In 2004, the SEC significantly strengthened the compliance responsibilities of investment advisers when Rule 206(4)-7 (also known as the "Compliance Rule") went into effect, requiring them to adopt and implement written compliance policies and procedures, review such policies and procedures annually, and designate a Chief Compliance Office to administer such policies and procedures. However, this "Compliance Rule" did not technically require that the annual compliance review of policies and procedures be conducted in writing, even though advisers were required to maintain records if they did document such reviews in writing!
To address this omission, the SEC has now formally adopted an amendment to the Compliance Rule requiring annual reviews to be documented in writing. Under the amended rule, advisers will be required to review and document in writing the adequacy of their compliance policies and procedures, the effectiveness of their implementation, whether compliance policies and procedures continue to work as designed, and whether changes are needed to ensure their continued effectiveness.
Notably, the exact formatting, length, level of detail, and overall content of annual reviews are not prescribed by the SEC. Rather, when the Compliance Rule originally went into effect in 2004, the adopting release described only 3 elements that should be considered in an annual review: 1) compliance matters in the previous year (e.g., when compliance policies and procedures did or did not function as intended), 2) changes in business activities (e.g., offering discretionary investment management for the first time instead of just financial planning), and 3) regulatory changes that might necessitate changing the firm's policies and procedures (e.g., the SEC's new marketing rule).
Further, advisers have significant flexibility in deciding how to prepare the compliance review, which could be a long-form written report with supporting documentation, quarterly reviews aggregated into an annual report, or even simply a compilation of notes. Even despite this flexibility, the SEC's examination staff relies heavily on the annual review documentation to "understand an adviser's compliance program, determine whether the adviser is complying with the rule, and identify potential weaknesses in the compliance program", positioning the Compliance Rule (and the annual review requirement within it) as an unambiguously vital mechanism to help advisers identify opportunities for improvement and implement actions to create a well-functioning annual review process.
Ultimately, the key point is that the SEC has signaled the importance it places on investment advisers performing annual compliance reviews and producing written documentation to memorialize them. And while these compliance requirements might seem like a daunting task, advisers have a range of options to make the process less painful, from breaking it down into bite-sized chunks over the course of the year (and periodically testing their compliance program and documenting the results) to engaging outside counsel to help ensure the review process and associated documentation are completed in a comprehensive and accurate manner!
2004 was a monumental year in the world of investment adviser compliance.
It was the year that – for the first time – investment advisers registered with the SEC were required to 1) adopt and implement written compliance policies and procedures, 2) review such policies and procedures annually, and 3) designate a Chief Compliance Officer (CCO) to administer such policies and procedures.
Not to belabor the point, but prior to February 5, 2004 (the effective date of Rule 206(4)-7, omnipotently known simply as the "Compliance Rule"), advisers were not required to maintain written compliance policies and procedures (or review such policies and procedures or designate a CCO). Given the Investment Advisers Act of 1940 (the "Advisers Act") was adopted in – you guessed it – 1940, the fact that it took over 60 years to require advisers to maintain compliance policies and procedures and appoint a CCO is pretty incredible.
But there was one catch, or perhaps one inadvertent omission from the Compliance Rule: the requirement to review compliance policies and procedures annually was not technically required to be memorialized in writing. Oops.
Though Section (a)(17)(ii) of the Recordkeeping Rule under the Advisers Act requires an adviser to maintain "any records documenting the investment adviser's annual review of those policies and procedures", a literal (if perhaps cute) reading of it did not technically require that such annual reviews be memorialized in writing; the written recordkeeping requirement only applied if and only if an adviser created any written records in the course of conducting its annual review.
Because this written memorialization omission clearly flew in the face of the old regulatory adage, "If it isn't in writing, it never happened", most (but not all) advisers have nonetheless created documentary evidence to support the performance of their annual review for years.
For the bravehearted holdouts that have not yet embraced the SEC's expectation, if not requirement, that annual reviews be memorialized in writing, the SEC has officially filled the gap by adopting an amendment to the Compliance Rule to make it abundantly clear that annual reviews of compliance policies and procedures must now be documented in writing.
The SEC did so by adding just 4 words – "and document in writing" – to the Compliance Rule (in bold below):
If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b–3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b–6) for you to provide investment advice to clients unless you:
(a) Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;
(b) Annual review. Review and document in writing, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and
(c) Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.
At this point, readers may be rightly wondering, "How is he possibly going to drag this seemingly inconsequential, 4-word rule amendment into an entire Kitces-length article?"
