Memo #
32952

OCIE Updates: The 2020 National Outreach Program; the Director's Views About CCOs; and OCIE's Risk Alert Containing Observations on Advisory Compliance Programs
| Print

[32952]

December 1, 2020 TO: ICI Members
Chief Compliance Officer Committee SUBJECTS: Compliance RE: OCIE Updates: The 2020 National Outreach Program; the Director's Views About CCOs; and OCIE's Risk Alert Containing Observations on Advisory Compliance Programs

 

This memo is intended to update you on three recent activities of OCIE: (1) its 2020 National Compliance Outreach Program; (2) the opening remarks that OCIE’s Director gave at that program, The Role of the CCO – Empowered, Senior, and With Authority; and, (3) OCIE’s latest Risk Alert, which discusses OCIE’s observations on investment advisers’ compliance programs.  Each of these is briefly summarized below with links to obtain more information. 

OCIE’s 2020 National Compliance Outreach Program

On November 19th, OCIE held its latest National Outreach Program for Investment Adviser and Investment Company Senior Professionals. This program, which lasted approximately 5 hours, consisted of four panels and opening and closing remarks by OCIE’s Director, Pete Driscoll.  The program was held virtually and an archive of it is available on the SEC’s website at: https://www.sec.gov/compliance-outreach-program-national-seminar-2020.[1] The program’s panels were as follows: 

  • Remarks from the SEC’s Directors– which included remarks from the Directors of OCIE (Pete Driscoll) and Investment Management (Dahlia Blass) and the Assistant Director of the Division of Enforcement (Marc Berger). [The comments of Director Driscoll are summarized next in this memo.] 
  • Panel I: Information Security and Operational Resiliency– which included a discussion of: the SEC’s operations during the pandemic; remote work; and OCIE’s observations relating to BCPs, disclosure, and supervision. The panel Administrator was Erica Gould (OCIE Exam Manager, San Francisco Regional Office) and the panelists were: Kristin Snyder (OCIE), David Joire (IM), Michelle Kelley (LPL Financial LLC), and Kristina Littman (Enforcement’s Cyber Unit).
  • Panel II: Undisclosed Conflicts of Interest– which discussed the impact of business practices on creating risks and conflicts of interest; disclosure of financial conflicts related to compensation; and steps advisers take to mitigate or address conflicts. The panel Administrator was Mark Wszolek (OCIE Staff Accountant, Atlanta Regional Office) and the panelists were: Dan Kahl (OCIE), Kimberly Frederick (Enforcement’s Asset Management Unit (AMU)), Janet Grossnickle (IM), and Jeannie Lewis (William Blair & Company).
  • Panel III: Registered Funds – which discussed recent regulatory developments, emerging risks, and common staff observations. The panel Administrator was Keith Kanyan (Program Specialist, OCIE National Exam Program) and the panelists were:  Kevin Christy (OCIE), Brian Johnson (IM), Joseph McGill (Lord Abbett), and Corey Schuster (Enforcement AMU).
  • Panel IV: Hot Topics – which, as its name indicates, focused on current hot topics including: issues affecting retail and senior investors, fin-tech, inconsistencies between practices and disclosure, and sustainable and responsible investing. The panel Administrators were Merryl Hoffman and Rachel Lavery (Senior Regulatory Counsel OCIE, New York Regional Office) and the panelist were: Marshall Gandy (OCIE), Lewis Collins (GW&K Investment Management), Jennifer McHugh (IM), and Jeremy Pendrey (Enforcement AMU)

Closing remarks were made by Pete Driscoll. 

The Role of the CCO From OCIE’s Perspective 

As noted above, OCIE’s Director, Pete Driscoll, provided opening remarks at OCIE’s National Compliance Outreach Program.  During his remarks, The Role of the CCO – Empowered, Senior, and With Authority,[2]he noted the following:

