As registered investment advisers, under Advisers Act Rule 206(4)-7—the “Compliance Rule”—hedge fund managers are required to review their compliance policies and procedures for adequacy at least annually. Despite the Compliance Rule’s requirements to implement, maintain and review policies and procedures designed to prevent violations of federal securities laws, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations recently released a risk alert detailing fairly pervasive non-compliance among advisers. Specifically, OCIE said of compliance review deficiencies, “Annual reviews are not performed or did not address the adequacy of the adviser’s policies and procedures. The staff observed that certain advisers did not conduct annual reviews of their compliance policies and procedures, as required by the Compliance Rule. In addition, the staff identified advisers that conducted annual reviews that did not address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. Staff also observed that advisers did not address or correct problems identified in their annual reviews.”
The Compliance Rule infractions OCIE raised in the risk alert effectively serve as forewarning of the deficiencies it will investigate in hedge fund manager examinations this year. Accordingly, this article, the first in a two-part series, outlines best practices for hedge fund managers conducting an annual review, including when it should be conducted, how to prepare and who should be involved. The second article in the series will address the steps hedge fund managers should take if compliance issues are uncovered and how to measure the effectiveness of a compliance review.
The Compliance Rule
Rule 206(4)-7 under the Advisers Act makes it unlawful for a registered hedge fund manager to provide investment advice to clients unless it adopts and implements written policies and procedures reasonably designed to prevent violations of the Advisers Act, and conducts annual compliance reviews to test the effectiveness of its compliance program. Registered private fund managers also are required to designate a chief compliance officer to be responsible for administering the policies and procedures the adviser implements.
According to Steven Gatti, a partner at Clifford Chance, “[Rule] 206(4)-7 essentially requires regulated advisers to take a look back and a look forward on an annual basis. Through that process, managers can certify that the compliance policies and procedures that are required under the Compliance Rule are implemented, verified and tested.”
Jason Ewasko, compliance director and CCO at Cipperman Compliance Services, added, “Regulators want you to have a compliance program that is effective, robust and addresses the full scope of your business. Reasonably, it is something that should be looked at every year to make sure the compliance program is keeping up to date with new regulatory developments and changes within your firm and the way you do business.”
“Without any doubt, your compliance manual is the cornerstone of your business and is something that should be reviewed, touched upon and adjusted throughout the year,” concurred Robert Prucnal, president of Cipperman Compliance Services. “A compliance program is built on an endless number of regulations and responsibilities, and as things like your cybersecurity program or code of ethics change throughout the year, and as new regulations are introduced, you need to be looking at your compliance manual to be sure it reflects these changes.”
Annual Compliance Reviews: When and Why
The Compliance Rule mandates that each registered adviser conduct an annual review to identify weaknesses, areas for improvement or modifications that may be required because of changes in laws or regulations. Additionally, a compliance review should be designed to identify particular compliance issues that arose over the course of the prior year and need to be addressed.
“The objective of the annual review is to take an assessment of the compliance program and identify your areas of risk and whether those risks have changed,” explained Carlos Guillen, president and CEO of BasisCode Compliance. “The annual review gives you a chance to look at what you’re doing within your compliance program and with your policies and procedures to make sure that the firm has a robust and effective compliance program.”
As Prucnal noted, “The annual compliance review is a report card. It takes all of the compliance activities that a compliance officer creates, monitors and manages, and tests the quality of the compliance program for the firm. The annual compliance review allows issues and areas of weakness to surface and gives the CCO and the firm a chance to properly address those issues. Through the annual compliance review, you’re trying to understand where your firm is strong and where there might be weaknesses and room for improvement.”
The compliance review should ensure that the policies and procedures that the firm has adopted have kept up with the changing regulatory and business environment and with the changes within the firm’s business. Ultimately, the goal of an annual review is to determine whether or not the firm’s compliance program continues to reasonably and effectively prevent compliance issues from occurring.
The Compliance Rule does not specify exactly when a hedge fund manager should complete its compliance review. However, many hedge fund managers conduct their reviews at year-end. Some managers also choose to schedule their annual compliance reviews to coincide with other year-end review processes, such as the annual financial audit, as the CCO and other executives within the firm will be reviewing various functions or information that is also critical to the compliance review. Still others may prefer to conduct the annual compliance review during a less busy time of the year.
