The objective of the compliance program is to prevent, detect and correct violations of securities laws. To this end, investment advisers registered under Section 203 of the Investment Advisers Act of 1940 (the “Advisers Act”) are required to have a compliance program. Rule 206(4)-7 of the Advisers Act, commonly referred to as “the compliance rule,” has three requirements:

  1. Policies and procedures: Adopt and implement written policies and procedures reasonably designed to prevent, detect and correct violations of securities regulations. 

  2. Annual review: Review, no less frequently than annually, the adequacy of the policies and procedures and the effectiveness of their implementation.
  3. Chief compliance officer: Designate an individual responsible for administering the firm’s compliance program.

Compliance Policies and Procedures

A policy is a guiding principle used to set direction in an organization. A procedure is a series of steps to be followed as a consistent approach to accomplish a desired result consistent with the policy. As an example, an adviser may have a policy stating cash deposits will not be accepted. The procedure would indicate staff must not accept the cash deposit and must log the refusal in the deposit log. Policies and procedures are the building blocks of a compliance program.

Rule 206(4)-7 does not set forth specific elements for creating a robust compliance program. Rather, the firm must analyze its individual operations, identify the conflicts of interest and the operational risks of its advisory business and then design policies and procedures and internal controls that address those risks and conflicts.

The staff of the Securities and Exchange Commission’s (SEC) Division of Investment Management provided guidance in the adopting release of Rule 206(4)-7, stating that it expects an adviser’s policies and procedures to at least include provisions addressing the following matters, as applicable to the firm’s business:

  • Portfolio management processes, including allocation of investment opportunities among clients, adherence to client investment objectives and restrictions, and compliance with regulatory requirements.
  • Accuracy of disclosures made to investors, clients and regulators including, without limitation, with respect to portfolio management processes, account statements, advertisements, etc. 

  • Proprietary trading for the adviser’s own account and the personal trading activities of its supervised persons (as defined below). 

  • Potential conversion or inappropriate use of client assets by the adviser’s personnel. 

  • Creation and maintenance of required books and records to prevent their unauthorized alteration, use or untimely destruction.

  • Privacy safeguards for client records and information. 

  • Trading practices, including procedures for best execution, use of client brokerage to obtain research and other services (referred to as “soft dollar arrangements”), and allocation of aggregated trades among clients.

  • Marketing practices, including the use of solicitors.
  • Valuation of client holdings and assessment of fees based on those valuations. 

  • Business continuity plans. 

An SEC-registered adviser must adopt a code of ethics, which serves as an integral component of the adviser’s compliance program. Rule 204A-1 of the Advisers Act sets forth the requirements that every SEC-registered adviser must address in a written code of ethics. The code must, at a minimum, apply to all of an adviser’s supervised persons and include: 

  • Standards of business conduct for supervised persons reflecting the adviser’s and the supervised persons’ fiduciary obligations. 

  • A requirement for all supervised persons to comply with applicable federal securities laws. 

  • A requirement that all access persons (as defined below) report, and the adviser review, their personal securities transactions and holdings according to a strict schedule.

  • A requirement that supervised persons report any violations of the code promptly to the chief compliance officer (CCO) and any other persons of authority as designated in the code.
  • A requirement that the adviser provide supervised persons with a copy of the code and obtain written acknowledgments of receipt from supervised persons. 

An adviser’s “supervised persons” are its officers, directors, partners (and other persons of similar status or function) and employees, as well as any person who provides investment advice on the adviser’s behalf and is subject to its control and supervision. An adviser’s “access persons” are a subset of its supervised persons who either: (1) have access to nonpublic information regarding client transactions or portfolio holdings of any “reportable fund”* or (2) are involved in making securities recommendations to clients or have access to such recommendations, which are nonpublic.

The definition of access person in rule 204A-1 states that: if providing investment advice is the adviser’s primary business, all of the adviser’s directors, officers and partners are presumed to be access persons.

Writing Policies and Procedures

Written procedures should follow the “who,” “what,” “when” and “how” format.

  • “Who” must follow the procedure?

  • “What” steps must be performed?

  • “When” is the procedure applicable?
  • “How” are the steps to be performed?

Here is an example of a policy and procedure using this format:

Policy: Prior to opening an account, the adviser requires each client to execute a written advisory agreement with the firm. The adviser will not provide any advisory services to a client until all required documentation is complete, executed and on file.

Procedure: The operations personnel responsible for opening client accounts should verify that documentation is complete prior to opening the account. During the account opening process, should any required documentation be missing, the operations personnel will inform the IAR assigned to the client to obtain any missing information. The CCO will perform periodic reviews to help ensure that all required documentation is complete and maintained in the firm’s files.