Allow me to demonstrate the art of verbosity, my friends.
In all seriousness, I think this mostly inconsequential form-over-substance rule amendment provides the perfect excuse for 2 things: 1) to remind advisers that the annual review requirement exists and is taken very seriously by the SEC, and 2) to provide what will hopefully be a practical guide that covers how to actually perform an annual review.
The Origin Story
The SEC amended the Compliance Rule to impose the written documentation requirement on annual compliance reviews in the strangest way – as part of a massive package of new rule adoptions and amendments specifically targeting advisers to private funds. In total, the SEC adopted 8 new rules under the Investment Advisers Act of 1940 (the "Advisers Act") and adopted amendments to 2. The SEC press release on the matter is entitled "SEC Enhances the Regulation of Private Fund Advisers", and the corresponding Fact Sheet is entitled "Private Fund Adviser Reforms: Final Rules."
An adviser that is not an adviser to private funds may read these titles and justifiably believe that – mercifully – the SEC's latest avalanche of rulemaking is inapplicable to them. However, the Compliance Rule amendment to require a written record of annual compliance reviews is but a single snowflake buried in this deceptively titled "private fund adviser" rule avalanche – and applies to all advisers (whether they advise private funds or not).
Restated less dramatically, the new annual review written documentation requirement is 1 of the 10 new or amended rules adopted in the package of private fund adviser reforms.
The adopting release to the private fund adviser reforms is an eye-watering 656 pages, and the SEC's discussion of the new annual review written documentation requirement takes up just over 6 pages – or less than 1%.
My point is that the SEC buried the lede – at least for non-private fund advisers – by choosing to amend the Compliance Rule in this fashion.
What We Can Learn From The 1%
The 1% I'm referring to in this section is the 6 pages the SEC dedicated to discussing the new written documentation requirement for annual reviews in the aforementioned adopting release (beginning on page 297). Despite paling in comparison to the voluminous discussion of the private fund rule adoptions and amendments, these 6 pages provide a number of actionable insights for advisers insofar as to how they are to perform their annual reviews and what SEC Exam staff expectations will be.
Section 206 of the Advisers Act is colloquially referred to as the "anti-fraud section" of the Advisers Act (though it is under a heading entitled "Prohibited Transactions by Registered Investment Advisers", not to be confused with the concept of "prohibited transactions" under the Employee Retirement Income Security Act of 1974, or ERISA). In broad-brush, the anti-fraud provisions of Section 206 essentially prohibit advisers from employing any "device, scheme, or artifice to defraud any client or prospective client", engaging in any "transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client", and engaging in "any act, practice, or course of business which is fraudulent, deceptive, or manipulative". TLDR: Advisers are prohibited from acting fraudulently, deceitfully, deceptively, or manipulatively.
Importantly, Section 206(4) states that the SEC shall "by rules and regulations define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative". Said another way, the SEC is empowered to adopt rules and regulations under Section 206(4) of the Advisers Act to govern what it deems to be fraudulent, deceptive, or manipulative.
Thus, any rules adopted under Section 206(4) of the Advisers Act are colloquially referred to as the "anti-fraud rules", and such anti-fraud rules have the enumerated prefix of "206(4)-". Advisers will likely recognize many of these anti-fraud rules, such as the Marketing Rule (206(4)-1), the Custody Rule (206(4)-2), and the Compliance Rule (Rule 206(4)-7), to name a few.
I write all of this to make the point that the Compliance Rule – and, therefore, the requirement to undertake and maintain a written record of an annual review – has been adopted as an anti-fraud rule. This means that failure to comply with the written annual review requirement is a violation of an anti-fraud rule, which, in turn, means that the adviser has engaged in an "act, practice, or course of business which is fraudulent, deceptive, or manipulative".
In case it's not clear by this point, the written annual review is a requirement that the SEC takes seriously.
Overarching Principles & Questions To Answer
To quote the adopting release, the written annual review requirement:
…requires advisers to review and document in writing, no less frequently than annually, the adequacy of their compliance policies and procedures and the effectiveness of their implementation. The annual review requirement was intended to require advisers to evaluate periodically whether their compliance policies and procedures continue to work as designed and whether changes are needed to assure their continued effectiveness.
Let's break down this narrative expectation and consider some preliminary questions that advisers can ask to assess each point of what they are required to do. Annual reviews should evaluate the following:
- The adequacy of the adviser's compliance policies and procedures.
