PART I: Addressing Recent OCIE Risks—Inadequate Compliance Resources
Author: Amy D'Avella
This is the first in a series of blogs which will analyze the SEC’s Office of Compliance Inspections & Examination’s (OCIE) November 19 Risk Alert, titled OCIE Observations: Investment Adviser Compliance Programs.
Since requiring investment advisers to appoint Chief Compliance Officers (CCOs) in 2003, the SEC has treated CCOs as equals in the effort to prevent securities law violations. While CCOs have enjoyed vocal support from the SEC on their behalf, the SEC simultaneously piled on responsibilities and elevated compliance performance expectations.
CCOs currently have more than ever on their plate, and are navigating their broad portfolios while acutely aware of the laser focus of SEC enforcement on compliance programs, even sometimes holding CCOs personally liable for compliance failures.
On November 19, OCIE published a Risk Alert titled OCIE Observations: Investment Adviser Compliance Programs, which in part identified inadequate compliance resources as an increasing weakness in examinations of advisers. (See our earlier blog for a summary of the alert).
II. Why is the SEC highlighting this risk now?
The risks outlined in the alert are not new—the SEC routinely warns against the 1) dual-hatted CCO; 2) the inexperienced/uninformed CCO; and 3) the under-resourced CCO. Over the past 16 years, firms have struggled to allocate sufficient budget to compliance, overburdened CCOs with responsibilities beyond compliance, and deprived CCOs of the tools necessary to fulfill their mandate.
Inadequate CCO resourcing was a significant risk for firms prior to the 2020 pandemic, and the SEC correctly believes that COVID-19 has further amplified this problem. A few key issues have emerged to demonstrate the unique risks presented by COVID-19:
Firms must refresh SEC-required compliance policies and procedures in light of operational adaptations, firms must train employees on the changes;
Firms must update business continuity plans to ensure alignment with operational adaptations;
Proper supervision is complicated by employee dispersion while working from home;
Adviser representatives are working from home and could be putting client data at risk if they are not taking network safety precautions.
III. What is the risk exactly?
With this Risk Alert, the SEC is indicating that a) it will not grant any leeway on COVID-19-induced securities violations; and b) it is going to consider such violations more harshly if the firm neglected to properly staff the CCO.
Of all the issues identified in the Risk Alert, insufficient compliance resources is the linchpin: without a sufficiently supported CCO, a firm cannot meet any of its compliance requirements.
Consider the following common pitfalls:
1) The dual-hatted CCO: The CCO needs sufficient bandwidth
The danger of the dual-hatted CCO is that responsibilities outside compliance overwhelm the compliance role or create insurmountable conflicts of interests. While early on the SEC may have intended that the CCO rule would ensure at least some central oversight of the compliance program, over time the compliance program requirements have grown more demanding. Consequently, it is increasingly becoming more difficult for a CCO to split their duties while also living up to the SEC’s expectations for the CCO role. As the firm grows and enters periods of intense growth, this challenge often becomes impossible, particularly when the CCO is a practicing Financial Advisor, responsible for business development and marketing efforts, and/or the CCO serves as a Portfolio Manager.
Even where the dual-hatted responsibilities are potentially complementary, take for example a CCO who wears the second hat of COO, a single person shouldering the full responsibility of modifying business operations and confirming compliance in the wake of COVID-19 is potentially problematic. Failing to devote the necessary time to either role could have devastating impacts for a firm.
2) The inexperienced CCO: The CCO needs to know the relevant securities laws
The SEC never specified the exact qualifications of a CCO, but at a bare minimum, the CCO must know enough about the governing securities laws to design and implement a responsive compliance program. Often a CCO can find themselves lacking regulatory competence when they are overextended in a dual-hatted role, or simply neglected to study the rules.
This is a pretty easy leap—if the CCO does not understand the laws, then they cannot build and execute a compliance program that meets the legal requirements. The SEC can be very forgiving of compliance failures when they are made in good faith and within a structure of a thoughtful compliance program. Few things could be as devastating to an exam as willful ignorance.
3) The under-resourced CCO: The CCO needs sufficient internal buy-in and support
Of the three CCO-focused failures, this is probably the most frequent. Two factors are often the cause: 1) the firm does not allocate enough financial resources to compliance; and 2) the firm does not foster a culture of compliance, whether it’s a tone-at-the-top problem or the firm is not structured/willing to support compliance objectives.
Given the ever-increasing compliance to-dos imposed by the SEC, its challenging for a CCO alone to fulfill the firm’s compliance requirements. The SEC is not particularly sympathetic to the rising costs of a successful compliance program, whether its hiring staff or purchasing software to support the CCO is expensive; firms are expected to spend what is necessary so that the CCO can effectively perform.
