Compliance Best Practices
Addresses topics of significant interest to investment management and compliance professionals. We have expanded “Our Take” on a particular subject, and offer our unique perspective on industry matters and regulatory issues.
10 Characteristics of an Effective Compliance Program
What makes a good compliance program? It seems confusing when executive management listens to SEC speeches, interviews compliance professionals, or reads enforcement actions. Today’s list provides the key characteristics that we examine when assessing a compliance program.
- A qualified and dedicated Chief Compliance Officer: The CCO should have significant (at least 5 years) Advisers Act regulatory knowledge and experience. Additionally, the CCO should be fully dedicated to the compliance function and not undertake other executive management roles.
- Tailored policies and procedures: The policies and procedures must be specifically tailored to the firm’s business and continually reviewed and updated. An “off-the-shelf” manual is about as useful as internet-based medical advice.
- Tone at the top: How committed senior management is to compliance can be measured by 3 key variables: (1) total firm budget allocated to compliance (should be at least 5%); (2) executive time spent on compliance issues (at least quarterly); and (3) discipline for employees that violate compliance policies and procedures.
- Training and communication: A good compliance program must ensure that the entire organization has access to compliance information. Recommended practices include ongoing training and communication.
- Testing and Reporting: A firm cannot have a good compliance program without requiring its people to follow the rules. Firms must annually test all policies and procedures, record the findings and recommendations in a written report for management, and continually follow up to ensure remediation.
- Compliance Calendar: A good compliance calendar will serve as the working project plan of every activity required during the year. It should be written so that any new employee could follow the plan.
- Books and records: Documentation is the hallmark of a good compliance program. Only through well-maintained books and records can a firm log its compliance activities and demonstrate their effectiveness to senior management, clients, and the regulators. If it’s not documented, it didn’t happen.
- Email review: Very little transpires in an investment management firm without email communications. Email review can unearth issues that annual testing may not. Email review adds “forensic” to testing.
- Marketing materials: An investment firm’s marketing materials are its “canary in a coal mine”; i.e., if the marketing materials are misleading or omit disclosures, very often the firm has deeper regulatory problems.
- Outside advisers: The best compliance programs use outside advisers to provide advice and an independent, best-practices assessment. The regulatory world has become too complicated to go it alone.
10 Prohibited Conflicts of Interest
The SEC often alleges “conflicts of interest” in various enforcement actions and also derides “conflicts” in letters, speeches, testimony, and other public statements. In order to help clarify what the SEC means by “conflict of interest,” today’s list describes 10 prohibited practices that the regulators have identified as conflicts of interest in enforcement cases.
- Recommending the Wrong Share Class: The SEC has brought several cases where wrap or managed account sponsors recommended share classes that were not the lowest-cost available. In many cases, the SEC alleged a conflict because the respondent received some sort of financial benefit such as loads or revenue sharing.
- Recommending Proprietary Products: The regulators highly scrutinize advisers and broker-dealers that recommend proprietary funds or managed account programs that include built-in fees.
- Favoring Certain Clients: The SEC has criticized firms for allowing redemptions to favored clients after telling other clients a fund was closed to redemptions or by selling out liquid investments for insiders and leaving outside clients holding illiquid investments.
- Manipulating Valuations to Increase Fees: Firms have tried all manner of schemes including using “friendly” broker quotes, lying about inputs, and using non-economic options trades.
- Making Sweetheart Deals with Affiliates: The SEC will not like firms who feign “independence” and then recommend affiliates for ancillary services to jack up revenue.
- Cherry-picking Allocations: Several firms have been prosecuted for using omnibus accounts and then retroactively cherry-picking good trades for proprietary accounts and leaving not-as-good trades to client accounts.
- Taking Undisclosed Fees: The fee may appear legitimate (and maybe the client should have known), but, without specific written disclosure, a firm looks like it has engaged in a classic conflict of interest when it surreptitiously takes undisclosed compensation. Examples include payment of overhead expenses, consulting fees, and investment banking fees.
- Over-billing Clients: Firms have found regulatory trouble by overbilling clients through an opaque billing formula, such as changing measurement dates for valuing client assets or failing to deduct unrealized losses.
- Lying about Performance or Strategy: The SEC views misleading marketing materials as a form of conflict of interest. There have been many criticized practices including using backtested data, failing to describe a strategy’s true risks, omitting poor recommendations from performance calculations, and cherry-picking time periods.
- Lying about Qualifications: In addition to performance, the SEC has also faulted firms who lie about their academic or business qualifications, the firm’s AUM, or the firm’s financial or disciplinary record.