- Questions to answer to satisfy the "adequacy" evaluation:
- Do the compliance policies and procedures sufficiently address applicable elements of the Advisers Act and the rules adopted thereunder?
- Are the policies and procedures reasonably designed to prevent violation, by the adviser and its supervised persons, of the Advisers Act and the rules adopted thereunder?
- Do the policies and procedures contain enough detail to inform supervised persons to know how to comply with them?
- Are the policies and procedures appropriately tailored to the nature and business operations of the adviser?
- The effectiveness of their implementation.
- Questions to answer to satisfy the "effectiveness of implementation" evaluation:
- Does the Chief Compliance Officer (CCO) have sufficient authority and bandwidth to actually implement (and enforce) the policies and procedures within the firm?
- Are supervised persons sufficiently trained and educated on the elements of the compliance policies and procedures so they know how to comply with them?
- Are supervised persons actually following the compliance policies and procedures (or are there repeated instances of compliance policy and procedure violations)?
- Are there open channels of communication between the CCO and supervised persons that facilitate reporting of compliance policy and procedure violations?
- Whether compliance policies and procedures continue to work as designed.
- Questions to answer to satisfy the "continue to work as designed" evaluation:
- Have the compliance policies and procedures become too long, verbose, bloated, or otherwise unclear, such that they are impractical to implement?
- Notwithstanding changes in the regulatory landscape or the business model of the firm, are the compliance policies and procedures still reasonably designed to prevent violation, by the adviser and its supervised persons, of the Advisers Act and the rules adopted thereunder?
- Whether changes are needed to ensure their continued effectiveness.
- Questions to answer to satisfy the "whether changes are needed" evaluation:
- Are the originally adopted compliance policies and procedures an untailored template that includes "Insert firm name here" references?
- Have new SEC rules, rule amendments, Risk Alerts, no-action letters, or other formal or informal guidance caused the compliance policies and procedures to be outdated?
- Has the firm launched a new business line, a new advisory service offering, an affiliated business, or otherwise changed its business model such that corresponding updates to the policies and procedures are required?
- Has the firm entered into any new vendor relationships or started offering any new products that create new conflicts of interest that need to be addressed?
- Questions to answer to satisfy the "whether changes are needed" evaluation:
- Questions to answer to satisfy the "continue to work as designed" evaluation:
- Questions to answer to satisfy the "effectiveness of implementation" evaluation:
- Questions to answer to satisfy the "adequacy" evaluation:
The lists of "questions to answer" above are simply intended as a starting point to create the scaffolding within which an annual review can be conducted and certainly do not represent the universe of potential lenses through which an annual review can be viewed.
Specific Elements Of An Annual Compliance Review
The exact formatting, length, level of detail, and overall content of annual reviews are not prescribed by the SEC. In fact, when the Compliance Rule originally went into effect in 2004, the adopting release described only 3 elements that should be considered in an annual review:
- Any compliance matters that arose during the previous year;
- Changes in the business activities of the adviser or its affiliates; and
- Any changes in the Advisers Act or applicable regulations that might suggest a need to revise the policies and procedures.
These 3 considerations can and should be addressed in different sections of the written annual review.
Compliance Matters In The Previous Year
When considering the compliance matters that arose during the previous year, an adviser can summarize instances in which the compliance policies and procedures functioned as intended (e.g., catching a trade error before the trade was placed, preventing a fraudulent third-party wire from occurring as a result of a verbal confirmation with the client, identifying a supervised person's new outside business activity as requiring conflict of interest disclosure in Form ADV Part 2A) and instances in which the compliance policies and procedures did not function as intended – what I like to refer to as "opportunities for improvement" (e.g., a client that was overbilled due to the wrong advisory fee being entered into a fee billing file, a client that didn't receive Form CRS when the adviser recommend a rollover transaction, failure to file the annual updating amendment to Form ADV in a timely fashion).
In this sense, a "compliance matter" that arose during the previous year doesn't necessarily just have to be a laundry list of what went wrong; advisers can also highlight what went right if desired.
Changes In Business Activities
Consideration of business changes is fairly straightforward, but examples could include:
- Offering discretionary investment management for the first time instead of just financial planning;
- Changing from an asset-based fee schedule to a flat-fee schedule;
- Launching a tax return preparation and filing service (either within the adviser or through an affiliate);
- Sponsoring or participating in a wrap fee program for the first time;
- Offering retirement plan consulting or discretionary management services for the first time;
- Retaining or recommending a sub-adviser, TAMP, or outsourced chief investment officer for the first time;
- Transitioning from a brick-and-mortar office to a fully remote work environment; or
- Hiring the first additional investment adviser representative besides the founder.