While managers do not have a prescribed completion date, Gatti said, “Most firms do conduct the annual review on a regularized basis. They will have a date by which they will complete the annual review, and they will start the review process some time before that to ensure completion by the prescribed date.”
Managers may conduct a compliance review for reasons apart from regulatory obligation as well. Glen Barrentine, a partner at Winston & Strawn, said, “The reason it would make sense to conduct an annual compliance review even if there wasn’t a rule is that it’s a good way to focus and think through one’s compliance program. Programs get stale, there are new rules the manager is subject to and businesses change, so the review is a chance to look over the compliance program and make sure all aspects are still relevant and still work.”
SEC Enforcement Actions Relating to Annual Compliance Reviews
The SEC has a considerable record of pursuing enforcement actions for failure to conduct annual compliance reviews. In October 2016, Kentucky-based registered investment adviser Dupree Financial Group settled charges with the SEC that the firm failed to conduct annual compliance reviews over a multi-year period. During an August 2014 examination of Dupree Financial, OCIE discovered that the firm had not, since first registering in mid-2010, conducted an annual compliance review, in violation of the provisions in Rule 206(4)-7 mandating one, and in spite of the firm’s stated policies and procedures. Dupree Financial was censured and agreed to pay a penalty of $25,000. (For a summary of the SEC’s action against Dupree, see “Pair of Enforcement Actions, 2016 SEC Enforcement Results Reveal Regulator’s Focus.”)
In June 2015, the SEC charged Eugene Mason, the CCO of SFX Financial Advisory Management Enterprises, with violating the Advisers Act for causing the firm’s compliance failures by negligently failing to conduct certain reviews required by the firm’s compliance policies and failing to perform an annual compliance review. The SEC also charged the firm’s former president, Brian Ourand, with stealing $670,000 in client funds over a five-year period. The firm and Mason separately agreed to settle charges that they were responsible for compliance failures and other violations. In settling the case, SFX and Mason agreed to pay penalties of $150,000 and $25,000, respectively.
In October 2013, the SEC brought separate actions against advisory firms for repeatedly ignoring problems with their compliance programs. In a press release, the SEC said the enforcement actions arose from the agency’s Compliance Program Initiative, which targeted firms that have been previously warned by SEC examiners about their compliance deficiencies but have failed to effectively act upon those warnings to remediate violations.
In one action, the SEC fined Modern Portfolio Management and its owners G. Thomas Damasco II and Bryan Ohm $175,000 to settle charges that they failed to correct ongoing compliance violations at the firm despite prior warnings from SEC examiners. In particular, they failed to complete annual compliance reviews in 2006 and 2009 and made misleading statements on MPM’s website and investor brochure.
In another case, the SEC charged New Orleans-based Equitas Capital Advisers and Equitas Partners, as well as owner David Thomas, Jr., chief compliance officer Susan Christina, and former owner and chief compliance officer Stephen Derby Gisclair, with failing to adopt and implement written compliance policies and procedures and conduct annual compliance reviews to satisfy the Compliance Rule. Thomas and Gisclair agreed to pay a total of $225,000 in additional penalties. The Equitas firms agreed to censures and hired independent compliance consultants.
Preparing for the Annual Compliance Review
Each firm will prepare for the annual compliance review differently depending on its business, but best practice is to first review any changes made to the firm’s compliance policies and procedures throughout the year, along with any regulatory changes that affect the firm, and then to review the firm’s policies and procedures to make sure they are still relevant and applicable. Additionally, it is important for managers to include a risk assessment in the compliance review preparations to identify key areas to focus on during the review.
Ewasko explained, “Every compliance review is going to be different at every firm. There may be similarities, but each firm brings its own set of challenges and its own people, so there are obviously going to be variances. But starting with the compliance program is the way to go. Firms can also prioritize issues based on regulatory changes or focus by SEC examiners or changes in the business. Additionally, quarterly reports on trading, valuations and other programs can identify issues to be looked at more closely during the review.”
One of the first things that the CCO (or other individual tasked with completing the compliance review) needs to do is review the firm’s written compliance policies and procedures, and then confer with any other compliance personnel and the heads of the various departments within the firm, such as operations, trading or portfolio management, to discuss whether the policies and procedures are being followed and whether they’ve worked in practice.
