We want to take the opportunity to share a few significant items put out by the SEC last month.
Enforcement Annual Report
On November 2, 2020, the SEC Division of Enforcement released its 2020 Annual Report for the fiscal year ended this past September. The recap shows that enforcement actions against Investment Advisers and Investment Companies came in at 137 for 2020 – accounting for one in five of all SEC enforcement actions but falling behind securities offerings enforcement as the lead category this year. The Division brought a total of 405 stand-alone cases in fiscal 2020, versus 526 in 2019, with 180 follow-on cases. The Division obtained 475 industry bars and suspensions and returned $602 million to harmed investors. While enforcement actions declined by 23% from 2019, disgorgement amounts were higher overall.
The overall rate of disgorgement was up 7.6% at $4,680 million for 2020, with a median action of $533,000. The top five percent of actions represented 81% of that dollar amount while the remaining 95% of actions amounted to $885 million. That amount yields an average of $2.3 million per enforcement action on cases outside those “top 5%” cases. That was down 11% over 2019, which had seen an average increase over 2018 of 37% per action.
The release can be found here.
SEC Outreach
On November 19, 2020, the SEC hosted its Compliance Outreach Program. The program included four panels covering Information Security and Operational Resiliency, Undisclosed Conflicts of Interest, Registered Funds, and Hot Topics. During the program’s introduction, the SEC noted the proliferation of guidance provided over the past two years. That became a common theme throughout the program.
Hot topics included issues affecting retail investors and senior clients, fintech-related topics, inconsistencies between business practices and disclosures, and advisers' marketing of impact, sustainable, and responsible investing.
Risk Alert – Compliance Programs
Also notable in November was the release (during the program) of a new risk alert, OCIE’s Observations on Investment Adviser Compliance Programs. The report cites shortcomings under the Compliance Rule itself as the most common issue across advisers.
Chief among these were the following issues:
- Inadequate Compliance Resources, including CCOs that are spread thin, whether the roles are internal or external; insufficient or under-qualified staff; and compliance programs that have not grown with the complexity of the firms.
- Insufficient Authority of CCOs, including access to senior management, participation in discussions with compliance implications, and authority to access key business information (trading files, agreements).
- Annual Review Deficiencies that ranged from failure to evidence any review to failure to identify key risk areas or omission of significant aspects of the adviser’s business.
- Failure to Implement Policies and Procedures, such as failure to review client accounts or new business documents; perform oversight as described (e.g., over best execution, advertising, fee calculations, etc.); failure to follow checklists identified in the compliance manual; and failure to provide compliance and other required training to employees.
- Maintaining Reasonably Designed Policies and Procedures: The SEC also noted Compliance Manuals that contained outdated or inaccurate information about the firm or that contained policies and procedures unrelated to the business conducted by the firm. Others had simply not implemented adequate policies and procedures, relying on cursory or informal processes and, in some cases, compliance programs of affiliates that were not tailored to the adviser’s business.
- Where firms did maintain policies and procedures, the SEC noted weaknesses across many areas, including portfolio management, marketing, trading practices, disclosure, fees, valuation, privacy, books and records, custody and safekeeping of assets, and business continuity.
- Notable among these in the COVID-19 world was the emphasis on oversight of remote locations, including remote offices, third party managers, vendors, and solicitors. Safeguarding assets and business continuity were also areas brought into focus by the dispersed working arrangements. And, of course, cybersecurity – and specifically encryption policies – was raised among the client privacy considerations.
- Business continuity plans. The maintenance of adequate disaster recovery plans was flagged because the business continuity plans were not tested or did not contain contact information or designate responsibility for business continuity plan actions.
While we haven’t addressed everything that happened on the regulatory front in November, our goal is to provide you with some insight as you prioritize year-end testing. We are here to help if you need it!