In a Dilbert comic strip, the engineer is asked to develop a procedure for creating policies. Dilbert asks his boss if the company has a policy on how to develop procedures. His boss sends Dilbert to look for a white paper dealing with a policy for developing procedures to create policies. After a day of what appears to be a meaningless exercise, Dilbert later tries to convince a woman that creating policies and procedures is sexy.
Unfortunately, there is nothing sexy about creating policies and procedures. Nevertheless, policies and procedures are an effective tool for ensuring compliance. An RIA’s policies and procedures—often referred to as the firm’s compliance manual—can protect investors and assure securities regulators that the investment advisor is working diligently to comply with all of the rules and regulations necessary for sound business.
On November 28, 2011, the SEC charged three RIAs with failing to implement policies and procedures designed to prevent securities law violations. These cases arose from an SEC initiative to ensure that viable compliance programs are in place at RIAs in an effort to prevent investor harm. According to Robert Khuzami, director of the SEC’s Division of Enforcement, “Not all compliance failures result in fraud, but many frauds take root in compliance deficiencies.” In that same release, Khuzami went on to say, “That simple truth underlies our renewed focus on identifying and charging firms and individuals that fail their legal obligations to maintain adequate compliance programs.”
Rule 206(4)-7: The Compliance Program Rule
An RIA’s obligation to maintain an adequate compliance program stems from Rule 206(4)-7 under the Investment Advisers Act. Rule 206(4)-7—better known as the Compliance Program Rule—requires advisors registered with the SEC to adopt and implement written compliance policies and procedures. These are designed to protect the interests of investors and prevent violations of federal securities laws. The rule requires each RIA to designate a Chief Compliance Officer (CCO) to develop and enforce its compliance policies and procedures.
An RIA’s rules and practices should mandate the use of compliance tests to detect any unusual patterns indicating noncompliant behavior. These tests, commonly referred to as “forensic tests,” analyze information over time in order to identify out-of-the-ordinary results. For example, a forensic test might analyze the quality of brokerage executions. It might also uncover high portfolio turnover, indicating overtrading of securities. It can detect favoritism and misallocation in the distribution of investment opportunities among similarly managed accounts, which would signify a breach of fiduciary duty.
Federally registered RIAs must conduct an annual audit of their policies and procedures to ensure that they are thorough and effective. Although federal law does not require it, RIAs should also conduct interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments. Annual audits of policies and procedures are a best practice for state-registered investment advisors as well, even though most of them are not obligated to perform one.
The failure to adopt compliance policies and procedures is a violation of Rule 206(4)-7. An RIA may not defend itself by saying that there is no harm, no foul. Even if no investors were harmed by the failure to implement policies and procedures, an RIA is in serious trouble. In the release adopting the Compliance Program Rule, the SEC stated that the failure of an advisor to have adequate compliance policies and procedures in place constitutes a violation of the Commission’s rules, independent of any other securities law violation. Therefore, the SEC has the authority to address the failure of an RIA to implement adequate compliance controls before those inadequacies have the opportunity to harm clients or investors.
As a prelude to an examination, the SEC may ask for information about the compliance risks that the RIA has identified. Each RIA should compile an inventory of compliance risks, as well as the written policies and procedures the firm has implemented to address them. Each compliance risk should have a corresponding control. For example, if many of an RIA’s clients are retired or approaching retirement, the firm should implement policies and procedures to make certain those accounts receive enhanced supervision and heightened scrutiny to ensure that all investments recommended are suitable. The firm can, for instance, identify which clients are age sixty or older and require additional supervision of those accounts. An RIA should also implement quality controls to measure how effective its policies and procedures are.
As is the case with most SEC rules, a firm must keep books and records proving to examiners that it has conducted its annual audit of the firm’s policies and procedures. Rule 204-2, the Books and Records Rule, requires an RIA to maintain copies of all compliance policies and procedures currently in effect or in effect at any time during the last five years. These policies and procedures may be maintained in paper or electronic form and must be kept in an easily accessible place. In addition, Rule 204-2 requires an RIA to keep all records—either electronically or in hard copy—documenting its annual review and the list of compliance risks it compiled.