Tracking changes in the Advisers Act or applicable regulations can be challenging (especially when the SEC obscures its changes in completely unrelated new rule avalanches, *ahem*), but this is where a few subscriptions to compliance consultancies, law firms, or certain other nerdy newsletters may come in handy. 😉
The SEC also has its own mailing list, which you can sign up for here. For whatever it's worth, I'm subscribed to the SEC's Speeches and Statements, Press Releases, Investor Alerts, Litigation Releases, Administrative Proceedings, No-Action Letters, EXAMS Staff Letters and Risk Alerts, Division of Examinations Announcements, Division of Investment Management Announcements, Proposed Rules, Final Rules, and Interpretive Releases.
Beyond the 3 considerations described above, the SEC makes it very clear that advisers have wide latitude to perform and document annual reviews as they see fit. It's worth quoting the adopting release to the private fund adviser reforms at length here to drive home this point:
The amended rule does not enumerate specific elements that advisers must include in the written documentation of their annual review. The written documentation requirement is intended to be flexible to allow advisers to continue to use the review procedures they have developed and found most effective. For example, some advisers may review the adequacy of their compliance policies and procedures (or a subset of those compliance policies and procedures) and the effectiveness of their implementation on a quarterly basis. In such a case, we believe that the written documentation of the annual review could comprise written quarterly reports. Some commenters suggested that we offer flexibility in the approach to the written annual review requirement. We have previously stated our views regarding the areas that we expect an adviser's policies and procedures to address, at a minimum, if they are relevant to the adviser. We understand that some advisers may choose to document the annual review of their written policies and procedures: (i) in a lengthy written report with supporting documentation; (ii) quarterly documentation, aggregated at year end; (iii) a presentation to the board or another governing body, such as a limited partner advisory committee (LPAC); (iv) a short memorandum summarizing the findings; and (v) informal documentation, such a compilation of notes throughout the year [sic]. There are a number of other ways that an adviser may choose to document its annual review. This rule does not prescribe a specific format of the written documentation, instead, allowing an adviser to determine what would be appropriate.
Key takeaways to extract from the above:
- The written documentation requirement is intended to be "flexible".
- The annual review may encompass "a subset" of compliance policies and procedures.
- The annual review could, in fact, take the form of shorter, quarterly reviews (with the "annual review" essentially being an aggregation of such quarterly reviews).
- All of the following manifestations may be sufficient:
- A long-form written report with supporting documentation;
- Quarterly reviews, aggregated into an annual report;
- Board or management presentations;
- A short summary memorandum; or
- Compilations of notes compiled over the course of the year.
It's understood that an annual review for a solo adviser that simply manages ETF portfolios for its retail clients will look very different than an annual review for an institutional asset manager with a variety of business lines, client types, product offerings, and affiliated businesses; however, there may also be significant variability between the annual reviews of 2 seemingly identical advisers due to the flexibility afforded by the SEC.
We generally recommend that advisers periodically test the functioning of their compliance policies and procedures incrementally over the course of the year, aggregate the results of such tests into an annual compliance review report, and summarize any business or regulatory developments as part of the drafting of the annual review report. This incremental approach spreads the workload over the course of the year rather than backloading it all at the end of the year when there may be other priorities or time constraints taking precedence or that otherwise jeopardize the ability to dedicate the requisite time to perform a sufficient annual review. The incremental testing over the course of the year is usually mapped to a compliance calendar, which helps advisers stay on track and remain on top of compliance obligations associated with a deadline of some sort (such as annual ADV amendment filings, Form 13F filings, registration renewals, etc.).
Why Does The SEC Care About An Adviser's Annual Review?
The positioning of the Compliance Rule (and the annual review requirement within it) as an anti-fraud rule, as described above, is, by itself, an unambiguous reflection of its importance. In the adopting release to the private fund adviser reforms, the SEC further explains that its examination staff relies on the annual review documentation to help it "understand an adviser's compliance program, determine whether the adviser is complying with the rule, and identify potential weaknesses in the compliance program". [emphasis added]
The italicized emphasis above reflects the catch-22 aspect of the annual review documentation requirement; that is, an annual review that documents a litany of compliance failures over the course of the year may seemingly hand SEC examination staff a referral to the SEC enforcement staff on a silver platter… creating a roadmap of violations of the Advisers Act or the rules promulgated thereunder that may not have otherwise been discovered. Herein lies the rub.
