Question: If an adviser inadvertently receives securities from a client, under the amended rule may the adviser forward the securities to the qualified custodian instead of returning the securities to the client?

Answer: No. If the adviser does not return the securities to the sender within three business days, the adviser not only has custody but has also violated the amended rule’s requirement that client securities be maintained in an account with a qualified custodian. However, the Division would not recommend enforcement action to the Commission under certain circumstances if an adviser inadvertently receives tax refunds from tax authorities, or client settlement proceeds from administrators in connection with class action lawsuits and other legal actions, or stock certificates, dividends, or evidence of new debt from issuers in connection with class action lawsuits involving bankruptcy or business reorganization, and forwards these client assets within five business days of its receipt and maintains appropriate records.

This past Friday, the staff of the Division of Investment Management issued its much anticipated responses to questions about the amended custody rule. I will address each one in turn, but since I have been focusing on the due inquiry requirement I want to start with that first. There had been a question of how an adviser could satisfy the due inquiry requirement when clients receive their account statements from their qualified custodian by way of a download from the custodian’s web site. here is the SEC’s response:

“Advisers whose clients receive electronic statements from qualified custodians must still form a reasonable belief after due inquiry that the clients are receiving those statements. The adviser may satisfy this requirement by, for example, being copied on the email notifications of account statement postings sent to clients in addition to having access to client statements on the custodian’s website, although this is not the exclusive means of forming that reasonable belief.”

Dear Compliance Professional:

The purpose of this compliance training material is to familiarize you with key issues regarding information security.

Overview

One of the most pressing compliance issues for investment advisers is how to satisfy SEC requirements in the area of information security. The following checklist will allow you to take measure of your advisory firm’s existing information and data security program.

While each and every of the following questions may not apply to the conduct of your advisory business, for those questions that do apply, you should be able to answer “yes”.

Information Security Checklist

1. Policy.  Has your advisory firm developed and implemented comprehensive information security policies and procedures?

__  Yes    __  No

2. Acknowledgment.  Are all employees and independent contractors required to provide written acknowledgment of their understanding and acceptance of your advisory firm’s information security policies?

__  Yes    __  No

3. Confidentiality Agreements. Are confidentiality agreements signed before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

__  Yes    __  No

4. Physical Security. Are buildings, paper records, computer and network equipment and storage media within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?

__  Yes    __  No

5. Anti-Virus. Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?

__  Yes    __  No

6. Internet Security. Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication,) and incident response capability?

__  Yes    __  No

7. Software Patches.  Are security-sensitive software patches promptly applied to systems that are accessible to users outside of your advisory firm?

__  Yes    __  No

8. Data Protection. Is sensitive, valuable information properly protected from unauthorized access?

__  Yes    __  No

9. Business Resumption Plan. Does your advisory firm have a documented and tested business resumption plan for critical computer system and associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

__  Yes    __  No

10. Portable Data.   Does your advisory firm encrypt sensitive information stored on portable devices including laptop computers and smart phones?

__  Yes    __  No

11. Telecommuting. Does your advisory firm ensure the safety of sensitive client information in remote or home offices?

__  Yes    __  No

12. Data Security Breaches. Does your advisory firm have the ability to detect the unauthorized use of, or access to, sensitive client information?

__  Yes    __  No

13. Training. Does your advisory firm have a program in place for training employees on the proper use of your firm’s computer security system, and the importance of information security?

__  Yes    __  No

14. Due Diligence. Does your advisory firm conduct due diligence on the information security programs of third-party service providers?

__  Yes    __  No

The purpose of this compliance training material is to familiarize you with key issues regarding the annual review process.

……………………………………………….

Overview

In accordance with Rule 206(4)-7(b) under the Advisers Act, an investment adviser is required to perform an annual review of its compliance policies and procedures to determine whether they are adequate, current and effective in view of the advisory firm’s businesses, advisory services, and regulatory requirements.

In this review, the Chief Compliance Officer (or other designated individual(s)) is required to consider (i) any compliance matters that arose during the previous year; (ii) any changes in the advisory activities of the advisory firm; (iii) any previous SEC and other applicable regulatory examination deficiency letters (to confirm that past deficiencies were corrected and are not reoccurring); and (iv) any changes in the Advisers Act and other applicable laws and regulations that might suggest the need to revise certain policies and procedures.

Goals of the Annual Review

Determine whether the Procedures are Adequate

1. Do the procedures address all applicable areas of the advisory firm’s business?
2. Have all laws and rules been cited?
3. Do the procedures require the advisory firm to do what the rules require?

Determine how Effectively the Advisory Firm’s Procedures have been Implemented

1. Are they reasonably designed to detect violations and promptly correct any violations that have occurred?
2. Is there sufficient: (i) supervision; (ii) employee training; (iii) forensic testing; and (iv) problem detection and correction?