Intent of Policies and Procedures
Policies and procedures are an RIA’s bible. There are basically three commandments that apply to an RIA’s compliance manual, and RIAs should adopt compliance policies and procedures designed to achieve the following:
- Prevent violations from occurring
- Detect violations that have already occurred
- Correct such violations
Rule 206(4)-7 gives RIAs flexibility in designing compliance rules and practices that meet their needs. A firm’s policies and procedures should address the following issues if they are relevant:
- Portfolio management processes
- Trading practices
- Proprietary trading of the RIA and personal trading activities of supervised persons
- Accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements
- Safeguarding of client assets from conversion or inappropriate use by advisory personnel
- Creation of required records and their maintenance in a manner that protects them from unauthorized alteration or use and unwarranted destruction
- Marketing advisory services, including the use of solicitors
- Processes to value client holdings and assess fees based on those valuations
- Safeguards for protecting client privacy
- Business continuity plans
Business continuity plans include disaster recovery planning. The plan can be incorporated by reference in the RIA’s policies and procedures. A good time for RIAs to test their disaster plans is in conjunction with their annual audits of their policies and procedures pursuant to Rule 206(4)-7. It is also a good idea for state-registered RIAs to review their policies and procedures on a regular basis and test their disaster plans. We will thoroughly review disaster recovery plans in Disaster Recovery Plans and Succession Planning.
Superfluous Procedures Are Not the Answer
There is no one-size-fits-all compliance manual, and in fact, boilerplate policies and procedures often do more harm than good. Examiners may look at the RIA’s compliance manual and find that procedures it contains were never followed. A streamlined manual with meaningful policies followed to the letter is preferable to one filled with procedures that do not apply to the RIA’s business model. Firms with less complicated business models will usually require simpler policies and procedures.
One CCO and his pension consulting firm utilized a pre-packaged policies and procedures manual created for use by RIAs offering discretionary money management services to non-institutional clients. The problem was that the RIA’s client base consisted primarily of institutions, as well as public and private pension funds. Therefore, the pre-packaged policies and procedures were mostly irrelevant to this particular RIA’s business model. With good reason, the SEC concluded that the firm’s policies and procedures did not adequately address the RIA’s unique risk factors and conflicts of interest.
In the December 2011 issue of Investment Advisor, attorney Thomas D. Giachetti stated that far too many compliance manuals are “micro” in scope and content. Giachetti warned that many manuals spell out overly ambitious compliance processes that far exceed what is required. At the same time, these policies and procedures manuals often overlook important issues that securities regulators are concerned about in the post-Madoff era. According to Giachetti, these manuals do not address issues such as:
- policies to maintain the confidentiality of client information as it relates to those individuals who have access to an RIA’s offices and data, including staff and outside vendors;
- monitoring of employees’ outside business activities;
- due diligence of unaffiliated separate account managers and private fund sponsors;
- supervision of branch offices and personnel;
- initial and ongoing determination that investments are suitable for clients.
Giachetti added that an out-of-date or obsolete compliance manual demonstrates to securities regulators a lack of a compliance culture.
The Big Picture
When examiners discover a problem in an RIA’s operation, it is usually found within the firm’s policies and procedures. In almost every deficiency letter issued by securities regulators, the examination team points to inadequate policies and procedures. In many cases, the deficiency letter will urge the RIA to implement stronger policies and procedures to correct the problems, thereby helping the firm to avoid repeating the same mistakes that got it into trouble. As the Commission stated in a press release dated November 28, 2011, RIAs “that essentially ignore SEC examination warnings risk being the subject of SEC enforcement actions.”
There will be some employees who believe that reviewing and updating policies and procedures is a waste of their valuable time. In reality, improving the firm’s policies and procedures benefits the RIA and its clients by reminding everyone of their fiduciary obligations. Policies and procedures serve as a reminder of the rules and regulations that members of the firm are expected to follow. They help to keep investment advisor representatives (IARs) and other associated persons from taking shortcuts that might unintentionally harm investors.
Whether SEC- or state-registered, an RIA must revise its policies and procedures to address significant compliance problems that occur during the year, changes in business arrangements, and regulatory developments. For example, as we will see in Pay-to-Play Rule, RIAs affected by the pay-to-play rule adopted in June 2010 should have revised their policies and procedures to ensure compliance. Similarly, when the SEC adopted the final version of its whistleblower rules on May 25, 2011, RIAs should have determined whether changes to their policies and procedures were necessary. In addition, any change in an RIA’s business model, strategies, or service providers should prompt new or revised policies and procedures.
As examiners inspect an RIA’s books and records, they will be looking to see whether its policies and procedures have been revised. Policies and procedures should evolve over time in order to prevent violations and detect those that have already occurred. Additionally, an RIA’s compliance manual should put a process in place to correct violations that have already occurred. If examiners find that an advisory firm’s compliance manual is stagnant, they will suspect that the RIA’s annual review is just a dog-and-pony show that is not producing meaningful improvements.