SEC OCIE Issues Risk Alert on Observations on Investment Adviser Compliance Programs

November 30, 2020

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to provide an overview of notable compliance issues of registered investment advisers (“Advisers”) identified by OCIE related to Rule 206(4)-7 (commonly referred to as the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”).1

Compliance Rule Deficiencies and Weaknesses

  • Inadequate Compliance Resources. OCIE staff observed Advisers that failed to devote adequate resources to their compliance programs. Chief Compliance Officers (“CCOs”) with numerous other responsibilities did not dedicate enough time to fulfilling their responsibilities as CCO or develop their knowledge of the Advisers Act. Compliance departments lacked sufficient resources, such as training or staff, to implement an effective compliance program. Advisers that had grown significantly in size or complexity did not hire additional compliance staff or add information technology in keeping with their growth.
  • Insufficient Authority of CCOs. CCOs lacked sufficient authority within the Adviser to develop and enforce policies and procedures. For example, Advisers did not give their CCOs full access to critical compliance information, such as trading exception reports and certain client advisory agreements, and failed to consult their CCOs regarding matters with potential compliance implications. Limited interaction between Advisers’ senior management and their CCOs resulted in CCOs having limited knowledge of the firm’s leadership, strategy, transactions, and business operations.
  • Annual Review Deficiencies. Advisers were unable to demonstrate that they conducted an annual review. In other cases, Advisers’ annual reviews failed to identify significant compliance or regulatory issues. For example, Advisers claimed to have performed ongoing or annual compliance reviews but could not produce documentation of the reviews; failed to identify key applicable risk areas in the Annual Review; and failed to adequately review significant areas of their business, such as the oversight and review of third-party managers, cybersecurity, and fees and expenses.
  • Implementing Actions Required by Written Policies and Procedures. Advisers failed to implement or perform actions required by their written policies and procedures, such as: training employees; implementing compliance procedures regarding trade errors, advertising, best execution, conflicts, disclosure and other requirements; reviewing advertising materials; following compliance checklists and other processes, including back-testing fee calculations and testing business continuity plans; and assessing the consistency of portfolios with client investment objectives.
  • Maintaining Accurate and Complete Information in Policies and Procedures. Advisers’ policies and procedures contained outdated or inaccurate information. Some Advisers used off-the-shelf policies that were not applicable to their business.
  • Maintaining or Establishing Reasonably Designed Written Policies and Procedures. Advisers did not maintain written policies and procedures or failed to establish, implement, or appropriately tailor written policies and procedures that were reasonably designed to prevent violations of the Advisers Act. For example, Advisers relied on cursory or informal processes instead of maintaining written policies and procedures, or utilized policies of an affiliated entity, such as a broker-dealer, that were not tailored to the business of the Adviser. When Advisers did maintain written policies and procedures, OCIE observed deficiencies or weaknesses in establishing, implementing, or appropriately tailoring written policies and procedures in the areas of portfolio management; marketing; trading practices; disclosures; advisory fees and valuation; safeguards for client privacy; required books and records; safeguarding client assets and custody; and business continuity plans.2

In concluding the Risk Alert, OCIE encouraged Advisers to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are tailored to the Adviser’s business and adequately reviewed and implemented.

S&K Observations

The Risk Alert demonstrates that OCIE is very focused on the empowerment of Advisers’ compliance teams to adopt and implement effective compliance programs as the Adviser’s business and industry evolve. Maintaining a stagnant set of often-ignored compliance procedures will result in regulatory issues.

Seward & Kissel LLP, and our compliance consulting service SKRC (Seward & Kissel Regulatory Compliance), are available to assist Advisers with the issues identified in the Risk Alert.


1 The Compliance Rule requires Advisers to (i) adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder; (ii) review, no less frequently than annually, the adequacy of these policies and procedures and the effectiveness of their implementation and (iii) designate a chief compliance officer responsible for administering these policies and procedures. The Risk Alert reiterated the SEC’s position that the chief compliance officer should be competent and knowledgeable regarding the Advisers Act and be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures. See Compliance Programs of Investment Companies and Investment Advisers, SEC Rel. No. IA-2204 (Dec 17, 2003) available at

2 According to the Risk Alert, the area of (i) portfolio management includes due diligence and oversight of outside managers, monitoring compliance with client investment and tax planning strategies, oversight of third-party service providers, due diligence and oversight of investments, including alternative assets, oversight of branch offices and investment advisory representatives to ensure they are complying with the Adviser’s policies and procedures, compliance with regulatory and client investment restrictions, and adherence with investment advisory agreements; (ii) marketing includes oversight of solicitation arrangements, prevention of the use of misleading marketing presentations, including on websites, and oversight of the use and accuracy of performance advertising; (iii) trading practices includes allocation of soft dollars, best execution, trade errors, and restricted securities; (iv) disclosures include accuracy of Form ADV, and accuracy of client communications; (v) advisory fees and valuation includes fee billing processes, including how fees are calculated, tested, or monitored for accuracy, expense reimbursement policies and procedures, and valuation of advisory client assets; and (vi) safeguards for client privacy includes Regulation S-P, Regulation S-ID, physical security of client information, electronic security of client information, including encryption policies, general cybersecurity, including access rights and controls, data loss prevention, penetration testing and/or vulnerability scans, vendor management, employee training or incident response plans. With respect to business continuity plans, the Risk Alert mentions business continuity plans that were not tested or did not contain contact information or designate responsibility for business continuity plan actions.