The SEC’s New Compliance Program Rules: Implications and Considerations

Reaction to the wave of late trading and market timing scandals came in the form of the SEC's compliance program for investment managers and advisors. This white paper, which I helped author for Deloitte, was written for compliance officers, C-level executives and board members of fund companies and provided them with a broad overview of the issues and implications issuing from this new regulatory initiative.

David R. Evanson

Privately Published, Winter, 2005

The Securities and Exchange Commission’s new compliance rules, as well as their implications, are complex. However, one important aspect of them is quite simple: The oversight and evaluation period has begun.

Fund and adviser operations that are occurring now are subject to new compliance rules, and their adequacy must be attested to one year from now. Thus chief compliance officers, as well as the boards and executive management teams they report to, must alter their orientation. There are now implications issuing from how they deploy and organize resources to comply with the SEC’s new rules. A proactive, bold approach, coupled with the caution appropriate whenever regulatory ground is broken, represents, in our view, the suitable response to a new era in fund and adviser compliance operations.

This new era holds promise for advisers, fund companies, boards, newly minted chief compliance officers, regulators, and most importantly, investors. Unlike many rules which represent a regulatory overlay designed to check or restrain, rule 38a-1 under the Investment Company Act and rule 206(4)-7 under the Investment Advisers Act (the “SEC’s Compliance Program Rules”) represent new and, in our view, improved regulatory initiatives that are designed to inhabit the fiber of investment companies and funds. We believe that in this respect, they offer fund companies and advisers the opportunity to integrate compliance into their operations and, in the process, improve their reporting and create a more transparent organization.

[Third Party Quote to Go With Introduction]
“Simply complying with the rules is not enough. They should, as I have said before, make this approach part of their companies’ DNA. For companies that take this approach, most of the major concerns about compliance disappear. Moreover, if companies view the new laws as opportunities – opportunities to improve internal controls, improve the performance of the board, and improve their public reporting – they will ultimately be better, more transparent, and therefore more attractive to investors.”

William Donaldson
Chairman, US Securities and Exchange Commission
July, 2003
[End of Third Party Quote to Go With Introduction]

[Purpose of Discussion Statement]
The discussion that follows examines the shifts in the investment management industry, the responses to these shifts, and how the regulatory bodies ultimately reacted. Further discussion and analysis is offered on the new compliance regulations and the strategic response warranted from fund companies and investment advisers alike. Finally, we examine a framework for evaluating the effectiveness of a compliance program.
[End Purpose of Discussion Statement]

[Sidebar: Inquiring Minds Want to Know]

The following questions concerning Chief Compliance Officers came from audience members at Deloitte’s October 12, 2004 symposium on the SEC’s Compliance Program Rules.

Can the fund CCO and adviser CCO be one and the same?

For adviser firms (but not investment companies) with an existing Director of Compliance, is a formal corporate resolution required designating a Chief of Compliance?

How closely do you think the SEC will examine the qualifications or experience of the fund CCO? Will the SEC find that a fund board approved a CCO that did not have the type of experience that the SEC thought the CCO should?

Does a CCO for a non-broker-dealer registered investment adviser need any registration?

At the fund level, are most of your clients looking to outsource or hire an internal CCO? Which option do you think is the best?

What are the licenses required for someone to be deemed qualified to be a CCO? Are these pre-requisite licenses or can they be obtained after the CCO’s appointment?

Can you clarify the role and obligations of the fund’s CCO versus those of the adviser’s CCO?

Are CCO reports to the Board, both interim and annual, intended to be in open meeting session or solely in executive session?

[End Sidebar: Inquiring Minds Want to Know]

How Did We Arrive At The Current Point in Time?

An optimist’s view of the world would suggest that it is the success of investment companies and investment advisers, not their shortcomings, which provoked an overhaul of compliance programs. Given the legacy of the fund business, and its change and evolution, a series of stop gap regulations were put in place over time, resulting in varied responses among fund companies and advisers. The unevenness of these responses culminated, in part, in the approach the advisers and fund companies are implementing today with the SEC’s Compliance Program Rules.

Much of the change in the fund business is attributable purely to growth. Since their introduction in 1924, assets and the number of funds have increased dramatically, growing at a compound annual rate of 16.95% since 1940, and now stand at more than $7.4 trillion.

