
NSCP Currents May/June 2007

Creating and Maintaining Effective RIA Compliance Programs


By Jane A. Kanter, Michael L. Sherman, and Frank Watson
This article provides general information on the subject matters discussed and should not be relied upon for legal advice on any matter. The views expressed are those of the authors and do not necessarily reflect those of their employers, clients or colleagues.

In the wake of industry scandals, the Securities and Exchange Commission (SEC) adopted a rule (Rule) under the Advisers Act (Act) requiring each registered investment adviser (RIA) to implement a compliance program designed to meet the particular needs of the RIA and to designate a Chief Compliance Officer (CCO) to oversee that program. In adopting the Rule, the SEC recognized the importance of such programs in preventing violations of federal securities laws and protecting the interests of clients or investors, and hoped that the Rule would "strengthen the hand of . . . compliance personnel." In proposing the Rule, the SEC made no secret of its interest in encouraging RIAs to maintain strong compliance departments:

[The SEC's] experience is that . . . advisers with effective internal compliance programs administered by competent compliance personnel are much less likely to violate the federal securities laws. . . . Accordingly, our staff focuses its examination efforts on testing the effectiveness of controls and related compliance procedures [of RIAs], and requests that management correct any weaknesses that the staff discovers. This focus allows us to leverage our limited examination resources; we are able to direct additional resources to firms with weaker compliance controls, and may examine them more closely and more frequently.

Compliance Policies and Procedures

The Rule requires each RIA to adopt written compliance policies and procedures (compliance program), although RIAs are not required to consolidate all compliance policies and procedures into a single document. Nonetheless, many RIAs have created a compliance manual and/or a systems-based approach to their compliance programs.
The Rule does not take a "one size fits all" approach or enumerate specific policies and procedures that every RIA must adopt. Instead, CCOs must initially consider the following factors: the nature of the RIA's specific fiduciary and regulatory obligations that are imposed upon the RIA by the Advisers Act and related rules, and any compliance risks relevant to the RIA. Because this process is not intended to be static, the SEC expects that RIAs will continually monitor and evaluate their compliance programs (and the factors noted above) in determining the adequacy of their compliance programs. While CCOs must seek to tailor their compliance program to the RIA's particular situation and personality, any compliance program must be reasonably designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred. In the SEC staff's view, a successful compliance program will consist of compliance policies and procedures that each include a: clear assignment of responsibility for activities and control points to individuals; separation of functions to establish a system of checks and balances; exception reporting to identify outlier conditions; and a process for escalation, or taking situations up the chain of command for consideration and resolution at an appropriate level of authority. Experience suggests, however, that successful compliance programs are more than just a collection of well-designed policies and procedures. Rather, the RIA's compliance culture, both within and outside the walls of the compliance department, is critical to establishing a sound compliance program.

The CCO's Roles

Although the CCO is charged, by the Rule, with administering the compliance program, specific CCO duties and responsibilities vary from RIA to RIA.
Gene Gohlke has indicated that CCO duties might include, among others: establishing a positive "tone at the top" and culture of compliance (as described below); overseeing and reviewing the continuing adequacy of the compliance program; managing the RIA's code of ethics; identifying, analyzing and reacting to potential compliance risks; and keeping senior management apprised of significant compliance issues. In each case, however, the CCO is the lynchpin of an RIA's compliance program. As such, the CCO should: be competent and knowledgeable with respect to the Act; understand the RIA's business model and practices; understand the objectives of the compliance program and how it is intended to be monitored and administered; have sufficient standing within the organization to request and receive sufficient resources for the administration and oversight of the firm's compliance program; and be in a position to adequately monitor implementation of the firm's compliance program. Moreover, while the CCO must play a significant role in establishing the RIA's compliance culture, he or she should not "go it alone." It is critical that the RIA's senior management should feel that they are all stakeholders in the firm's compliance culture and strive to create a positive "tone at the top" in terms of the firm's adherence to its compliance program. According to Ms. Lori Richards, a positive culture of compliance exists when compliance is (1) respected within the organization and supported at the top, (2) well-resourced and manned by an expert staff, (3) skeptical, creatively thinking about and attempting to stave off compliance breaches, and (4) constantly aware of conflicts of interest.

Jane A. Kanter is a partner, and Michael L. Sherman is an associate, in the Financial Services Group of Dechert LLP; Frank Watson is President of Fairview Investment Services.