According to Christopher Wells, a partner at Proskauer Rose, “When preparing for your compliance review, you need to consider all of the different areas which affect the business—personal trading by employees, issues related to insider trading, expenses, trade allocations, marketing, and all of the other things that you deal with on a daily basis—and in particular, any issues that came up in prior years and during the most recent year.”
In preparing for the annual compliance review, the manager will want to review the firm’s current compliance policies and procedures, code of ethics and the most recent risk assessment. If the manager has been examined since the previous year’s compliance review, the review needs to take into account any SEC deficiency letters and the firm’s response to those letters.
Barrentine said managers should look at different parts of the compliance program throughout the year and keep track of what has been done, so when it is time to conduct the review the manager is not starting from scratch. He also noted, “You can start the review process by looking at the review from the previous year and seeing what recommendations were made, what was fixed and where those issues stand. You can also get a sense of where to focus from OCIE’s priorities letter and frequent SEC compliance topics to see what you should look at to start. You should also keep track of the hot topics throughout the year.”
Gatti added, “Throughout the course of the year, compliance officers should be identifying areas for further review and keeping a checklist of what they’ll want to return to as they’re putting together their annual compliance review. It is prudent to make notes of areas ripe for enhancement and further review.”
What Should the Annual Compliance Review Cover?
The Compliance Rule does not include specific guidance as to what should be covered during the review; however, the Adopting Release for Rule 206(4)-7 suggests, “The review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures.”
On this point, Wells noted, “I think one of the first things you should do is look to see if there have been any compliance or regulatory developments during the year that affect your business, and at how your business may have changed during the year. Then take a look at your policies and procedures and do a risk assessment to identify what should be your priorities, and then focus on specific policies or procedures that need to be updated or improved.”
Added Art Zwickel, a partner at Paul Hastings, “Basically, as part of the annual compliance review, managers should review the entire compliance program. Don’t just review the areas you think the SEC is going to focus on if they come to examine your firm. It’s supposed to be a comprehensive review of your compliance program. Look at the previous 12 months, and see if there are any gaps that you’ve identified through your ongoing compliance testing. You should identify changes in the business to see if they pose any additional risks to the firm that the compliance program needs to address. You should also identify any regulatory changes that impact your business.”
The CCO typically creates a program that details the issues the review should encompass. The weight accorded to each issue typically is based on a risk assessment. Bao Nguyen, director of risk advisory services with Kaufman Rossin, advised, “You should review areas that pose a substantial risk to the firm from both the regulatory perspective and the investor perspective. Areas like fees and expenses need to be reviewed from a robust standpoint because of the potential risk of misallocations to the client and the underlying investors.”
Barrentine agreed, and said managers need to identify areas that might be problematic. “You don’t need to do a review of every rule, but you need to look at those that impact your business. I suggest you ask senior management what they think should be looked at.”
According to Brian O’Neill, a senior attorney at Bradley Arant Boult Cummings, “Managers have to essentially conduct an audit of the disclosures and representations they have made in the compliance program to determine whether the firm is complying with what has been disclosed. This is where a lot of the exposure has been recently through SEC enforcement actions.”
Offering his advice, Gatti added, “We recommend that firms choose particular areas of focus; areas where either the firm has identified through normal business operations an area of weakness or concern, or that regulators have identified as a particular area that may be of concern or where there are new regulatory or legal developments that have to be addressed in the compliance program.”
Guillen said the compliance review should start with a review and summary of the most recent compliance review. He added, “You should also look to see where the regulators are focusing their attention, and make sure you have proper policies and procedures in place to address things like valuation, fees and expenses, conflicts of interest and affiliated transactions. Technology makes the review process easier. It enables firms to summarize what needs to be done and when, and lets managers be sure that everything that is on their calendar is assigned to an owner and is completed.”
And while each review is going to vary from firm to firm, Wells noted, “There are a few key elements to every review: The CCO has to meet with senior management and review a report that highlights the key issues and risks facing the firm, any specific compliance problems that have come up over the course of the year, what has been done to address them, and any changes in regulations or the business that have or will need to be addressed.”
Who Should Conduct the Annual Compliance Review?
Another area where Rule 206(4)-7 and the SEC are silent is the question of who should conduct the annual compliance review. Many hedge fund managers have the CCO conduct the annual compliance review, while others hire third-party service providers or their outside law firm for the task.