As assets climbed, so too did the number of financial services firms offering mutual funds. Banks, insurance companies, brokerages and asset managers all began offering mutual fund products. Massive entry into the market had a commoditizing effect on the product. A well managed mutual fund with good performance mattered. But an average performing mutual fund with wide distribution was more likely to be a success for a fund company. Thus growth, in terms of assets, number of funds, and the kinds of companies offering them, meant that one of the most important elements in the mutual fund industry was distribution.

Source: The Investment Company Institute.

Testimony to the importance of distribution in the mutual fund business was the creation of the mutual fund supermarket in 1992. Fundamentally, the creation and success of fund supermarkets was attributable to market forces. Investors recognized that proprietary access to mutual funds was not as advantageous as one stop shopping and access to almost all mutual funds. As the chart below indicates, the introduction of mutual fund supermarkets represented an inflection point in the growth of assets under management, and remains an important distribution channel for the industry.

However, the emphasis on distribution exerted forces on the industry and how fund companies marketed their products. Many business practices materialized which assisted in the acquisition and maintenance of distribution channels. In retrospect several of these practices challenged the fiduciary responsibilities of fund managers and advisers.

For instance, many fund companies directed their securities trading to brokerages which distributed their funds. These trading commissions represented lucrative business for the brokerage firms, and substantially reduced the marketing expenses of fund companies. However, it was questionable whether or not mutual fund shareholders were getting the best execution, and on the other side, whether or not brokerage customers were getting exposure to the funds most likely to suit their needs. In September of 2004, the SEC adopted amendments to the Investment Company Act that prohibited the practice of compensating broker-dealers for selling mutual fund shares through the use of directed brokerage arrangements.

Similarly, some fund companies and advisers were allocating a portion of the 12b-1 fees toward marketing and inclusion in a variety of fund supermarkets. However, since this was a fee borne by investors, the reallocation was a diversion of funds away from oversight toward marketing activities that many fund companies should have borne as a cost of doing business.

Likewise, almost all advisers and fund companies used soft dollars, which presented a conflict of interest between their need to obtain research and their clients’ interest in paying the lowest commission rate available and obtaining the best possible execution. In addition, some soft dollar practices expanded to include funding of rents, equipment, salaries, travel, interior design and even construction expenses, further compromising the mutual fund shareholder’s receipt of the best possible execution services.

Perhaps the conflicts in business practices culminated in market timing abuses. By agreeing to place other assets with the adviser or fund company, or distribute products, individuals and hedge funds were granted access to sell in and out of mutual funds in excess of what other shareholders could do.

Clearly, conflicts of interest were resident throughout the business. These practices became imbedded in the operations, and to some degree the mentality of fund companies and their advisers, because they proliferated during a period of expansion, prosperity and success.

[Sidebar: A Timeline of Mutual Fund Milestones]
1924 The first mutual funds are established in Boston.
1933 The Securities Act of 1933 is enacted to regulate the registration and offering of new securities, including mutual funds.
1936 The Revenue Act of 1936 establishes the tax treatment of mutual funds.
1940 The Investment Company Act of 1940 establishes the regulatory framework for the mutual fund industry.
1951 The total number of mutual funds and mutual fund shareholders passes 100 and 1 million respectively.
1954 Household purchases of mutual fund shares exceed stocks.
1962 The Self-Employed Individuals Tax Retirement Act results in the creation of Keogh plans for self-employed individuals.
1971 Money market mutual funds are introduced.
1974 The Employee Retirement Income Security Act (ERISA) creates the Individual Retirement Account (IRA).
1978 The Revenue Act of 1978 permits the creation of 401(k) retirement plans and simplified employee pensions (SEPs).
1988 The SEC adopts a standardized presentation of fund fees for prospectuses.
1990 Mutual fund assets exceed $1 trillion.
1993 The first exchange-traded funds are distributed.
1997 The Taxpayer Relief Act of 1997 results in the creation of Roth IRAs.
1998 Mutual fund assets exceed $5 trillion.
2003 Investigations uncover instances of late trading and market timing involving mutual funds. The SEC undertakes a wide-ranging action plan to reexamine

[End Sidebar: A Timeline of Mutual Fund Milestones]

The Plates Shift Beneath the SEC

As assets under management and product classes mushroomed, the SEC’s examination program was undergoing its own changes. The examination program was first established under the Securities Exchange Act of 1934 and was broadened to cover investment companies and their affiliates when Congress enacted the Investment Company Act in 1940, which authorized the SEC to conduct examinations and to require investment companies, their affiliates and auditors to provide copies of their records.

