About this time each year – when the SEC’s Office of Compliance Inspections and Examinations (OCIE) releases its annual Examination Priorities – we are reminded of how complex compliance can be for SEC-registered firms. As Duff & Phelps’ Chris Lombardy explains, this year is no exception.
In its 2019 Examination Priorities, issued on December 20, 2018, OCIE has outlined six themes that it will primarily, but not exclusively, focus on in the coming months. One new theme, digital assets, joins the five priorities that repeat from 2018:
- Matters of importance to retail investors, including seniors and those saving for retirement
- Compliance and risk in registrants responsible for critical market infrastructure
- Select areas and programs of FINRA and MSRB
- Digital Assets (cryptocurrencies, coins and tokens)
- Cybersecurity
- Anti-money laundering
(See graphic at the end of this article for a select view of the 2019 OCIE Examination Priorities.)
Combined with recent Risk Alerts issued by OCIE, the Exam Priorities highlight that compliance at SEC-registered firms requires having visibility into not only finance (middle and back office) and trading activities, but also marketing, research and information technology.
In this article, we will explore some recurring key areas in OCIE examinations. We will also address how SEC-registered firms can strengthen their compliance efforts and mitigate the risks of a regulatory investigation or enforcement action.
Key Areas in OCIE Examinations
While the OCIE takes a risk-based approach to any registrant’s examination, the agency observes that this approach often leads to a focus on perennial issues, “such as the disclosure of services, fees, expenses, conflicts of interest for investment advisers and trading and execution quality issues for broker-dealers.”
From our years of experience helping SEC-registered advisers worldwide to address diverse compliance matters, we have noted a number of key areas that consistently arise in OCIE regulatory examinations:
- Sound policies and procedures
- Employee personal trading
- Segregation of duties
- Political contributions and “pay-to-play” issues
- Failure-to-disclose issues (e.g., affiliates, fees, risks)
- Gift and entertainment logs
- Custody rule issues and understanding
- IT and cybersecurity
- Valuation (for hard-to-value assets)
- Annual self-assessments
- Evidence for compliance training
- Meeting relevant filing dates
- Marketing material review and approval
- Succession planning for principals of the adviser
- Research analyst processes
Of these, we believe four areas seem to draw particular interest from the SEC in the investigations and enforcement actions it pursues against investment advisers:
- Failure to adequately disclose fee and expense arrangements
- Failure to adequately disclose conflicts of interest
- Misleading/false performance advertising and marketing materials
- “Cherry-picking” schemes
Understand the rules and priorities? Prepare to prove it.
Many managers will say they understand the OCIE priorities, but often their firms have not established repeatable processes for documenting and reporting the timely completion of required activities. Based on our experience, we recommend that advisers focus on three strategic areas that will help them better achieve and demonstrate compliance to regulators and investors:
1. Develop Operational Policies and Procedures
Operational policies and procedures are critical for establishing effective controls and helping to guide employees and related third parties in making sound decisions in various risk scenarios. Regarding the OCIE priorities from the past few years, we believe that policies and procedures should specifically address operational areas such as cash controls, expense allocation, capital calls, reconciliations, etc.
Similarly, advisers should prohibit business use of apps and other technologies that can be readily misused because they allow automatic destruction of messages or prevent third-party viewing or back-up.
2. Create a Risk-Based Matrix of Necessary Activities, Complete with Scheduled Start/End Dates
As requirements grow in number and complexity, creating and maintaining a risk-based matrix of necessary activities is imperative. Some of the activities may include when to perform valuations and best execution reviews; staff training; cybersecurity assessments and incident response planning; filing deadlines; and various testing exercises, such as for expense reviews, trade and expense allocation reviews, email reviews and vendor due diligence.
Importantly, each activity should not only indicate the individual or team responsible for its completion/implementation, but also be calendared for greater accountability. This matrix and all documentation supporting the completion of activities can serve as valuable evidence that your firm has been actively addressing risks.
The matrix itself should be regularly reviewed to ensure that tasks and responsibilities are being updated as areas of the business change or when OCIE releases new Risk Alerts. Indeed, the matrix should represent a year-round endeavor that serves as the foundation for ongoing monitoring, which in turn will help the organization react more quickly when issues or industry developments arise.
3. Communicate and Collaborate Throughout the Enterprise
The Examination Priorities and Risk Alerts issued by the OCIE in recent years highlight how the scope of knowledge required for compliance is often more than just one compliance officer or team can fulfill. As we noted earlier, to deliver on regulatory expectations, compliance teams must be actively aware of what is happening in the firm’s finance (middle and back office), trading, marketing, research and information technology departments.
More than just awareness, the compliance team should work closely with leaders and staff in all these departments to help them understand the compliance implications that accompany their decisions/activities and provide training that stipulates or clarifies acceptable behavior.
The Chief Compliance Officer should also regularly meet with senior leadership to discuss the firm’s compliance efforts, including strengths and opportunities for improvement. For their part, executive leadership must also set the “tone at the top” that compliance is everyone’s responsibility, creating and reinforcing a culture of “tone throughout the firm.”
Conclusion
The Examination Priorities and Risk Alerts reflect the OCIE’s goals to promote compliance, prevent fraud, identify and monitor risk and inform future policy. While the priorities and alerts are useful for creating the framework for compliance efforts, keeping abreast of developments and understanding the evolving expectations of OCIE regulators can be extremely time-consuming or beyond the experience of many in-house staff. Engaging independent specialists in SEC compliance can provide a greater level of confidence that the organization is focusing its attention and resources in a timely way on the areas that represent the highest risk to its operations, reputation and bottom line.
Select 2019 OCIE Examination Priorities