy steps to get the job done right.
Step One: Build on an Ethical Foundation
This step should go without saying, but the starting point of any RIA is a strong ethical foundation under which the client’s interests are always put ahead of the interests of the advisor (i.e., the very essence of being a fiduciary).
This ethical foundation should not only meet the technical requirements of Rule 204A-1 of the Investment Advisers Act of 1940m it should also be the driving force behind an RIA’s decision-making. Ethical considerations can arise in the seemingly innocuous daily operation of any RIA (investment allocation decisions, acceptance of benefits or compensation from service providers, personal trading activities, etc.), but it is important for the CCO to step into a client’s and a regulator’s shoes when faced with such decision points.
Take some time to review your Code of Ethics and compare it to the Rule 204A-1 requirements, which can be somewhat technical and nuanced. Your comparison should essentially be a gap analysis designed to fill-in any missing components and confirm that appropriate records are being maintained.
For a telling example of how the SEC views the investing public, read SEC Commissioner Elisse Walter’s speech at the 2013 NASAA Public Policy Conference, in which her prototypical investing client is “Aunt Millie”. When stepping into a client’s shoes to analyze an ethical decision point, step into Aunt Millie’s New Balances, not Biff Powersuit’s Berlutis.
Step Two: Assess Your Risk and Your Potential Conflicts of Interest
As the SEC has made explicitly clear, an RIA is expected to assess its risk and potential conflicts of interest, and build its compliance program accordingly. (See, for example, the SEC’s 2013 Examination Priorities: For a plain English translation, check out this document. Shameless plug? Guilty as charged.)
This expectation from the SEC is as equally incumbent upon the Wall Street mastodon firms as it is for solo practitioners, though the risks and conflicts themselves will naturally differ between the two. A risk assessment should identify the risk, assess how severe it is and how likely it is to occur, and what steps the RIA is taking to mitigate the risk, using an Excel spreadsheet as a starting point, for instance. A risk assessment is not static, and should be revisited at least annually or more frequently as new risks arise and others are eliminated.
The same can be said for how a firm evaluates its potential conflicts of interest; potential conflicts should be identified, mitigated, and most importantly, disclosed to clients in the advisory contract and/or Form ADV Part 2. Indeed, the general instructions to the ADV Part 2 read as follows:
As a fiduciary, you also must seek to avoid conflicts of interest with your clients, and, at a minimum, make full disclosure of all material conflicts of interest between you and your clients that could affect the advisory relationship. This obligation requires that you provide the client with sufficiently specific facts so that the client is able to understand the conflicts of interest you have and the business practices in which you engage, and can give informed consent to such conflicts or practices or reject them.
A conflict can arguably even be seen as a risk. The most important aspect of a risk assessment is what the RIA does with it, especially during the construction or reevaluation of the RIA’s compliance program. As one might expect, more severe risks that have the highest likelihood of occurrence should receive the most mitigation attention, and should be the subject of the most supervision and review by the CCO. The risk assessment should also directly influence how the RIA’s policies and procedures are drafted, which is discussed in the next section.
Step Three: Build Realistic Policies and Procedures
Rule 206(4)-7 of the Act is all of 137 words, but it is perhaps the most important rule in the entire Act insofar as the CCO is concerned. In a nutshell, it says that an RIA must (1) adopt and implement written policies and procedures, (2) review the adequacy of the policies and procedures no less frequently than annually, and (3) designate a CCO responsible for administering the policies and procedures. Importantly, one particular section of the adopting release should be highlighted:
The Commission is sensitive to the burdens the rule may impose upon smaller advisory firms. The rule requires only that the policies and procedures be reasonably designed to prevent violation of the Advisers Act, and thus need only encompass compliance considerations relevant to the operations of the advisor. We would expect smaller advisory firms without conflicting business interests to require much simpler policies and procedures than larger firms that, for example, have multiple potential conflicts as a result of their other lines of business or their affiliations with other financial service firms.
The attorney in me could pontificate endlessly about the use and interpretation of the word “reasonably” in legal lore, but I’ll save the reader from the inevitable urge to gouge out your eyes. The takeaway for CCOs is this: tailor your policies and procedures to your RIA.
If the RIA’s business model and operations are simple and bereft of conflicts of interest, the length and complexity of the policies and procedures manual should reflect this. Unlike most pork-filled House and Senate bills, a policies and procedures manual is not judged by its length or weight, but rather by its content. Important caveat: the SEC specifically enumerated certain minimum expectations in its adopting and interpretive releases, so don’t skip over the basics. (The adopting release provides a fair amount of guidance and explanation, and is worth consultation by both well-established RIAs and those that are just getting off the ground.)
Here’s a tip for drafting your policies and procedures manual: keep it simple. Ask who, what, when, where, why, and how. Said another way:
- Identify and explain the policy and procedure,
- Name who will be responsible for getting it done,
- Set a schedule of how often a task will be performed,
- Describe exactly what the responsible person will be doing,
- Cross-reference where the record or evidence of the task’s completion resides in your books and records, and
- Explain why the policy and procedure exists (to prevent fraud, safeguard assets, detect insider trading, etc.)
An RIA’s policies and procedures manual is low-hanging fruit during an examination, and is ripe for the picking for RIAs that do not take it seriously. Update it when laws or regulations change, or when the RIA’s business becomes more complex. If the CCO decides to purchase a policies and procedures manual “off the shelf” from a vendor, spend the time to customize it to the RIA’s business. One size does not fit all.
Step Four: Actually Follow Said Policies and Procedures
Duh. But seriously… actually follow your policies and procedures. It may seem intuitive, but there are countless examples of RIAs with all sorts of lavish tales in their policies and procedures manuals, none of which were actually occurring in real life (or at least the RIA had no way to prove it). If the policies and procedures manual says that you will review account statements quarterly, actually review account statements quarterly. Important: document your review, and have an easy way to show the SEC during an exam that you were indeed doing what you said you would.
Step Five: Supervise and Review
The CCO hat is not simply adorned when an issue arises or when a regulatory examination is announced, but instead should be worn at all times. To step out of the metaphorical realm, this means that the small RIA owner should set up a system by which employees, intermediaries, clients and his own activities are supervised and reviewed pursuant to a continuous schedule as described in the policies and procedures manual. The goal, as described in the adopting release of Rule 206(4)-7, is to “prevent violations [of the federal securities laws] from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.”
A common practice is to establish a “Compliance Calendar” that establishes when pre-defined tasks, filings, disclosures, internal audits, and other compliance-related obligations are to occur over the course of a calendar or fiscal year. The Compliance Calendar should not be so burdensome that it hamstrings the RIA’s growth opportunities or introduces operational inefficiencies, but it should be reasonably designed to effect compliance with applicable rules and regulations. It should help keep busy small business owners on course as they navigate an increasingly-complex regulatory environment.
Embrace Your Inner CCO
Whenever an opportunity is quashed due to regulatory restrictions, the sales folks generally blame compliance, compliance blames the regulators, the regulators blame Congress and Congressional members blame each other (and/or global warming). It’s a vicious cycle. But just because a small RIA owner is also tasked with being her firm’s CCO, this does not mean that the entrepreneurial spirit has to go out the door. No two compliance programs are identical, nor should they be. Adopt a program tailored to your firm, follow it and wear the CCO hat like a ten-gallon Stetson.