In his opening remarks at the National Investment Adviser/Investment Company Compliance Outreach 2020, held virtually on November 19, 2020, Peter Driscoll, Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), gave advice to registered investment advisors (“RIAs”) that will help them now and in years to come. Driscoll discussed the challenges faced by chief compliance officers (“CCOs”), as well as stressed the importance of CCOs obtaining empowerment, seniority, and authority within their firms in order to ensure their effectiveness.
Driscoll’s speech is available here.
Examinations move forward despite Covid-19
Even with Covid-19, OCIE examiners continued to conduct examinations of RIAs. In fiscal year 2020, OCIE conducted over 2,950 examinations, including 15 percent of all SEC-registered investment advisers. Examiners verified 4.8 million investor accounts that contained $3.4 trillion in assets. Driscoll reported that OCIE held over 300 outreach events, published its Cybersecurity and Resiliency Observations, and released eight risk alerts. OCIE’s educational efforts are designed to drive a culture of compliance.
On the day Driscoll gave his speech, OCIE published a risk alert relating to Rule 206(4)-7 of the Investment Advisers Act of 1940, commonly referred to as the “Compliance Rule.” That risk alert can be reviewed here. An analysis of that risk alert is available here.
Examiners’ expectations of CCOs’ role in the organization
The Compliance Rule requires each RIA to designate a CCO to administer its policies and procedures. The Adopting Release for that rule stated that CCOs should be competent and knowledgeable regarding the Investment Advisers Act and its rules. CCOs should be empowered to develop, implement, and enforce appropriate policies and procedures. In addition, CCOs should possess sufficient authority and seniority to compel others to comply with the firm’s policies and procedures.
Driscoll expressed concern about RIAs with a CCO who is too low in the organization to make meaningful changes. This includes situations where a CCO is a mid-level officer or is placed under the CFO function. CCOs should have a meaningful seat at the table and should not be made to feel that they are one “no” answer away from being terminated. When an RIA has changed CCOs recently or frequently, examiners are likely to ask about the circumstances surrounding those events.
According to Driscoll, examiners will notice when:
Examiners will also notice when a firm’s compliance function is underfunded.
Best practices for CCOs
Examiners will take note of firms’ best practices such as:
Effective CCOs offer proactive compliance guidance on new or amended rules that may provide RIAs with additional business options.
Compliance is not solely the responsibility of the CCO. According to Driscoll, CCOs should not and cannot ensure compliance by themselves. They should not and cannot be held responsible for all of a firm’s compliance failures.
Driscoll emphasized how important it is for firms to have a culture of compliance. Without a culture that truly values the CCO and the sincere support of senior management, an RIA may lose the hard-earned trust of clients, investors, customers, and other key stakeholders.
No CCO, no matter how diligent and capable, can be effective without the full support of management. Support from management is demonstrated by allocating sufficient resources to the compliance function. According to Driscoll, the resources provided should be based on the RIA’s business model, size, sophistication, and advisor representative population and dispersal. The resources allocated for compliance will not necessarily be correlated to the firm’s revenues, budget, or assets under management. Furthermore, the need for resources may change as the RIA’s business model grows or shrinks, new business strategies are adopted, or as compliance weaknesses are identified.
Conclusion
Many CCOs are currently handling all of their roles virtually. Driscoll recognized that CCOs and their staffs have difficult jobs, which are even more challenging because of Covid-19.
Compliance must be integral to an RIA’s business and part of its senior leadership. CCOs need to be fully engaged in activities involving conflicts of interest, disclosures to clients, fee calculations, and protection of clients’ assets.
Driscoll did not definitively say to whom CCOs should report in an organization. The answer, Driscoll said, depends on the size of the organization, the leadership structure, the CCO’s experience, and the firm’s compliance culture. At a minimum, CCOs should have a direct line of reporting to senior management. Even better, they should be part of senior management.
In all cases, CCOs should be empowered to address compliance weaknesses directly. They must also be able to report concerns directly to senior management, no matter who or what is the source of the problem.