Compliance is a journey requiring adaptation, refinement, and attention to detail. While establishing a solid manual and clear procedures are essential first steps, the true test of a robust compliance program lies in consistent execution, thorough documentation, and a commitment to continuous improvement.
In our final post, we’ll explore the critical elements that ensure your compliance efforts are not just a one-time project, but a deeply embedded aspect of your firm’s culture. We’ll cover everything from the necessity of documented reviews and consistent disclosures to the strategic use of technology and the vital practice of following up on recommendations and regulatory feedback.
The undocumented review
As far as the SEC is concerned, if you can’t prove it, it didn’t happen. CCOs must carefully review the compliance manual to determine where documentation is needed. Focus on higher-risk areas first. For example, if the manual requires the firm to review best execution, there should be a report in the file describing the review process and the firm’s conclusion.
Here’s our advice: Above all, make the review process easy. Consider the most efficient way to document compliance with the procedure. For example, if the firm’s policy requires that IARs perform a review of their client accounts quarterly, create a simple form that hits the highlights. The firm’s client relationship management system can be a useful workflow tool in this regard. Consider creating an automated report for each IAR summarizing activity in their accounts for the past quarter to assist in this effort. Want employees to take the process seriously? Let them help build it. If they help shape the form, they’re far more likely to use it—and use it correctly.
Firms can also leverage existing reports and reviews. For example, rather than develop a new trade report to address best execution obligations related to share class selection, many firms already perform a daily trade review that could be leveraged by flagging client transactions in higher-cost share classes for additional research.
Similarly, many firms activate their business continuity plans during natural disasters, severe weather or local events that prevent employees from going to the office (e.g., water main breaks). This is the perfect time to document the parts of the plan that are working and those that aren’t. Acknowledge failures and revise your processes accordingly.
Key Documentation Practices:
- Date of Review;
- Review Period;
- Scope and method;
- Person conducting review;
- Findings;
- Follow-up actions; and
- Supporting documentation (or its location).
Inconsistency among disclosures
During an examination, the SEC compares your Form ADV disclosures with advisory agreements, fund documents, the firm’s website, marketing materials, and the compliance manual. And the staff will ask about any inconsistencies.
For example, one area where we find many inconsistencies among the Form ADV, the compliance manual, the advisory agreement, and actual practice is the description of the fee billing process. Common examples include:
- The advisory agreement states that a firm bills its clients in arrears, and Form ADV (and firm practice) states that the firm bills in advance.
- The Form ADV Part 2A discloses that bills are calculated based on the value of the account’s assets at the end of the billing cycle, and the advisory agreement states that the fee is based on the average daily balance of the account over the billing cycle.
- The Form ADV discloses certain breakpoints that ensure clients are billed a lower rate as their assets grow, and the firm’s actual practice does not ensure this occurs.
Resolving this issue requires a thorough review of all documents that address the topic and a comparison of each one against actual firm practice. The CCO is in the best position to identify potential inconsistencies and determine the correct answers. For example, the CCO could highlight the sections of Form ADV Part 2A and the compliance manual that are inconsistent, and ask the person responsible to review and correct them. Seeing the documents side by side makes it easier to identify the problem.
SEC examiners will expect consistency and accuracy across all disclosures, and inconsistencies are often interpreted as signs of weak controls.
Code of ethics fails
Many firms fall short in their compliance with the firm’s code of ethics. Some common failures include:
- Failure to identify access persons. The firm does not identify all individuals with access to client and trading information as access persons. For example, private fund managers are often reluctant to treat individuals who are not employees or officers as access persons even if they participate in the selection and oversight of portfolio companies.
- Missing accounts. Access persons do not report all accounts. Often forgotten are accounts of children and spouses, and other accounts where an access person has control, such as acting as a co-trustee for a relative’s account.
- Failure to pre-clear trades. Access persons do not pre-clear securities transactions as required by the code, sometimes forgetting that private investments are considered “limited offerings” under Rule 204A-1 of the Advisers Act.
- Failure to review records. Compliance does not review personal securities transaction records or falls behind.
- Lack of timely initial holdings reports. Compliance does not train new hires on their Code of Ethics obligations or obtain a timely initial holdings report.
