Speech by SEC Staff:
Put The Compliance Rule To Work: IA Compliance Best Practices Summit

by

Lori A. Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

Washington, D.C.
March 15, 2004

Thank you. I'm pleased to be here today. The focus of this conference is certainly timely - as it is clear to me, and I hope to all of you, that advisory firms must take action now to improve compliance practices. In simply too many instances, we have found advisers valuing their own profits over the interests of their clients. The recent cases of advisers allowing abusive market timing, sometimes by their own employees, late trading, and selective disclosure speak loudly, and plainly say: "Past compliance practices didn't work." Too many advisory firms seem to have forgotten that they owe the highest duty of fiduciary care to their clients. In too many instances, examination staff have found that compliance policies, procedures, and personnel were pushed aside and ignored. This cannot continue. As far as I am concerned, the Commission put everyone on notice when it said: "We will aggressively pursue and punish those who have violated the federal securities laws and breached their fiduciary obligations to clients." For advisory firms, it is time - indeed past the time - to get your compliance house in order and to let your compliance personnel perform the jobs they are expected to perform. Moreover, compliance staff can't do it alone, they must operate within an environment that recognizes and supports the role of strong compliance and ethical practices, whether they're in the room or not. I have referred to this in the past as a "Culture of Compliance." It's up to the business leaders of the firm to take steps to imbue a culture of compliance throughout the firm, and to lead accordingly, every day, in making decisions, big and small.

This is a message that the Commission intended to send unequivocally when it adopted the "Compliance Rule" last December. The new rule requires every registered investment company and investment adviser to adopt strong compliance controls administered by a chief compliance officer. The goal of the rule is to codify and enhance the compliance function, and by doing so, to foster improved compliance. This is a very important new rule and I urge advisers and funds to take it very seriously. The Compliance Rule requires four basic things of an adviser or a fund:

1. It must adopt and implement written policies and procedures to prevent violations of the Adviser's Act, and, for funds, the securities laws. These policies and procedures must be written and, in the case of a fund, approved by its board of directors.
    
2. It must conduct an annual review of its policies and procedures to see if they work.
    
3. It must appoint a chief compliance officer - someone who has the knowledge and authority to develop and enforce appropriate policies and procedures. Finally,
    
4. It must keep a copy of its policies and procedures, along with records that document their annual review.

The compliance date for the new rule - that is, the date by which all advisers and funds must have in place written compliance policies and procedures and have a chief compliance officer - is October 5, 2004. What is expected of advisers and funds on this date? When our examiners walk through a firm's door on October 5, they will expect the firm to have in place an effective and fully functioning Compliance Program. We will be looking for a program that reflects the reality of the firm's business and the conflicts and risks presented by that business. Let me offer some advice here - I suggest that advisory firms use this new rule and the time between now and October 5th to take a fresh look at existing compliance functions and to ask: "does this procedure really work?" "Is there a procedure that might work better?" "How sound are the firm's internal compliance checks and balances?" In addition, look at all areas of the firm's business for areas where the firm lacks compliance controls. Identify areas where there are conflicts of interest between the firm's interests, employees' interests, advisory client and shareholder interests. These are the areas to key in on, and hard. Then, after this thoughtful self-assessment, retool to improve existing compliance functions, and don't forget to adopt new compliance procedures to cover previously-uncovered areas.

So, how might one approach this task? Here are my thoughts on how firms might do so. Step one: conduct an inventory of compliance obligations under both the federal securities laws and pursuant to your disclosures to investors. Step two: identify areas of conflicts of interest. As you approach this, think about, in very realistic terms, what could go wrong? How could clients be harmed? Write these possible problems down. Consider the types of abusive conduct that has already been identified by the SEC in enforcement actions - but be more expansive in your analysis. Think about your service providers, too, and how their conduct - or misconduct - might harm your clients. Your goal here is to identify conflicts of interest that, if unmitigated, could lead to violations of any type. Step three: match existing compliance practices to your inventory of obligations and conflicts of interest and find any gaps. Step four: assess the effectiveness of existing compliance functions. In this stage, determine whether a particular compliance function makes violations less likely, and results in the prompt identification of violations. Step five: identify additional compliance procedures that are warranted. Step six: implement them, in writing in a clear, plain English manner, setting forth the goal of the compliance procedure, the regularity with which it will be performed and who will perform it. Part of successful implementation is to make sure employees are trained and understand their role in how the compliance function is to work. Step seven: test the compliance procedures. You can only ensure your Compliance Program is working if you test all the various components - and improve any weaknesses found. You should be tweaking your program over time - not simply waiting until the annual review. Mark your calendars now, because examiners will expect to see the annual review completed by October 5, 2005.

