Jane A. Kanter is a partner, and Michael L. Sherman is an associate in the Financial Services Group of Dechert LLP; Frank Watson is President of Fairview Investment Services.
feel that they are all stakeholders in the firm's compliance culture and strive to create a positive tone at the top in terms of the firm's adherence to its compliance program. According to Ms. Lori Richards, a positive culture of compliance exists when compliance is (1) respected within the organization and supported at the top, (2) well-resourced and manned by an expert staff, (3) skeptical, creatively thinking about and attempting to stave off compliance breaches, and (4) constantly aware of conflicts of interest.

Risk Assessment

The SEC and its staff favor a risk-based approach to compliance. CCOs should consider the extent to which the RIA may be subject to specific compliance risks in areas repeatedly highlighted by the SEC and its staff, including: (1) personal or proprietary trading; (2) directed brokerage, best execution and soft dollars; (3) gifts; (4) conflicts involving affiliated broker-dealers; (5) cross-trading; (6) bunching orders; (7) service on boards; (8) custody; (9) side-by-side management; (10) investment in scarce, illiquid, restricted or difficult-to-value securities; (11) performance fees; (12) private funds, including proprietary and personal interests in the fund and side letters; (13) outside business activities; (14) marketing materials; (15) solicitation arrangements; and (16) disclosure documents.

The CCO's risk assessment process should include: (1) identification of potential conflicts of interest and risks, (2) prioritization of compliance issues, conflicts of interest and risks arising from the RIA's operations, and (3) taking the result of that analysis and creating an inventory or matrix to detail identified risks. Risk assessment is valuable and necessary both when implementing or updating a compliance program and during the annual review.

The assessment should include a review of processes and controls related to each of the identified risks in order to identify any gaps or weaknesses in the compliance program and an evaluation of whether existing policies and procedures address, and ultimately eliminate or mitigate, those risks. If not, the CCO should fill any gaps or weaknesses in the compliance program with new or revised policies and procedures.

The OCIE Staff has compiled a list of questions that CCOs might wish to ask when conducting a risk assessment in the context of creating and/or reviewing compliance programs. The complete list is available at http://www.sec.gov/info/cco/adviser_compliance_questions.htm and includes self-assessment questions about, among other things, an RIA's advisory services, brokerage arrangements and trade executions, allocation of investment opportunities, code of ethics and personal trading, valuation of client assets, marketing and performance advertising and recordkeeping.

Although the risk assessment process may begin with this or other canned checklists of potential risks common to the industry, the SEC staff has cautioned that each RIA should also consider whether it has unique risk exposures due to [its] personnel, business model, structure, or affiliations. Unique risks are unlikely to appear on a standard risk checklist and may not be readily apparent to compliance personnel. Thus, personnel outside the compliance department should be involved. Mr. Charles Fishkin, former head of the SEC's Office of Risk Assessment, suggests that risk assessment really needs to be owned by everyone in an organization and CCOs should encourage all RIA personnel to participate in risk assessment as part of their daily routine. By doing so, an RIA may preempt many problems that occur when employees are not cognizant of the firm's day-to-day compliance risks.

Testing

An effective compliance program includes testing to verify that the program meets the goal, set forth in the Rule, of "prevent[ing] violations from occurring, detect[ing] violations that have occurred, and correct[ing] promptly any violations that have occurred." Testing may be most effective when performed on a rolling basis with higher risk areas analyzed more frequently.
Quality control testing (i.e., transaction by transaction testing, coupled with exception reporting to management responsible for an activity), is one important means for assuring that the compliance program is operating effectively.

RIAs have also been urged to use forensic testing (i.e., testing that is focused on evaluating whether the outcomes of operational and investment activities over time are consistent with expectations) in order to ensure that the compliance program is detecting potential compliance issues.

The Adopting Release indicates that, to detect violations, the compliance program should include tests that identify unusual patterns in certain activities. For example, a compliance program may include an analysis of brokerage executions for purposes of identifying any irregular activity in an RIA's compliance with the duty of best execution.

To the extent such tests expose compliance weaknesses that could have been, but were not, detected by existing procedures, the CCO should consider how to implement the existing procedures in a more effective manner. Conversely, if the test reveals a potentially harmful pattern that was not previously addressed, the CCO should consider what additional policies or procedures are necessary to ensure an adequate compliance program going forward. The testing or review process that revealed the issue in question may also assist the CCO in correcting and improving the RIA's compliance program. For this reason, tests (and any resulting recommendations for improved compliance) should be documented and reviewed with senior management.

The Annual Review

The annual review may be the CCO's most important tool for administering the RIA's compliance program. The Rule requires each CCO to "[r]eview, no less frequently than annually, the adequacy of the policies and procedures established pursuant to the [Compliance Rules] and the effectiveness of their implementation."

Although discussed separately, a CCO should (1) seek to test their firm's compliance program in a manner that will identify weaknesses in both the adequacy and implementation of the program and (2) use those test results to improve both areas, as discussed above.

The scope of the annual review will depend on the nature of the RIA's business, the particular compliance risks created thereby and the specifics of the compliance program adopted to address those risks. The SEC indicated that any such review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures. Thus, while a CCO's or RIA's first annual review will typically be grounded in the established compliance program, subsequent annual reviews of the RIA by the CCO should focus on: (1) the existing compliance program and the results and findings of all prior reviews; (2) new and/or different risk areas for the RIA and the adequacy of all new policies and procedures that have been put in place to address those risks; and (3) any policies and procedures that have not performed as originally envisioned.

