The Securities and Exchange Commission estimates that approximately 1,300 hedge and private equity fund managers registered as investment advisers with the agency as a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act's rule changes. Many of those firms registered just ahead of the March 31, 2012 registration deadline and recently "celebrated" their one-year anniversary operating as SEC-registered investment advisers.

Anniversaries prompt reflection on where one has been and what lies ahead, and, indeed, SEC compliance program rules direct investment adviser compliance officers to do just that.1 The rules require an annual review of an asset management firm's compliance program and specify two goals for that review:

1. Looking backward, the review should deliver an assessment of the effectiveness of the compliance program as implemented; and

2. Looking forward, the review should identify potential revisions to the program as a result of compliance matters that arose during the year, changes in the business activities of the firm or its affiliates, and regulatory developments. SEC staffers have said that a compliance program should not be static and that the goal of every review should be to seek a better approach to detecting and preventing compliance violations than the one already in place.

The first annual review must be completed within 18 months of the date when the program was adopted. For firms that registered in the months leading up to March 31, 2012, that 18-month period means that the required annual review should be completed over the next several months. Since the review typically takes a month or more to conduct and document, many firms have started the process already.2

The SEC staff takes the annual review process seriously and will ask questions about the review when inspecting an investment adviser firm. Illustrating the agency's interest, one recent speech by a senior official in the SEC's adviser inspection office listed getting the annual review right first among "ten suggested take-aways" for newly registered advisers.3 Firms have been sanctioned by the SEC both for failure to maintain an appropriate compliance program and, as an independent violation, failure to perform the required annual compliance review.4

A. Who Conducts the Annual Review?

The rules are silent on who should conduct the annual review, and there is no "one size fits all" approach. That said, it is important that the firm's designated chief compliance officer (CCO) visibly lead the process. If the review is conducted internally, the CCO should conduct or supervise the review, but can be supported by resources (e.g., operations, accounting, internal audit) from outside the compliance department. If an independent firm is retained to conduct an external review, the CCO would be expected to supervise the work of that firm.

There are advantages and disadvantages to engaging an independent firm to conduct the annual review:

Pros:

  • Independence and fresh perspective of the reviewer (whose findings may, among other things, be more persuasive for a regulator that the firm is operating in good faith compliance with its compliance program).
  • Opportunity for increased insight into industry practice or expertise in specific areas in which the investment adviser has fewer ready resources.

Cons:

  • Limited familiarity of the reviewer with the investment adviser's specific business needs and compliance practices. A consideration in retaining an independent firm is that the firm could miss important issues because its personnel are not permanently housed in the investment adviser's offices; thus, the CCO should monitor the review carefully to ensure that gaps in the independent reviewer's knowledge of the company do not lead to oversights.
  • Cost (which may be reduced by limiting the scope of the independent review).

B. Planning the Annual Review

Key Steps in Planning the Review Include:

1. Determining who conducts the review (as just described);

2. Setting expectations for reporting the review results (described later in this paper);

3. Setting scope and picking areas of focus;

4. Identifying information to be collected or generated in support of the review; and

5. Determining whether to affirmatively test specific policies and procedures as part of the review and, if so, which policies and procedures and what types of tests.

As to areas of focus, in addition to "overall firm compliance" and any firm-specific compliance needs, the SEC has said that a firm's annual review should focus on the effectiveness of the compliance program in addressing a laundry list of core business functions. These include portfolio management, trade allocation and brokerage practices, proprietary and personal trading, mapping of affiliates, accuracy of disclosures and account statements, accuracy of books and records, marketing, valuation, safeguarding assets, protection of client and other non-public information, and business continuity.

As to the collection and generation of information, that process will include assessment of available technology and recordkeeping resources, identification of persons who should be interviewed (and scheduling those interviews), and deciding whether reports or certifications from department or business heads or from third-party service providers will be required. Failure to develop needed information in time can stop or sidetrack a review, so it is critical to lay this groundwork early.

Given the breadth of the information potentially covered in an annual review, it may be helpful to first establish a preliminary "compliance profile" for the firm (or for each business unit in the case of a complex business) and then to use the profile as a planning and factfinding guide. A firm's compliance profile might incorporate the following:

General Business Matters

  • Has the firm entered new lines of business, developed significant new customers or modified its investment practices and strategies?
  • Has the firm hired any new professionals whose activities should be covered by the compliance program?
  • Has the firm implemented new software/automation initiatives?
  • Has the firm's ownership changed (as a result of a sale of the business or merger)? Has the firm acquired any new subsidiaries or affiliates?
  • Have there been other business or organizational changes?

Industry and Regulatory Development

  • Have there been changes in industry "best practices" or other standards?
  • Has the SEC, the Financial Industry Regulatory Authority or another relevant regulator proposed or adopted any rules relating to the firm's business?
  • Have regulators otherwise signaled their current compliance priorities?5
  • Has a regulator inspected the firm?

Compliance Exceptions and Remedial Actions

  • Is there a pattern of client complaints or compliance exceptions?
  • Were remedial actions taken promptly? Is there a pattern in the remedial actions taken?
  • Were complaints or exceptions escalated properly?

