The staff of the SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert reporting significant compliance and supervision deficiencies. Based on data collected from a 2017 sweep of over 50 advisers, OCIE found significant weaknesses in how firms hired, supervised, and disclosed information about employees with disciplinary histories. The OCIE staff also cited frequent compliance deficiencies including failures to supervise how fees are charged, what marketing materials are distributed, and whether remote workers complied with firm policies. OCIE also discovered that many advisers allocated compliance responsibilities but failed to assign those responsibilities or neglected to require documentation. The OCIE staff recommends that advisers “reflect on their practices” and implement such best practices as enhanced hiring due diligence, background checks, heightened supervision, and remote-office monitoring.
How many times must OCIE warn the industry about compliance, and how many enforcement actions will it take, before firms implement a legitimate compliance program? An investment adviser should spend at least 5% of revenue on compliance, hire a dedicated Chief Compliance Officer, adopt tailored policies and procedures, test the program every year, and prepare a written compliance report of deficiencies and remediation.
Firms should seriously re-consider tying portfolio management compensation directly to fund performance, especially where the PM is responsible for Level 3 (non-exchange traded) fair-valued securities. For both the C-suite and compli-pros, this case shows how a failure to properly supervise one bad employee can blow up your firm. As for the PM (and any other potential wrongdoer), the industry bar will make it difficult to find a job to get out of the six-figure hole resulting from the wrongdoing.
FINRA censured and fined a broker-dealer for inadequate email reviews. Although the firm, through its President/CCO, conducted weekly reviews, FINRA charges that the firm’s random sampling and lexicon-based reviews were not sufficient given the firm’s size and risk areas. The firm used 24 search terms provided by its email provider, but FINRA asserts that the search terms did not reflect a meaningful assessment of risk areas and resulted in a large number of false positives. FINRA faults the firm for failing to change the email reviews “[d]espite the obvious indications that the firm’s lexicon system was not reasonably designed.” FINRA also criticizes the firm’s Written Supervisory Procedures for omitting specific email review procedures.
Just doing email reviews isn’t enough. A firm must conduct effective email reviews that can statistically assess whether supervised persons are complying with the securities laws. We call this “compliance alchemy,” i.e., the appearance of compliance without the implementation of adequate procedures and testing.
FINRA fined a large broker-dealer $2 million for under-resourcing its compliance function, thereby allowing unlawful short-selling. As the firm’s trading activity increased, the firm continued to rely on a primarily manual system to monitor compliance with Regulation SHO’s requirements. The handful of employees tasked with monitoring trading requested more resources as their 12-hour workdays could not adequately surveil the activity of 700 registered representatives. FINRA alleges that the firm routinely violated Regulation SHO by failing to timely close out positions, illegally routing orders, and failing to issue required notices. As part of the settlement, the broker-dealer also agreed to hire an independent compliance consultant.
OUR TAKE: Firms need to track business activity to ensure that compliance and operations infrastructure keep up with the business. A good metric is whether the firm spends at least 5% of revenues on compliance infrastructure, including people and technology.
Broker-dealers and advisers must abandon the dual-hat compliance model, the practice of naming a non-regulatory professional with multiple executive roles. Firms must retain a competent and dedicated Chief Compliance Officer either by hiring a full-time employee or by retaining the services of an industry-recognized outsourcing firm.
OUR TAKE: Failure to prevent wrongdoing creates a burden and inference that your compliance policies and procedures do not measure up. In this case, the SEC did not offer insight into how the firm should conduct allocation testing or whether such testing would have stopped the misconduct. Instead, the SEC argues that the cherry-picking itself proves that the firm failed to implement reasonable policies and procedures. This is why firms need to implement testing and monitoring and not just write a nice policy.
OUR TAKE: Having a valuation control function is not the same as having an effective valuation control function. Global firms must consider metrics before gutting compliance and supervisory functions that could ultimately allow bad actors to put the firm at risk. Firm leaders should think of compliance and supervision as the defense to protect assets and the firm’s reputation. And, defense wins championships.
OUR TAKE: Having policies and procedures, but taking no significant action against those who violate them, eviscerates their purpose. This compliance voodoo – the mere appearance of a compliance program – will draw the ire of the regulators.