As part of the annual review process, the CCO may wish to interview relevant employees to assess the competency of the personnel involved in the RIA's compliance program, the employees' understanding of their compliance duties and responsibilities, and how supervisors oversee the activities of their employees. Firsthand observation of how the compliance policies and procedures are implemented in an operating business environment is generally very useful. Following the annual review, the CCO should discuss the results with senior management and focus on any steps that the RIA should take to proactively address any compliance shortcomings identified as part of that review.

CCOs should document all changes made to the compliance program, whether as a result of the annual review process or otherwise.

Reviewing for Both Implementation and Adequacy

Many CCOs begin their annual review with implementation and consider and review any reports or documents that are required under the compliance program to verify that such documentation has been timely produced and reviewed. Some compliance programs, especially those of smaller RIAs, will require the CCO to be directly responsible for carrying out (or at least signing off on) many, if not all, of the relevant policies and procedures. In any event, the CCO or other relevant persons should regularly document performance of, or actions taken in accordance with, the relevant policies and procedures. Such documentation may include: (1) exception reports with documentation of follow-up; (2) surveillance reports; (3) completed compliance checklists; (4) reconciliations; (5) reports to management; (6) approvals of supervisory overrides; and (7) warning or sanction notices to the firm's personnel. If the documentation is sufficiently complete and thorough, reviewing the implementation of the compliance policies and procedures may be as simple as reviewing the documentation.

The next step is typically adequacy. The SEC staff has suggested that CCOs should use forensic testing for this purpose. (Gene Gohlke has suggested that RIAs consider implementing a forensic test of the month program.) In this regard, any questionable or irregular transactions would require follow up and review to detect and prevent future securities laws violations and mitigate or remediate any that have already occurred.

At a minimum, if any compliance issues, weaknesses or breaches are discovered (through forensic testing or otherwise), the CCO should prepare a compliance memorandum that addresses: (1) the nature of the issue; (2) how the issue was discovered; (3) the date or period during which the issue arose; (4) the personnel involved; (5) the impact, if any, on the firm's clients; (6) how the issue was resolved; (7) whether the issue was reported to management; and
(8) what disciplinary action, if any, was taken. Supporting documentation should be maintained with the compliance memorandum and may serve as a basis to determine (1) whether the issue was adequately detected and corrected through existing procedures and (2) what changes, if any, are needed to prevent similar issues from arising in the future.

CCOs must also be aware of legal and business developments to ensure that the compliance program remains adequate in light of any new laws, rules, regulations, requirements, obligations or interpretations that arise through legislative, judicial or administrative actions. Similarly, new lines of business may expose an RIA to new or different compliance risks or obligations.

If possible, the CCO should be in a position to anticipate emerging regulatory issues. Some CCOs prepare for new regulatory developments by coordinating with others within the firm or the industry at large to forecast and monitor regulatory trends. CCOs should have a system to facilitate timely compliance with new obligations and to stay out in front of issues.

In order to ensure that compliance programs properly address new lines of business, the CCO or other representatives from the compliance department should be involved with new business prior to implementation. CCOs should document relevant business changes, and resulting changes to the compliance program. An effective compliance program will respond to business changes with updated disclosures, revised policies and procedures and necessary training prior to implementing the business change.
Examinations

While CCOs are not required to report compliance breaches to the SEC itself, when the SEC staff examines an RIA, it will ask to be provided with information relating to the compliance program and, particularly, documentation of the annual review, including: (1) the nature of any compliance issues regarding the RIA and how they were first detected; (2) how any compliance issues and/or errors were brought to management's attention; (3) the monetary impact of any compliance errors on the firm's clients; and (4) how any compliance errors were resolved.

Though the Rule does not explicitly require that the annual review be in writing, CCOs should document in writing all compliance-related issues in the annual review (or more frequently, if warranted). Contemporaneous documentation indicating how the RIA addressed compliance issues will be focused on by the SEC examination staff and can help to demonstrate to the SEC staff that the RIA is in front of compliance issues (i.e., that compliance controls are working, as expected, to identify issues that arise) and that any identified issues are dealt with appropriately. This may lead to a decreased risk profile and, potentially, less frequent visits from the SEC staff.

Potential Liability

Although the Rule imposes the ultimate responsibility for an RIA's compliance program on the RIA itself, the CCO, as an employee of the RIA, may be found personally liable for failure to ensure that the RIA adopts an adequate compliance program under certain circumstances. For example, in the first enforcement action brought under the Rule, the SEC found that an RIA had violated the Rule by failing to adopt any written procedures reasonably designed to prevent violations of the Advisers Act and that the CCO aided and abetted the violation because, "[a]s a head of compliance, [the CCO] failed to ensure that [the adviser] adopted such procedures."
Under the Act, RIAs have a duty to supervise the activities of persons who act on their behalf and an RIA's officers and employees may be sanctioned for failure to supervise others. The determination of whether an employee has supervisory responsibilities depends on various elements, such as the duties assigned to the employee. Although the SEC has made clear that a CCO does not have supervisory responsibilities solely by virtue of being CCO, a CCO who has assumed supervisory responsibilities may be held liable in the event of a violation of the Act by an employee under his or her supervision. Given the responsibilities typically assigned to a CCO, it will often be difficult to conclude that the CCO is not a supervisor.