Still, it took the SEC almost seventeen years to establish an active examination program for investment companies. Its first inspections in 1956 uncovered such a myriad of irregularities that the SEC determined that a regular program of inspections was necessary. The program was formalized by the Commission in 1960 with a process in which headquarters staff reviewed field office inspection reports.

With the creation of the Office of Compliance Inspections and Examinations (OCIE) in 1995, the inspection of funds and advisers took place on a rotating schedule every five years. While it was easy to recognize that inspections needed to evolve from reactive to proactive, there was no budget or momentum to effect such a change in orientation.

But the corporate scandals which surfaced in 2001 provided the mandate for a more risk based approach, which is being pursued today by the SEC. These risk based examinations focus on detecting the kinds of violations that impact mutual fund shareholders most directly, which include the use of client brokerage commissions to pay for products and services that provide benefits to the adviser, allocations of securities among different types of clients, and calculations of an adviser’s performance.

In addition, the SEC began so-called sweep investigations in areas of particular interest including personal securities trading by fund personnel, privacy, soft-dollar payments, anti-money laundering programs, and payments for fund distribution.

A greater focus on risk based examination gave currency to the notion of a more process oriented compliance program among advisers and fund companies. In addition, issues uncovered in September of 2003 with respect to market timing abuses led to recognition within the SEC that there needed to be a compliance process under the leadership of a Chief Compliance Officer. A direct reporting relationship between a fund’s board and the Chief Compliance Officer enabled the latter to become the eyes and ears of the former so that inappropriate practices were not engaged in. In addition, a Chief Compliance Officer could ensure that a compliance program was in place for advisers as well as fund companies that would prevent, correct and detect violations of federal securities laws as well as breaches of the organization’s own policies and procedures.

Bird’s Eye View of the SEC’s Compliance Program Rules

The chapter and verse of rules 38a-1 under the Investment Company Act and 206(4)-7 under the Investment Advisers Act that were ultimately developed by the SEC is not covered here. Our purpose is to provide context and perspective on the genesis of the Compliance Programs, and to highlight some of the strategic implications for fund companies and advisers.

Still, for the purposes of clarity, a brief overview of the SEC’s Compliance Program is merited. The Compliance Programs must incorporate:

– Written policies and procedures reasonably designed to prevent violations of federal securities laws.

– An annual review of the policies and procedures for their adequacy and the effectiveness of their implementation.

– The appointment of a Chief Compliance Officer (the “CCO”) who shall be responsible for the administration of the compliance policies and procedures.

For investment advisers, the annual review should consider any compliance matters that arose during the previous year, any changes in the business activities of the investment adviser or its affiliates that may require amendments to the policies and procedures and, finally, any changes to the adopted policies and procedures that may be appropriate because of regulatory changes.

[Sidebar: Inquiring Minds Want to Know]

The following questions about policies and procedures came from audience members at Deloitte’s October 12, 2004 symposium on the SEC’s Compliance Program Rules.

Do the rules to have written compliance procedures imply a formal supervisory or compliance manual?

How do you feel the SEC would react to a grid/summary format versus a full policy manual format?

How are companies defining material changes/compliance matters?

What is your definition of the responsibility of administering policies?

If the fund has delegated oversight of service providers (sub-advisers, TA, administration) to the adviser, how detailed should the fund’s written policies and procedures be?

[End Sidebar: Inquiring Minds Want to Know]

For investment companies, a fund’s board must review its compliance policies and procedures annually, as well as those of its investment advisers, transfer agent, distributor, administrator and any other service provider. The board may rely upon a review submitted by the Chief Compliance Officer in his or her annual report submitted to the board. The annual report of the CCO should address at a minimum:

– The operation of the compliance policies and procedures of the fund and each service provider.
– Any material changes to the policies and procedures since the last report.
– Any recommendations for material changes to the fund’s policies and procedures.
– Any material compliance matters since the date of the last report.