On the one hand, an annual review that doesn't uncover any opportunities for improvement can give the appearance that only a cursory annual review was performed or that an adviser has its proverbial head in the sand. A squeaky-clean annual review is at least optically suspicious. On the other hand, an annual review that uncovers egregious or repeated compliance violations could subject the adviser to an SEC enforcement action, which could even result in monetary penalties being assessed (and the potential reputational damage).
The leap from annual review documentation to enforcement action is bridged by SEC exam staff, who will almost certainly request an adviser's annual review documentation during the course of an examination and may refer any serious violations identified in the annual review documentation to the SEC's enforcement division (which is responsible for initiating proceedings against advisers). Annual review documentation must be provided to SEC exam staff "promptly", a turnaround time which is generally interpreted to extend beyond 24 hours only in "unusual circumstances".
Importantly, if an adviser uncovers truly egregious violations in the course of its annual review, it should consult with qualified legal counsel to navigate a path forward. This path may involve some combination of immediate remedial action and memorializing such remediation in the annual review documentation or elsewhere, or it may involve falling on the sword and self-reporting (though extreme caution is warranted before pursuing the latter path, as sometimes no good deed goes unpunished).
The overall lesson here is not to spin the annual review documentation to make it appear as if the adviser runs a perfect, impeccable compliance program. There are always opportunities for improvement. Identifying opportunities for improvement and implementing actions that take advantage of those opportunities are signs of a well-functioning annual review process.
Use Of Third-Party Compliance Consultants And/Or Attorneys
Advisers need not undertake the annual review alone, as the adopting release to the private fund adviser reforms makes it clear that "nothing in the [Compliance Rule] prohibits advisers from seeking the guidance of service providers or outside counsel during their annual review". In fact, in a roundabout way, the SEC contemplates that service providers or outside counsel may either 1) perform the annual review on behalf of or in conjunction with the adviser and memorialize the results for the adviser's own staff to document in a written summary, or 2) the service provider or outside counsel may itself produce the documentation of the annual review. The nature and extent to which an adviser engages a service provider or outside counsel in its annual reviews (or if it engages one at all) is simply a business decision.
If outside counsel is engaged as part of the annual review (either directly or as a conduit to a non-lawyer compliance consultant), the annual review documentation is generally not protectable under the attorney-client privilege, the work-product doctrine, or other similar protections. In other words, the retention of an attorney during the annual review process can't be used as an excuse not to produce written documentation evidencing the annual review to the SEC under the theory that it is non-disclosable under the attorney-client privilege. Notably, such assertions may be viable if an attorney is retained to perform a mock examination, for example, since a mock examination is not required under the Advisers Act or any rules thereunder, and therefore, there is no recordkeeping requirement associated with mock examinations. The annual review, on the other hand, is required under the Compliance Rule and written records are required to be maintained in furtherance thereof, which has the practical effect of neutralizing most claims of attorney-client privilege.
If an attorney is engaged to render legal advice about the annual review and the adviser still maintains separate documentation supporting the annual review process, such attorney-client communications about the annual review may be protectable under the attorney-client privilege. The applicability or inapplicability of attorney-client privilege is a nuance beyond the scope of this article, and is again an area in which outside counsel is best suited to advise.
To cite the adopting release to the private fund adviser reforms, "Attempts to improperly shield from, or unnecessarily delay production of any non-privileged record is inconsistent with prompt production obligations and undermines Commission staff's ability to conduct examinations".
All SEC-registered advisers are required to comply with the written record element of the Compliance Rule 60 days after publication of the amendment in the Federal Register (or 60 days from September 14, 2023). Whenever an adviser commences its review within the next 12 months after this compliance date, the review must be documented in writing.
An annual review can take many shapes and forms, and I encourage advisers to streamline their annual review process by breaking it down into bite-sized chunks over the course of the year by periodically testing their compliance program – and documenting the results of such testing – pursuant to an ongoing compliance calendar.
Regardless of whether an annual review is simply an amalgamation of notes or a polished report that follows APA Style guidelines, it should reflect an adviser's bona fide efforts to poke and prod at its compliance policies and procedures, identify opportunities for improvement, and actually implement such improvements when warranted.
An adviser will almost certainly be expected to promptly produce its documented annual reviews during its next examination, so it's best to create a game plan sooner rather than later!