Meeting Specified Standards: the SEC’s OCIE Assesses Compliance

Credential Stuffing: Cyber Intrusions for Broker/Dealer and Investment Advisor Client Accounts - SEC OCIE Compliance

The fall of 2020 has been a time of particular focus on “compliance” by the U.S. Securities and Exchange Commission (“SEC”), and specifically by its Office of Compliance Inspections and Examinations (“OCIE”). On September 15, 2020, the OCIE issued a Risk Alert warning registered investment advisers and broker/dealers to improve their cybersecurity protocols to guard against unauthorized intrusion in customer accounts, especially intrusion using a technique called “Credential Stuffing.” See my November 19, 2020, blog post, “Credential Stuffing: Cyber Intrusions Into Client Accounts of Broker/Dealers and Investment Advisors.” The OCIE followed with two more Risk Alerts in November: the first, issued November 9, warned of shortfalls in supervising operations at branch offices; and the second, issued November 19, identified failures generally found across the registered investment adviser industry.

Securities Exchange Act of 1934

On September 30, 2020, Meredith A. Simmons, Esq., the Chief Compliance Officer (“CCO”) of a registered investment adviser, consented to a settlement of an enforcement action brought by the SEC for record retention and related violations in the matter of Meredith A. Simmons, Esq., Securities Exchange Act of 1934 Release No. 90061 (Sept. 30, 2020). The CCO interviewed a research analyst in the firm to make sure the analyst did not have material non-public information prior to the advisory firm making an investment in a particular company. She drafted a blank memo with the date and name, but without any other content. The following day the company in question announced that it had agreed to be acquired.

Eleven months later, after an inquiry from her supervisor, she completed the blank memo, although with a number of factual inaccuracies. Six weeks later, in response to an OCIE examination, the “ex post facto” memo was given to the OCIE as a purported record made contemporaneously after her interview with the analyst. The SEC discovered the fabrication and brought an enforcement action resulting in a censure, a $25,000 fine, a three-year bar from serving as a compliance officer, AND a one-year bar from practicing as an attorney before the SEC.

Investment Advisers Act of 1940: the Compliance Rule

Then, on October 19, 2020, Commissioner Hester Peirce spoke at the conference of the National Society of Compliance Professionals. Her address focused on the liability exposure of compliance officers, and she pointedly mentioned the Simmons case, “a compliance officer created and backdated compliance memoranda.” She noted that the rule applicable to the compliance function, Rule 206(4)-7 adopted under the Investment Advisers Act of 1940 (the “Compliance Rule”), supports negligence-based liability. And she went on to note that despite the origins of negligence (a failure to meet an applicable standard), “in practice… the rule’s standard has looked more like strict liability” (citing former SEC Commissioner Dan Gallagher).

Commissioner Peirce then expressed concern that persons will not be willing to serve as compliance officers when their judgments are so vulnerable to being second-guessed. One of the steps she advocated, to improve both the quality of compliance and the willingness to serve, is to create “public-private advisory groups charged with meeting periodically to discuss current and potential regulatory, examination, and enforcement efforts, and to publish guidance and recommendations to compliance officer and regulators reflecting the insight of both regulators and the regulated,” citing a New York City Bar Report issued October 16, 2020.

OCIE Risk Alert

The November 9 OCIE Risk Alert acknowledged the administrative difficulties of managing compliant operations involving branch offices but nonetheless found registrants had fallen short. The report deals with examinations by OCIE of almost 40 investment advisers, with multiple branches and about 185,000 clients, managing approximately $110 billion, as part of the OCIE’s “Multi-Branch Initiative.” OCIE found common deficiencies throughout all of the investment advisory firms. Some of the most material of these were:

  1. Failure to have comprehensive written policies concerning compliance and supervision, including the failure to have adequate “Code of Ethics” rules, failure to have clear custody rules, and inadequate fiduciary duty requirements, especially concerning fees, expenses, and advertising
  2. Inadequate supervision of the type of investment advice being provided, and inadequate disclosure and management of conflicts
  3. Discriminatory allocation of investment opportunities; more than one-half of the advisers examined were found deficient in the investment recommendations they made, failing to disclose the conflict and too often steering clients to higher-cost investments

All too frequently, the examinations found that the branch offices had too much leeway and exposed clients unnecessarily to higher costs and/or the risk of loss.