The Compliance Programs evolved according to the following timeline:

– Rules 38a-1 & 206(4)-1 Adopted: December 2003
– Effective Date of Rules: February 2004
– Mandatory Compliance Date: Oct 5, 2004
– First Annual Evaluation Period End Date: April 2006
– First CCO Board Report Due: June 2006

Phases shown on the timeline: Compliance Program Readiness; Oversight & Eval. Period

With respect to the timing, one point is critical. Fund companies and advisers have entered the time frame that will cover the annual review which will occur during the latter spring of 2006.

SEC Compliance Program Rules – For Advisers, An Opportunity to Take A Fresh Look

Traditionally, investment advisers have operated under comprehensive compliance regimes. Many investment advisers already maintain compliance personnel on staff. As a result of this legacy, the SEC’s Compliance Program Readiness period from February of 2004 to October of 2005 was, for advisers, tantamount to a ‘free pass’ to take a look at adopted policies to make sure they were appropriate to prevent, detect and correct violations of federal law. Moreover, it was also an opportunity for advisers to take a fresh look at their business and think about not only the regulatory areas the SEC identified, but also to do a risk based analysis of other areas and to consider if there might be new policies and procedures that could be appropriate to facilitate compliance.

There are several operational areas that might make for productive and fruitful examination on an ongoing basis. However, perhaps one universal point of departure for each of these areas of consideration is whether or not the documentation written years ago is still relevant and appropriate to the business the adviser is currently engaged in.

In addition, CCOs should keep in mind that the language of 206(4)-7 anticipates varying levels of policy, depending on the complexity of the adviser’s business. Specifically: “We would expect smaller advisory firms without conflicting business interests to require much simpler policies and procedures than larger firms that, for example, have multiple potential conflicts as a result of their other lines of business or their affiliations with other financial service firms.” How might this work in practice with the potential areas of focus? For instance, with respect to affiliated transactions, to the extent that investment advisers operate as a stand alone shop, their need for controls around affiliated transactions is not as great as that of a large financial services organization that is a registered investment adviser with an affiliate that is a broker/dealer, with the adviser directing trades within the same holding company.

Other areas of potential focus spelled out in 206(4)-7 include:

Code of Ethics and Personal Trading

Portfolio Management Processes

Trading Practices

Client Disclosures

Custody of Client Assets

Books and Records

Advertising and Marketing

Valuation of Assets

Material Non-Public Information

Business Continuity

Proxy Voting

While taking a fresh look at these areas and others within the context of a risk based analysis may not require new thinking on the part of investment advisers per se, what clearly does represent a new frontier are the annual reviews and the obligations and responsibilities which flow from them. Specifically, according to the amended Investment Advisers Act,

“Rule 206(4)-7 requires each registered adviser to review its policies and procedures annually to determine their adequacy and the effectiveness of their implementation. The review should consider any compliance matters that arose during the previous year, any changes in business activities of the adviser or its affiliate and any changes in the Advisers Act. . .”

[Third Party Quote to Appear on or About This Page]
While the Commission can write rules, set standards and hold lawbreakers legally accountable, true reform must also rest on the establishment and nurturing of a culture of fiduciary responsibility that comes from within the industry, not just one that is imposed from the outside through regulation or legislation.

Paul F. Roye
Director, Division of Investment Management
U.S. Securities and Exchange Commission
Remarks Before the Investment Company Institute General Membership Meeting
May 20, 2004
[End Third Party Quote to Appear on or About This Page]

In this light, compliance policies and procedures evolve from a defensive measure to a proactive measure designed to detect, protect and correct violations of federal law. However, the compliance function does not assume this proactive mantle simply because an annual review of policies and procedures has been mandated. Rather, the intended result is achieved with management’s active engagement in the process, and a sincere desire on their part to make changes in compliance procedures and policies that accommodate shifts in their business, the Advisers Act or other external factors. Management’s ability to do this effectively is not foreign; however, its application to this area of their business is new and, as a result, may likely prove to be one of the most challenging aspects of the amendment.