Because of the CCO’s knowledge of the hedge fund’s infrastructure, policies and procedures and business operations, most hedge fund managers see the CCO as the most appropriate person to conduct the annual compliance review. According to Zwickel, “The CCO is the person who coordinates and oversees the whole process. Depending on the size of the firm and the resources it has available, the CCO can be assisted by other compliance professionals at the firm or by an outside compliance consulting firm. Other key officers, such as the CFO or COO, should participate in the process and can assist with gathering information for the review.”
While the Rule doesn’t say who should conduct the annual review, Barrentine noted, “It’s usually the CCO. While having the CCO conduct the annual compliance review is efficient, the problem is that the CCO is too close to the program and may not have the most clear-eyed or objective view of the compliance program because he or she has an interest in the success of the program. You should definitely have the business side and senior management involved. Legal and audit should be involved. It’s good to get input from others about where issues are and what works and what doesn’t.”
Added Gatti, “In our experience, it is important that the chief compliance officer leads the process. It is not, however, a one-person job, and the CCO will be pulling in resources as necessary from throughout the firm to look at various policies and procedures and to get their feedback and input.”
Third parties, such as compliance firms, administrators and auditors also can credibly perform the annual compliance review for the hedge fund manager. Because third-party firms work with many different types of clients and may specialize in these reviews, they tend to have personnel with knowledge of the review process and industry best practices—which could be a boon for managers. Nguyen explained an ancillary benefit of having an outside service provider conduct the review. “I would equate a CCO trying to conduct the annual review on his or her own to someone trying to proofread their own paper. It’s very difficult because you are so close to everything that you may miss something. You always want a second eye to take a look at what you’ve done, because they can look at things from a different perspective.”
In weighing the benefits of conducting the review in-house or outsourcing it, Ewasko said, “Who should do it is going to depend largely on the size of your firm. Larger firms may have an internal compliance staff that can take on the compliance review and will be responsible for it and documenting the results of the review. Smaller firms without a compliance team and with limited resources will rely on third-party service providers to conduct that review. If you’re going to rely on a compliance services firm or other third party to conduct your annual review for you, you want to make sure the people at the firm have the compliance background and the experience conducting compliance reviews to have a solid testing program so they can thoroughly review your compliance program.”
The SEC has taken the view that it is better to have an outside provider conduct the review. As Wells pointed out, “I think the SEC staff actually likes to see firms bring in outside parties, like lawyers or consultants, to help in their annual compliance review. A third party may be able to spot issues that the CCO doesn’t see simply because he or she is too close to the business.”
Gatti noted, though, that third parties should not just supplant the CCO. “Even if an outside consultant or law firm is participating in the review process, advisers should avoid fully outsourcing the review. The annual review process can be very helpful to the adviser in understanding their business in detail and knowing its strengths and weaknesses.”
Nguyen added, “The benefit of having an independent third party review your compliance program is that you’re getting a fresh, objective perspective. When selecting a third party, you want to make sure the firm has expertise in your industry, your business and your strategy. Every fund is run differently, and every back office is different, so a third party should know the risks associated with the manager and the manager’s business from a regulatory compliance standpoint.”
Managers also have to be prepared to heed the recommendations of the third party reviewer, O’Neill said. “When your annual compliance review is conducted by a third party, those results are very much binding on you. If the third party finds something during the review or makes recommendations for adjusting your program, a regulator who comes in is going to want to see that report and will want to see that you’ve implemented the changes that were recommended and how you addressed issues that were uncovered.”
Regardless of who conducts the review, it’s ultimately the CCO’s responsibility, Wells said. “The CCO is ultimately responsible for the review and should take the lead. The CCO can delegate certain tasks to other people within the firm, but ultimately it’s the CCO who has to bring it all together, write up a report, make any recommendations and meet with senior management to review them.”
On this firm-wide effort, Guillen noted, “In an environment that has a good culture of compliance, folks throughout the firm, such as portfolio managers or the COO or chief technology officer, are stakeholders in the compliance process, and they should be involved throughout the year, not just during the annual compliance review. In the most successful compliance programs that I’ve seen, the compliance officer and other business owners are involved and invested in the compliance program throughout the year, and when it is time to review the program, they are all providing input and submitting information to make the CCO’s review process run more smoothly.”