Refreshing the Annual Review Process to Address Business and Regulatory Risks

Rule 206(4)-7 requires each registered adviser to review its policies and procedures no less frequently than annually, to determine their adequacy and the effectiveness of their implementation. But what’s the best way to approach this review? How are other firms meeting this requirement? At the recent Ascendant Compliance Solutions Strategies 2019 Spring Conference in Miami Beach, a panel of compliance experts offered their insights during the pre-conference workshop, “Refreshing the Annual Review Process to Address Business and Regulatory Risks.”

The session began with a reminder that Rule 206(4)-7 requires each adviser to adopt and implement written policies and procedures, to conduct an annual review, and to designate a Chief Compliance Officer to administer its compliance policies and procedures. The panel stressed that each firm’s compliance manual must be customized. John Gentile, Director of Private Fund Manager Services and Director of Broker-Dealer Services for CSS, noted that when he was an SEC examiner, he “found firms didn’t always do what’s in the compliance manual, and that was a problem.” You may have a great compliance manual written by a top law firm, but if the manual is not tailored to your firm, and your firm is not doing what it says, the firm will start off a regulatory examination on the wrong foot. Heather Kaden, Head of Investment Advisory Compliance for Jennison Associates LLC, advised that CCOs “must know every word of your compliance manual.”

In addition to tailoring policies and procedures to your firm’s business, the panel advised that firms avoid designating the CCO as the one responsible for doing everything. To the extent practicable, structure the firm’s policies and procedures where the CCO serves as a consultant to support the business, and committees or supervisors carry out the day-to-day responsibilities. This advice extends to the annual review process as well—the CCO should not operate in a vacuum!

Eugenie Warner, a Senior Consultant, Content Expert and Associate General Counsel with CSS, suggested beginning the annual review right after the SEC issues its exam priorities notice, and stressed that “‘annual’ is a misnomer—the best practice is to conduct continuous reviews and compile the results and recommendations annually.”

Begin the process with a formal review of your risk assessment, be sure to include management in the process, and then set a testing plan based on the results. Including management at this stage can also lead to greater buy-in: they’ll understand why you’re asking for materials, and it can help you schedule testing to better align with their calendars. They may even have their own testing priorities. The risk assessment should consider your business model as well as recent SEC risk alerts and regulatory hot topics.

Remember that the annual review should not fall solely on the CCO. Include business personnel (operations, trading) and auditors (SOC 1), and consider retaining outside assistance. The testing plan should identify where the CCO will test directly and where the CCO will incorporate or verify testing completed by others. Leverage available technology and consider where additional software can increase efficiency and reduce the potential for errors. Ask custodians whether there are additional reports they can provide. If your firm is a dual registrant, clearing firms will have multiple monitoring reports that can help, such as reverse churning reports.

The steps taken to conduct the testing should be documented, along with the results. However, you should avoid writing legal conclusions in your report. Ms. Kaden advised that “having a review where you have no exceptions is probably a red flag for the SEC,” but the report should not include conclusive terms such as violation, fraud, deficiency, crook, or similar words. While using your work plan to guide testing over the course of the year, if you miss something, document that the testing was completed at a later date. Never backdate the testing. Once all the testing is completed, prepare a summary of the work, the gaps identified, and recommendations.

Mr. Gentile also stressed the importance of documentation. “If the review is well-documented, you have something tangible you can send (the SEC). This can demonstrate you don’t need the SEC exam to prompt effective testing. You’re doing it effectively yourself. It may result in an easier exam.” In addition to being prepared to provide a copy of the annual review to the SEC when they examine you, bear in mind that clients may also request the report, especially institutional clients who need to provide it to their boards.

In wrapping up the workshop, the panel offered best practices for forensic testing. If you’re looking to refresh your annual review to better address business and regulatory risks, consider incorporating some of these ideas!

Gifts and Entertainment (Given)
  • Review of T&E reports
  • Email lexicon reviews
  • CRM activity (for lobbying, FCPA activity)
Gifts and Entertainment (Received)
  • Entertainment trends (frequency, value) with brokers
  • Broker trading activity patterns
  • Employee entertainment volume analysis
Pay to Play
  • Sample review of public campaign websites
  • Post-contribution check against pre-clearance request
Conflicts of Interest
  • Email surveillance
  • Personal trading reviews
Personal Trading
  • Front running (review personal trades within X days of firm trades)
  • Employee personal trade volume analysis
  • Expert networks
  • Corporate management meetings
  • Top 10 / Bottom 10
  • Review trades in opposite directions
Trade Allocation
  • Performance dispersion
  • Trade order sequencing
Marketing Materials
  • Sample review of compliance comments v. final materials
Social Media
  • Spot check employee LinkedIn profiles


Ascendant, the compliance services division of CSS, offers help in completing the required annual compliance review under SEC rules, including documentation and recommendations for enhancements to the company’s policies and procedures, and other best practices for consideration. For more, explore our solutions or contact us.
