Top 10 Tips for Updating your Compliance Program for 2021

As 2020 finally comes to a close, compliance officers face the unenviable job of performing their compliance program’s annual review under Advisers Act Rule 206(4)-7. An essential element of that review is updating the firm’s compliance policies and procedures to reflect relevant changes to regulations and regulatory guidance. Here’s a cheat sheet for Chief Compliance Officers summarizing the SEC’s big-ticket items from 2020.

Despite the massive disruption caused by the COVID-19 pandemic, the SEC didn’t skip a beat, moving ahead with examinations, enforcement actions, and regulatory initiatives in 2020. The SEC’s Division of Examinations (the Division, formerly known as the Office of Compliance Inspections and Examinations, or OCIE) shifted to remote examinations and focused on threats posed by COVID-19, such as fraud, insider trading, and inadequate disclosure. Although some deadlines and requirements were extended because of state-imposed lockdowns, the SEC gave investment advisers little slack, expecting prompt compliance with Form CRS implementation and most regulatory deadlines. The SEC also expanded its routine examinations to ask about investment advisers’ ability to serve clients and effectively supervise their staff during state-imposed lockdowns. Public messaging from the Staff included an intense focus on how financial firms and the public can guard against increasing threats from cyber criminals taking advantage of the chaos caused by the pandemic.

There were only a few significant rule changes in 2020. The SEC’s adoption of a new advertising and cash solicitation rule made the biggest regulatory splash with sweeping changes to the current hodge-podge of SEC no-action letters and other guidance. Advisers will have at least 18 months to review the 434-page release and prepare.

Other rule changes were incremental. For example, the SEC gave a small present to private equity and hedge fund managers by expanding the pool of individuals that can invest in private placements and Rule 144A offerings. The SEC adopted changes to the definition of “accredited investor” in Rule 215 and Rule 501(a) of Regulation D under the Securities Act of 1933, expanding it to include sophisticated investors with knowledge and expertise to evaluate unregistered securities investments, even if they do not meet the net worth or income tests. The new definition includes individuals with specific professional designations or other credentials, knowledgeable employees of private funds, family offices, LLCs, and certain other entities with at least $5 million in assets. Spousal equivalents may also pool their finances to qualify as accredited investors. The definition of “qualified institutional buyer” (“QIB”) in Rule 144A was amended to conform to the updated accredited investor definition, although the $100 million threshold still applies. These changes became effective on December 8, 2020.

The Commodity Futures Trading Commission (CFTC) was a bit stingier, adopting a rule change that added hurdles for mutual and private fund managers claiming the de minimis exemption from registration as a commodity pool operator (“CPO”). CFTC Rule 4.13(a)(3) was amended, effective September 8, 2020, to require that a person filing a notice of exemption must represent that neither the person making the filing nor any of its principals are subject to any statutory disqualification included in Section 8a(2) of the Commodity Exchange Act. Many mutual fund and private fund managers with limited exposure to commodity interests rely on this exemption to avoid registration as a CPO. Firms should consider performing background checks on their principals before their next filing of a Rule 4.13 exemption notice (whether initial or annual). This amendment already applies to new filers (as of September 8, 2020). Existing exempt CPOs are expected to comply with the new requirement when they make their annual affirmations due March 1, 2021.

The Division of Examinations cranked out ten Risk Alerts this year (three more than last year). Four alerts were forward-looking, providing advisers with a roadmap for upcoming examination requests and addressing Regulation Best Interest (for dual registrants), Form CRS, the transition from using LIBOR, and COVID-19-related issues. Two alerts warned of specific cybersecurity threats, including ransomware and credential stuffing. The remaining alerts detailed the Division’s findings in four different areas: private funds, supervision and compliance for RIAs with multiple branches, investment adviser compliance programs, and Large Trader Obligations.

