The compliance manual is the foundation of your compliance program, so have you built a strong, custom home or a house of cards?
How many of you wrote your compliance manual yourselves? How many of you had one written for you? Now, how many of you actually read it in its entirety?
If you’re like most advisers, you hired someone to register you and they provided a compliance manual without much ado, stating it would fit your practice because all [fill in the blank] types of advisers are the same. Or maybe you found one online for a bargain-basement price. In either instance, the document was never looked at again. Then, when the regulators came, they responded with a deficiency letter that aptly noted your manual appeared to be “off the shelf” and not adequately tailored to your business practices.
But how did they know? Simple. It was so broadly generic as to lack named references to any actual service providers or people, processes were so general as to provide limited detail on how you actually conduct business, and they have examined enough advisers to recognize that this is the same template version provided by [insert latest trendy industry association] with a different company name at the top of the page.
I cannot preach enough: your compliance manual is the foundation of your compliance program. It should be a tome that can be picked up by any Tom, Dick, and Larry to operate your business. It’s not wrong to start off with a template manual. It’s wrong not to customize it, because then it doesn’t take into account your individualized business practices like a particular investment strategy, types of clients, trading practices, valuation procedures or advisory fees. And you may feel raw about the regulators’ comment, but if you are telling clients that you’re not like every other investment adviser in the market, then why does the document that articulates how your business is run look just like all the others?
Perhaps, though, you were one of the rarer breeds who invested some initial time and energy into your compliance manual. Maybe you had a good consultant who understood the importance of tailored policies and procedures, so they actually asked you about things like what gifts and entertainment reporting threshold made the most sense for your activities, your investment process, how you allocate block trades, your fee billing process (just to name a few). Or maybe you paid attention to the disclaimer to customize that off-the-shelf compliance manual you purchased online and spent some time editing it to fit your company’s practices. Bravo! You started out ahead of the game. If the regulators had waltzed in right after you registered, you would have likely come out smelling like roses.
However, the SEC and many state securities divisions only get to registrants once every 3-5 years. How many times have you modified your policies and procedures in the last 3-5 years? Probably not enough. Building a business is hard work. In the rapid shuffle of decisions throughout the year, you can forget to update your manual to reflect that those monthly client check-ins are now only done on a quarterly basis, or that, pursuant to the new cybersecurity regulations you’ve heard about, you started requiring stronger passwords. At a multi-person firm, it’s easy to forget to update references to particular roles that have responsibilities over certain business practices as they change over time. At single-man firms, it’s easy to forget to update anything at all because you don’t have to keep another team member informed of business practice changes.
The best way to ensure that change is captured adequately in your manual is to stop thinking about compliance as an afterthought and to start thinking about it as part of your day-to-day operations. There’s a reason the CCO is a C-suite executive. Whether you outsource that position or wear the hat yourself, it allows compliance to be privy to every minor and major business change in order to help craft appropriate implementation strategy or merely reflect it in the policies and procedures. When you involve compliance from the start, you ensure there’s someone at the table opining and executing on the firm’s developments compliantly. And, if you’re a one-man show wearing that CCO hat but without the compliance knowledge to back it up, then it may be appropriate to outsource the role or have outside consultants provide assistance. However, any outsourced service is limited in its ability to assist by how involved you allow it to be. With so many firms asking for a “set it and forget it” resource, I caution them that an outsourced CCO without a true seat at your table is wasted. They cannot respond to the changes your business makes on the fly unless you are constantly apprising them. There is no true “forget it” mode; there’s only making it someone else’s delegated authority. Whether it’s establishing monthly/quarterly calls, inviting them to executive meetings, or arranging that you will preemptively discuss changes you intend to make, you can’t forget about compliance. If you do, that outsourced compliance solution becomes a reactive solution putting out fires after the fact.
You may now be thinking that the catch-all solution is to cram your manual full of the most extensive and detailed policies and procedures you can come up with, but you’d stumble into the final common compliance manual taboo – not following your policies and procedures. This generally happens as a combination of the underlying issues already noted. There’s an outdated template manual that no one has actually read. So when regulators are interviewing your employees, they observe that the firm is not performing certain reviews or using certain forms the manual states it will, and thus employees are not performing their job the way the manual describes. Some of the discrepancies could be chalked up to the firm needing better training, but more often than not it’s an issue of policy stuffing. When a new regulation comes out, some just hire someone to draft a policy and procedure for it and assume that is the end of their obligation. However, if starting off with unread, template policies and procedures was bad, continuing to stuff your manual with more does not make it better.
The compliance manual is a living, breathing document that is a direct reflection of the firm’s operations. Just as you put effort into getting dressed and looking good to go out on a date, think of the manual as the reflection of you on a date with regulators and clients. Maybe most of you reading this don’t have clients that ask or care about your manual, but as you grow and want to serve ultra-high-net-worth clients, family offices, pension plans, or any true sophisticated investor, you will come to see that your compliance program matters to them. So make sure it looks good and is a powerful representation of you as a firm.