Effective Compliance Policies & Procedures and Annual Reviews: Meeting the Reasonably Designed Standards

Sometimes it seems that enough is never really enough. While compliance officers have grown intimately familiar with SEC Rule 206(4)-7 over the past 15 years since the Rule became effective, deficiencies in connection with the Compliance Program Rule continue to rank among the most frequently cited issues identified in OCIE examinations of investment advisers. It seems that the bar is constantly rising.

Simply having written policies and procedures, and conducting an annual review is not enough! As CCOs, we must implement compliance policies and procedures that are “reasonably designed to prevent violations” and review their “adequacy” and the “effectiveness” of their implementation.  Conspicuously, the Rule does not explicitly direct CCOs to identify and address violations; rather, the goal is prevention.

It’s a bit of a chicken-and-egg situation: if you have a violation, you have to ask whether your policies and procedures were reasonably designed to prevent the violation. According to the People’s Law Dictionary, “reasonable” means just, rational, appropriate, ordinary or usual in the circumstances. “Reasonable,” of course, is in the eye of the beholder. In this case, the beholder is the SEC.

In considering the reasonably designed standard, confirm that your compliance policies and procedures address the topics noted in the Rule’s adopting release. Also, determine what additional policies and procedures your firm may need to address conflicts and risk exposures relating to its particular operations. They need to be tailored to your firm and you must ensure they are appropriate in light of staff and other resources, such as technology. Remember that if you’re violating your own policies, this is going to be cited, so don’t set yourself up to fail.

It’s important to keep abreast of business developments in order to timely update or implement new policies and procedures. Be sure to attend and actively participate in meetings you’re invited to, and consider inviting yourself to be a guest at meetings you don’t normally participate in. These can be great opportunities to think about how the firm’s policies and procedures are functioning on a day-to-day basis. As a practical matter, when updating your compliance manual or implementing new policies and procedures, ask the people who will be performing the tasks to review and provide input.

By Rule, a review of the compliance program must occur no less than annually. In reality, most CCOs review policies and procedures continually throughout the year by performing testing and overseeing the implementation of and compliance with policies and procedures. Conducting an effective review requires questioning such as:

  • Have problems with the subject matter area addressed by the policy been detected?
  • Based on what has been detected, should the policy be revised or amended?
  • Is there a better approach to preventing violations of the policy?

Approaches to testing should vary and the frequency of testing is generally determined by the risk associated with the function. Leverage technology to the extent possible. Determine the capabilities of existing software including reporting capabilities. Exception reports can automate certain reviews, for example, to flag for violations of investment guidelines. As a reminder, when testing the compliance policies and procedures, be sure to test the technology systems you rely upon to ensure they are functioning as intended.

While Rule 206(4)-7 does not require the Annual Review to be memorialized in a written report, it’s awfully hard to prove that the review occurred if it isn’t memorialized in some form. Some CCOs prepare a detailed report outlining the testing that occurred, results, violations and recommendations, while others prefer more of a high-level summary. Regardless of the format, the Annual Review Report should be a compilation of the ongoing compliance program reviews conducted throughout the course of the past year.

Remember: the SEC will ask for your annual reviews. Even if you take a high-level summary approach, be prepared and knowledgeable about what the review entailed, what issues were identified, and be sure you’re taking action on all recommendations. Your annual review, and the report memorializing the review, will be key in demonstrating the reasonableness and effectiveness of your compliance program.

Interested in learning more tips on Meeting the Reasonably Designed Standard? Listen to our recent ComplianceCast webinar.

Need help with your annual review? Check out our services and contact us.

Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Latest Content

Time to Use the Bat Phone: Who to Call When a Compliance Officer Needs Help?

It seems that the burden of work continues to increase for compliance professionals in the investment management industry. While also ensuring that their compliance program is effective, compliance officers must also be aware of cybersecurity threats, business continuity plans, new regulations, changes in business strategy, and more – all while doing this under a work … Continued

Texas Outlaws and a Silver Bullet: Position Limits in the USA

In this first installment on position limits, Regulatory Guidance expert Greg Hotaling surveys the current landscape of position limits imposed for U.S.-listed commodity derivative holdings, which can affect investment firms and other speculative investors regardless of where they are based. Stay tuned for coverage of EU position limits in the next edition. “Who shot J.R.?!” … Continued

FAQs From the Cyber Desk

Cybersecurity is a fast-moving target, so it is not uncommon for firms to have questions when it comes to assessing and understanding their cybersecurity risks. Here at CSS we receive a lot of cybersecurity questions, so we thought we would take the time to answer 10 of the most common Frequently Asked Questions. (1) What … Continued