Refreshing the Annual Review Process to Address Business and Regulatory Risks


Rule 206(4)-7 requires each registered adviser to review its policies and procedures no less frequently than annually, to determine their adequacy and the effectiveness of their implementation. But what’s the best way to approach this review? How are other firms meeting this requirement? At the recent Ascendant Compliance Solutions Strategies 2019 Spring Conference in Miami Beach, a panel of compliance experts offered their insights during the pre-conference workshop, “Refreshing the Annual Review Process to Address Business and Regulatory Risks.”

The session began with a reminder that Rule 206(4)-7 requires each adviser to adopt and implement written policies and procedures, to conduct an annual review, and to designate a Chief Compliance Officer to administer its compliance policies and procedures. The panel stressed that each firm’s compliance manual must be customized. John Gentile, Director of Private Fund Manager Services and Director of Broker-Dealer Services for CSS, noted that when he was an SEC examiner, he “found firms didn’t always do what’s in the compliance manual, and that was a problem.” You may have a great compliance manual written by a top law firm, but if the manual is not tailored to your firm, and your firm is not doing what it says, the firm will start off a regulatory examination on the wrong foot. Heather Kaden, Head of Investment Advisory Compliance for Jennison Associates LLC, advised that CCOs “must know every word of your compliance manual.”

In addition to tailoring policies and procedures to your firm’s business, the panel advised that firms avoid designating the CCO as the one responsible for doing everything. To the extent practicable, structure the firm’s policies and procedures so that the CCO serves as a consultant to support the business, and committees or supervisors carry out the day-to-day responsibilities. This advice extends to the annual review process as well—the CCO should not operate in a vacuum!

Eugenie Warner, a Senior Consultant, Content Expert and Associate General Counsel with CSS, suggested beginning the annual review right after the SEC issues its exam priorities notice, and stressed that “‘annual’ is a misnomer—the best practice is to conduct continuous reviews and compile the results and recommendations annually.”

Begin the process with a formal review of your risk assessment and be sure to include management in the process, then set a testing plan based upon these results. Including management at this stage can also lead to greater buy-in—they’ll understand why you’re asking for materials and it can help guide you to schedule testing to better align with their schedules. They may even have their own testing priorities. The risk assessment should consider your business model and recent SEC risk alerts/regulatory hot topics.

Remember that the annual review should not fall solely on the CCO. Include business personnel (Operations, trading), auditors (SOC 1), and consider retaining outside assistance. The testing plan should identify where the CCO will test and where the CCO will incorporate or verify testing completed by others. Leverage available technology and consider where additional software can increase efficiency and decrease potential errors. Ask custodians if there are any additional reports they can provide to you. If your firm is a dual registrant, clearing firms will have multiple monitoring reports that can help, such as reverse churning reports.

Steps to conduct the testing should be documented, along with the results. However, you should avoid writing legal conclusions in your report. Ms. Kaden advised that “having a review where you have no exceptions is probably a red flag for the SEC,” but the report should not include conclusive terms such as violation, fraud, deficiency, crook, or other similar words. While using your work plan to guide testing over the course of the year, if you miss something, be sure to document that the testing was completed at a later date. Never backdate the testing. Once all the testing is completed, prepare a summary of the work, gaps identified and recommendations.

Mr. Gentile also stressed the importance of documentation. “If the review is well-documented, you have something tangible you can send (the SEC). This can demonstrate you don’t need the SEC exam to prompt effective testing. You’re doing it effectively yourself. It may result in an easier exam.” In addition to being prepared to provide a copy of the annual review to the SEC when they examine you, bear in mind that clients may also request the report, especially institutional clients who need to provide it to their boards.

In wrapping up the workshop, the panel offered best practices for forensic testing. If you’re looking to refresh your annual review to better address business and regulatory risks, consider incorporating some of these ideas!

Gifts and Entertainment (Given)
  • Review of T&E reports
  • Email Lexicon reviews
  • CRM activity – for lobbying, FCPA activity
Gifts and Entertainment (Received)
  • Entertainment trends (frequency, value) with brokers
  • Broker trading activity patterns
  • Employee entertainment volume analysis
Pay to Play
  • Sample review of public campaign websites (,,
  • Post contribution check against pre-clearance request
Conflicts of Interest
  • Email surveillance
  • Personal trading reviews
Personal Trading
  • Front running (review personal trades within X days of firm trades)
  • Employee personal trade volume analysis
  • Expert networks
  • Corporate management meetings
  • Top 10/ Bottom 10
  • Review trades in opposite directions
Trade Allocation
  • Performance dispersion
  • Trade order sequencing
Marketing Materials
  • Sample review of compliance comments v. final materials
Social Media
  • Spot check employee LinkedIn profiles


Ascendant, the compliance services division of CSS, offers help in completing the required annual compliance review under SEC rules, including documentation and recommendations for enhancements to the company’s policies and procedures, and other best practices for consideration.