Problems With the Compliance Program

  • Have there been any issues with interpretation or confusion about the application of specific policies and procedures?
  • Have there been any compliance concerns not anticipated by the compliance program or violations of specific policies and procedures for which a remedial process was not identified?
  • Have there been any problems in enforcing the compliance program (for example, difficulties with respect to specific individuals or matters)?

The SEC staff, in discussing how a firm should conduct its annual review, refers to this type of guide as a continuing "risk assessment" or "risk inventory," which the staff views as important to maintaining a comprehensive compliance program over time. The SEC staff has posted to the agency's website its own list of questions that a firm might consider in the course of that assessment. While somewhat dated (it was published in 2006), this list remains a valuable resource that includes more than 100 planning questions for a CCO to consider.6

C. Documenting the Annual Review

SEC compliance rules require an adviser to maintain records documenting the annual review. Relevant documentation might include:

  • An inventory of policies/procedures reviewed;
  • An inventory of files and other records reviewed;
  • An inventory of tests performed;
  • Employee, service provider or other certifications, acknowledgments, questionnaires or representations reviewed;
  • Consultant reports;
  • Checklists, reconciliation workbooks, exception records and similar material reviewed;
  • Records of approvals of variations from established policies/procedures;
  • Records of interviews (identifying persons involved and topics covered);
  • A list of remedial actions reviewed;
  • Changes made to specific policies/procedures during the previous year; and
  • Copies of written reports to management summarizing the annual review process (discussed below).

D. How – and to Whom – Does the CCO Report His or Her Findings?

The compliance program rule for registered investment companies requires annual reporting to the investment company board by the CCO of the company. That rule also specifies the content of the CCO's annual report as covering: (a) the operation of the policies and procedures of the investment company and its investment adviser, sub-advisers, and other key service providers, (b) any material changes in those policies and procedures since the last report, (c) any recommendations for material changes in the policies and procedures as a result of the annual review, and (d) any "material compliance matters" since the date of the last report.7

In a quirk of the rules, there is no specified reporting for registered investment adviser CCOs. The rule for investment adviser CCOs refers only to an annual review and is silent as to whether the review need be followed by a report. Reporting to key executives and otherwise involving senior management in the review process can, however, be important in demonstrating to the SEC that the adviser has taken steps to assure itself that it is in compliance with SEC rules. A written report also memorializes that the firm qualitatively evaluated the effectiveness of its compliance program.

Generally, the primary audience for the CCO's report will be senior management of the investment adviser. Other audiences could include management or boards of affiliates, joint venture partners, etc. Key clients of the firm also may request copies (or summaries) of the report, though practice varies widely as to how willing a firm is to share this sort of information outside its own corporate group.

It is important to note that there may be no attorney-client privilege or work-product doctrine protecting annual review documentation (e.g., the records or work papers listed above or a final CCO report) from review by the SEC staff.8 Care therefore must be taken in the management and presentation of this material. Some firms opt for a "skeleton" approach that might be just a list of review processes performed and a high-level executive summary. Others embrace more robust reporting and, to mix metaphors, accept the risk of providing the proverbial "road map for the regulators" so long as doing so also delivers significant value to the organization's ongoing compliance and management efforts.

Once a decision is made as to level of detail, the CCO next should consider topics to cover in the report. These could include:

  • A general overview of the methodology used in conducting the review, including the role of the CCO and any delegates relied upon by the CCO and the amount of time committed to the review (also discussed might be summaries of any tests performed on specific policies and procedures and the results of those tests);
  • A concise summary of the activity during the review period undertaken by any office having parallel responsibilities to the CCO (while generally applicable to larger firms, this might include work by an internal audit department or firm ombudsman);
  • Concise summaries of oversight and liaison activities undertaken with respect to firm service providers, including lists of certifications and similar formal representations obtained during the review period;
  • Concise summaries of key compliance policies and procedures, including notations as to who within the firm, or at the firm's service providers, is responsible for their day-to-day implementation (perhaps coupled with a table or other schematic "roadmap" linking key compliance policies and procedures to their corresponding business units or departments);
  • Lists of material changes made to the various policies and procedures during the review period, including a summary of the rationale for each such change;
  • Discussions of any material compliance matters that arose during the review period, including summaries of corrective actions taken;
  • Discussions of significant industry-wide compliance matters that arose during the review period, even if the firm itself was not directly affected;
  • Discussions of compliance implications presented by any significant changes in the firm's business during the review period, such as new or discontinued business lines or products, key personnel changes (hires, promotions, terminations or resignations), new clients, etc.;
  • An outline of the firm's employee training, outreach and education efforts in respect of its compliance program;
  • Status reports relating to regulatory, internal audit and similar reviews of the firm conducted during the review period;
  • Status reports relating to the firm's whistleblower procedures, if such procedures are maintained;
  • An assessment of the adequacy of the resources available to the CCO (or the relevant service provider, as the case may be) in the day-to-day implementation of the policies and procedures under review;
  • A CCO self-assessment, including consideration of the CCO's access to senior management, ability to exercise authority within the organization and ongoing personal education and "skills maintenance" activities (such as attendance at conferences, organizational memberships, etc.); and
  • Recommendations for the future relating both to specific aspects of the firm's compliance policies and procedures and to the sufficiency of compliance resources within the firm generally.