OCIE Observations: Investment Adviser Compliance Programs

On November 19, the OCIE published another Risk Alert entitled “OCIE Observations: Investment Adviser Compliance Programs,” setting forth the most common deficiencies in investment advisor compliance programs, as identified by OCIE in the course of its inspections and examinations of investment advisers. The OCIE notes in this Risk Alert that the Compliance Rule “does not enumerate specific items that advisers must include in their policies and procedures.” Rather, “each adviser should adopt policies and procedures” that reflect the nature of its operations. These policies and procedures “should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.” These policies and procedures are to be reviewed at least annually “to determine their adequacy and effectiveness.”

Such review is to consider compliance matters that arose in the prior period, as well as changes in the adviser’s business. Interim reviews are STRONGLY suggested in the case of significant compliance matters, changes in business, or regulatory developments. The Compliance Rule does require each registered investment adviser to have a designated CCO, who is to have both securities market knowledge and sufficient authority “to compel others to adhere to the compliance policies and procedures.”

What then were the common deficiencies identified by the OCIE? In its “laundry list” of these in the Risk Alert, the OCIE begins to contradict its own pronouncement that no specific items must be addressed in the adviser’s policies and procedures. The observed deficiencies, as set forth in the Risk Alert, are as follows:

  1. Inadequate resources, including information technology, the inadequate time commitment of the CCO, lack of adequate training programs, and failure to revise policies and procedures to reflect changes (such as growth) in the firm’s business
  2. Insufficient authority, including access to senior management
  3. Inadequate annual reviews, including failure to identify risks (such as cybersecurity, use of third party managers, etc.) and to “audit” those areas
  4. Failure to implement required actions, including reviewing client accounts for performance consistent with client objectives, reviewing advertising materials, testing fee calculations, and reviewing business continuity plans
  5. Failure to maintain tailored and up-to-date policies, procedures, and records [consider the basis for the enforcement action against Meredith A. Simmons, Esq.]
  6. Failure to ensure that the firm’s policies and procedures are “reasonably designed to prevent violations of the Advisers Act,” with particular focus on portfolio management, marketing, trading practices, disclosure (especially the Form ADV that each adviser must file with the SEC and keep up-to-date), advisory fees and valuations, protection of client privacy, maintaining books and records, protecting client assets, and having the required business continuity plan

SEC OCIE Emphasis on Compliance

On the same day the November 19 Risk Alert was issued by the OCIE, its Director, Peter Driscoll, gave a speech at the SEC’s annual compliance outreach conference, in which he “instructed” registered investment advisers “to empower Chief Compliance Officers.” Specifically, he called for CCOs to have both sufficient authority AND access to the highest levels of firm management. Indeed, he suggested that CCOs themselves be members of senior management and be given, by an employment contract or otherwise, confidence that their employment would not be at risk for raising compliance issues. As one commenter noted, “Proper compliance is … not just a matter of following the [Compliance] Rule but [also] good business.”

Taking into account the SEC emphasis on compliance, and these recent exhortations from the OCIE, registered investment advisers should promptly AND carefully review their compliance policies and procedures – BEFORE the next OCIE Compliance Inspection. One does not want to receive a deficiency letter from the OCIE finding (in the words of the proverbial handwriting on the wall in Daniel 5:25) “Mene, Mene, Tekel, Upharsin” (Measured, Weighed, AND FOUND WANTING).

Attorneys from Norris McLaughlin, P.A., may be able to help with that review. If you have any questions about this post or any other related securities or general business law matters, please feel free to contact me at