The 10 Consequences of Noncompliance and SEC Enforcement
Today, we address the 10 implications for a firm that faces an enforcement action as a result of a failure to implement a competent compliance program (either intentionally or unintentionally).
- Financial penalties: The most obvious direct consequence of an enforcement action is the financial penalties that the SEC can impose. These can include fines, interest, and restitution for “ill-gotten gains” going back several years.
- Industry bars: Rarely does an SEC action not name one or more of the firm’s principals. And, if successful, the penalties usually include fixed or permanent industry bars, thereby precluding you from making a living in your chosen field. If the permanent bar includes a firm principal, it could mean the end of the firm itself.
- Lost management time: Responding to, and defending, SEC enforcement actions consumes hundreds of hours of management time dealing with lawyers, assembling materials, meeting with employees, and testifying. This is time lost to the productive activities required to run your business.
- Defense Costs: The costs of lawyers retained at high hourly rates to defend enforcement actions very often far exceed any fines or disgorgement that the SEC imposes.
- Reputation: Competitive (dis)advantage: Don’t think your competitors won’t highlight a public enforcement action during every RFP and competitive client situation. Additionally, many institutional investors automatically disqualify money managers with a regulatory record.
- Impact on commercial value: A potential buyer will discount a firm’s equity value because of public regulatory issues that could impact its long-term competitiveness.
- Criminal prosecution: The SEC has the power to refer cases to the Department of Justice. As a result of such referrals, especially when fraud or misuse of assets is alleged, the DoJ has prosecuted and imprisoned many financial executives.
- Increased examination focus: Once the SEC has brought an action, expect the staff to appear for regulatory exams on an accelerated, if not continuous, cycle. It’s the SEC’s job to weed out recidivists.
- Insurance Costs: Following an enforcement action, E&O and D&O rates will rise significantly, assuming you can even obtain such coverage.
- Hiring: In the war for talent, a bad reputation will repel the best and brightest who have multiple opportunities.
The 12-Step Cybersecurity Program
The term “cybersecurity” may be more of a buzzword in investment management than performance, fiduciary or robo-adviser.
- Identify location of confidential information. Conduct an internal assessment of the location of confidential information and who might have access.
- Restrict access: Passwords should be specific to each employee and should require updating on a periodic basis. Also, make sure to shut down access for exiting employees.
- Monitor for intrusions: The IT function should add intrusion monitoring as part of the virus and security protocols. Also, IT should report multiple log-in failures.
- Prohibit removable storage media. Also, create a hardware environment that makes it difficult to use such media.
- Limit devices. Only firm-approved and encrypted devices should have access to the network/system.
- Test vulnerability. Hire an IT firm to perform a vulnerability assessment and conduct penetration testing.
- Evaluate vendors. Ensure vendor selection includes cybersecurity due diligence. Create ongoing monitoring and reporting system.
- Report to Management. Add cybersecurity as an agenda item to every management and compliance meeting and include reports from IT and Compliance.
- Appoint somebody accountable. One person should own cybersecurity compliance across the organization, whether that person resides in IT, Compliance, or Operations.
- Create response plan. The response plan should include required notices to clients and regulators and how to patch vulnerabilities.
- Consider cybersecurity insurance. Determine if a cybersecurity insurance policy will protect the firm against a catastrophic event.
- Implement policies and procedures. Develop policies and procedures governing all of the above and annually test whether they are being followed. Also, ensure ongoing employee training.
The 7 Most Important Attributes of a Chief Compliance Officer
A topic often raised by compliance officers and the bosses who love them.
- Regulatory Knowledge – A CCO must have an in-depth knowledge of the laws, regulations, interpretations, and regulatory positions as well as the firm’s compliance policies and procedures and their implementation.
- Firm Knowledge – A CCO must become intimate with the firm’s organization, finances, clients, and culture.
- Industry Experience – An effective CCO must advise his/her firm’s executives about how other industry players implement products, develop structures, work with the regulators, and utilize technologies.
- Analytical Intelligence – Dynamic firms in dynamic markets require a CCO who can be flexible enough to adopt new approaches, yet professionally skeptical of unproven methods, products and structures.
- Diplomatic – Knowledge and experience will only go so far if a CCO does not have the political skills to convince business executives.
- Calm – A CCO must always display grace under pressure and show confidence regardless of the situation and implications.
- Fearless – A CCO must exercise independence with senior executives and put personal issues aside while tackling difficult issues even in the face of possible personal liability.