IV. What’s the worst that could happen?
A firm could suffer fines, disgorgement, industry disbarment, and private litigation brought by clients. Whether as a result of SEC or individual action, an individual may be found personally liable for compliance failures. The fallout to the business itself could even be greater since these legal and regulatory actions pose substantial reputational and business risk. Particularly for firms catering to the institutional and high net worth marketplace, which are already highly competitive, regulatory discipline may be a dealbreaker for clients and prospective clients.
V. How can advisers minimize these risks?
The simple answer is to ensure the firm’s CCO 1) is able to devote a significant amount of their time and energy towards compliance; 2) is competent in investment adviser compliance; and 3) has sufficient budget and internal cooperation.
But SEC violations are not typically incurred because an adviser disregarded these three key elements—often advisers find themselves in trouble because they struggled to balance them. We are presently in as perilous a time period as we have been in decades thanks to the collision of a) unprecedented risks to adviser business posed by COVID-19; and 2) the SEC’s unwillingness to consider COVID-19 a mitigating factor in securities violations.
In this critical moment, all investment advisers should take stock of what their compliance program is doing well, and where improvements are needed. A few things to consider as you inventory your compliance resources and evaluate what additional resources might be necessary:
Prioritize a refresh of your compliance policies and procedures and business continuity plan. Memorialize the changes to firm operation and risk management you’ve made since adapting to COVID-19. The SEC will want to see that you carefully considered how your firm mitigated risks to your clients and prevented future COVID-19 ramifications.
Review your compliance program as a whole. Are your resources allocated proportionately to your biggest risks? If you are underspending on risks, consider reallocating your compliance budget or expanding it—some spending now can prevent disastrous costs, financial or otherwise, later.
Communicate to employees the import of the CCO’s mandate. Once you’ve refreshed your compliance policies and procedures and business continuity plan, empower your CCO to host a training to update employees on any changes.
If your CCO is dual-hatted, make sure that your tone-from-the-top encourages transparency from the CCO on how they are juggling duties. The CCO should feel free to communicate with firm leadership and receive their support when the CCO needs to delegate or back-burner other tasks so that compliance is not compromised.
Make sure that when your CCO asks for something, they receive it. When CCOs need documents or staff time, this means they are doing their job—don’t stand in their way.
Clear a path for your CCO to stay up to date on investment adviser regulation. Whether this is subscribing to a compliance industry publication or joining a trade group, make sure the CCO can tap into the latest legal developments.
Fortunately, by issuing the Risk Alert, OCIE has given advisers time to prepare for an exam that focuses on the issues identified. Though compliance may fall to the bottom of the list in a crisis, it is essential that firms take a moment to reevaluate whether their compliance program is effectively equipped to play a key role in weathering the storm.
Part II will focus on OCIE’s concerns regarding insufficient authority of CCOs. Later in our blog series we will provide guidance on a holistic approach to all issues raised in this most recent Risk Alert.
 Risk Alert, U.S. Sec. & Exch. Comm’n Off. of Compliance Inspections & Examinations, OCIE Observations: Investment Adviser Compliance Programs (Nov. 19, 2020), https://www.sec.gov/files/Risk%20Alert%20IA%20Compliance%20Programs_0.pdf  17 CFR § 275.206(4)-7(c) (2004).  See Compliance Programs of Investment Companies and Investment Advisers, 68 Fed. Reg. 247, 74,714 (“The proposed rules were designed to foster, among other things, improved compliance by clarifying the compliance obligations of fund management and to strengthen the hand of fund boards and compliance personnel when dealing with them.”); Peter Driscoll, Dir., Off. of Compliance Inspections and Examinations, U.S. Sec. & Exch. Comm’n, Speech at The National Regulatory Services Compliance Conference: How We Protect Retail Investors (Apr. 29, 2019), https://www.sec.gov/news/speech/speech-driscoll-042919#_ftnref17 (“It’s not an overstatement to say that I view compliance officers and personnel as partners.”). See also Andrew Ceresney, Dir., Division of Enforcement, U.S. Sec. & Exch. Comm’n, Keynote Address at the National Society of Compliance Professionals National Conference (Nov. 4, 2015), https://www.sec.gov/news/speech/keynote-address-2015-national-society-compliance-prof-cereseney.html (addressing compliance professionals, stating “First, you have the Commission’s full support. We rely on you as essential partners in ensuring compliance with the federal securities laws and we will do all