Risk Assessment

The SEC and its staff favor a risk-based approach to compliance. CCOs should consider the extent to which the RIA may be subject to specific compliance risks in areas repeatedly highlighted by the SEC and its staff, including: (1) personal or proprietary trading; (2) directed brokerage, best execution and soft dollars; (3) gifts; (4) conflicts involving affiliated broker-dealers; (5) cross-trading; (6) bunching orders; (7) service on boards; (8) custody; (9) side-by-side management; (10) investment in scarce, illiquid, restricted or difficult-to-value securities; (11) performance fees; (12) private funds, including proprietary and personal interests in the fund and side letters; (13) outside business activities; (14) marketing materials; (15) solicitation arrangements; and (16) disclosure documents. The CCO's risk assessment process should include: (1) identification of potential conflicts of interest and risks, (2) prioritization of compliance issues, conflicts of interest and risks arising from the RIA's operations, and (3) taking the result of that analysis and creating an inventory or matrix to detail identified risks. Risk assessment is valuable and necessary both when implementing or updating a compliance program and during the annual review.
The assessment should include a review of processes and controls related to each of the identified risks in order to identify any gaps or weaknesses in the compliance program, and an evaluation of whether existing policies and procedures address, and ultimately eliminate or mitigate, those risks. If not, the CCO should fill any gaps or weaknesses in the compliance program with new or revised policies and procedures. The OCIE Staff has compiled a list of questions that CCOs might wish to ask when conducting a risk assessment in the context of creating and/or reviewing compliance programs. The complete list is available at http://www.sec.gov/info/cco/adviser_compliance_questions.htm and includes self-assessment questions about, among other things, an RIA's advisory services, brokerage arrangements and trade executions, allocation of investment opportunities, code of ethics and personal trading, valuation of client assets, marketing and performance advertising, and recordkeeping. Although the risk assessment process may begin with this or other "canned" checklists of potential risks common to the industry, the SEC staff has cautioned that each RIA should also consider whether it has "unique risk exposures due to [its] personnel, business model, structure, or affiliations." Unique risks are unlikely to appear on a standard risk checklist and may not be readily apparent to compliance personnel. Thus, personnel outside the compliance department should be involved. Mr. Charles Fishkin, former head of the SEC's Office of Risk Assessment, suggests that risk assessment "really needs to be owned by everyone in an organization," and CCOs should encourage all RIA personnel to participate in risk assessment as part of their daily routine. By doing so, an RIA may preempt many problems that occur when employees are not cognizant of the firm's day-to-day compliance risks.
Testing

An effective compliance program includes testing to verify that the program meets the goal, set forth in the Rule, of "prevent[ing] violations from occurring, detect[ing] violations that have occurred, and correct[ing] promptly any violations that have occurred." Testing may be most effective when performed on a rolling basis, with higher-risk areas analyzed more frequently.
Quality control testing (i.e., transaction-by-transaction testing, coupled with exception reporting to management responsible for an activity) is one important means for assuring that the compliance program is operating effectively. RIAs have also been urged to use forensic testing (i.e., testing that is focused on evaluating whether the outcomes of operational and investment activities over time are consistent with expectations) in order to ensure that the compliance program is detecting potential compliance issues. The Adopting Release indicates that, to detect violations, the compliance program should include tests that identify unusual patterns in certain activities. For example, a compliance program may include an analysis of brokerage executions for purposes of identifying any irregular activity in an RIA's compliance with the duty of best execution.

To the extent such tests expose compliance weaknesses that could have been, but were not, detected by existing procedures, the CCO should consider how to implement the existing procedures in a more effective manner. Conversely, if the test reveals a potentially harmful pattern that was not previously addressed, the CCO should consider what additional policies or procedures are necessary to ensure an adequate compliance program going forward. The testing or review process that revealed the issue in question may also assist the CCO in correcting and improving the RIA's compliance program. For this reason, tests (and any resulting recommendations for improved compliance) should be documented and reviewed with senior management.

The Annual Review

The annual review may be the CCO's most important tool for administering the RIA's compliance program. The Rule requires each CCO to "[r]eview, no less frequently than annually, the adequacy of the policies and procedures established pursuant to the [Compliance Rules] and the effectiveness of their implementation."

Although discussed separately, a CCO should (1) seek to test their firm's compliance program in a manner that will identify weaknesses in both the adequacy and implementation of the program and (2) use those test results to improve both areas, as discussed above. The scope of the annual review will depend on the nature of the RIA's business, the particular compliance risks created thereby and the specifics of the compliance program adopted to address those risks. The SEC indicated that any such review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures. Thus, while a CCO's or RIA's first annual review will typically be grounded in the established compliance program, subsequent annual reviews of the RIA by the CCO should focus on: (1) the existing compliance program and the results and findings of all prior reviews; (2) new and/or different risk areas for the RIA and the adequacy of all new policies and procedures that have been put in place to address those risks; and (3) any policies and procedures that have not performed as originally envisioned.

As part of the annual review process, the CCO may wish to interview relevant employees to assess the competency of the personnel involved in the RIA's compliance program, the employees' understanding of their compliance duties and responsibilities, and how supervisors oversee the activities of their employees. Firsthand observation of how the compliance policies and procedures are implemented in an operating business environment is generally very useful. Following the annual review, the CCO should discuss the results with senior management and focus on any steps that the RIA should take to proactively address any compliance shortcomings identified as part of that review. CCOs should document all changes made to the compliance program, whether as a result of the annual review process or otherwise.

