On November 19, 2020, the Office of Compliance, Inspections and Examinations (OCIE) issued a Risk Alert on an overview of notable compliance issues identified by the OCIE related to Rule 206(4)-7 under the Investment Advisers Act of 1940. The Risk Alert reflects issues identified in a sample of deficiency letters from recent adviser exams and can be reviewed in its entirety at: [https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf]
Some key takeaways:
Advisers should consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments.
Advisers did not devote adequate resources, such as information technology, staff and training.
Advisers should adopt policies and procedures that take into consideration the nature of that firm’s operations.
Advisers policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.
Advisers annual compliance review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures.
Advisers did not maintain written policies and procedures or that failed to establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act.
Advisers claimed to engage in ongoing compliance reviews but could not provide evidence that reviews occurred.
Adviser’s CCO should be competent and knowledgeable regarding the Advisers Act. OCIE observed instances where such CCOs did not appear to have time to develop their knowledge of the Advisers Act.
Advisers were unable to demonstrate that they performed an annual review or whose annual reviews failed to identify significant existing compliance or regulatory problems.
Advisers failed to identify or review key risk areas applicable to the adviser.
Advisers failed to review significant areas of their business, such as policies and procedures surrounding the oversight and review of recommended third-party managers, cybersecurity, and the calculation of fees and allocation of expenses.
Advisers did not implement or perform actions required by their written policies and procedures.
Advisers failed to complete compliance checklists and other processes, including back testing fee calculations and testing business continuity plans.