Compliance officers should review all of the Division’s Risk Alerts, but I would put OCIE Observations: Investment Adviser Compliance Programs at the top of the list. For retail advisers, Observations from OCIE’s Examinations of Investment Advisers: Supervision, Compliance and Multiple Branches should be next, followed by Examinations that Focus on Compliance with Form CRS. Similarly, private fund advisers should make reviewing Observations from Examinations of Investment Advisers Managing Private Funds a high priority. Cybersecurity continues to be a hot button for the SEC, so all advisers should work on updating security measures and training their staff on how to identify and deal with cyber threats. For guidance, check out the Division’s ten-page report on Cybersecurity and Resiliency Observations, which includes industry best practices for managing cybersecurity risks.

The Division of Enforcement continued to pursue advisers and broker-dealers for undisclosed conflicts of interest, moving on from the 12b-1 fees to revenue sharing payments from money market sweep products (see SCF Investment Advisors, Inc.). In many cases, the Enforcement Division stuck to its tried and true formulas of going after advisers for misleading investors (see Morgan Stanley Smith Barney LLC), inadequate disclosures (see WBI Investments and Millington Securities, Inc.), and compliance program failures (see JonesTrading Institutional Services LLC). Fund managers were subject to the usual allegations of unfair expense allocations (see Rialto Capital Management, LLC), misleading valuations (see Semper Capital Management, L.P.), and the inappropriate use of the word “may” in Form ADV disclosures (see Monomoy Capital Management, L.P.).

On the state level, New Jersey, West Virginia, and Florida joined at least 30 other states in enacting financial exploitation statutes to protect seniors and dependent adults from financial fraud. Some states mandate that broker-dealers and investment advisers promptly report suspected financial exploitation of a vulnerable adult or senior citizen to the state securities division and the local adult protective services agency. Bressler Amery & Ross put together this 50-state survey so advisers can check out the requirements of relevant states in one convenient location.

Based on this regulatory background, here are my recommendations for updating your compliance program in 2021:

All Advisers

  1. Document the changes to policies, procedures and business practices implemented to address the work-from-home environment.

Review the Risk Alert on COVID-19 risks, take stock of lessons learned since March, and update your compliance program to reflect:

  • Updates to the business continuity plan addressing issues noted, anticipated (or narrowly avoided) as a result of COVID-19;

  • Changes to procedures for supervising firm personnel working from alternative or remote locations during the pandemic;

  • Increased training, procedures, and technology to combat the increased risk of cyberattacks and events; and

  • Additional actions taken to enhance firm data security and protect sensitive information as a consequence of personnel working remotely.

Since working from home may become permanent for some, firms should consider whether to register investment adviser representatives (IARs) in states where they relocated because of the COVID-19 pandemic. As discussed in our recent blog post, many states waived registration requirements for financial professionals who were displaced due to “stay at home” orders. Some states have ended these waivers; however, some financial professionals continue working from home. Advisers should take inventory of office and IAR locations now, consider if state waivers have expired, and update filings as needed. Consider whether employees and IARs will be working from home on a more permanent basis (as opposed to a temporary situation related to COVID-19) in states different from their current registrations. In that case, advisers should communicate any new exam or other hurdles to IARs so they can complete new state registrations. Advisers should also determine whether their clients have moved to new states and whether additional notice filings are required.

  2. Review the compliance manual to address issues raised in OCIE Observations: Investment Adviser Compliance Programs.

The vast majority of administrative proceedings against investment advisers for the past 16 years have included a charge of failing to comply with Rule 206(4)-7, a/k/a the Compliance Program Rule. One of the biggest mistakes? Advisers fail to follow their own policies and procedures, such as training employees, correcting trade errors per firm procedure, reviewing advertising materials to ensure accuracy, evaluating best execution, and analyzing conflicts of interest and developing accompanying disclosures. Advisers should read this risk alert and compare the firm’s policies and procedures against the list included. Your firm’s compliance manual should address the areas mentioned (if applicable) and accurately portray your current practices. This risk alert is a roadmap for compliance with Rule 206(4)-7; advisers need to follow it. For additional pointers, check out our blog post, Write the Best Compliance Manual Ever!

  3. Continue to be vigilant about cybersecurity threats with ongoing employee training, evaluating emerging risks, and adapting to changes.

