The Basics of an Annual Compliance Review

Rule 206(4)-7 under the Investment Advisers Act of 1940 requires registered investment advisers ("RIAs") to annually test the adequacy and effectiveness of their compliance policies and procedures.  Compliance with the annual review requirement is an area of focus for the Securities and Exchange Commission.  Documentation of an investment adviser's annual compliance review will always be asked for as part of an examination.  State securities regulators will ask about it, too.  

Knowing that risks, business practices, and other factors vary between RIAs, the annual compliance review rule does not direct investment advisers exactly how and when to conduct the review.  Many RIAs conduct annual compliance reviews to coincide with other year-end activities. Other RIAs may choose to conduct the review in the summer after the ADV annual update or during the process of the annual update.  When it gets done does not really matter, but it needs to be done.  Additionally, interim reviews throughout the year are encouraged and are a best practice. 

The SEC has provided a list of business and risk areas that investment advisers should incorporate into a compliance manual.  These risk areas are:

  • Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients’ investment objectives, disclosures by the adviser, and applicable regulatory restrictions;

  • Trading practices, including best execution, soft dollar arrangements, and trade allocation;

  • Proprietary trading of the adviser and personal trading activities of its employees and access persons;

  • The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;

  • Safeguarding of client assets from conversion or inappropriate use by advisory personnel;

  • The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;

  • Marketing advisory services, including the use of solicitors;

  • Processes to value client holdings and assess fees based on those valuations;

  • Safeguards for the privacy protection of client records and information; and

  • Business continuity plans.

Annual compliance reviews, and the compliance policies and procedures created or updated because of a review, need to address the above areas.  Compliance reviews should almost always be risk-based, and an RIA's compliance policies and procedures should correlate with the risk.  For example, if an investment adviser bases its fees on the value of non-liquid assets or real estate, the investment adviser would be expected to have more detailed policies, procedures, and testing concerning valuation than an investment adviser who only bases its fees on the value of exchange-traded securities.

Common findings are outdated policies, a lack of testing of policies, and little or no direction in a compliance manual concerning what to do about a violation.  "Violation" is a strong word, but it simply means a deviation from a policy.  A violation could be as innocuous as someone forgetting to submit a report on time, but it is a violation, nonetheless.  What is important in your RIA's compliance program is that something was done about it.  Investment adviser firms often confuse the implementation of a policy and the testing of a policy.