Improving Investment Adviser Compliance
Peter B. Driscoll, Acting Director, Office of Compliance Inspections and Examinations
GIPS Standards Annual Conference
Sept. 14, 2017
Thank you for that kind introduction and for inviting me to speak at this event.Before starting my remarks, let me give the requisite reminder that the views I express today are my own and do not necessarily represent the views of the Commission or its staff.
It is a pleasure for me to speak to this particular audience because I know that your participation in this conference sends important signals.It signals an awareness of the importance of applying principles and standards to your firm’s interactions with clients and prospective and existing clients and it signals a commitment to determining how to practically implement these standards at your firms.Your attendance at this conference also signals a concern for the fair presentation of performance results to prospective clients and an awareness of the importance of building a strong infrastructure to ensure performance composites are fairly constructed, results are calculated using industry-accepted methodologies, and that necessary disclosures are made.
Investors benefit and are able to make better informed decisions when you and your firms invest time to improve your processes and be more transparent in your presentation and disclosure of performance information.Today, I would like to focus on transparency, and specifically what OCIE is doing to be more transparent with regulated entities in order to advance OCIE’s mission, which, of course, then advances the SEC’s mission.
OCIE is often characterized as the “eyes and ears” of the Commission and I certainly agree with that characterization.Our mission is to protect investors, ensure market integrity and support responsible capital formation through risk-focused strategies.OCIE fulfills this mission in four primary ways:(1) improving compliance; (2) preventing fraud; (3) monitoring risk; and (4) informing policy. e refer to these as the “four pillars” of our mission.To execute on these pillars, OCIE is committed to being risk based, data driven and transparent.
II. Investment Adviser Examinations
OCIE plays a critical role in advancing the SEC’s mission of protecting investors and maintaining fair, orderly and efficient capital markets and facilitating capital formation. he National Exam Program is. ur risk-based and designed to focus resources on those firms and practices that pose the greatest potential risk of violations that can harm investors and the markets. s its primary responsibility, OCIE conducts risk – based exams each year of certain registered entities to evaluate their compliance with applicable regulatory requirements.
In 2016, OCIE conducted more than 2400 exams of regulated entities, which is an increase of more than 20% over FY 2015 and the highest number of examinations in the preceding seven fiscal years.Of those 2400 exams, nearly 1,450 were examinations of investment advisers, representing more exams than OCIE had completed of investment advisers in any of the prior seven fiscal years and almost 20% more investment adviser exams than it completed in FY2015.This reflected a coverage ratio of approximately 11% of the number of registered investment advisers.As many of you know, OCIE’s examination coverage of the adviser industry is critical because the SEC is the primary regulator of investment advisers.
The number of registered advisers, their complexity, and their assets under management has increased substantially over the last decade.As a result, in FY 2016, OCIE undertook an effort to redeploy a significant number of our existing examination staff to bolster the number of staff in our Investment Adviser and Investment Company examination program.In doing so, we increased the size of our staff by roughly 20%.I believe our redeployment of staff was an appropriate and tailored response to the growing investment adviser population and its importance to retail investors.But, above all, the number of examiners and exams completed takes a back seat to our focus on the quality of the exams we are conducting.This is our main priority and we are not going to sacrifice quality for quantity.
Moreover, increases or decreases in exam numbers alone do not tell the entire story of our program, as exam numbers alone do not speak to quality or the breadth of our work.Beyond examining registrants, OCIE has continued to spend considerable time and effort during the last few years on enhancing its risk assessment and surveillance capabilities to ensure that the program is spending its limited time and resources on those firms presenting the highest risk.As part of these efforts, the staff has spent significant resources to develop technological tools that allow us to collect and analyze data filed by registrants, not just those that are chosen for examination.The program has also conducted thousands of internal desk reviews to help ensure that the more time-consuming on-site visits we make are spent addressing higher risk firms and activities.The results of these efforts help to ensure that we utilize our resources in the most effective and efficient way.
III. Improving Adviser Compliance
When OCIE examines advisers or any other registrant, we are not attempting to play a game of “gotcha.”We want advisers to follow the rules because good compliance programs protect investors.
Good compliance is particularly important for advisers to retail clients.Retail clients may not have the resources to perform extensive diligence on advisers concerning internal adviser policies and procedures, custody and cybersecurity.Retail clients also may be more likely than institutional clients to be influenced by adviser advertisements.Therefore, OCIE’s mission of improving compliance is important not just for those advisers examined each year, but also for the thousands of advisers we are unable to examine.An adviser’s lack of attention to cybersecurity risks, or lack of compliance with the Adverting Rule, the Custody Rule, the Compliance Rule or other regulatory requirements can have a significant impact on retail clients.
We know there are many CCOs who want to improve compliance at their firms.We also know that CCOs are busy and bear a lot of responsibility for making the business case for investing resources in compliance.That is why OCIE is always looking for ways to engage and empower CCOs in formats that are accessible and help improve their firm’s compliance programs.
As I mentioned a moment ago, examinations are not the only avenue for OCIE to fulfill its mission.As a means of improving and promoting compliance, OCIE has increasingly have added outreach events as a way to educate and engage with the industry.In coordination with the Division of Investment Management, OCIE continues to sponsor Compliance Outreach Programs each year and to hold these across the country.In 2017, there were regional seminars in Portland, New York, Boston, and Chicago and, in 2016, a national seminar at the SEC headquarters in Washington.To enable a wide audience access to these events, they are available via webcast on the SEC’s website.During these outreach programs, OCIE staff discuss examination procedures, the examination selection processes, recent trends in examinations and key examination program initiatives which typically represent the areas of heightened risk we are concentrating our resources on addressing.
OCIE has recently increased its use of publications to provide more transparency about our exams .OCIE has published our Exam Priorities each year for the last several years.OCIE’s 2017 priorities are organized around three thematic areas:(1) examining matters of importance to retail investors; (2) focusing on risks specific to elderly and retiring investors; and (3) assessing market-wide risks.
Our hope is that this increased transparency into what OCIE is prioritizing, and ultimately observing at registrants will help registrants in a variety of ways.Knowing what OCIE is prioritizing may help registrants focus their own internal compliance reviews.It may also help facilitate the ability to anticipate and preemptively solve common compliance issues.
In other words, we hope our increased transparency promotes compliance at registrants with the ultimate effect of protecting investors.One particular vehicle for transparency that OCIE staff has increasingly used to inform the industry about compliance issues is our use of Risk Alerts. CIE staff has consistently published Risk Alerts over the past few years.Based on feedback we have received from industry and compliance professionals, we have been working on issuing more detailed Risk Alerts that summarize common exam findings across an array of topics.We believe the transparency in these types of risk alerts provide CCOs with clear information about common compliance issues.In turn, we hope they and the advisers they work for will use this information to improve compliance in these important areas and that investors are better protected as a result.
IV. Recent Risk Alerts
This year OCIE staff has so far published 4 risk alerts including a risk alert on compliance with the Advertising Rule, a risk alert on the top five most commonly-cited deficiencies, and two risk alerts on cybersecurity.
A. Advertising Risk Alert
[Today,] OCIE is publishing its latest risk alert concerning common compliance issues related to the Advisers Act Advertising Rule.As discussed in this risk alert, OCIE staff observed advertisements that contained misleading performance, including performance results that did not deduct advisory fees, that compared results to a benchmark but did not include disclosures about the limitations inherent in such comparisons; and, advertisements that contained hypothetical and back-tested performance results, but did not explain how these returns were derived and did not include other potentially material information regarding the performance./p>
Staff also observed advertisements that contained misleading claims of compliance with voluntary performance standards, such as GIPS, when the performance results in fact did not adhere to the performance standards’ guidelines.
Cherry-picked stock selections also made the top-five.One observation was advisers only including profitable stock selections or recommendations in presentations, client newsletters, or on their websites.
With respect to using third party rankings or awards, staff observed advisers that published potentially misleading advertisements containing references to awards or rankings conferred by third parties that failed to disclose material facts about such awards or rankings, such as payments made in exchange for the ranking or the fact that the ranking or award is many years old and no longer applicable.
Staff alsoOCIE observed that both advertisements and disclosures included in the adviser’s Form ADV Part 2B brochure supplements contained potentially false or misleading references to the professional designations held by advisory employees, such as references to professional designations that have lapsed or that did not explain the minimum qualifications required to attain such designations.
Clients, particularly retail clients, often rely on the information presented in an adviser’s advertisements to evaluate the adviser’s capabilities and experience.We hope our latest risk alert highlights common compliance problems with the Advertising Rule and will help to encourage advisers to review their advertising practices and make any needed changes.
B. Top Five Deficiencies Risk Alert
In February, OCIE staff published a risk alert detailing the five most common compliance topics for investment advisers.he five common compliance topics addressed are deficiencies or weaknesses involving various rules under the Advisers Act, including: (1) the Compliance Rule; (2) required regulatory filings; (3) theCustody Rule; (4) the Code of Ethics Rule; and (5) the Books and Records Rule. ome typical examples of deficiencies or weaknesses observed in the February risk alert include:/p>
- Compliance manuals that include policies and procedures that were not reasonably tailored to the adviser’s business practices;
- Annual compliance program reviews that were not performed or did not address the adequacy of the adviser’s policies and procedures;
- Inaccurate disclosures on Form ADV Part 1A or in Form ADV Part 2A (the disclosure brochure), such as inaccurately reporting custody information, disciplinary history and conflicts;
- Advisers that did not identify all of their access persons, such as partners or directors, for purposes of reviewing personal securities transactions under the Code of Ethics Rule; and
- Advisers that did not maintain all the books and records required by the Books and Records Rule, such as trade records, advisory agreements and general ledgers.
These compliance issues are important to investors, particularly retail investors.Investors should receive accurate disclosure from advisers about conflicts, disciplinary history and custody in order to make informed investment decisions.Moreover, the law requires advisers to make full and fair disclosure of these material facts.Internal policies, procedures, and controls are the first line of defense against adviser misconduct and must be tailored to the adviser’s business and followed.Compliance with the Custody Rule is critical to protecting client assets.We hope this risk alert encourages advisers to reflect upon their own practices, policies and procedures in these areas and to improve their compliance programs.
C. Cybersecurity 2 Initiative Risk Alert
During the past four months, OCIE staff published two risk alerts about cybersecurity.In August, OCIE staff published a risk alert summarizing observations from OCIE’s Cybersecurity 2 Initiative.This risk alert highlighted issues OCIE believes firms would benefit from considering when assessing and improving their policies, procedures, and practices relating to cybersecurity.
- As discussed in the August Cybersecurity risk alert, many adviser information protection policies and procedures appear to have issues. CIE observed examples that included policies and procedures that were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague and did not articulate procedures for implementing the policies.
- The staff also observed Regulation S-P-related issues among firms that did not appear to adequately conduct system maintenance, such as the installation of software patches to address security vulnerabilities and other operational safeguards to protect customer records and information. Examples include stale risk assessments, use of outdated operating systems that were no longer supported by security patches and lack of remediation efforts from penetration tests or vulnerability scans.
D. Cybersecurity Ransomware Alert
And also in May of this year, OCIE staff published a risk alert concerning the widespread ransomware attack, known as WannaCry, which impacted numerous organizations across the world.OCIE encouraged broker-dealers and advisers to review a publication by the United States Department of Homeland Security and evaluate whether applicable system patches had been properly and timely installed.
Cybersecurity issues become more important every day.In publishing these cybersecurity risk alerts, we hope to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity in efforts to safeguard investors.
Improving adviser compliance with applicable regulatory requirements is core to both the SEC’s and the National Exam Program’s mission of protecting investors.The industry reaction to the transparency provided in these recent risk alerts has been positive.I believe these types of detailed risk alerts about common compliance issues and observations will help the industry improve its compliance.Researching and cataloging potential deficiencies and preparing these risk alerts takes time and resources, but I believe the effort OCIE staff has spent in doing so has a significant positive impact.But, OCIE would like to do better.I encourage and am asking registrants to provide feedback on these risk alerts.Have they been helpful?What could OCIE do to be more helpful?What additional risk areas would you like to see OCIE address?And even more broadly, are there other things you would like to know from us that you believe would improve and promote compliance and ultimately protect the investing public?
Thank you for the opportunity to speak with you today and I look forward to having a continued dialogue going forward.
 The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees.The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author’s colleagues on the staff of the Commission.
 Advisers Act Rule 206(4)-1.
 Advisers Act Rule 206(4)-2.
 Advisers Act Rule 206(4)-7.
 See, e.g., 2017 Compliance Outreach Program Regional Seminars for Investment Adviser and Investment Company Senior Officers, available at: https://www.sec.gov/info/cco/cco-regional-seminars-ia-ic-2017.htm.
 See, e.g., OCIE “Examination Priorities for 2017,” January 12, 2017, available at: https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.
 Advisers Act Rule 206(4)-1.
 Advisers Act Rule 206(4)-1.
 OCIE Risk Alert, “The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers,” February 7, 2017, available at: https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.
 Advisers Act Rule 206(4)-7.
 Among other filing requirements, Rule 204-1 under the Advisers Act requires advisers to amend their Form ADV at least annually, within 90 days of the end of their fiscal year and more frequently, if required by the instructions to Form ADV. Rule 204(b)-1 under the Advisers Act requires advisers to one or more private funds with private fund assets of at least $150 million to complete and file a report on Form PF. In addition, Rule 503 under Regulation D of the Securities Act of 1933 generally requires issuers to file Form Ds.
 Advisers Act Rule 206(4)-2.
 Advisers Act Rule 204A-1.
 Advisers Act Rule 204-2.
 OCIE Risk Alert, “Observations from Cybersecurity Examinations,” August 7, 2017, available at: https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.