Methodology for Conducting the Annual Review

Step 1:     Review the inventory of the compliance obligations under state and federal laws, SEC rules, contracts with clients, offering documents and disclosures made to clients.  Review should include:

• Identification of recent SEC exams including any deficiencies raised and any corrective actions taken;
• Identification of the advisory firm’s interim reviews and other audits and any follow-up or corrective action;
• Identification of any serious compliance issues that arose at the advisory firm in the past year;
• Identification of any serious compliance issues that arose in the investment advisory industry in the past year;
• Identification of violations reported pursuant to the advisory firm’s code of ethics;
• Analysis of compliance implications of any new businesses, discontinued businesses and change in the advisory firm’s operations during the past year;
• Analysis of new statutory or regulatory requirements that impact the advisory firm’s business;
• Identification of “hot topics” identified by the SEC staff;
• Description of how the advisory firm sought to identify risk; and
• Description of how the advisory firm went about assessing the effectiveness of critical controls.

Step 2:    Compare the inventory of obligations against existing procedures:

• Determine whether the procedures specify the actions to be taken to achieve compliance;
• Identify any gaps and determine whether new procedures need to be developed or current procedures enhanced to address such gaps; and
• Determine whether new obligations arose as a result of new products offered or new regulations were adopted since the last review.

Step 3:    Assess the effectiveness of existing procedures and how well the advisory firm is implementing the procedures as currently written. For each procedure evaluate whether the procedure:

• Makes violations less likely;
• Results in prompt identification of violations;
• Collects in a timely fashion the information necessary to allow the advisory firm to correct problems as they are identified;
• Is written in plain English articulating the goal of compliance and how it is supervised; and
• Is adequately supervised by responsible personnel of the advisory firm.

Step 4:    Engage in a risk-assessment strategy that targets high-risk areas of the advisory firm’s business.

• Review well-recognized areas of conflicts of interest present in the advisory firm’s operations (i.e. personal trading accounts, allocation of aggregated orders and advertising materials);
• Identify any conflicts that, if left unmitigated, could result in harm to the advisory firm’s clients; and
• Develop procedures to mitigate or eliminate these conflicts.

Step 5:    Test and assess the procedures periodically.

• Use “forensic testing” including the examination of samples of accounts, transactions, communications for consistency with the advisory firm’s procedures, compliance with the law and outcomes for clients.

Documentation of Findings

As part of the annual review, the advisory firm should document the following:

• Whether the compliance policies and procedures continue to be reasonably designed to prevent and detect violations of the Advisers Act and its rules;
• Whether the compliance policies and procedures are being adequately carried out by accountable personnel of the advisory firm; and
• Whether any customer harm resulted from any significant compliance deficiency that was uncovered as part of the annual review.

The purpose of this compliance training material is to familiarize you with key issues regarding the risk assessment process.

……………………………………………….

Overview

Investment advisers are required to evaluate how their advisory activities, arrangements, affiliations, client base, service providers, conflicts of interest and other business factors may cause violations of the Investment Advisers Act.  The results of this risk assessment should serve as the basis for drafting and revising compliance policies and procedures that are designed to mitigate, manage and control each risk area in ways that reflect advisory firm’s resources and need for assurance that violations can be prevented or, if violations occur, that such violations will be detected promptly and corrected.

A risk assessment involves identifying and prioritizing issues pertaining to an investment adviser’s operations that may create risk to the interests of the advisory firm and/or its clients. Accordingly, investment advisors need to (1) identify areas of risk that may be part of their advisory firm’s everyday operations; (2) assess whether the controls in place managing or mitigating these risks are adequate; and (3) make modifications to their advisory firm’s compliance policies and procedures as necessary.

Types of Risk

An adviser should consider the following types of risk as potentially harmful to the interests of the advisory firm and its clients.

Operational Risk

Operational risk arises from the potential that inadequate information systems, operations systems, transaction processing will result in unforeseen losses.

Compliance Risk

Compliance risk arises from the possibility that a breach of internal policies or procedures, laws, rules, regulations or ethical standards may impact negatively or disrupt firm operations or condition.

Financial Risk

Financial risk is the risk that the advisory firm may be unable to meet its financial obligations.

Reputational Risk

Reputational risk arises from the potential that inappropriate associated persons or management actions or inactions may cause clients or potential clients to form a negative opinion of the advisory firm and/or its services.

Strategic Risk

Strategic risk arises from inadequate current and prospective business decisions or responsiveness that might harm the advisory firm’s financial condition or create conflicts among its clients.

Identifying Risks

The SEC has identified 12 specific areas of concern that should be examined:

• Marketing/Performance
• Form ADV/Disclosures
• Invoices/Fees
• IPO Offerings
• Soft Dollars
• Compensation
• Objectives/Restrictions
• Trade Ticket
• Trade Execution
• Non-Public Information
• Personal/Proprietary Trading
• Money/Securities to/from Broker/Custodian

Measuring the Risks

The adviser should measure the risks identified by considering the likelihood, impact and probability of a risk event in the absence of controls.

Likelihood

The possibility that a given event will occur.

Impact

The effect the event will have on clients or potential clients, disclosures, finances, reputation and regulatory obligations should it occur.