We advise getting management to support compliance efforts to enforce the Code of Ethics. The truth is that if it’s not important to the boss, it’s not important to anyone. If the Chief Executive Officer says that anyone who fails to complete their annual holdings report on time will have to answer to him or her, employees are more likely to get it done.
We recommend taking advantage of automation. Reviewing employees’ personal trading activity takes time that could be better spent on riskier areas of the compliance program. For firms with 15 or more employees, it usually makes sense to use compliance software to monitor employee trading.
Take the time to train employees on their compliance responsibilities. Provide regular training, but also identify the consistent rule-breakers and give them individual lessons on how to comply with their reporting obligations.
Imposing sanctions for code violations shows the SEC that the firm is serious about compliance. At the same time, determining punishment puts the compliance officer in a tight spot. Consider creating a committee that includes managers from other areas of the firm to determine sanctions. Managers on the committee will understand the code better and will be invested in the process. The committee can then decide on the sanctions.
Overestimating the power of technology
Although technology can help streamline repetitive tasks, firms must also understand how the system works, the configuration and maintenance that is required, and the testing necessary to confirm whether it is working as expected. For example, using a compliance system to monitor employee trading can save compliance officers time, but there is a cost.
Most of these systems rely on automated feeds from brokerage firms that are uploaded into the system daily. For the system to work effectively, employees must maintain accounts with broker-dealers that offer a feed. Many brokerage firms charge for these feeds, and some do not provide them at all.
Additionally, ongoing maintenance is required, and the system must be configured to address each firm’s reporting requirements.
Compliance software can be incredibly helpful in analyzing data, automating routine tasks, and maintaining records. But technology is a tool, not a strategy. Keep in mind that people are required to administer, configure, maintain and update the system.
Systems for email review, proxy voting, and compliance program management all have similar issues to those highlighted in the example above. Allocate sufficient time and resources for your staff to learn the system, make the required changes, and test whether the system is working as intended.
Keep communicating with your vendors. Vendors make updates to systems over time. Maintaining regular contact with your vendor can help you better understand the reasons for system updates (such as to address a particular compliance challenge or security issue), advocate for system changes, manage costs, and ultimately ensure the efficient operations of the system.
Many systems also have active user communities, which can be a great resource.
Failure to follow up on annual review recommendations and SEC examination deficiencies
Many compliance officers give a huge sigh of relief after completing the annual review or an SEC examination. Compliance is not a one-time project—it’s a continuous process that evolves alongside your business and regulatory expectations. It is important to build into the compliance program and compliance calendar specific tasks for following up on any recommendations from the annual review of the compliance program and any deficiencies cited in the most recent SEC examination.
The SEC examinations team routinely requests a copy of the firm’s annual review of the compliance program required under Advisers Act Rule 206(4)-7 and will ask about the status of any issues or recommendations discussed in that document. Firms should be able to provide documentation of the steps taken to address the issues. Therefore, keeping track of the firm’s progress and having periodic written updates is important.
The most common outcome of an SEC examination is a deficiency letter, in which the examination staff details its findings and sets a 30-day time limit to respond. An adviser should resolve what it can within the 30-day time frame. However, if an issue cannot be resolved quickly, the adviser should include a timeline outlining the steps being taken and the expected completion date. Before an examination, the SEC will review a firm’s most recent deficiency letter and ask how the issues cited were resolved. The SEC has been known to take enforcement action against recidivist activity.
Compliance is a process
Conclusion
A strong compliance program is more than just a set of documents—it’s a living, evolving framework that reflects your firm’s practices, risks, and values. While it’s easy to overlook areas like documentation, accountability, or follow-up, these details often determine how your firm is viewed during an SEC examination.
By addressing the common pitfalls discussed in this article—neglected manuals, vague procedures, untracked follow-ups, and overreliance on technology—firms can strengthen their compliance infrastructure and better demonstrate their commitment to regulatory responsibility.
Remember, a well-run compliance program is not only a regulatory requirement—it’s a foundation for building trust with clients, regulators, and employees alike.
Also, see Part 1 Top compliance program mistakes (and how to avoid them) on building an engaging compliance manual; and Part 2 Top compliance program mistakes (and how to avoid them): The devil’s in the details on common compliance mistakes investment advisers make.
Janaya Moscony, President, SEC3. As a former SEC regulator, Janaya has significant experience in the examination, implementation and enforcement of securities regulations. Contact: janaya@sec3compliance.com