  • OCIE remained fully operational during the pandemic;
  • In light of health and safety concerns, OCIE has conducted examinations offsite through correspondence and they are working with registrants to address the timing of their requests, availability of registrant personnel, and other matters to minimize disruption;
  • OCIE continues to collect information from registrants regarding the pandemic’s impact on their operations, including their operational resiliency and fund liquidity;
  • OCIE has found registrants’ BCPs to be generally beneficial in addressing the impact of the pandemic;
  • “Many of the issues with implementing business continuity and pandemic plans have been minor and were addressed quickly;”
  • Concerns or challenges that will require more active revisiting and monitoring include cybersecurity, data protection concerns, addressing market volatility and spiked volume, firms maintaining their financial solvency, and concerns regarding customers with financial hardships;
  • The burdens on firms to adapt to processes such as remote due diligence on service providers and sub-advisers will require considerable attention by advisory firms;
  • New technology adopted to address business or compliance needs during the pandemic may bring with it risks that will need to be evaluate by skilled and knowledgeable compliance departments;
  • During 2020, OCIE conducted almost 3000 examinations, including 15% of registered advisers; conducted over 300 outreach events; issued a report on Cybersecurity and Resiliency Observations; and published eight risk alerts;
  • OCIE tries to assist CCOs by being as transparent as possible about the deficiencies it commonly sees during exams. This, in part, informs registrants of OCIE’s concerns even when the registrant has not been subject to an exam;
  • To be effective, CCOs need to be empowered and have both seniority and authority;
  • Good practices OCIE has observed evidence a firm’s commitment to compliance include CCOs being routinely included in business planning, strategy sessions, and early involvement in decision-making; have access and interaction with senior management; and having prominence in the firm;
  • CCOs must have adequate resources to support the compliance function and OCIE “cannot overstate a firm’s continued need to assess” this issue;
  • A firm’s compliance department must be fully integrated into the business of the adviser for it to be effective;
  • The critical function of compliance should not all fall on the shoulders of the CCO – without the support of management, “no CCO, no matter how diligent and capable, can be effective;”
  • “The cause or blame for a compliance issues for failure typically does not sit only with the CCO and many not sit at all with the CCO.” OCIE appreciates that often the CCO is the person responsible for identifying a problem and fixing it;
  • When asked to whom a CCO should report in an organization, Director Driscoll believes it depends on the size of the organization, the leadership structure, the experience of the CCO, and the compliance culture. At a minimum, however, the CCO “should have a direct line of reporting to senior management” and “should be empowered to address compliance weaknesses directly, and report concerns directly to senior management, no matter the source of the problem;”
  • In terms of how much a firm should budget for the compliance function, according to Director Driscoll, there is no standard or rule “but it is something we definitely notice on examinations, particularly where we see an underfunded compliance department.” While there “is not always a correlation in the amount of the firm’s revenues, percentage of its budget, or its assets under management . . .  the need for resources must be continually reassessed, as the firm’s business model may grow or shrink, as new business strategies are adopted, or as weaknesses in compliance are identified.”

Director Driscoll closed his remarks by noting that,

[W]ithout a culture that truly values the CCO, supported by a sincere ‘tone at the top’ by senior management, a firm stands to lose the hard-earned trust of its clients, investors, customers, and other key stakeholders. As the Commission stated [in its release adopting the compliance rule], CCOs should be empowered, senior and have authority, but CCOs should not and cannot do it alone and should not and cannot be responsible for all compliance failures.

OCIE’s Latest Risk Alert: Observations on Investment Adviser’s Compliance Programs

On November 19, 2020, OCIE published its latest Risk Alert, Investment Adviser Compliance Programs.[3] This Risk Alert “provide an overview of notable compliance issues” identified by OCIE during its exams of advisers. The Risk Alert discusses each of the following types of Compliance Rule deficiencies and weaknesses identified by OCIE:

  • Inadequate compliance resources, including those related to information technology, multiple professional responsibilities, staff, and training;
  • Insufficient authority of the CCO, including denying CCOs access to critical information, the CCO’s limited interaction with senior management, and failure of staff to consult with the CCO about matters that had potential compliance implications;
  • Annual compliance review deficiencies, including failure to evidence the review was conducts, identify risks, and review all significant aspects of the adviser’s business;
  • Implementing actions required by the adviser’s written policies and procedures, including an adviser failure to act consistently with it written policies and procedures;
  • Maintaining accurate and complete information in the adviser’s compliance policies and procedures; and
  • Failure to establish, implement, or appropriate the adviser’s written policies and procedures in the following areas:
    • Portfolio management
    • Marketing
    • Trading practices
    • Disclosures
    • Advisory fees and valuation
    • Safeguards for client privacy
    • Required books and records
    • Safeguarding of client assets and
    • Business continuity plans.

In sum, the Risk Alert encourages advisers to review their written policies and procedures and their implementation “to ensure they are tailored to the advisers’ business and adequately reviewed and implemented.”

 

Tamara K. Salmon
Associate General Counsel

 

endnotes

[1] The agenda for the program and speakers’ biographies are also available through this link.

[2] Director Driscoll’s remarks are available at: https://www.sec.gov/news/speech/driscoll-role-cco-2020-11-19.

[3] The 6-page Risk Alert is available at: https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf.