U.S. Securities & Exchange Commission

Speech by SEC Staff:
Remarks at the 2006 Securities Law Developments Conference Investment Company Institute


Lori A. Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

Washington, D.C.
December 5, 2006

As a matter of policy the SEC disclaims responsibility for any private statement by any employee. The speaker's views are her own, and do not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

Good morning. It's a real pleasure to be with you this morning at the ICI's Securities Law Developments Conference. Many thanks to Elizabeth Krentzman and to Ari Burstein for inviting me.

I wanted to talk with you today about two things that the staff at the SEC, and in the exam program in particular, are buzzing about. First, CCOutreach and the National Seminar for fund and adviser chief compliance officers that we held just three weeks ago, and second, I'd like to share some observations, from my perspective as an examiner, on how firms have been implementing the annual review component of the new Compliance Rule.


First, CCOutreach. My colleagues and I at the SEC have often said -- using various formulations of the same theme -- that the SEC staff and fund and adviser compliance staff have a shared mission; we both want to ensure that firms are in compliance with the law and that investors' interests are protected. Whether we say that we are the "ally" of compliance staff, or we're "of common interests" - what we mean is that we very much support the work of industry compliance programs and encourage fund firms to continue to ensure that compliance is an integral part of firms' business models.

The CCOutreach program is designed to provide a forum for SEC staff and industry compliance officers to discuss compliance issues in a practical way, to share experiences, and to learn about effective compliance practices. The program is sponsored by both the SEC's Division of Investment Management and the Office of Compliance Inspections -- and this reflects the philosophy of the program -- we (the IM and OCIE staff) mean to marry the legal requirements of the securities laws and rules with their practical application in compliance programs. We know well that advisers and funds are widely diverse in size and type, and that compliance programs are too. Indeed, while compliance with the law is a minimum standard, the compliance process by which firms achieve that standard is not a one-size-fits-all proposition. One strong message that we've heard from fund and adviser compliance staff is that, while talking about the overarching legal principles is interesting, what they want and need is practical information about specific compliance mechanisms that work.

When we first announced this initiative, it was met with a bit of skepticism -- I suppose some felt that our aim was untrue -- that we didn't really mean to help firms improve their compliance programs, or, some felt that we should rely on the army of private lawyers and compliance consultants to communicate our message (mostly this last view seemed to be held by some outside lawyers and some compliance consultants). I hope that our work so far on CCOutreach has helped allay any initial skepticism; we really do mean to help the industry to improve compliance programs. And, while lawyers and consultants are very valuable, we think having a direct line of communication with SEC-regulated firms helps to avoid misunderstanding and misinterpretation. And, it's enormously healthy for us to hear directly from firms about the compliance issues they face, and the challenges they encounter.

At the National Seminar, we had a panel of SEC staff and CCOs to discuss the annual review, and two panels to discuss the kinds of information that SEC examiners typically request when performing an exam. For the first time -- we talked about what examiners do with the information they obtain -- the tests that we run and the methodologies we use to identify problems and violations. This information is not only interesting, it's valuable, as these same tests can also be used by CCOs in their own compliance programs. One industry newsletter reporting on the seminar called this information a "goldmine" for CCOs! The National Seminar also included a panel of SEC staff sharing results of recent examination sweeps - again, we provided a lot of valuable information about compliance problems that CCOs should be alert to in their own firms. We're very pleased that 96% of the attendees at the National Seminar rated it as "excellent" or "good."

The National Seminar capped off a series of regional CCOutreach seminars that we held across the country last summer. In total, examiners in our field offices held 27 regional seminars with CCOs in their regions to discuss compliance issues of concern. Almost 2,000 chief compliance officers attended the regional seminars. The regional seminars ranged in size from 30 to about 120 attendees, and were purposefully smaller in size to allow for interaction among the participants. Our goal was to make these regional sessions relevant and helpful to CCOs of all types and sizes. In the seminars, the participants together worked through various compliance risk scenarios, and as a group, identified compliance risks and compliance policies and procedures that could address those risks. The scenarios dealt both with some fairly straightforward compliance risks that exist in small shops, as well as some that were quite complicated based on the compliance complexities inherent in a large and diversified asset management firm.

We're interested in CCOs' views on the topics they would most like covered in our 2007 regional seminars, and we're inviting feedback on this question at CCOutreach@SEC.gov.

Ultimately, in the CCOutreach program, we hope that by providing a forum to discuss practical compliance issues, we can help strengthen industry compliance programs. I believe that this communication -- between the industry and the regulator -- is more important now than ever before. The reasons are two-fold. First, the Compliance Rule is a principles-based rule -- it does not mandate particular compliance policies and procedures, but only that firms have effective, written compliance policies and procedures. The Rule leaves the identification, design and implementation of the compliance policies and procedures to the firm, based on the firm's own compliance risks. In my view, this is both the beauty and the challenge of the new rule. The beauty is that firms have an enormous amount of flexibility to determine what will work for them. But the challenge is significant too. Firms have more responsibility to identify both compliance risks and the specific compliance procedures that will work, and must implement them. Since there are no minimum mandates other than that the policies must be effective and in writing - it makes an enormous amount of sense for the SEC and the industry to communicate about the compliance controls that are effective.

The other reason that communication between the industry and the SEC is imperative at this point in time, is because recent history includes some serious compliance failures. To avoid compliance failures anew, compliance must become an integral and lasting component of firms' operations. I know that compliance is getting a lot of attention at the moment - and that compliance programs are better staffed, better resourced and better respected now than in the past - but I believe that real lasting benefits will come only when compliance is a permanent component within firms - and that will occur only when compliance programs and their attendant processes become well-established within firms.

And, I think we're at an early point in the establishment process. The Compliance Rule is just two years old, and firms have only just been through the first annual review required by the Rule. I hope that this process will not be static - that firms will continue to enhance and improve their compliance programs - and improve their annual review each year. With that in mind, I thought it would be helpful to you today to share the observations of examiners who recently reviewed firms' annual reviews as part of our examinations for compliance with the Compliance Rule.

The Annual Review

The Annual Review is a key component of the Compliance Rule. While it's critical, it did not get as much ink in the Commission's release as the other aspects of the Rule. To review, Advisers Act Rule 206(4)-7 requires each registered adviser to review its policies and procedures at least annually to determine their adequacy and the effectiveness of their implementation. Similarly, Investment Company Act Rule 38a-1 requires a fund to at least annually review its policies and procedures and those of its service providers. The Commission stated that: "the review should consider any compliance matters that arose during the previous year, any changes in the business activities of the adviser or its affiliates, and any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies or procedures." [1] The Commission went on to say that: "Although the rule requires only annual reviews, advisers should consider the need for interim reviews in response to significant compliance events, changes in business arrangements, and regulatory developments." [2]

With respect to funds, the Rule requires the chief compliance officer to annually furnish the board with a written report on the operation of the fund's policies and procedures and those of its service providers. The report must address, at a minimum: (i) the operation of the policies and procedures of the fund and each service provider since the last report; (ii) any material changes to the policies and procedures since the last report; (iii) any recommendations for material changes to the policies and procedures as a result of the annual review; and (iv) any material compliance matters since the date of the last report. In reviewing the report, the fund's board is to focus on ensuring that the compliance programs of the fund and its service providers are reasonably designed and functioning effectively. In the release, the Commission stated that "material compliance matters" were those about which the fund's board reasonably needs to know in order to oversee fund compliance.

The new rules require funds and advisers to keep any records documenting their annual review. The Commission, anticipating that exam staff would review firms' implementation of the Compliance Rule, stated that the recordkeeping requirements would assist examination staff in determining whether the adviser or fund is adhering to the new rules and in identifying weaknesses in the compliance program if violations do occur or are uncorrected.

All funds and advisers (registered for a year or more) must have completed their first annual review by now, and in our routine exams, we're looking at how firms implemented the requirement. The findings I'll describe are based on just a small subset of the fund and adviser industry - about 158 advisers and 24 fund groups, with a range of assets under management, from $8 million to $80 billion, examined between May and August of this year.

First, let me start with how we, as examiners, evaluate firms' annual reviews. We consider a number of factors:

  • Who conducted the annual review? (e.g., the CCO, with other compliance staff, with business-line staff, internal auditors, external counsel or compliance consultant)
  • What was the scope of the review, and how was the scope determined (i.e., was a risk-assessment completed, did the scope include existing compliance policies and procedures, did it review the firm's process for identifying gaps)
  • When was it performed?
  • How was it performed? (e.g., using a checklist, forensic tests, review of past exceptions)
  • What were the findings? (we would expect that thorough reviews would be likely to have findings and/or areas where the firm's compliance programs could be proactively improved)
  • What recommendations were made by the staff who conducted the review? (do they appear to adequately address the findings)
  • What is the current status of those recommendations -- have they been implemented?
  • What documentation was created and retained by the firm to reflect the work done?
  • What, if any, was the involvement of senior management in the review?

Using these factors as a framework, at 60% of the firms visited, examiners found indications that a solid annual review had been performed - that is, one in which the planning and execution appeared to provide a reasonable or a high degree of assurance that its compliance program will deter, detect and correct problems. That's good news. With respect to many firms, the annual review was comprehensive, encompassing all compliance policies and procedures, included forensic tests, identified compliance risk areas where there was weakness and reviewed the firm's risk inventory for completeness. Many annual reviews included a focus on changes in the business, product lines, personnel, and regulations, and several firms used the annual review process as a starting point for setting goals for the coming year. For most of these firms, the scope of their review included:

  • Code of Ethics and Personal Trading
  • Portfolio Management, Research and Proxy Voting
  • Business Continuity / Disaster Recovery
  • Capturing/Compiling/Preserving/Protecting Information
  • Brokerage Arrangements and Best Execution
  • Safekeeping of Client Assets
  • Anti-Money Laundering
  • Marketing, Advertising, Calculating Performance
  • Distribution of Fund Shares
  • Trade Allocations
  • Reporting / Disclosures / Form ADV
  • Pricing and Client Position Valuation
  • Fund Corporate Governance
  • Back Office Functions and Advisory Fee Billing

Other firms also reviewed service providers' compliance programs, funds with specific compliance risks (e.g. variable product funds and money market funds), email and books and records retention, market timing and late trading, restricted or illiquid securities, segregation of collateral, solicitation arrangements, and sub-adviser oversight.

Interestingly, only 10% of the firms reported finding material compliance issues during the annual review. The most common of these related to violations of the firm's Code of Ethics and trade errors. Also reported as material were issues related to the maintenance of required books and records, portfolio valuation, portfolio compliance, and needed improvements in review processes. Firms also found other violations or deficiencies during the annual review, though did not deem them to be "material;" these involved disclosures, violations of clients' mandates, brokerage arrangements and best execution, disaster recovery planning, oversight of service providers, solicitation agreements, and inadequate compliance staff.

One issue, of course, is what is a "material compliance issue"? In adopting the Compliance Rule, the Commission said that these matters would be those about which the fund's board reasonably needs to know in order to oversee fund compliance. Only a few firms we visited had fleshed out this definition - and those that did most often said that it included "a reasonable need to know by management" and/or took into account "harm to investors" and the "repetitive nature of the issue." This is an area where perhaps more work could be done by CCOs of both advisers and funds to work with senior management or the fund board (as the case may be) to identify and better define expectations about matters that will be reported. Interestingly however, even the funds that did not report "material compliance matters" often still reported to their boards on other less serious compliance matters that were found in the annual review.

In most cases, the CCO did all or substantially all of the work involved in the annual review, and about a quarter of the firms also involved business personnel. Over half of the firms indicated that senior management was involved or provided oversight in some way. Some firms used outside counsel and/or a compliance consultant for some facet of the annual review. We did not see any firms that utilized their internal audit staff, though certainly this resource could be tapped to leverage resources.

Most firms used a combination of approaches to conduct the review - reviewing policies and procedures, comparing them to current practices, conducting interviews with business personnel, identifying risks and mapping them to current policies and procedures, and conducting forensic testing. Only a small number of firms reviewed exceptions that had been identified in the last year for patterns and weaknesses. For most firms, conducting the annual review took a month, two, or three, though almost a quarter conducted the review over a longer, rolling period.

The most common remedy recommended for problems identified in the annual review was to improve, change or strengthen the firm's policies and procedures. Other remedies suggested included committing additional resources to compliance, improving disclosures, improving documentation, improving oversight of service providers, implementing or improving forensic testing, and improving the risk assessment process. Most firms appeared to have implemented the recommendations or were in the process of doing so.

So, while 60% of the firms we reviewed appeared to perform a solid first-year annual review, the report for the remaining 40% of firms examined is not so good. At these firms, it appeared that the firm did not conduct any annual review, or that its efforts provided little or no assurance that its compliance program would be effective. For example:

  • No annual review was conducted;
  • The review was conducted in a single day;
  • The scope and methodology were insufficient to identify significant gaps in the compliance program;
  • There were insufficient resources devoted to the annual review;
  • The review resulted in no findings at all;
  • There was no report or documents evidencing the review; and
  • There were no recommendations made.

In these situations, the firms were sent a deficiency letter noting that the annual review was not performed, or was not performed in a manner that appeared fully consistent with the Compliance Rule. It's our hope and expectation that these firms will do a better job next year in performing the annual review. And, striving for a process of constant improvement, we hope that all firms will improve their annual reviews going forward. As I said at the outset, this is an area where I hope that dialogue amongst us through our CCOutreach program will result in improved and established compliance programs, for the benefit of investors.


Thank you for your attention this morning. I hope that this information has been helpful to you. Have a good conference.



Modified: 12/05/2006