OCIE Discusses Proper Authority of CCOs and Other Compliance Hot Topics

9 December 2020
Key takeaways:
  • Last month, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (the “SEC”) published a risk alert (the “Risk Alert”) highlighting the most commonly cited deficiencies it has observed in examining registered investment advisers relating to Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940. While the Risk Alert does not identify any new risks or findings, OCIE Director Peter Driscoll, in his opening remarks at the Compliance Outreach Program’s National Seminar 2020 (the “2020 Compliance Seminar”), emphasized the deficiencies that arise when a CCO lacks sufficient authority and resources.
  • Of note, Director Driscoll cautioned against firms taking a “check-the-box” approach to the Compliance Rule by hiring a CCO but not supporting or empowering him or her in that function. Instead, he emphasized that a successful and effective CCO is fully integrated into the business, is a part of senior management, has the confidence to raise compliance issues and has the job security to do so with the backing and support of senior management without the fear of termination or risk of being scapegoated when issues arise.
  • On the same day as the Risk Alert, the SEC staff at the 2020 Compliance Seminar discussed, among other things, the importance of full and fair disclosure of conflicts of interest, which continues to be a key exam and enforcement focus area, and stressed that private fund advisers should pay particular attention to ensuring that clear disclosure is being provided about practices that could be viewed as departing from industry norms—for example, costs (e.g., with respect to overhead or payment of salaries) that an investor would not otherwise expect to incur. The SEC staff also reminded compliance professionals to remember their obligations with respect to books and records such that any practice of disclosure review should include documenting when certain disclosures were updated and what considerations were taken into account. Finally, with respect to new and growing areas in FinTech, blockchain and Environmental, Social and Governance, the SEC staff stressed the importance of (i) ensuring that a firm’s compliance department has sufficient resources to develop alongside the business, (ii) integrating compliance with the new business area, (iii) training compliance professionals on an ongoing basis on the evolution of the business and (iv) ensuring that disclosures are keeping pace with new developments.

On November 19, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (the “SEC”) published a risk alert (the “Risk Alert”) highlighting the most commonly cited deficiencies it has observed in examining registered investment advisers relating to Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”). On the same day, OCIE, the Division of Investment Management (“IM”) and the Asset Management Unit of the Division of Enforcement jointly held the Compliance Outreach Program’s National Seminar 2020 (the “2020 Compliance Seminar”) to discuss, among other things, the broad and varied issues that have affected compliance professionals during the COVID-19 pandemic. This client update discusses key themes of the Risk Alert and the 2020 Compliance Seminar for the consideration of compliance professionals.

Compliance Rule Deficiencies—Empowerment, Seniority and Authority of CCOs

While the Risk Alert does not identify any new risks or findings, OCIE Director Peter Driscoll, in his opening remarks at the 2020 Compliance Seminar, emphasized the deficiencies that arise when a CCO lacks sufficient authority and resources. Of note, he cautioned against firms taking a “check-the-box” approach to the Compliance Rule by hiring a CCO but not supporting or empowering him or her in that function. Instead, Director Driscoll emphasized that a successful and effective CCO is fully integrated into the business, is a part of senior management, has the confidence to raise compliance issues and has the job security to do so with the backing and support of senior management without the fear of termination or risk of being scapegoated when issues arise.

The Risk Alert describes two ways in which CCOs have been observed to lack sufficient authority. First, advisers may restrict their CCOs from accessing critical compliance information, such as investment advisory agreements with key clients. Second, firms may limit interactions between CCOs and senior management/firm employees such that CCOs (i) may have limited knowledge about the firm’s leadership, strategy, transactions and business operations or (ii) may not be consulted regarding matters that have potential compliance implications. Adding further color, Director Driscoll describes certain scenarios that may raise concerns: CCOs serving as a scapegoat for a firm’s failings; the frequent replacement of CCOs and the replacement of CCOs generally for challenging questionable activities or behavior; and lack of CCO participation during examination or deference to senior management. Director Driscoll also cautions against undermining CCO compensation, noting that it should be proportionate to a CCO’s significant responsibilities.

The Risk Alert also describes three key deficiencies with respect to compliance resources. First, CCOs may have numerous professional responsibilities such that they cannot devote sufficient time to fulfilling their responsibilities as CCOs or to developing their knowledge of Advisers Act issues. Second, compliance staff may not have sufficient resources to implement an effective compliance program when lacking adequate training or having an insufficient staff. And third, compliance programs may not grow and develop in parallel with the firm or with changing market conditions, for example by failing to hire additional compliance staff or to implement adequate information technology to keep pace with a firm’s growth in size or complexity.