SEC Compliance Program Rules – For Investment Companies, An Opportunity to Integrate and Optimize

Investment companies face a different set of challenges with respect to the SEC’s Compliance Program Rules. Specifically, most investment companies already navigate a broad array of mandated controls and procedures and the attendant requirement to review the effectiveness and appropriateness of these procedures within their operating environment. For instance, Section 302 of the Sarbanes-Oxley Act, the Anti-Money Laundering Procedures of the Patriot Act, and the privacy policy procedures under the Bank Secrecy Act all represent, with varying degrees of concentration, the requirement to implement controls and procedures and to review their effectiveness.

However, with most extant regulation, the requirement to implement and evaluate controls and procedures focuses on relatively narrow functional areas. With the adoption of 38a-1, however, one of the chief challenges for investment companies is now to ensure that policies and procedures for a wide array of activities are appropriately designed and operating effectively for the global, enterprise-wide compliance mechanism. Some suggested areas of focus include:

Pricing of Portfolio Securities

Processing of Fund Shares

Distribution of Fund Shares


Identification of Affiliated Persons

Protection of Non Public Information

Fund Governance

Market Timing

Late Trading

Anti Money Laundering

Customer Privacy

Thus, in some respects, the SEC’s Compliance Program Rules require mutual fund companies to engage in a process of optimization. That is, to coordinate their many implementation and oversight activities in such a way that does not hinder, but in fact enhances the operation of the business.

Evaluating the Effectiveness of Compliance Programs – Challenges and Strategies for Annual Reviews

Chief compliance officers will find a number of challenges in their annual reviews of the firm’s policies and procedures, and in the case of investment companies, the policies and procedures of its service providers. The latter requirement for the review of the policies and procedures of service providers, which is germane to fund companies, adds a layer of complexity for CCOs. In addition, the CCO will find new challenges in determining how the annual report of compliance policies and procedures which they prepare is presented to the board, and what, if any, actions the board intends to take based on information contained in the annual report, as well as the manner in which the board communicates its intentions to the CCO.

These challenges notwithstanding, CCOs of fund companies as well as advisers face the same basic strategic challenge. Their annual report must examine whether or not the design of the compliance program is sufficient to meet the requirements and whether the control activities are effective in addressing what the design purports. Moreover, if the design of the program is effective, CCOs must adopt techniques for observing and evaluating the components on a day to day basis.

The bulk of this challenge may be met someday with a standardized compliance report that is under development as part of an industry wide initiative. The need for such reports has come to the fore because CCOs are operating without precedent and with responsibilities which are extensive by any standard. The existence of a standardized format would be a resource to CCOs because it would provide a framework which they could draw upon in their own annual compliance reports. Deloitte & Touche has developed its own standardized report format to use in the meantime. This report, a Compliance Program Examination Report, consists of three parts: a description of the compliance program, a program examination and, finally, an audit opinion.

Another significant challenge associated with the SEC’s Compliance Program Rules is talent. The skill set of professionals that can do the kind of work which represents the underpinning of the annual report is not common. Success will require facility with control testing, the asset management business and fluency in the regulatory requirements. Moreover, CCOs at fund companies will face another challenge: as the eyes and ears of the board, they must employ the kind of deft human relations skills normally reserved for state diplomacy. Specifically, how to effectively work for the fund’s board of directors, yet blend on a day to day basis with employees over which they are exercising regulatory oversight?

[Sidebar: Inquiring Minds Want to Know]

Evaluation Process

The following questions about the compliance program evaluation process came from audience members at Deloitte’s October 12, 2004 symposium on the SEC’s Compliance Program Rules.

Has the SEC provided specific guidance on the minimum steps that should be taken by an investment advisor in its annual review such as a sample check list?

If we were to engage a third party consultant in such a review, would we receive a SAS 70? If not, what are the differences?

Does risk assessment mean inherent risk or risk after considering controls in place? If you say risk is high but you have controls which have reduced the risk, is it then considered low risk?

What type of documentation are you seeing people keep for the annual review?

Is the exam engagement an AT 601?

Can the CCO rely on internal audits of specific functions to assess, for example, allocation, to determine it is effective, or does he/she have to do their own review/digging?

For an investment adviser, how should the annual review be documented? And does this have to be submitted to the Board?

Is Deloitte preparing to help test investment adviser compliance programs? If so, what is the scope and depth?

