With the advent of SEC Rule 206(4)-7, which requires SEC-registered investment advisors to implement and maintain policies and procedures appropriate for their investment advisory business, it is more critical than ever for all RIAs to recognize that compliance is an ongoing process that requires continual review/update/amendment of regulatory filings, disclosures, and procedures. Laws and rules applicable to your practice and representatives are subject to change. Agreements and disclosure statements may require review and update due to changes in regulatory or state law and/or changes to your business operations. Existing restrictive covenant agreements may no longer reflect state law changes. Please do not become complacent with respect to compliance matters. The scope of SEC examination issues continues to grow and becomes more complex, and your compliance policies and procedures must reflect their amendment and appropriateness given the then-current state of the law and your business operations.
But how does the advisory firm protect itself from an adverse regulatory and/or client litigation/arbitration proceeding? In future columns, I will address various practice protection issues. This month’s installment will address the recent SEC initiative that requires advisors to identify and monitor risks associated with their advisory practices, and to demonstrate the effectiveness of such procedures, during a regulatory examination.
The SEC has begun to replace its five-year examination cycle-based approach with a risk-based approach. For SEC-registered investment advisors, the frequency and scope of compliance inspections are, for the most part, determined by the Commission’s perception of the advisors’ compliance risk profile. Examiners will focus reviews on issues that represent the greatest potential threat to investors, and the corresponding frequency of examinations will be based upon the scope of the advisor’s operations and the results of previous exams. In order to be prepared, the firm should be familiar with both the examination process and the issues that will be raised during the examination. By conducting a mock examination, advisors are better able to address and correct current deficiencies, enhance current procedures, and, most importantly, recognize and avoid those issues that could result in potentially adverse regulatory determinations and/or enforcement matters. The SEC’s latest examination document request list requires the production of many items that are unfamiliar or inapplicable to most investment advisers. While many of these items are not required by the Investment Advisers Act, an advisor should be appropriately prepared to respond to all items that are applicable to its practice. Otherwise, the firm could face the possibility of substantially longer and/or more frequent SEC inspections.
Some of the items requested that have caused the most confusion for RIAs include questions regarding the “risk management process.” Most investment advisers tend to think about risk in terms of investments and portfolio management. However, the SEC inquiries that require the production of risk-related documents focus on operational and compliance risks. For example, one section of the most recent examination checklist requires the production of the adviser’s Standard Operating Procedures for its risk assessment process (i.e., a matrix or spreadsheet that maps the adviser’s inventory of risks and the adviser’s most current inventory of risks). The SEC will require that the advisory firm demonstrate the processes by which it identifies and monitors those areas that expose the firm to operational and compliance risk. As a result, we are now advising RIAs to establish Standard Operating Procedures to assess operational and compliance risks relative to their advisory and business operations. Such procedures should encompass the major areas that RIAs are required to address pursuant to the Rule 206(4)-7 policies and procedures requirements (i.e., portfolio management processes, trading practices, personal trading, books and records, safeguarding of client information, marketing, contingency planning, etc.). Given that all advisory firms differ in some respect, each firm’s level of risk in any particular operational and compliance area may vary.
As a result of the SEC’s focus on the risk assessment process, we have devised a risk assessment methodology and matrix that we use to identify those areas of risk exposure. From this analysis, policies and procedures are established that are intended to mitigate and/or reduce the risk presented from a compliance standpoint. The documentation must evidence a consideration of those compliance areas that are relevant given the firm’s operations, and the scope should be narrowly tailored to only those areas relevant to the firm. There must be a clear assessment of the level of risk exposure that the firm has with respect to those relevant compliance areas.
All registered investment advisers should conduct an internal assessment of their risk in a number of compliance areas. Examiners will review the firm’s documentation in this area, including its inventory of compliance risks, minutes from any risk committee meetings, and standard operating procedures for risk identification and assessment. On a substantive level, and irrespective of an advisory firm’s operations, the following compliance areas should be addressed at a minimum by the advisory firm’s risk assessment committee: portfolio management; trading practices; personal securities transactions; accuracy of the firm’s disclosures; safeguarding of client assets; record retention; marketing; valuation of fees and client holdings; privacy; and disaster planning.
Some recommendations for pre-, during, and post-examination practices to enhance your regulatory risk profile:
Previous Audit Deficiencies. Make sure that you have properly addressed all deficiencies cited in previous regulatory examinations. Depending upon the nature of the issue, failure to correct previously cited deficiencies can result in a referral to enforcement. These issues should be reviewed by the Chief Compliance Officer on a periodic basis to detect/prevent reoccurrence.
Insufficient Policies and Procedures. A ripe area for SEC deficiencies is either failure to have Policies and Procedures that appropriately reflect your business operations and/or the failure to follow them. The Rule is designed to protect investors by requiring advisers to have internal programs to enhance compliance with the federal securities laws.