Effective Compliance Policies & Procedures and Annual Reviews: Meeting the Reasonably Designed Standards

Sometimes it seems that enough is never really enough. While compliance officers have grown intimately familiar with SEC Rule 206(4)-7 over the past 15 years since the Rule became effective, deficiencies in connection with the Compliance Program Rule continue to rank among the most frequently cited issues identified in OCIE examinations of investment advisers. It seems that the bar is constantly rising.

Simply having written policies and procedures and conducting an annual review is not enough! As CCOs, we must implement compliance policies and procedures that are “reasonably designed to prevent violations” and review their “adequacy” and the “effectiveness” of their implementation. Conspicuously, the Rule does not explicitly direct CCOs to identify and address violations; rather, the goal is prevention.

It’s a bit of a chicken-and-egg situation: if you have a violation, you have to ask whether your policies and procedures were reasonably designed to prevent the violation. According to the People’s Law Dictionary, “reasonable” means just, rational, appropriate, ordinary or usual in the circumstances. “Reasonable,” of course, is in the eye of the beholder. In this case, the beholder is the SEC.

In considering the reasonably designed standard, confirm that your compliance policies and procedures address the topics noted in the Rule’s adopting release. Also, determine what additional policies and procedures your firm may need to address conflicts and risk exposures relating to its particular operations. They need to be tailored to your firm and you must ensure they are appropriate in light of staff and other resources, such as technology. Remember that if you’re violating your own policies, this is going to be cited, so don’t set yourself up to fail.

It’s important to keep abreast of business developments so that you can update existing policies and procedures, or implement new ones, in a timely manner. Be sure to attend and actively participate in meetings you’re invited to, and consider inviting yourself to be a guest at meetings you don’t normally participate in. These can be great opportunities to think about how the firm’s policies and procedures are functioning on a day-to-day basis. As a practical matter, when updating your compliance manual or implementing new policies and procedures, ask the people who will be performing the tasks to review and provide input.

By Rule, a review of the compliance program must occur no less than annually. In reality, most CCOs review policies and procedures continually throughout the year by performing testing and overseeing the implementation of and compliance with policies and procedures. Conducting an effective review requires questioning such as:

  • Have problems with the subject matter area addressed by the policy been detected?
  • Based on what has been detected, should the policy be revised or amended?
  • Is there a better approach to preventing violations of the policy?

Approaches to testing should vary, and the frequency of testing is generally determined by the risk associated with the function. Leverage technology to the extent possible. Determine the capabilities of existing software, including reporting capabilities. Exception reports can automate certain reviews, for example, to flag violations of investment guidelines. As a reminder, when testing the compliance policies and procedures, be sure to test the technology systems you rely upon to ensure they are functioning as intended.

While Rule 206(4)-7 does not require the Annual Review to be memorialized in a written report, it’s awfully hard to prove that the review occurred if it isn’t memorialized in some form. Some CCOs prepare a detailed report outlining the testing that occurred, results, violations and recommendations, while others prefer more of a high-level summary. Regardless of the format, the Annual Review Report should be a compilation of the ongoing compliance program reviews conducted throughout the course of the past year.

Remember: the SEC will ask for your annual reviews. Even if you take a high-level summary approach, be prepared and knowledgeable about what the review entailed and what issues were identified, and be sure you’re taking action on all recommendations. Your annual review, and the report memorializing the review, will be key in demonstrating the reasonableness and effectiveness of your compliance program.