You may find that that the most effective way to undertake this entire assessment process is to utilize a committee comprised of staff from different areas of the firm, or to otherwise engage employees from all areas of the firm in a discussion about what procedures may be the most effective. You may also find that you benefit from outside assistance. Whatever process you use to review and implement new compliance processes, remember that your Compliance Program must be tailored to your business. Why? Because to be effective, it must be integral to your own operations. In this regard, I urge that you not slap together a Compliance Program at the last minute, or buy an off-the-shelf "one-size-fits-all" compliance manual. These Compliance Programs are not likely to be effective. If we find, after October 5th, Compliance Programs that are ill-suited to the firm's business and ineffective, our examiners will assume that compliance is not well-respected by these firms, determine that these firms are at high risk of violations, and will likely conduct a top-to-bottom, in-depth review of the firm's entire operations. And where appropriate we will make referrals to the Enforcement Division.

Thinking about how to manage risk areas is - or should be - nothing new! Firms have been doing this since the first day they went into business. We at the Commission have been certainly been talking about and enforcing the need for compliance for years. It also should not be new to hear that our examinations have been focusing on the identification of risk areas, the adoption of policies to mitigate and manage risk, the implementation of procedures to implement those policies, and the monitoring of the effectiveness of the procedures.

I know that many firms are starting this self-evaluation process, and indeed that's very likely the reason that you are attending this conference. As you know, the Compliance Rule does not list or mandate the particular areas for which firms must have compliance procedures, or the particular compliance procedures that must be adopted. Funds and advisers are too varied in their operations for them to have the same list of required elements. Instead, the Commission said that each firm's policies and procedures should take into account the nature of, and risks presented by, each organization's operations. The Commission also said that the policies and procedures should be designed to prevent violations from occurring (which is certainly the best outcome!), detect violations that have occurred, and correct promptly any violations that have occurred.

In the Release adopting the Compliance Rule, the Commission noted generally several areas where it would expect that advisory firms and investment companies would have policies and procedures. Not surprisingly, these areas closely correspond to risk areas that examination staff have been looking at for some time. Let me run down the list, and give some examples of the conduct that you should be focused on preventing. This is not by any means an exhaustive list.

1. Portfolio Management, including the allocation of investment opportunities among clients and the consistency of portfolios with clients' investment objectives, disclosures and regulatory restrictions. Some examples of conduct that compliance procedures should be designed to prevent are:
    
• Style drift - chasing returns;
• Violation of investment restrictions;
• Window dressing and portfolio pumping;
• Unfair allocation of securities, including initial public offerings;
• Use of 17a-7 and 10f-3 transactions to dump unfavorable securities; and
• Cherry picking.


2. Trading practices, including satisfying the duty of best execution and the use of client commissions to obtain execution, research or other services. Examples of conduct that compliance procedures should be designed to prevent include:
    
• Failure to obtain best execution;
• Failure to periodically and systematically review execution quality and to route and reroute orders accordingly;
• Use of commissions to obtain items/services outside the safe harbor of 28(e), and without adequate disclosure to clients/shareholders;
• Interpositioning an affiliated broker-dealer;
• Use of commissions outside of 12b-1 to pay for distribution, or use of commissions to pay for client referrals, without disclosure; and
• Failure to clearly disclose to clients the use of their commission dollars.


3. Proprietary trading of the adviser and personal trading by employees. Examples of conduct that compliance procedures should be designed to prevent include:
   • Market timing, insider trading, front-running or other abusive personal or proprietary trading;
   • Untimely or failure to report personal securities transactions;
   • Violations of the codes of ethics; and
   • Failure to properly identify and monitor trading by all access persons.
   
   
4. The accuracy of disclosures made to investors, clients and regulators, including account statements and advertisements. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Inaccurate or misleading performance numbers;
• Inadequate supporting documentation for performance claims;
• Misleading advertisements;
• Inappropriate use of after-tax returns; and
• Any statement in an ADV, brochure, prospectus, SAI or other document that is not 100% accurate.


5. Safeguarding of client assets from conversion or misuse. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Improper or inadvertent access to client assets;
• Unauthorized trading in clients' accounts;
• Improper disclosure of client account information;
• Delivery of false custodial statements to clients; and
• Discrepancies between the records of the firm and custodian.


6. Creating and maintaining accurate books and records. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Failure to maintain and have accessible all required books and records, including emails;
• Failure to protect records and information from unauthorized access and manipulation; and
• Maintaining inaccurate books and records - e.g., revenue and expense numbers are not accurate or timely; and
• Failure to produce business records required by inspection staff.


7. Marketing advisory services, including the use of solicitors. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Failure to disclose or inadequate disclosure of solicitation arrangements;
• Failure of solicitor to deliver adviser's ADV;
• Failure to disclose payments to employees for referrals; and
• Failure to contract for solicitation.