E. Responding to Problematic Conduct Identified by the Annual Review

One of the most sensitive aspects of the annual review is the reality that it may turn up genuine issues. Problematic conduct or activities, such as possible violations of law or of the firm's compliance program, identified during a review present risks to the firm if not handled appropriately. These issues should be discussed with internal or external legal counsel, but the following outline offers a general approach to the firm's response.

1. Problematic conduct should be documented in the annual review, followed promptly by appropriate remedial action.

2. Sanctions should be applied as required by the compliance program and appropriately documented. Deviations from any required sanctions, reporting or other escalation process should be considered carefully as they may raise flags for SEC inspection staff. Exceptions benefiting senior personnel, such as family members or "star" portfolio managers, will be subject to special staff scrutiny.

3. For anything other than isolated and non-material problematic conduct, the compliance program should be reviewed as to whether revisions are necessary to prevent recurrence. Any revisions implemented will require training as to the new requirements for relevant personnel. If a problem appears to be isolated, additional training may be warranted even if amendments to the procedures are not necessary.

4. If the firm is subject to Sarbanes-Oxley financial reporting standards, as are SEC registered investment companies, the person designated by the firm as responsible for those matters (frequently the chief financial officer) should be advised of any problematic conduct relating to those standards.

5. After the annual review is completed, targeted follow-up testing should be conducted to ensure the conduct has ceased.

F. Conclusion

Just as each asset management firm and its compliance department must tailor its compliance program to the particular attributes of the firm, the process surrounding a CCO's annual review can vary widely. The key is to approach the review with care and planning, so that the end result is valuable to the firm as a whole and will demonstrate to both internal and outside audiences the conscientiousness with which the firm approaches compliance risks and challenges.

Footnotes

1 Investment Advisers Act of 1940 Rule 206(4)-7 (2003) (requiring Securities and Exchange Commission-registered investment advisers to adopt and maintain a compliance program); Investment Company Act of 1940 Rule 38a-1 (2003) (implementing a parallel requirement for SEC-registered investment companies); see Final Rule: Compliance Programs of Investment Companies and Investment Advisers, SEC Release Nos. IA-2204, IC-26299 (Dec. 17, 2003), available at http://www.sec.gov/rules/final/ia-2204.htm .

2 Reviews subsequent to the first review must be completed at least annually. The SEC compliance rule adopting release is clear, however, that an annual review cycle is a minimum standard. Significant compliance events, significant changes in a firm's business or similar events warrant review on a more frequent basis.

3 Norm Champ, Deputy Dir., Sec. & Exch. Comm'n Office of Compliance Inspections & Examinations, Address at the New York City Bar: What SEC Registration Means for Hedge Fund Advisers (May 11, 2012), available at http://www.sec.gov/news/speech/2012/spch051112nc.htm .

4 See, e.g., In re Vector Wealth Mgmt., LLC, SEC Release No. IA-3587 (Apr. 18, 2013), available at http://www.sec.gov/litigation/admin/2013/ia-3587.pdf .

5 Enforcement actions and public comments by a regulator's senior staff can provide useful "color commentary" relative to more formal – and less frequent – rule proposals by regulators. See, e.g., SEC. & EXCH. COMM'N OFFICE OF COMPLIANCE INSPECTIONS & EXAMINATIONS, EXAMINATION PRIORITIES FOR 2013 (Feb. 21, 2013), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2013.pdf ; Bruce Karpati, Chief, Sec. & Exch. Comm'n Enforcement Div. Asset Mgmt. Unit, Comments at a Private Equity International Conference: Private Equity Enforcement Concerns (Jan. 23, 2013), available at http://www.sec.gov/news/speech/2013/spch012313bk.htm ; Champ, supra note 3.

6 Questions Advisers Should Ask While Establishing or Reviewing Their Compliance Programs, SEC Staff Report (May 2006), available at http://www.sec.gov/info/cco/adviser_compliance_questions.htm ; see also National Exam Program Risk Alert: Significant Deficiencies Involving Adviser Custody and Safety of Client Assets, SEC Staff Report (March 4, 2013), available at http://www.sec.gov/news/press/2013/2013-33.htm (publishing guidance for CCOs specific to particular issues, including a recent "risk alert" that outlined custody rule issues identified by SEC investment adviser inspection teams).

7 Investment Company Act Rule 38a-1 (defining "material compliance matters" as those compliance matters about which the investment company's board reasonably needs to know in order to oversee the company's compliance program).

8 See Final Rule, supra note 1, at FN 94 (stating with respect to Rule 38a-1: "All reports required by our rules are meant to be made available to the Commission and the Commission staff and, thus, they are not subject to the attorney-client privilege, the work-product doctrine, or other similar protections").

Previously published in Bloomberg BNA's Securities Regulation & Law Report, June 10, 2013.