[End Sidebar: Inquiring Minds Want to Know]

Perhaps the most significant challenge that will be faced by CCOs is the requirement to review the policies and procedures of their service providers. When the issue of certifying the policies and procedures of service providers first surfaced regarding compliance with Section 302 of Sarbanes-Oxley, the industry gravitated toward self certification. Human nature took its course with respect to this approach: issues were rarely, if ever, identified by service providers, calling into question reliance on these certifications.

But there was another, more fundamental problem with self certification as it relates to the SEC’s Compliance Program Rules. The CCO cannot execute his or her duties without evaluating the policies and procedures which they are certifying as adequate.

[Sidebar: Inquiring Minds Want to Know]

The following questions about fund service providers (FSPs) came from audience members at Deloitte’s October 12, 2004 symposium on the SEC’s Compliance Program Rules.

What about compliance policies and procedures of fund accountants and custodians? Please clarify third party service providers covered under the Rules. Is a fund accounting agent covered under the rule?

What are CCOs looking for from service providers on an ongoing basis to support their need to report to the board?

For service providers over the next 18 months, do firms plan to conduct on-site visits of every provider?

Are FSPs aware of the fact that they really don’t have 18 months to test as their MF clients will be looking for results earlier than that in order to roll into the funds’ overall evaluation of their program?

[End Sidebar: Inquiring Minds Want to Know]

The evaluation of service provider policies and procedures presents an industry wide challenge. It appears impractical for CCOs to evaluate the policies and procedures of a myriad of service providers. It appears equally impractical for service providers to support the examinations of hundreds, and in some cases, thousands of CCOs seeking to discharge their duties under the SEC’s annual review requirement.

For this reason, third party attestation of the effectiveness and design of compliance programs of service providers may be necessary. Obviously, it’s much easier for service providers to share an auditor’s report with fund CCOs. In addition, CCOs can reasonably review and evaluate auditor reports. In fact such a higher level review by CCOs might more effectively embody the spirit of the SEC’s Compliance Program Rules. After all, the program was put into place to achieve a higher and more productive level of oversight, not necessarily a higher level of activity on the part of CCOs, advisers and investment companies.

[Third Party Quote to Appear on or About This Page]
Although better transparency and disclosure practices are key components of reform, true reform will require changes in the boardroom. Fund shareholders rely on the board to aggressively police potential conflicts of interest and to vigorously protect shareholder interests.

Senator Richard Shelby
U.S. Senate Committee on Banking, Housing, and Urban Affairs
February 25, 2005
[End Third Party Quote to Appear on or About This Page]

Fund and adviser CCOs alike will need to consider strategies and tactics for understanding executive management’s, or the board’s, expectations for the annual report. What level of detail do they expect? What level of materiality? Do they want to wait for an annual review, or do they expect a series of quarterly reviews leading up to the annual review? With respect to these issues, it’s important to keep in mind that the board or executive management may be looking for guidance on these procedures. The repercussions for violations of the SEC’s Compliance Program Rules are material, and accordingly, executive management and fund boards will be intensely interested in information and processes that have an impact on their oversight, governance or fiduciary responsibility.

What boards and executive management teams may ultimately come to prize equally in CCOs is the discharge of their duties and an ability to coordinate and integrate the various risk, control and evaluation initiatives required by regulation and by fiduciary responsibility. While the SEC’s Compliance Program Rules are new, and as a result, are garnering substantial attention, in the eyes of the law, all of the compliance initiatives are equally important. Thus, boards and executive management teams will look to CCOs to focus the allocation of resources so as to maximize compliance while optimizing the use of the funding devoted to this function. While post October 5th compliance may inhabit the DNA of advisers and fund companies, profitability and expense ratios, respectively, still belong to their hearts.

The most important takeaway point from this paper is also the easiest to understand: The oversight period has begun. The executive management of advisers, fund boards and CCOs are now operating in the period which will come under review.

While the novelty of the SEC’s Compliance Program Rules creates uncertainty, this uncertainty does not remove responsibility. In our view, a proactive, bold approach, coupled with restraint, is not only the appropriate orientation, but the one which will also yield the best long term results for the compliance program as well as the day to day operations of the fund or adviser’s business.