8. Valuing client holdings and assessing fees. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Illiquid or fair-valued assets not valued appropriately, or not back-tested; and
• Inaccurate computation of fees, or fees based on inaccurate computation of client assets.


9. Protecting the privacy of client records and information. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Failure to safeguard the privacy of clients;
• Failure to notify clients of policies on safeguarding;
• Lack of verification that client data is compiled accurately; and
• Integrity of client data is not protected from unauthorized changes.


10. Business continuity. Examples of conduct that policies and procedures should be designed to prevent include:
     
• Failure to prepare for, and test operations during human or natural emergencies;
• Failure to provide for availability of critical personnel and systems;
• Failure to verify continuity plans of third party providers; and
• Failure to protect records from unplanned destruction.

For investment companies, the funds' or their advisers' policies and procedures should address all of the pertinent areas noted above, as well as other critical areas, including the following.

1. Pricing of portfolio securities and fund shares. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Inaccurate NAV;
• Inaccurate accruals;
• Failure to value a position correctly;
• Failure to record or delete a position subsequent the purchase or sale;
• Inappropriate overrides of valuations;
• Failure to monitor prices;
• Inaccurate number of shares outstanding;
• Failure to monitor and timely value illiquid positions; and
• Inadequate NAV error correction policies.


2. Sales of Fund Shares. Examples of conduct that policies and procedures of the principal underwriter should be designed to prevent include:
    
• Failure to charge appropriate sales charges, including providing all discounts;
• Failure to ensure that sales of funds and fund share classes are suitable for the investor, that prospectuses are delivered, and that information provided to investors is accurate;
• Failure to comply with all fund disclosures concerning market timing; and
• Appropriate and lawful use of the Rule 12b-1 plan, including with respect to disclosure, board approval and actual use of 12b-1 plan monies.


3. Shareholder Processing. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Failure to execute orders and redemptions in a timely manner;
• Excessive backlogs leading to errors and corrections;
• Discrepancies between the number of shares on subsidiary and general ledgers;
• Failure to monitor the application of breakpoints and other sales charges; and
• Failure to comply with Rule 12b-1.


4. Identification of affiliated persons. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Improper or excessive payment of fees;
• Improper purchase or sale of securities;
• Loans to affiliated persons;
• Improper joint transactions; and
• Participation in an affiliated underwriting without compliance with requirements.


5. Protection of Non-Public Information. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Inappropriate and unauthorized disclosure of portfolio holdings, pending transactions or trading strategies to third parties; and
• Access persons' trading on non-public information.


6. Compliance with fund governance requirements. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Failure to perform all responsibilities required by the Investment Company Act and applicable rules;
• Failure to consider sufficient information in considering contract approvals and in excercising oversight;
• Lack of independence of directors;
• Board's financial expert is not actually an expert;
• Content of board minutes are vague or inadequate to record that fiduciary duty was met;
• Telephonic meetings in place of in-person meetings;
• Inadequate attendance at meeting; and
• Failure to review and monitor proxy voting policies and procedures.

Good corporate governance policies and procedures would dictate that a fund compile and preserve an accurate and complete record of board meetings. With respect to board minutes and records, "the less said" is not the better course. In the absence of minutes and records that document board members' performance of their statutory and fiduciary responsibilities, our examiners will have to assume that little or no discussion was held.

7. Market timing. Examples of conduct that policies and procedures should be designed to prevent include:
    
• Inconsistencies between disclosure and actual practice;
• Failure to ensure that policies are policed and applied;
• Failure to ensure that intermediary sellers are complying with the fund's anti-market timing policies; and
• Failure to monitor shareholder trades or money flows to detect market timing transactions.
   
8. Money Laundering. Examples of conduct that policies and procedures should be designed to prevent include:
    
• AML policies and procedures are inadequate;
• Failure to designate an AML officer;
• Failure to provide adequate AML training;
• Failure to monitor AML activities of agents;
• Failure to conduct an annual review;
• Failure to report suspicious transactions; and
• Inadequate customer identification process.

As I noted above, no one plan will suit every adviser. But this list of risk areas and potential risks is very basic - and advisers need to consider each area when drafting their Compliance Program.

Now, having hopefully helped start you on your way to identifying the areas that you will want your Compliance Program to cover, let me conclude, by retreading a bit the ground from which I started. Recent events underscore that advisory firms must take action now to improve compliance practices. I view the new Compliance Rule as a mandate certainly - as I said, examiners will expect full compliance with the rule on October 5th - but I also view it as an opportunity as well. I urge that advisory firms view the Compliance Rule as an opportunity to take a fresh look at existing compliance programs, and to retool and to adopt state-of-the-art new procedures designed to ensure that firms are fully compliant with the securities laws and their representations to clients and shareholders.

Thank you.

http://www.sec.gov/news/speech/spch031504lar.htm