CSS Hosts OCIE Director Pete Driscoll for a Virtual Fireside Chat
SEC’s Office of Compliance Inspections and Examinations Cites Inadequate Compliance Programs
On December 1, 2020, CSS hosted a discussion with Peter Driscoll, Director of the SEC’s Office of Compliance Inspections and Examinations (OCIE). Stephanie Monaco, Partner of Mayer Brown, LLP engaged in a productive discussion with Mr. Driscoll, followed by commentary from Jim Anderson of Willkie, Farr & Gallagher LLP, CCO Annie Lazarus of Landmark Partners, and CCO Adan Araujo of Jasper Ridge Partners. A recording of the ComplianceCastTM is available here.
On November 19, 2020, the OCIE had released its 9th Risk Alert of the year, “OCIE Observations: Investment Adviser Compliance Program.” This latest risk alert identified examples of “notable” deficiencies observed by OCIE staff in examinations. The SEC’s observations reflect investment advisers’ difficulty maintaining adequate regulatory expertise and resources to implement compliance program requirements.
Director Driscoll and Attorney Monaco discussed the finer points of the recent risk alert, the SEC’s new Event and Emerging Risk Examination Team (EERT), Form CRS takeaways, and OCIE’s 2021 priorities. Among the topics in the deep dive were OCIE staff expectations for evidence of annual reviews, the transparency of reporting internally discovered compliance violations to OCIE staff, and any perceived risks for CCOs with dual roles and responsibilities.
On November 19, 2020, the SEC also held its annual Compliance Outreach Program National Seminar, and OCIE Director Pete Driscoll led off by discussing the risk alert. Key among his talking points that day was a discussion of the necessary senior management commitment to maintain a culture of compliance, and the mandate that CCO’s are empowered and have adequate seniority and authority within a firm. OCIE Director Driscoll provided the following staff observations about CCOs:
We notice on exams when firms hire someone for the role to check the box but do not support or empower them. We notice when a CCO holds one or more roles in a firm and is inattentive to their compliance responsibilities. We notice when a firm positions a CCO too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function. We notice when CCOs are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures. We notice when a CCO is replaced because they challenge questionable activities or behavior. We notice when a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers. We notice when a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.
The risk alert summarized six key failings observed by OCIE staff:
- Inadequate Compliance Resources, including CCOs without time or knowledge to fulfill their responsibilities as CCO, compliance staff without adequate resources, and insufficient compliance staff to account for firms’ growth.
- Insufficient Authority of CCOs, including CCOs without access to critical information, limited interaction with senior management, and lack of involvement of CCOs by senior management regarding matters that had compliance implications.
- Annual Review Deficiencies, including a lack of documentation, annual reviews that did not address key risks, and annual reviews that did not address key areas of the business.
- Implementing Actions Required by Written Policies and Procedures, including advisers that did not train employees, implement procedures covering critical areas, review advertising materials, follow compliance checklists and processes, and review client accounts.
- Maintaining Accurate and Complete Information in Policies and Procedures that included outdate or inaccurate information about the adviser, including off-the-shelf policies and procedures.
- Maintaining or Establishing Reasonably Designed Written Policies and Procedures, including written policies and procedures that were cursory or were not tailored to the firm’s business. The risk alert cited each of the primary areas that the original Compliance Programs Rule adopting release suggested as requiring written policies and procedures.
In his remarks at the National Outreach Program, OCIE Director Driscoll also commented on the overall success of the industry and OCIE to adapt to pandemic working circumstances. He noted that a majority of firms had activated existing business continuity plans and that critical areas of operation were typically covered. He further noted that OCIE had continued with remote examinations and conducted over 2,950 exams in fiscal year 2020 (Sept. 30-Oct. 1), covering 15% of all investment advisers.
In a forewarning, Director Driscoll noted that “remote due diligence on service providers and sub-advisers will require considerable attention,” and new technology adopted during the pandemic brings risks that will require further evaluation by “skilled and knowledgeable compliance departments.”
The post-discussion panel includes remarks by CCO’s Lazarus and Araujo regarding their management of the CCO role and advice to participants. Attorney Anderson also added valuable commentary about handling difficult examinations.
CSS Executive Directors Jacqueline Hallihan and Keith Marks moderated the discussions.