Rule 206(4)-7 under the Investment Advisers Act, better known as the Compliance Program Rule, requires advisors registered with the SEC to implement written compliance policies and procedures.

These compliance policies and procedures should be designed to prevent violations of federal securities laws and protect investors.

The rule requires Registered Investment Advisors (RIAs) to designate a Chief Compliance Officer (CCO) to develop and enforce their compliance policies and procedures. 

State-registered investment advisors (IAs) may be subject to similar requirements. Even if they are not subject to a similar rule, however, state-registered IAs should implement thorough and effective policies and procedures as a best practice. 

Robust policies and procedures can:

– Prevent violations from occurring;

– Detect violations that have already occurred; and

– Correct those violations.

Policies and procedures are meaningless unless the firm vigorously enforces them. Violations of policies and procedures must be dealt with promptly. 

How to Handle Violations 

Depending on the facts and circumstances of a particular situation, RIAs may need to discipline personnel who violate their policies and procedures. For example, an RIA’s privacy or information security policy may dictate that computers should be logged off when an employee leaves for lunch or takes a break.

When policies and procedures violations occur, the firm’s CCO should be proactive instead of ignoring them. While counseling is an appropriate first step, a CCO may need to take stronger measures to ensure compliance if violations continue to occur. For example, a CCO may decide to administer a verbal or written reprimand. The CCO should create and retain documentation to demonstrate that the firm has taken steps to enforce its policies and procedures. 

The nature of the violation should impact what the firm’s response will be. As an example, a code of ethics violation is very serious and should be addressed immediately.

The situation is even worse if someone has violated the firm’s insider trading policy, which is usually found in an RIA’s code of ethics. When that misconduct occurs, the CCO, and other senior representatives of the firm, will usually meet with the access person to review the findings and obtain additional information related to the situation. Where necessary, one or more of the following remedial actions may be taken:

  • Written warning, which will become a part of the access person’s permanent record;
  • Disgorgement of profits;
  • Monetary fine; and/or
  • Termination of employment. 

In addition to taking disciplinary action against an employee, an RIA may need to self-report violations to securities regulators. 

Other policies and procedures violations can be equally serious. An administrative assistant for one RIA mailed financial statements to the wrong clients on two occasions. The statements included Social Security numbers and personal client information. In response to these deviations from policies and procedures, the RIA disciplined the administrative assistant and informed the affected clients that a breach had occurred.

The firm also changed its policies and procedures to ensure that Social Security and account numbers were redacted from these statements, except for the last four digits. 

Training Staff on Policies and Procedures 

Rule 206(4)-7 requires federally-covered RIAs to conduct an annual review of their firms’ policies and procedures. It is also a best practice for state-registered advisors to audit their policies and procedures regularly and make improvements. As improvements in policies and procedures are made, there should be a mechanism in place for making certain that everyone associated with the firm is made aware of these changes. 

While everyone working at an advisory firm is usually very busy, it is imperative that RIAs make time to hold training sessions regarding the firm’s policies and procedures. At training sessions, the firm’s CCO or a designee can emphasize any policies and procedures that advisory personnel may be ignoring. Once a particular policy and procedure has been highlighted at a training session, an RIA will need to impose more severe disciplinary measures on habitual violators who are not complying with the firm’s compliance manual. 

Conclusion

RIAs must be consistent in their handling of policies and procedures violations. If the facts and circumstances are the same, the disciplinary measures taken should be similar. As an example, the disciplinary action taken against an investment advisor representative who brings in a great deal of business should be similar to the discipline imposed on a low-level employee who commits the same infraction. An RIA might hesitate to discipline star performers for fear that they might leave the firm.

Discipline should be applied consistently in situations where there has been the same kind of violation.

Depending upon the nature of the violation, RIAs should consider whether an examiner will view the disciplinary action as being too lenient. It’s doubtful an examiner will criticize a firm for dealing too harshly with someone who violates the RIA’s policies and procedures, especially if the violation puts clients’ privacy or finances at risk. 

The firm’s CCO should thoroughly document what steps were taken in response to a violation. It is also important to document what steps were taken to prevent violations from occurring again. When violations occur, an RIA should revise and improve its policies and procedures. 

Disciplining the person committing the violation is certainly not the only remedy. Furthermore, before taking disciplinary action, an RIA should consult with its employment attorney regarding any legal issues that may arise or repercussions that may occur. There have been lawsuits alleging discriminatory discipline. To cite one possibility, terminated employees may claim they were let go for some other reason, such as age, and not for violating a particular policy and procedure. 

Disciplinary action should be the same for violations of comparable seriousness. If not, an RIA should document why violators were treated differently. A firm can document its rationale in a memo to the file, which should be retained with the RIA’s books and records.