With cyberattacks skyrocketing during the COVID-19 pandemic, cybersecurity remains a top priority for the Division of Examinations. Advisers should review OCIE’s Cybersecurity and Resiliency Observations and compare them to their current policies and procedures. The table of contents provides a summary of the topics that an investment adviser’s cybersecurity program should address:

  • Governance and risk management

  • Access rights and controls

  • Data loss prevention

  • Mobile security

  • Incident response and resiliency

  • Vendor management

  • Training and awareness

  4. Start reviewing the SEC’s new advertising and cash solicitation rule and revise current policies and procedures to address the changes to prepare for implementation in mid-2022.

In late December 2020, the SEC adopted amendments to Rule 206(4)-1 (the Advertising Rule) and Rule 206(4)-3 (the Cash Solicitation Rule) under the Advisers Act, creating the new Marketing Rule. Briefly, the Marketing Rule:

  • Amends the definition of advertising to include communications that offer advisory services to existing or prospective clients or investors in a private fund advised by the adviser and excludes one-on-one communications, oral communications, and information in a statutory or regulatory notice, filing, or other required communication;

  • Prohibits certain practices, such as making untrue or misleading statements;

  • Requires that advisers present investment advice and performance data in a fair and balanced manner;

  • Allows the use of testimonials and endorsements in advertisements provided that certain conditions are met;

  • Permits advisers to use third-party ratings in advertisements provided that certain conditions are met; and

  • Requires specific disclosures to be included in any advertisement including investment performance.

Retail Advisers

  5. a. Assess your firm’s compliance with Form CRS obligations.

In light of the SEC’s focus on Form CRS, advisers should review their compliance with the new disclosure and delivery requirements. Check out our own Doug MacKinnon’s article in NSCP Currents, Form CRS and Reg BI are Here: Now What?, for some suggestions. Advisers should consider taking the following actions:

  • Test a sample of accounts to validate whether Form CRS is being delivered as part of the new account opening process;

  • Establish a process for training new employees on Form CRS delivery obligations;

  • Ask financial professionals how the new Form CRS delivery process is working and where improvements can be made;

  • Review client feedback on Form CRS;

  • Check in with firm supervisors to find out how oversight of the new delivery process is going and whether they have any compliance concerns; and

  • Review policies and procedures surrounding Form CRS to verify whether they match up with the firm’s practices.

  5. b. Advisers should assess their policies and procedures for compliance with their fiduciary obligations.

This is a leftover from last year, but worth repeating. The SEC has been focusing in recent examinations on whether advisers are meeting their obligations under the “Commission Interpretation Regarding Standard of Conduct for Investment Advisers” (the “Interpretation”). The SEC wants to know what information firms gather when opening new client accounts and how that information is used to develop investment recommendations. Examiners have also been asking about due diligence performed on investment products recommended and training materials provided to IARs with instruction on how to select investments for clients to meet their investment objectives and risk tolerances. Our blog post What Your Next Deficiency Letter is Going to Say: SEC Tells Advisers What Fiduciary Duty Means provides more details on how to meet the fiduciary standard, and here are a few highlights to consider:

  • Document due diligence performed on investment products being offered to clients, including the services of sub-advisers. Has a comparison been made to determine whether the products and services being offered meet the client’s investment goals, have a decent performance record, and whether the fees being charged are reasonable compared to the market? Has the firm considered the risks and conflicts associated with the products and services, and does it have procedures in place to monitor risks and police any such associated conflicts of interest? The answers to these questions should be documented.

  • Consider assembling a Product or Investment Committee to perform due diligence on investment products and engage representatives from portfolio managers, finance, operations, sales and client service, and compliance to participate.

  • Evaluate the types of products and services the firm offers to determine whether they are appropriate for specific types of clients. Consider developing guidelines for financial advisors, including a recommended list. Recommendations of products should be based on pre-determined guidelines, not on incentives, to mitigate conflicts of interest.

  • Train and supervise financial advisors to make sure that the recommendations are appropriate.

  6. For advisers with multiple offices, test and review branch office activities to ensure compliance controls are working.