Reviewing for Both Implementation and Adequacy

Many CCOs begin their annual review with implementation and consider and review any reports or documents that are required under the compliance program to verify that such documentation has been timely produced and reviewed. Some compliance programs, especially those of smaller RIAs, will require the CCO to be directly responsible for carrying out (or at least signing off on) many, if not all, of the relevant policies and procedures. In any event, the CCO or other relevant persons should regularly document performance of, or actions taken in accordance with, the relevant policies and procedures. Such documentation may include: (1) exception reports with documentation of follow-up; (2) surveillance reports; (3) completed compliance checklists; (4) reconciliations; (5) reports to management; (6) approvals of supervisory overrides; and (7) warning or sanction notices to the firm's personnel. If the documentation is sufficiently complete and thorough, reviewing the implementation of the compliance policies and procedures may be as simple as reviewing the documentation.

The next step is typically adequacy. The SEC staff has suggested that CCOs should use forensic testing for this purpose. (Gene Gohlke has suggested that RIAs consider implementing a "forensic test of the month" program.) In this regard, any questionable or irregular transactions would require follow-up and review to detect and prevent future securities laws violations and to mitigate or remediate any that have already occurred.

At a minimum, if any compliance issues, weaknesses or breaches are discovered (through forensic testing or otherwise), the CCO should prepare a compliance memorandum that addresses: (1) the nature of the issue; (2) how the issue was discovered; (3) the date or period during which the issue arose; (4) the personnel involved; (5) the impact, if any, on the firm's clients; (6) how the issue was resolved; (7) whether the issue was reported to management; and (8) what disciplinary action, if any, was taken. Supporting documentation should be maintained with the compliance memorandum and may serve as a basis to determine (1) whether the issue was adequately detected and corrected through existing procedures and (2) what changes, if any, are needed to prevent similar issues from arising in the future.

CCOs must also be aware of legal and business developments to ensure that the compliance program remains adequate in light of any new laws, rules, regulations, requirements, obligations or interpretations that arise through legislative, judicial or administrative actions. Similarly, new lines of business may expose an RIA to new or different compliance risks or obligations. If possible, the CCO should be in a position to anticipate emerging regulatory issues. Some CCOs prepare for new regulatory developments by coordinating with others within the firm or the industry at large to forecast and monitor regulatory trends. CCOs should have a system to facilitate timely compliance with new obligations and to stay out in front of issues. In order to ensure that compliance programs properly address new lines of business, the CCO or other representatives from the compliance department should be involved with new business prior to implementation. CCOs should document relevant business changes and the resulting changes to the compliance program. An effective compliance program will respond to business changes with updated disclosures, revised policies and procedures and necessary training prior to implementing the business change.

Examinations

While CCOs are not required to report compliance breaches to the SEC itself, when the SEC staff examines an RIA, it will ask to be provided with information relating to the compliance program and, particularly, documentation of the annual review, including: (1) the nature of any compliance issues regarding the RIA and how they were first detected; (2) how any compliance issues and/or errors were brought to management's attention; (3) the monetary impact of any compliance errors on the firm's clients; and (4) how any compliance errors were resolved. Though the Rule does not explicitly require that the annual review be in writing, CCOs should document in writing all compliance-related issues in the annual review (or more frequently, if warranted). Contemporaneous documentation indicating how the RIA addressed compliance issues will be focused on by the SEC examination staff and can help to demonstrate to the SEC staff that the RIA is in front of compliance issues (i.e., that compliance controls are working, as expected, to identify issues that arise) and that any identified issues are dealt with appropriately. This may lead to a decreased risk profile and, potentially, less frequent visits from the SEC staff.

Potential Liability

Although the Rule imposes the ultimate responsibility for an RIA's compliance program on the RIA itself, the CCO, as an employee of the RIA, may be found personally liable for failure to ensure that the RIA adopts an adequate compliance program under certain circumstances. For example, in the first enforcement action brought under the Rule, the SEC found that an RIA had violated the Rule by failing to adopt any written procedures reasonably designed to prevent violations of the Advisers Act, and that the CCO aided and abetted the violation because, "[a]s a head of compliance, [the CCO] failed to ensure that [the adviser] adopted such procedures."

Under the Act, RIAs have a duty to supervise the activities of persons who act on their behalf, and an RIA's officers and employees may be sanctioned for failure to supervise others. The determination of whether an employee has supervisory responsibilities depends on various elements, such as the duties assigned to the employee. Although the SEC has made clear that a CCO does not have supervisory responsibilities solely by virtue of being CCO, a CCO who has assumed supervisory responsibilities may be held liable in the event of a violation of the Act by an employee under his or her supervision. Given the responsibilities typically assigned to a CCO, it will often be difficult to conclude that the CCO is not a supervisor.