While not discussed in detail in this client update, the Risk Alert describes other common compliance deficiencies relating to (i) advisers that are unable to demonstrate that they performed an annual review or that fail to identify significant existing compliance or regulatory issues, (ii) advisers that fail to implement or perform actions required by their written policies and procedures, (iii) advisers that do not keep accurate or up-to-date records and (iv) advisers that do not maintain or failed to establish, implement and appropriately tailor written policies and procedures.

2020 Compliance Seminar

Disclosure of Conflicts of Interests

Unsurprisingly, the disclosure of conflicts of interest continues to be a key area of focus for the SEC. With respect to private funds, the SEC staff encourages compliance professionals to review the risk alert published during Summer 2020 that focused on compliance issues observed by OCIE in its examination of SEC-registered private fund advisers. In addition, SEC IM staff stressed that private fund advisers should pay particular attention to ensuring that clear disclosure is being provided about practices that could be viewed as departing from industry norms—for example, costs (e.g., with respect to overhead or payment of salaries) that an investor would not otherwise expect to incur.

In ensuring that disclosures of conflicts of interests are up-to-date and accurate, the SEC staff reminded compliance professionals to remember their obligations with respect to books and records. As such, any practice of disclosure review should include documenting when certain disclosures were updated and what considerations were taken into account. In addition to established periodic reviews, key business events like the hiring of a new service provider or the establishment of a new business line should trigger interim reviews of disclosures. For private fund sponsors that manage multiple funds or older vintage funds, the SEC staff stressed the importance of ensuring that disclosures for a particular fund reflect the specific practices and business and are reviewed on an ongoing basis to ensure that no updates to disclosures are necessary.

COVID-19 Considerations

While the SEC staff commended registrants for their response to the COVID-19 pandemic and their successful implementation of business continuity plans (including making modifications as circumstances changed), the 2020 Compliance Seminar highlighted key areas of ongoing concern or that may pose specific challenges:

  • Information Security. As employees continue to work outside of the office, the SEC staff stressed the importance of good governance and training to ensure that employees are aware of their obligations to keep their devices and firm information safe. Firms may also consider reviewing their security protocols, such as by enabling a firm’s ability to turn off or wipe devices remotely if there is evidence that they have been compromised.
  • Cybersecurity. The SEC staff encouraged firms to have a security incident plan that takes into account their obligations (which may include, for example, when to notify law enforcement and regulators (whether state or federal), when to bring in outside counsel and when to communicate to clients) and run mock exercises with key players (whether internal or external) to identify potential weaknesses. In this respect, cybersecurity policies and procedures should be “end-to-end”—i.e., they should cover all possible parties, whether internal or external, depending on a firm’s business and specific circumstances.
  • Due Diligence of Service Providers. The SEC staff emphasized the importance of understanding a service provider’s information security measures and of having suitable contractual protections. While no on-site diligence may be possible at this time, firms may wish to prioritize diligence based on high-risk areas, which may change depending on the type of vendor.
  • Supervision of Employees. The SEC staff encouraged firms to continue reviewing their policies and procedures relating to supervision and leveraging technology, such as by the use of video conferencing or by uploading documents for review and approval.

In all respects, the SEC staff stressed the importance of open communication between information technology and compliance departments such that each understands a firm’s compliance requirements and how to adhere to those requirements taking into account technology constraints.

Hot Topics

As business and technology evolve, compliance professionals are faced with new challenges. For example, registrants are currently engaged with new and growing areas in FinTech, blockchain and Environmental, Social and Governance (“ESG”) matters. Regardless of the new business area or technology that compliance professionals must address, the SEC staff stressed the importance of (i) ensuring that a firm’s compliance department has sufficient resources to develop alongside the business, (ii) integrating compliance with the new business area, (iii) training compliance professionals on an ongoing basis on the evolution of the business and (iv) ensuring that disclosures are keeping pace with new developments. While these themes are not new, it is important for firms to recognize that these new areas (like ESG, which continues to evolve as new opinions and guidance by various regulators, trade groups and associations are published) may require, depending on the circumstances, additional firm resources and attention to ensure that a firm’s compliance department is evolving and reacting to industry changes as quickly as its business professionals.