When writing policies and procedures, it is important for compliance personnel to collaborate with senior management and the business units at the firm. Not only is it important to make sure the procedures match business practices, but the feedback received is valuable and including people in the formulation of policies and procedures goes a long way in gaining their acceptance and assistance during the implementation phase.

Annual Review

The second requirement under Rule 206(4)-7 mandates that SEC-registered investment advisers conduct a review at least annually of the adequacy and effectiveness of their policies and procedures. Such reviews may be conducted by the CCO with the assistance of other compliance personnel or outside consultants.

The SEC provided some guidance in the rule’s adopting release regarding the performance of annual reviews, noting that an investment adviser should consider, among other things: (1) any compliance matters that arose during the previous year, (2) any changes in the adviser’s or its affiliates’ business activities, and (3) any changes in the Advisers Act or applicable regulations that may require a revision to the compliance program.

A key question in the review process is whether the compliance program is able to detect violations of its policies and procedures and other regulatory requirements. In assessing this element, the CCO should take into account any known violations of the compliance program, any remedial actions taken and whether such actions are adequate to prevent future violations.

Another important part of the compliance review process is qualitative and quantitative testing. For example, a CCO might review employee personal trading reports and pre-clearance requests against the specific requirements set forth in the code, or spot-check online public databases of political contributions for the names of employees subject to the adviser’s pay-to-play policies. In all cases, detailed documentation of the testing conducted on the various elements of the compliance program should be maintained.

Based on testing results, the CCO can implement adjustments to the firm’s policies, procedures and/or internal controls to enhance their adequacy and effectiveness in preventing, detecting and correcting violations. All such adjustments should be documented and maintained in a designated file.

In 2006, the SEC issued guidance titled “Questions Advisers Should Ask While Establishing or Reviewing Their Compliance Programs,” to help advisers in creating, evaluating and maintaining a compliance program. Among other things, the guide provides a list of questions to consider when developing a compliance program that are tied to an investment adviser’s regulatory requirements under the Advisers Act.

Advisers are required to keep any records documenting their annual review for five years from the end of the fiscal year in which the annual review was performed. In a footnote in the adopting release, the SEC staff set forth its view that these records are meant to be made available to the SEC and its staff and they are not subject to the attorney-client privilege, the work-product doctrine, or similar protections, no matter who prepares them (e.g., the CCO or legal counsel). Although Rule 206(4)-7 sets forth no requirement that an investment adviser report the results of their annual review to any party, it is advisable that the CCO provide their findings and recommendations to senior management.

Chief Compliance Officer

According to the adopting release for Rule 206(4)-7, the CCO must be an individual who is competent and knowledgeable regarding the Advisers Act, and empowered with full responsibility and authority to develop appropriate policies and procedures. The adopting release further states that the CCO should have a sufficient position of seniority and authority within the adviser’s organization to enforce and compel the adherence of others to the compliance program.

One of the best ways to improve the compliance function at a firm is to improve the knowledge and skills of the compliance personnel, including the CCO. In this regard, professional development is critical especially since new challenges and new regulations are a constant occurrence. There are numerous conferences, roundtables, professional designations and training programs dedicated to the professional development of compliance personnel and mentoring can be an invaluable tool. The internet provides a wealth of information and law firms and consulting firms have email distribution lists that dispense valuable information, usually at no cost.

General knowledge and skills are important but just as important is specific knowledge of your firm’s business model, personnel and clientele. We refer to this as “local knowledge.” Local knowledge is developed through interaction and learning from your co-workers.

The Bottom Line

In 2011, the SEC’s Division of Enforcement implemented its Compliance Program Initiative to focus on investment advisers that have not corrected previous deficiencies in their compliance programs as identified during routine exams, or that have otherwise ignored the full requirements of Rule 206(4)-7. Since 2011, the SEC has taken a number of advisory firms to enforcement under this initiative and appears to be continuing in its quest.

With a new year and new regulations just around the corner, senior management should consider whether or not additional time and/or resources need to be allocated to helping ensure the firm’s compliance program is robust and compliance personnel are well trained.


Author: Craig Watanabe, Sr. Compliance Consultant; Editor: Tina Mitchell, Lead Senior Compliance Consultant, Core Compliance & Legal Services, Inc. (CCLS).

This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.

*A “reportable fund” is a fund registered under the Investment Company Act of 1940 (e.g., a mutual fund) for which the adviser either serves as investment adviser (or sub-adviser) or is in a control relationship (i.e., controlling, controlled by or under common control) with such fund’s adviser or principal underwriter.
