Top compliance program mistakes (and how to avoid them)

Part 1, in a series of 3, on common compliance mistakes investment advisers make. First – how to build an engaging compliance manual.

Chief Compliance Officers face the challenge of running a comprehensive yet efficient compliance program that nimbly adapts to changing regulatory requirements and business practices. As compliance consultants, we see our fair share of missteps. So we created a three-part series to discuss common compliance program mistakes investment advisers make and how to avoid them.

This is the first in the series and covers how to build a relevant and engaging compliance manual. In the second post, we will delve into the details of developing clear compliance procedures. The last post discusses some examples of compliance failures and how to remedy them.

The neglected compliance manual

For many advisory firms, the compliance manual often languishes, becoming a dusty door stop rather than the dynamic guide it’s meant to be. Are you confident that your firm employees actually read and understand your compliance manual? Does it truly reflect the intricacies of your unique business model? In this first post of our series, we’ll delve into the common pitfalls of the “neglected compliance manual” and explore how to transform it into a living, breathing resource that engages your entire firm and lays a solid foundation for your compliance efforts.

A common compliance program mistake is what we call the “neglected compliance manual.” Neglect happens because the manual goes unread and isn’t tailored to the firm’s unique business model.

Before an SEC exam, the staff will read your compliance manual and expect it to reflect how your firm operates. Some manuals have only been read by the law firm or consultant that prepared them and the Chief Compliance Officer (CCO), generally resulting in policies and procedures that are not factually correct, include sections that do not apply to the firm’s business, or are hopelessly outdated. Some manuals are too vague, stating that “the firm” is responsible for ensuring policies are followed. Other firms mistakenly assign responsibility for all policies and procedures to the CCO. Not only is this impractical, but it is not humanly possible.

Think of the compliance manual like a GPS for your team—it should clearly map out how to navigate the regulatory landscape, turn by turn. Let’s discuss how to give the compliance manual the attention it deserves.

Engage everyone

The sad truth at most firms is that almost no one, aside from the compliance officer, reads the compliance manual. Firms often use off-the-shelf or attorney-drafted manuals that hit the required topics but still include phrases like “insert firm name here” or “select relevant option,” tipping off regulators that the manual has not been read, customized or updated (see this case as an example).

In a risk alert from 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE, now known as the Division of Examinations or EXAMS) found during routine examinations that “certain compliance programs did not take into account important individualized business practices such as the adviser’s particular investment strategies, types of clients, trading practices, valuation procedures and advisory fees. Moreover, examiners continue to observe that some advisers use ‘off-the-shelf’ compliance manuals that have not been tailored to the adviser’s individual business practices.”

To make the firm “own” compliance, we recommend that the CCO get managers and employees involved in drafting and revising the manual. Let’s be honest – most employees would rather read the terms and conditions of a cell phone contract than your compliance manual. That’s why you’ve got to make it matter.

Set up a meeting with each area within the firm to go over the sections of the manual that apply to them. For example, provide the traders with the allocation and aggregation policies and procedures and review the language. Ask them to describe the trading process from start to finish to see if the procedure reflects the actual practice. For example:

  • Who gives the order for the trade?
  • How does the trader select the broker to execute the trade?
  • How does the trader aggregate and allocate the order across participating accounts?
  • Who checks to confirm that the trades were implemented and allocated correctly? 
  • Who reviews the trade blotter at the end of the day?

These are questions that should be addressed in the manual.

The CCO should revise the procedures based on input received and require the supervisor to review and approve them. Supervisors then have accountability for those procedures. The goal is to have a procedure that reflects what actually happens, identifies who is supposed to perform various tasks, and assigns responsibility for supervising the activity. Avoid detailing every possible contingency or naming specific reports or software tools unless essential, as this can quickly become outdated or overly rigid.

Yes, it’s a heavy lift, but skipping these steps now just means carrying a heavier burden during your next SEC exam. The effort also serves several purposes. First, it gets people to read the manual. Nothing is more embarrassing (and demoralizing) than having the SEC staff read a policy aloud during an exam and having firm employees admit that they were unaware that the manual included that particular provision.

Second, it helps reinforce the message that compliance is a firm-wide obligation embedded in the firm’s day-to-day operations. Third, it is a great learning experience for the CCO. It is an opportunity to get to know others within the firm, what they do, how they do it, and what obstacles they face. Finally, it requires different areas of the firm to take ownership of the policies and procedures applicable to them.

Customize the manual

The SEC continues to warn firms that their compliance manuals should reflect the firm’s business practices and address its specific risks. For example, in November 2020, the SEC settled actions against three investment advisers and two dual registrants for violations of Rule 206(4)-7 in connection with sales of complex exchange-traded products (ETPs) to retail investors.

The firms were recommending volatility-linked ETPs, which attempt to track short-term volatility expectations in the market. The offering documents disclosed that these products were meant to be held short-term and that they incurred significant costs when held for longer periods, costs that could eat into returns. Unfortunately, in these instances, that’s exactly what occurred. The SEC found that the investment professionals recommending these products did not understand their risks and did not explain them to their clients.

In its settlements, the SEC found that these firms’ compliance programs suffered from material deficiencies. The firms failed to:

  • adopt policies and procedures regarding complex products other than ETFs;
  • require financial professionals to be trained on the risks of ETPs;
  • develop a process to review or approve new products;
  • adopt procedures for identifying and tracking holding periods.

By failing to have policies and procedures to address the risks of these complex products, these firms violated Advisers Act Rule 206(4)-7.

In similar settlement orders with investment advisers, the SEC often charges firms with violating Advisers Act Section 206(4) and Rule 206(4)-7 because of their failure to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules.

To avoid this result, firms should periodically review SEC cases, risk alerts published by EXAMS, and EXAMS’ most recent examination priorities.

It is also important to update your firm’s risk inventory to address changes to the firm’s operations, new product offerings, expansion into new states (or countries), and any other new risks that affect your business. Advisers should also update the risk assessment to reflect significant findings from compliance testing and monitoring, issues that occur at the firm, and SEC examination results.

Janaya Moscony, President, SEC3. As a former SEC regulator, Janaya has significant experience in the examination, implementation and enforcement of securities regulations. Contact: janaya@sec3compliance.com