This User’s Guide is designed to help you complete your annual compliance review using the resources found on CCO Companion.
In order to streamline the compliance tasks you are required to undertake in any one twelve-month period, we have combined the annual compliance review and the required annual risk assessment into one comprehensive process.
Pursuant to Advisers Act Rule 206(4)-7 (commonly known as the “Compliance Rule”), every investment adviser registered with the SEC is required to establish and maintain policies and procedures reasonably designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred. The Compliance Rule also requires advisers to review, no less frequently than annually, the adequacy of those policies and procedures and the effectiveness of their implementation.
While the Compliance Rule is silent on how an adviser should conduct the annual review, in the years since the Compliance Rule was first enacted, best practices have emerged. These best practices include:
- Incorporating compliance testing, including forensic (i.e., looking at trends over time) and transactional (i.e., spot or quality control) tests to detect gaps in your compliance program or instances in which your policies and procedures were not operating effectively or may have been circumvented; and
- Documenting the work that was performed, the findings from the annual review, and any recommendations for improvements.
The seriousness with which the SEC views the annual review is evidenced by the standard document request that the SEC’s Office of Compliance Inspections and Examinations (OCIE) typically sends to investment advisers prior to a regulatory examination. This document request includes:
- A copy of all written annual and interim reports regarding the review of your firm’s compliance program including (i) any forensic tests conducted; (ii) any significant findings; and (iii) any information about corrective or remedial actions taken regarding these findings; and
- The schedule of internal audit reviews for the examination period, a list of any completed audits, the subject of the audits, and the date(s) of the reports.
The importance attributed to the annual review process can also be gleaned from the severity of the sanctions imposed by the SEC on firms that failed to conduct a thorough annual compliance review.
CCO Companion Resources
CCO Companion contains all the resources you need to undertake your annual compliance review.
The Reference Library (go to Compliance Topic – Compliance – Annual Compliance Review) is where you can find the most important annual review information, including all relevant SEC Enforcement Actions and Speeches. Our view is that if a senior SEC official takes the time to speak about a compliance matter publicly, it is well worth your time to read what they have to say. We also find it prudent to read the SEC’s Administrative Proceedings and Litigation Releases as such actions establish the parameters of what will or will not satisfy SEC expectations when it comes time to assess your firm’s annual review activities.
CCO Companion’s Testing library can be found in the Resource Type section of the Reference Library (go to Resource Type – Testing).
The Testing library contains examples of all different types of compliance tests. Because the time-frame or data used for the testing can alter the nature of the test, they have not been classified as transactional, periodic or forensic. The tests are, however, broken down by Compliance Topic (i.e., Advertising, Books and Records, etc.) and then divided further into Compliance Sub-Topics (i.e., Performance Advertising, Social Media, Electronic Records, etc.).
The Testing folder in the Tools section of CCO Companion (go to Tools – Testing) contains a Compliance Testing Plan template that is pre-loaded with all the tests found in the Testing library. The tests are broken down by Compliance Topic and, for greater specificity, by Compliance Sub-Topic.
All of the tests on the template are numbered to correspond to the Annual Review Checklist and Risk Assessment you will use to document your annual review (see explanation below).
CCO Companion also contains various compliance checklists (go to Tools – Checklists) that you can use to supplement certain areas of your compliance testing.
The following chart correlates each checklist to a different area of compliance testing:
| Checklist | Compliance Topic | Compliance Sub-Topic | Test Number |
|---|---|---|---|
| Advertising & Marketing | Advertising & Marketing | Advertising | 1.1.3 – 1.1.5 |
| Performance Advertising | Advertising & Marketing | Performance Advertising | 1.3.5 / 1.3.6 / 1.3.9 |
| Using Social Media | Advertising & Marketing | Social Media | 1.5.2 – 1.5.7 |
| Web Site Review | Advertising & Marketing | Web Site | 1.7.3 – 1.7.5 |
| Books & Records | Books & Records | General | 2.2.3 – 2.2.10 |
| Books & Records | Books & Records | Performance Advertising | 2.3.4 / 2.3.8 / 2.3.9 |
| Form ADV Part 2A | Brochure & Brochure Supplements | Brochure | 3.1.6 |
| Form ADV Part 2B | Brochure & Brochure Supplements | Brochure Supplements | 3.2.5 |
| Personal Trading | Code of Ethics | Personal Trading | 7.4.8 – 7.4.13 / 7.4.20 / 7.4.24 |
| Compliance Program | Compliance | Compliance Program | 8.8.3 |
| Service Provider Due Diligence | Portfolio Management | Service Providers | 10.4.3 – 10.4.8 / 11.3.20 – 11.3.23 |
| Cybersecurity Preparedness | Privacy & Data Security | Safeguarding Information | 11.3.13 – 11.3.17 |
| Information Security Program | Privacy & Data Security | Safeguarding Information | 11.3.4 – 11.3.19 |
| Red Flags Identity Theft | Privacy & Data Security | Safeguarding Information | 11.3.24 – 11.3.28 |
You can use each one of these checklists to satisfy the requirements of the particular test that is indicated in the Test Number column of the above chart.
