Publicly embarrassed by a series of undetected frauds by investment firms, the Securities and Exchange Commission has sharpened its investigative and regulatory inspections. RIA firms too small in terms of assets under management to warrant SEC attention are subject to state regulators who follow the SEC’s lead, so essentially the same rules apply.
In addition to considering a plethora of new regulations, the SEC is refocusing its attention on some requirements about which it has formerly been relatively forgiving. Specifically, all investment companies and registered investment advisors must have written policies designed to protect investors, and they must have a designated Chief Compliance Officer. The CCO position must be “empowered with full responsibility and authority to develop and enforce…[and a] position of sufficient seniority & authority to compel.”
These requirements place a substantial burden on small financial advisors and until now have been substantially neglected by many small firms. But in the wake of the financial crisis and the Madoff fraud, the SEC and state officials are focusing attention on small firms that formerly sailed below the regulators’ radar, so these firms must now take the requirement to have a Chief Compliance Officer and a comprehensive compliance manual seriously. Here is how a small firm can mount an effective compliance program without breaking the bank.
Maybe Not Your Spouse
In the past, a significant number of firms have responded to the specifics of regulation either by ignoring the regulation completely or by making a clumsy attempt to circumvent its intention. One of the most frequent examples was naming a CCO who had neither the skill nor the authority to effectively exercise the responsibilities of an actual CCO, oftentimes while having no written policies at all.
A review of filed Form ADVs reveals that in case after case, in small firms the CCO has the same last name as the owner. Naming a spouse as CCO does not mean that this person has the training, the skill, or–most important–the authority to carry out the legal requirements of the job. The practice of calling one’s administrative assistant the CCO of the firm has even less possibility of surviving an SEC or state audit.
These clumsy attempts to evade requirements are dangerous and unnecessary. It is possible for the small shop to have a legitimate and effective compliance operation without adding staff or consuming large amounts of the time needed for managing client accounts.
To stay compliant, every RIA firm regardless of size needs:
o A real CCO
o Two written documents
o A process for assuring that the procedures in those documents are carried out
o Scheduled written compliance reviews to document that they have actually followed their own procedures.
We will address each of these requirements in turn.
Requirement Number 1: A Real Chief Compliance Officer
The CCO position requires a commitment of time, and the position must have the authority to enforce regulations. Small shop owners should know that they can be their own compliance officer. In fact, if the firm consists of an owner and an admin, the owner is the CCO, like it or not. While looking over your own shoulder may be difficult, it can be done. We’ll discuss how to do that in a moment.
Those with the luxury of a small staff should choose a senior member for the CCO job. But no matter how experienced, he or she will need a certain amount of time to become and stay familiar with regulations. Then your CCO will need time to establish procedures specific to your firm and time to review those procedures periodically. The time demands will decrease with experience, but they never disappear.
The new CCO is not alone. The SEC actually devotes considerable time and attention to helping new CCOs. It maintains a portion of its Web site (sec.gov/info/iaicccoutreach.htm) where it publishes guidelines and provides a list of phone numbers for questions. When you call the SEC, you will likely get the Commission’s voice mail, but its attorneys typically return phoned-in questions within one day. In addition, the SEC conducts training sessions tailored for new CCOs. Despite views to the contrary, the SEC really would prefer that RIAs do compliance right in the first place; there are enough real crooks out there to keep regulators busy.
Requirement Number 2: Two Written Documents
All firms must have an organization-specific Policies and Procedures Manual (PPM) and a Code of Ethics. If you can locate an attorney who specializes in SEC regulations, you can pay to have a PPM prepared; or you can buy one already written. First-rate material can be found on the Web for around $500, a fraction of what an attorney-written model will cost. The pre-written material will require modifications to fit your particular business procedures, but reviewing the “canned” documents and making appropriate revisions will be invaluable training for your CCO.
Requirement Number 3: Compliance Review Process
One step that the CCO will need to take is detailing the specific procedures that will let you know that your policies are actually being followed. You will need a compliance review process added to your off-the-shelf manual. Policies must be managed and enforced through an ongoing series of reviews that are conducted and recorded on an established schedule supervised by the Chief Compliance Officer.