we can to help you perform your work.”). See, e.g. Public Statement, Luis A. Aguilar, Comm’r, U.S. Sec. & Exch. Comm’n, The Role of Chief Compliance Officers Must be Supported (June 29, 2019), https://www.sec.gov/news/statement/supporting-role-of-chief-compliance-officers.html. See Mary P. Hansen, James G. Lundy, et. al, How to Manage the Risky Role of the Investment Adviser CCO in the 21st Century, 24 Inv. L., no.7 (2017), at 1 (“The demands of being a [CCO] of an investment advisory firm registered with the [SEC] have increased significantly over the last 10 years.”). See generally N.Y.C. Bar Ass’n Compliance Comm., N.Y.C. Bar Report on Chief Compliance Officer Liability in the Financial Sector 1 (2020), https://s3.amazonaws.com/documents.nycbar.org/files/Report_CCO_Liability_vF.pdf (“Based on recent regulatory enforcement actions, [financial firm] compliance officers face, and equally importantly, perceive, a growing risk of personal liability from the day-day performance of the compliance function.”). See, e.g. Ceresney, supra note 3 (describing three general categories of CCOs against whom the SEC brings action, including 1) CCOs who engaged in “misconduct unrelated to their compliance function”; 2) “CCOs who engage in efforts to obstruct or mislead the [SEC]”; and 3) “where the CCO has exhibited a wholesale failure to carry out his or her responsibilities.”); Gene Gohlke, Assoc. Dir. Off. of Compliance Inspection and Examinations, U.S. Sec. & Exch. Comm’n, Speech to Managed Funds Association, Educational Seminar Series: A Job Description For CCOs of Advisers to Private Investment Funds (May 5, 2005), https://www.sec.gov/news/speech/spch050505gg.htm (“The extent to which a compliance program will achieve the objectives laid out by the Commission is also, to a certain extent, dependent on the abilities of the CCO and the Commission, in its Adopting Release, identified three attributes that a CCO should have: knowledge, competence, and empowerment. In essence, the Commission described two general attributes, or qualities, that an advisory firm's CCO should possess, and a third attribute that depends more on the CCO's position in the firm's organization.”). C.f. Kristin Broughton, Compliance Layoffs, Budget Cuts Raise Prospect of Looser Internal Oversight, Wall St. J. (May 27, 2020), https://www.wsj.com/articles/compliance-layoffs-budget-cuts-raise-prospect-of-looser-internal-oversight-11590404400?mod=searchresults_pos2&page=3 (discussing corporate compliance budget cuts among both companies most affected by COVID-19 and even those less affected).  SeeSecurities Industry and Financial Markets Association, White Paper: The Evolving Role of Compliance 2-3 (2013), https://www.sifma.org/wp-content/uploads/2017/05/the-evolving-role-of-compliance.pdf (noting that in the aftermath of the 2008 financial crisis, new regulations expanded the portfolio of the compliance function. Whereas prior to 2008 compliance teams were primarily consumer-protection focused, they are now charged with new responsibilities for managing systemic risks).  See generally Risk Alert, U.S. Sec. & Exch. Comm’n Off. of Compliance Inspections & Examinations, Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020), https://www.sec.gov/ocie/announcement/risk-alert-covid19-compliance (outlining adviser compliance areas particularly vulnerable to COVID-19 disruptions); Peter Driscoll, Dir., Off. of Compliance Inspections and Examinations, U.S. Sec. & Exch. Comm’n, Speech at National Investment Adviser/Investment Company Compliance Outreach: The Role of the CCO – Empowered, Senior and With Authority (Nov. 19, 2020), https://www.sec.gov/news/speech/driscoll-role-cco-2020-11-19 (“As firms continue to develop new ways to cope with [COVID-19], new challenges may arise from the solutions.”). See 17 68 Fed. Reg. 247 at 74,720 (limiting the professional minimum requirements of an investment adviser CCO, stipulating only that the CCO “should be competent and knowledgeable regarding the Advisers Act . . .”).  Bob Grohowski, Sanjay Lamba, Managing Rising Compliance Costs is a Zero-Sum Game, IAA Blog (Feb. 8, 2016), https://www.investmentadviser.org/news/iaa-blog/2016-posts/managing-costs (“Since the SEC started requiring advisers to implement a formal compliance program and hire a chief compliance officer, there has been a steady stream of new regulations that each demand a significant compliance infrastructure: the formal implementation of codes of ethics, surprise exams under the custody rule, pay-to-play, procedures to address identity theft, narrative disclosures in brochures, and new reporting obligations for advisers that manage private funds. Then there are the significant new regulations proposed in 2015 . . . And that’s only the SEC.”).  Deloitte, Global Survey on Reputational Risk 12 (2014), https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-Compliance/gx_grc_Reputation@Risk%20survey%20report_FINAL.pdf (reporting that in a survey of financial services executives who experienced a reputational risk incident, 45% of respondents cited regulatory investigation as the most significant consequence, 38% cited impact on revenue/earnings as the largest impact).