Annual Review Tools
The Annual Review folder in the Tools section of CCO Companion contains an Annual Review Checklist and Risk Assessment template (go to Tools – Annual Review). The Annual Review Checklist and Risk Assessment template is broken down by Compliance Topic and, for greater specificity, by Compliance Sub-Topic.
You will see that in each section of the “Basis for Rating” column of the template, tests are listed by number (i.e., 4.1.1, 4.1.2, etc.). These test numbers correspond to the numbering of the tests in the Compliance Testing Plan template.
Methodology for Conducting the Annual Review Process
As stated above, the primary goal of the annual review is to determine the adequacy and effectiveness of your policies and procedures. We have broken this down into a 6-step process. Steps 1 and 2 focus on determining the adequacy of your policies and procedures, while Steps 3 and 4 assess their effectiveness. Step 5 discusses how best to document the annual review and, finally, Step 6 addresses post-review matters.
Step 1: Prepare an Inventory of Compliance Obligations
The key to assessing the adequacy of your policies and procedures is determining whether they address all applicable areas of your advisory business. Before you can get to this step, however, you must first determine what those “applicable” areas are. You do this by looking at all the various aspects of your advisory business (i.e., advisory services offered, composition of your firm’s client-base, regulatory requirements, etc.), assessing how they have changed over the past year, and understanding how such changes trigger additional compliance obligations.
The SEC has made it clear that an adviser’s policies and procedures should, at the very least, address the following areas (as applicable):
- Portfolio management processes;
- Trading practices;
- Proprietary trading of the investment adviser and personal trading activities of supervised persons;
- The accuracy of disclosures made to investors, clients and regulators;
- Safeguarding of client assets;
- The accurate creation and maintenance of required records;
- The marketing of advisory services, including the use of solicitors;
- The process of valuing client holdings and assessing fees based on those valuations;
- Safeguards for the privacy protection of client records and information; and
- The adoption of a business continuity plan.
Because the above represents a uniform list of core advisory functions applicable to most advisers, additional analysis is needed in order to determine the full scope of your compliance obligations. Consideration of the following issues will help flesh out these obligations:
- Any deficiencies cited during a regulatory exam that was conducted during the past year, along with any follow-up or corrective action taken;
- The results of any internal compliance reviews or other internal audits conducted during the past year, along with any follow-up or corrective action taken;
- Any serious compliance issues that arose in your firm during the past year;
- Any serious compliance issues that arose in the investment advisory industry in the past year;
- Any changes in your firm’s operations, client-base, ownership, personnel or organizational structure during the past year;
- Any new statutory or regulatory requirements applicable to your advisory firm; and
- Any “hot topics” identified by the SEC staff.
Consideration of these issues will help you create an inventory of your current compliance obligations. For example, if you determine that a new rule was implemented since your last annual review requiring investment advisers to adopt anti-money laundering procedures, this would become an item in your inventory. It would be the same thing if your firm began managing private equity funds in the last year or moved from non-discretionary to discretionary management. In short, any change to the business or regulatory environment (either on the firm level or in the industry as a whole) is probably going to create new compliance obligations.
CCO Companion offers resources that can assist you with a great deal of the above analysis. In recent years, the SEC has been helpful in informing advisers as to the latest industry hot topics. The Reference Library (go to Compliance Topic – SEC Examinations – SEC Guidance) contains the following National Examination Program releases that discuss these hot topics:
- Examination Priorities for 2013
- Examination Priorities for 2014
- Examination Priorities for 2015
- Examination Priorities for 2016
In addition, the Reference Library (go to Compliance Topic – SEC Examinations – SEC Guidance) contains two highly topical National Exam Program Risk Alerts discussing OCIE’s cybersecurity examination initiatives. Finally, you can quickly scan through all recent SEC rule releases (Final, Proposed, Interim) as well as any other SEC releases (Interpretive, Concept) in the Reference Library (go to Resource Type – SEC Releases) to find any releases issued in the past 12 months. You should also do the same for No-Action Letters (go to Resource Type – No-Action Letters), Enforcement Actions (go to Resource Type – Enforcement) and Speeches (go to Resource Type – Speeches) in order to get a sense of any recent changes to the regulatory landscape or best practices.
The end result of this activity should be an extensive inventory of compliance obligations that will set the standard against which your policies and procedures are measured for adequacy in Step 2.
Step 2: Compare Inventory Against Existing Policies and Procedures
Now that you have established your firm’s inventory of compliance obligations, you can assess whether your policies and procedures sufficiently address those obligations (i.e., are they adequate). At this point you are trying to determine whether:
- Your procedures address all applicable areas of your firm’s advisory business;
- All applicable laws and rules have been cited; and
- Your procedures require your firm to do what the rules require.
You can use the Compliance Program Checklist to answer the above questions for each area of compliance. The Compliance Program Checklist addresses each compliance area, cites the applicable statute or law, and requires you to determine whether existing policies and procedures meet the stated requirements.
Once you have determined the adequacy of your existing policies and procedures, you are ready to determine their effectiveness.