Probability

The anticipated frequency of a risk event given the regularity of the activity or process that is associated with the risk.

Prioritizing the Risks

Once the advisory firm has measured the inherent risks (e.g., the likelihood and impact in the absence of controls), the firm should prioritize the risks by addressing the areas that have the greatest exposure.

Managing the Risks

The advisory firm should develop a risk management matrix that maps the firm’s inventory of risks to specific compliance policies and procedures. The firm should periodically, but no less than annually, update the risk management matrix.

Let me just state for the record that one of the greatest mistakes an investment adviser can commit is purchasing a “one-size-fits-all” type compliance manual. Indeed, officials from the SEC Office of Inspections and Examinations officials have urged advisers not to buy an “off-the-shelf” compliance manual and have stated on numerous occasions that if they find compliance manuals that are not specific to the adviser’s business, they will assume that compliance is not well-respected by these firms, determine that these firms are at high risk of violations, and will likely conduct a top-to-bottom, in-depth review of the firm’s entire operations. If anyone is in doubt as to just how the SEC feels about this subject, please go the to SEC web site and look up the speeches of Lori Richards, the former Director of the Office of Inspections and Examinations. In numerous speeches and public statements over the past years she has stated time and again that the SEC will come down very hard on advisors who use boilerplate policies and procedures.

As if risking the opprobrium of SEC regulators was not reason enough to avoid these types of manuals, there is a second reason that should be of even greater concern to advisers. That is, there is nothing more enticing to a lawyer of a potentially litigious client (and lets face it, all clients are potentially litigious clients) than to find that the advisory firm is not even following its own policies and procedures. Litigators call that the Holy Grail. I call that game, set and match. Insurance companies call that “go get your Errors and Omissions insurance from some other company”. The point being is that ill-fitting compliance policies and procedures are bad for your advisory business vis-à-vis regulators and clients.

As you can imagine, a lot of smaller advisers are no longer seeing the benefit of SEC registration. The perceived “prestige” factor has dissipated in the wake of the Madoff affair and in the face of an increasingly onerous regulatory burden.  A lot of client whose assets have fallen below the $30 million mark as of December 31, 2009 are trying to de-register with the SEC and register with one or more states. If their asset level is below $25 million the de-registration is mandatory. The problem is when the asset level is between $25 million and $30 million. Remember, when first registering with the SEC, an adviser is give the choice to register at $25 million but must register at $30 million. Thus, there is that grey area where the adviser has some latitude.

Is it the same for de-registration? That is, can an adviser with $28 million to report on their annual updating amendment de-register from the SEC. The answer - according to this attorney at the SEC - is no they can not de-register. It was explained that the purpose of the $25 to $30 million grey area is only meant to spare an adviser that is registered with the state from having to register with the SEC if their assets jump over $25 million.

Requirement

Advisers with custody of client assets are required to undergo a surprise examination of those assets by an independent public accountant.

Objective

The objective of the accountant’s examination is to verify that client funds and securities of which an investment adviser has custody are held by a qualified custodian in a separate account for each client under that client’s name, or in accounts that contain only clients’ funds and securities, under the investment adviser’s name as agent or trustee for the clients.

PCAOB Registration and Inspection

The surprise examination must be conducted by an independent public accountant that is registered with, and subject to regular inspection by, the Public Company Accounting Oversight Board (“PCAOB”).

Surprise Audit

The accountant should obtain from the investment adviser records that detail client funds and securities of which the investment adviser has custody and the identification of the qualified custodian(s) of those funds and securities. The accountant should also obtain records of accounts that were closed during the period or that have a zero balance as of the date of the examination.

For a sample of client accounts, the accountant should obtain records of the purchases, sales, contributions, withdrawals and any other debits or credits to each selected client’s account occurring since the date of the last examination. The accountant’s procedures to meet the objective of the examination should normally include, but are not limited to, the following with respect to each selected client account:

• Confirmation with the qualified custodian(s) of client funds and securities as of the date of the examination and that the client’s funds and securities are held in either a separate account under the client’s name or in accounts under the name of the investment adviser as agent or trustee for clients;
• Confirmation with the client of funds and securities held in the account as of the date of the examination and contributions and withdrawals of funds and securities to and from the account since the date of the last examination; where confirmation replies are not received, the accountant should perform alternative procedures; and
• Reconciliation of confirmations received and other evidence obtained to the investment adviser’s records.

Commission Reporting

Under amended rule 206(4)-2, each investment adviser subject to the surprise examination requirement must enter into a written agreement with an independent public accountant to conduct the surprise examination. The agreement must require the accountant, among other things:

• To submit Form ADV-E via the IARD system to the SEC accompanied by the accountant’s certificate within 120 days of the time chosen by the accountant for the surprise examination, stating that the accountant has examined the funds and securities and describing the nature and extent of the examination;
• To notify the SEC within one business day of finding any material discrepancy during the course of the examination; and
• To file via the IARD system, upon dismissal or resignation within four business days a statement regarding the termination along with Form ADV-E.