Top Compliance Program Mistakes (and How to Avoid Them) (Part 2 of a three-part series)

The Devil’s in the Details – Avoiding Vague Procedures and Absolute Language in Your Compliance Manual

Advisers often spend significant time drafting compliance manuals, but are these policies truly effective in daily operations and risk mitigation? The strength of a compliance program lies in the precision of its language. Vague directives and rigid rules can cause confusion, hinder accountability, and attract regulatory scrutiny. In this second installment, we’ll explore the importance of clear and specific compliance procedures, effective responsibility assignment, and the need for flexibility. Learn how to write actionable compliance procedures, assign specific responsibilities, and maintain adaptable policies.

The Manual is Too Vague

Many firms’ compliance manuals do not specifically assign responsibility for ensuring that their policies are followed. Other firms simply assign responsibility for everything in the manual to the CCO. For example, a policy stating that “The Firm ensures that its investment adviser representatives (IARs) recommend an appropriate account type (e.g., wrap fee or other separately managed account) based on the client’s individual financial situation and requirements” does not “ensure” that the appropriate recommendations are actually made since it fails to assign responsibility to the firm’s IARs. When errors occur, the CCO has no way to hold the appropriate parties accountable, ultimately leading to increased regulatory risk.

Vague | Clear
The Firm ensures oversight of IARs. | Supervisors review IAR trading activity quarterly using [name of tool].

We recommend that compliance procedures include sufficient detail on the process and assign responsibility for its execution and oversight. For example, if investment adviser representatives are responsible for making investment recommendations for clients, the procedures should include standard criteria for making the recommendation, require the IAR to document the reasons for the recommendation, and include a periodic review of the process by others. Failure to follow the process should have consequences. An account opening request that is missing the required documentation could result in a NIGO (not in good order) status, halting the account opening until the deficiencies are rectified.

Responsibility for compliance with policies and procedures should be embedded in the firm’s supervisory structure. The CCO should rely on firm supervisors to do their jobs and then conduct testing periodically to confirm that the policies and procedures are being followed and working as expected. For example, daily trading blotter review, investment performance calculations, fee calculations, portfolio management and best execution should be handled by the firm’s existing supervisory structure. In these areas, firm supervisors are in a better position to see what is going on, identify potential issues and have the authority to resolve them.

Policies and Procedures Written in Absolute Terms

At the other end of the spectrum are compliance manuals that are too specific. Compliance procedures are often written in absolute terms, requiring the performance of specific tasks on an impractical schedule or when not required by regulation. Aside from wasting time and resources, failing to comply with the firm’s written processes can result in regulatory issues. During the examination process, the SEC staff reads the compliance policies and procedures. If the firm is not complying with its written procedures, the SEC can cite the adviser for noncompliance with the Compliance Program Rule (Advisers Act Rule 206(4)-7). Even absent client harm or legal violations, such discrepancies can still result in regulatory citations.

Here are a few real-life examples:

  • The CCO shall ensure that the firm’s branch offices adhere to all applicable compliance policies and procedures and that advisory services are provided in accordance with the Advisers Act and the regulations thereunder.
  • At the conclusion of each business day, the IAR or his/her designees will review the following documents related to client trades: daily blotter, copies of confirmations, and order tickets.

In the first example, the designated supervisor of the branch office should be responsible for ensuring that compliance policies and procedures are being followed. The CCO is not in a position to effectively supervise employees in the branch office. In the second example, the firm’s IARs act as portfolio managers for client accounts and enter client trades into the system. In practice, the firm’s IARs may periodically check to ensure that trades were executed, but many are not reviewing the daily trading blotter, confirmations, or trade tickets. The review may actually take place, but it may be performed by the Head Trader.

Leave room for operational reality—and good faith errors

Avoid | Use instead
Always | Typically/In general
Specific Times | Periodically
Never | Rarely/Only in limited cases
All | Most/Certain

Our advice is to look for the logical person(s) when determining who should be responsible for overseeing a procedure. In the first example, the head of the branch office should be accountable for ensuring compliance in that location, not the CCO. The procedure should reflect what actually happens, not what some law firm thinks should happen.

Compliance doesn’t have to be perfect—but it does have to be real. In the second example, consider how the IAR can practically confirm that the trades they initiated were executed correctly. Instead of reviewing the daily trading blotter, confirmations and statements, the firm’s operations team may be able to efficiently issue other daily reports to the IARs to facilitate their review.

No Standard Operating Procedures for Compliance Testing

As compliance consultants, we are often called in when the CCO or other senior compliance officer has left the firm. It’s ironic, but we routinely find no written standard operating procedures (SOPs) or documentation of the testing and monitoring required by the compliance program. Detailed SOPs not only ensure consistency—they also protect the firm during staff turnover or extended absences.

We recommend that compliance teams develop their own SOPs and include the following:

  • The purpose
  • Key regulatory references and resources
  • Description of the process
  • Identification of the responsible party

SOPs should be detailed but also reasonable for the firm’s operations. For example, if the test relies on a report from the portfolio management system, include instructions on how to access the system and run the report. It is often helpful to “test the test” by asking someone unfamiliar with the review to perform the test using the SOP, in order to identify gaps. Finally, designate a backup to perform each test (in case someone is on vacation or out sick) and arrange for access to critical systems.

The procedure should describe what the reviewer should be looking for and why. For example, an SOP requiring the CCO to review the trade blotter daily could detail that the CCO is looking for personal trading ahead of clients, unreported cross or principal trading, or trades in wrap programs that are charged commissions. The SOP should also outline how to perform and document the review and where it should be stored. Finally, compliance policies and procedures should include instructions on escalating issues. The development of SOPs is essential when compliance personnel leave the firm or are out of the office for an extended period. 


Need assistance with your compliance program? SEC3’s team of experienced compliance professionals can help. For more information, please email us at info@sec3ccompliance.com, call (212) 706-4029 x 229, or visit our website at www.sec3compliance.com.

 
SEC3 provides links to other publicly available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance. The information in this e-newsletter is for general guidance only. It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.
 