Step 3: Determine the Effectiveness
Determining the effectiveness of your compliance policies and procedures is primarily a function of compliance testing. Testing is the only certain way to assess whether your compliance program is effective or whether changes are warranted. Hopefully, you have already taken advantage of the material available on CCO Companion to build a robust compliance testing plan that you have been implementing throughout the past year. What the SEC does not want to see is an adviser trying to cram an entire year’s worth of compliance testing into the week or month it takes to undertake your annual review.
If you need to develop a compliance testing plan, please see the User’s Guide for Compliance Testing.
As you go about your testing, you should be filling in the Results column of your Compliance Testing Plan.
In conjunction with your testing results, you can now use the Annual Compliance Review Checklist and Risk Assessment Template to assess the effectiveness of your policies and procedures.
The Basis for Rating column of the Annual Compliance Review Checklist lists all the tests that are in your Compliance Testing Plan. Based on the results of each test you conducted, you will need to select the appropriate outcome using the following key:
You will need to make a judgment for each area of compliance as to whether the results of your testing allow you to claim that your policies and procedures are effective. Your conclusions will be written up in an annual review report that references both your Compliance Testing Plan and the Annual Compliance Review Checklist.
However, this does not end the process as there is one more, very important section of the Annual Compliance Review Checklist to be completed.
Step 4: Conduct Your Risk Assessment
The “Risk Rating” column of the Annual Compliance Review Checklist requires you – based on what is showing in the Basis for Rating column – to enter the appropriate risk level. Again, this is strictly a judgment call, but it will be hard to justify a low risk rating if the preponderance of tests shows that major issues were identified during testing.
Once you have entered risk ratings for all compliance areas, you will have completed the two primary annual regulatory requirements – the annual review and the annual risk assessment.
Step 5: Document the Process and the Results
Though not a specific requirement, documenting your annual compliance review is an absolute must. But because you have completed both your Compliance Testing Plan and the Annual Compliance Review Checklist, you are only steps away from finalizing a robust annual review report.
The annual review report can follow any format and contain any sections that you believe appropriate for your firm. A suggested table of contents for the annual review report looks something like this:
2.0 Summary of Review Procedures
2.1 Review Periods
2.2 Parties Responsible for Conducting The Review
2.3 Scope of the Review
2.4 Scope of Compliance Obligations
2.5 Conduct of the Review
3.1 Culture of Compliance
3.2 Compliance Program
3.3 Senior Management
3.4 Compliance Manual
3.5 Disclosure Documents
3.6 Best Execution
3.7 Web Site
3.8 Advisory Agreements
Exhibit A – Annual Review Checklist
Exhibit B – Compliance Testing Plan
Because there are so many variables in what each of these sections can address, we have created a sample Annual Review Report (go to: Tools – Annual Review) so you can see one suggested way in which to present your annual review report. In that same Annual Review folder in Tools we have also provided you with an Annual Review Template to help you with documenting your own annual compliance review.
Step 6: Follow-Up
There is a concern among advisers that documenting the “issues” that were uncovered during the annual review process is akin to leaving a roadmap for the SEC examiners. Putting aside the fact that the SEC would most likely discover these issues on its own, it is important to remember that your compliance program is not expected to be perfect, but rather is supposed to catch your imperfections.
However, you must distinguish between a technical violation of your compliance program’s policies and procedures (i.e., perhaps a document submitted past the deadline) and violations of the securities laws (i.e., engaging in principal transactions without consent and notice). Anything you discover that rises to the level of a material violation – and this would certainly include all violations of the securities laws – should be discussed with experienced counsel before committing anything to paper. You might even consider self-reporting any such matter to the applicable regulator. Self-reporting may aid in reducing charges, obtaining lighter sanctions, or mitigating language in the documents used to announce and resolve enforcement actions. But again, before taking any such step, you should absolutely seek the advice of experienced counsel.
The annual review provides an excellent opportunity for an adviser to reflect upon the strength of their firm’s compliance program. Although the Compliance Rule requires only annual reviews, you should also consider the need for interim reviews in response to significant compliance events, changes in your advisory firm’s business arrangements, and regulatory developments.
The information provided in CCO Companion is not intended to be a complete list of all compliance tests that might be applicable to any one adviser’s business. The intent is for users to pick and choose those compliance tests that are best suited to the conduct of their specific advisory business. Because each investment adviser runs their firm differently, certain compliance tests may not be applicable to the particulars of every advisory business. Accordingly, it is not suggested that a user attempt to integrate each and every compliance test presented into their compliance testing program.
CCO Companion has been developed to be just that – a companion and not a substitute for an individual assessment of any one particular investment adviser’s advisory business or compliance obligations. Accordingly, the information contained herein is not intended to constitute legal or compliance consulting advice. While CCO Companion was developed to provide users with a wide range of information, the information provided is not intended to represent the entire universe of legal and regulatory resources. Like most tools, CCO Companion has inherent limitations – unforeseen regulatory changes, the level of expertise of the end-user, the difficulty with factoring in all existing types of advisory business models and the impossibility of anticipating all types of compliance issues that may be applicable to any one particular investment adviser.