Effective Compliance Policies & Procedures and Annual Reviews: Meeting the Reasonably Designed Standards
Sometimes it seems that enough is never really enough. While compliance officers have grown intimately familiar with SEC Rule 206(4)-7 over the past 15 years since the Rule became effective, deficiencies in connection with the Compliance Program Rule continue to rank among the most frequently cited issues identified in OCIE examinations of investment advisers. It seems that the bar is constantly rising.
Simply having written policies and procedures, and conducting an annual review is not enough! As CCOs, we must implement compliance policies and procedures that are “reasonably designed to prevent violations” and review their “adequacy” and the “effectiveness” of their implementation. Conspicuously, the Rule does not explicitly direct CCOs to identify and address violations; rather, the goal is prevention.
It’s a bit of a chicken-and-egg situation: if you have a violation, you have to ask whether your policies and procedures were reasonably designed to prevent the violation. According to the People’s Law Dictionary, “reasonable” means just, rational, appropriate, ordinary or usual in the circumstances. “Reasonable,” of course, is in the eye of the beholder. In this case, the beholder is the SEC.
In considering the reasonably designed standard, confirm that your compliance policies and procedures address the topics noted in the Rule’s adopting release. Also, determine what additional policies and procedures your firm may need to address conflicts and risk exposures relating to its particular operations. They need to be tailored to your firm and you must ensure they are appropriate in light of staff and other resources, such as technology. Remember that if you’re violating your own policies, this is going to be cited, so don’t set yourself up to fail.
It’s important to keep abreast of business developments in order to timely update or implement new policies and procedures. Be sure to attend and actively participate in meetings you’re invited to, and consider inviting yourself to be a guest at meetings you don’t normally participate in. These can be great opportunities to think about how the firm’s policies and procedures are functioning on a day-to-day basis. As a practical matter, when updating your compliance manual or implementing new policies and procedures, ask the people who will be performing the tasks to review and provide input.
By Rule, a review of the compliance program must occur no less than annually. In reality, most CCOs review policies and procedures continually throughout the year by performing testing and overseeing the implementation of and compliance with policies and procedures. Conducting an effective review requires questioning such as:
- Have problems with the subject matter area addressed by the policy been detected?
- Based on what has been detected, should the policy be revised or amended?
- Is there a better approach to preventing violations of the policy?
Approaches to testing should vary and the frequency of testing is generally determined by the risk associated with the function. Leverage technology to the extent possible. Determine the capabilities of existing software including reporting capabilities. Exception reports can automate certain reviews, for example, to flag for violations of investment guidelines. As a reminder, when testing the compliance policies and procedures, be sure to test the technology systems you rely upon to ensure they are functioning as intended.
While Rule 206(4)-7 does not require the Annual Review to be memorialized in a written report, it’s awfully hard to prove that the review occurred if it isn’t memorialized in some form. Some CCOs prepare a detailed report outlining the testing that occurred, results, violations and recommendations, while others prefer more of a high-level summary. Regardless of the format, the Annual Review Report should be a compilation of the ongoing compliance program reviews conducted throughout the course of the past year.
Remember: the SEC will ask for your annual reviews. Even if you take a high-level summary approach, be prepared and knowledgeable about what the review entailed, what issues were identified, and be sure you’re taking action on all recommendations. Your annual review, and the report memorializing the review, will be key in demonstrating the reasonableness and effectiveness of your compliance program.
Interested in learning more tips on Meeting the Reasonably Designed Standard? Listen to our recent ComplianceCast webinar.