The Risk Alert on Observations from OCIE’s Examinations of Investment Advisers: Supervision, Compliance and Multiple Branch Offices not only discusses common deficiencies but also identifies best practices from several years of examinations. Investment advisers should seriously consider adopting at least some of the key recommendations, including establishing:

  • Centralized, uniform processes for fee billing

  • Centralized oversight for monitoring and approving advertising

  • Uniform portfolio management policies and procedures

  • Reviews of portfolio management decisions and suitability of investment recommendations for each branch

  • Centralized trading desk

  • Compliance training programs for branch offices based on deficiencies found during audits

Firms may be reluctant to impose uniform policies and procedures, especially if the investment adviser representatives (IARs) running branch offices successfully bring in assets. But allowing each branch office to operate as its own fiefdom makes supervision and quality control incredibly complicated. Adopting standard processes and using centralized resources can simplify managing client accounts, freeing up time for IARs to develop client relationships. And if you are still not persuaded, consider how branch office managers will explain their investment management processes to SEC examination staff and whether they will have the documentation evidencing that process.

  7. Confirm whether your policies and procedures to protect senior and other vulnerable investors address state law requirements.

As noted last year and the year before, more than 30 states have adopted laws addressing the financial exploitation of seniors and other vulnerable clients. Some states, like New Jersey, mandate that investment advisers report suspected or actual financial exploitation of seniors and vulnerable clients to state adult protective services agencies. Make sure your procedures include training employees and representatives on how to identify and report such abuse.

Private and Hedge Fund Advisers

  8. Consider updating subscription documents to reflect amendments to the definition of “accredited investor” in Rule 215 and Rule 501(a) of Regulation D under the Securities Act.

Sponsors of private funds that qualify for the Section 3(c)(1) exemption under the Investment Company Act can take advantage of the expanded definition of “accredited investor.” The updated Rule allows investors with knowledge and expertise to invest in private funds, even if they do not meet the Rule’s existing income and net worth requirements. The amended definition includes individuals with specific professional designations or other credentials, knowledgeable employees of private funds, family offices, LLCs, and certain other entities with at least $5 million in assets. Spousal equivalents may also pool their finances to qualify as accredited investors.

  9. Mutual and private fund advisers relying on the de minimis exemption from registration as a commodity pool operator (“CPO”) should perform background checks to determine whether current principals have any of the black marks on their records listed in Section 8a(2) of the Commodity Exchange Act.

The CFTC added a new hurdle for firms taking advantage of the Rule 4.13(a)(3) CPO exemption. Firms claiming the exemption now have to represent that neither the person making the filing nor any of its principals are subject to any statutory disqualification included in Section 8a(2) of the Commodity Exchange Act, as amended (the “CEA”) (each a “Covered Statutory Disqualification”). The list of disqualifications includes: (i) suspension of a prior registration, (ii) rejection of an attempted registration, (iii) an injunction against acting as a CPO, (iv) a felony conviction involving the sale of commodities, and (v) being found guilty of a violation of the securities laws involving theft, extortion, fraud, or misappropriation of funds.

  10. Private Fund managers should carefully review the Risk Alert on Observations from Examinations of Investment Advisers Managing Private Funds and confirm that their policies, procedures, and practices address the deficiencies noted.

The Division of Examinations continues to dig deep into private funds and aggressively pursue conflicts of interest, the allocation of fees and expenses, and policies and procedures relating to material non-public information (“MNPI”). Advisers should read this alert carefully to determine whether their current practices sufficiently address the deficiencies cited. Private fund managers should focus on:

  • the disclosure of conflicts of interest (e.g., investment allocations that favor proprietary or higher-fee paying accounts, preferential liquidity rights offered through side letters, and selectively offering co-investment opportunities to preferred investors);

  • the allocation of fees and expenses among funds, co-investment vehicles, and the adviser;

  • the disclosure of payments made to operating partners;

  • the valuation of fund holdings; and

  • the process for calculating and applying fee offsets and accelerating fees upon the sale of portfolio companies.

The examination staff also noted deficiencies in adequately identifying and managing risks of the misuse of MNPI by private fund managers, including failing to monitor discussions with corporate insiders and inadequate oversight of consultants arranged by expert network firms.

Advisor Armor