Before the SEC comes in:
- Disclosure, Disclosure, Disclosure. Make sure it’s adequate and complete. It’s not a cure-all, but it’s your first line of defense. For advisers, this starts with the ADV. Know what it says and make sure it’s comprehensive.
- Be aware that your firm’s performance and marketing could attract SEC attention.
- The best way to prepare for an SEC exam is to be very proactive and thoughtful about identifying conflicts and remediating those conflicts with strong policies, procedures and other risk controls.
- Be sure that the firm has a strong ethical culture from top to bottom or find another firm! Explain to Senior Management the goal of Compliance and be sure there is support and understanding from everyone in the firm.
- Ensure that your Compliance team has adequate resources to comply with securities laws in this changing regulatory environment.
Evaluate the risk assessment process within your compliance structure before the exam. The process should include the following:
- Business personnel, who have frontline responsibility for managing risk;
- Independent risk and control personnel (compliance, IT, ethics, risk and control) who must identify critical issues; and
- Internal audit personnel or third parties, who provide independent verification and assess whether the control environment is operating effectively.
The SEC has stressed that these three lines of defense, when effectively utilized, protect investors, ensure the integrity of the capital markets, and promote capital formation.
Consistency is key. Ensure that your disclosure documents, your compliance manual and your actual practices and procedures are all consistent and have been updated according to new regulation and best practices put out by the Commission.
- With respect to the firm’s procedures, confirm that all the stated practices are actually being performed, and that you can prove it with backup documentation.
- Review the results of your annual review, your firm’s website and a recent response to a request for proposal (RFP) or due diligence questionnaire (DDQ).
- Review recent headlines and regulatory speeches. Keep up with regulatory developments and update your policies regularly. Attend compliance conferences.
- Ensure prior examination findings and internal audit findings are fixed.
- Correct known problems or be in the process of correcting them.
- Do a test run. Mock audits go a long way in helping you prepare for an exam.
- Maintain an exam team that has an SEC response process in place and that can ensure an effective and efficient response the moment you receive an SEC document request letter. Once the exam begins, the team should meet daily, track document requests, update management on the progress of the exam and remind employees that SEC examiners are on-site.
- Prepare key personnel that are likely to be interviewed by Staff in the process of the examination by discussing likely topics and ensuring they adequately understand compliance policies and procedures.
- Mitigate the risk of data breaches, and the resulting harm to firm financials and reputation, by performing independent testing of the cybersecurity policies in place to protect client data. Work with your internal IT team or outsourced provider to review recent SEC risk alerts regarding cybersecurity, ensure that you have a reasonable cybersecurity policy in place to mitigate cyber breaches, and protect your infrastructure with a robust Disaster Recovery and Business Continuity plan.
- Train employees regarding what to expect during an examination, how to conduct themselves during an examination and in interviews with SEC staff, and that they should not take offense if the CCO interrupts during an interview. Remind them to maintain a clean work space and to be mindful of common area discussions.
Management, the Board of Directors and the CCO are advised to understand, contain and insure against their liability.
- Reviewing enforcement cases is a great way to understand where and how the SEC has more success when bringing actions.
- Understand the insurance coverage currently in place and know if there are other options to enhance the protection.
Once you are notified of an Exam:
- At the outset, try to maintain one point of contact; assign an examiner liaison and have all requests go through/from that person (typically the CCO).
- Get management participation and backing prior to the onset of the exam; include them in the initial meeting with the SEC staff and solidify their ultimate accountability and responsibility with respect to firm compliance and the firm’s conduct during the examination, including responses to SEC staff.
- During the opening phase, including initial interviews and tour of the firm’s offices, impress the staff by treating them with courtesy and respect, set the tone, paint a positive picture of the firm, and focus on your risk management and compliance culture.
- Discuss with the staff what the protocols will be during the onsite examination. For example, confirm with the SEC that you will have one point-person through whom all requests should filter, and confirm that the staff agrees to one or two meetings per day, etc.
- At the initial meeting with examiners, it is recommended that CCO and senior staff show a PowerPoint that goes over the firm’s last risk assessment and which describes the firm and its compliance culture, such as listing firm training and recent compliance conferences you have attended. This is part of the effort to demonstrate that your firm is committed to compliance. This will give a clear understanding of your firm’s practices to the Staff before they begin their examination onsite. This can also help create a “road map” that can steer the Staff towards the parts of your compliance program you believe are stronger and away from those that are not as robust. Consider having this initial meeting by telephone prior to the onsite to prevent unnecessary questions and document production.
- Firm staff should answer questions without appearing standoffish, but should not say more than is asked (don’t interject if there is silence after a verbal response, don’t provide more information than necessary, don’t speculate or mislead).
- Ensure firm staff complies with a “clean desk” policy wherein they do not leave any documents exposed on their desk and make sure that all computers are locked and inaccessible without passwords when employees leave their desks.
- Facilities provided to the examiners should be conducive to carrying out their functions effectively and in reasonable comfort. Ensure there is reliable and secure access to internet, phone, etc. Ensure that examiners do not have access to any internal documents or servers.
- Throughout the examination, remain polite, convey mutual respect and establish a productive relationship.
- Establish and maintain control of the examination by (1) checking in periodically, (2) asking if anything is outstanding and whether there is anything that requires clarification, and (3) responding promptly and accurately to requests.
- Ensure two people are at all interviews and take notes.
- Put yourself in the examiners’ shoes. Ask yourself: “what can I provide to expedite the closing of the examination and to effectively respond to requests so they can do their job?”
- If you utilize any third-party service providers (such as email archiving systems or trade management systems), ensure that there is appropriate login information for examiners to access these systems to perform testing.
- Consult with counsel and consultants as needed and use your resources. It is important to consider disclosing problems you have internally uncovered. According to the SEC, nothing could be worse than for the SEC to find a problem through an examination or through a tip, complaint or referral that personnel in your organization knew about but tried to conceal.
- Keep track of all requests and respond promptly to additional requests for information and documents. Ask that subsequent requests be put in writing for the purposes of tracking and clarity. Number and date them.
- Organize information in a manner that corresponds to the information requests and in the format requested. Prepare folders that are labeled and/or provide items in electronic media. Convey the appearance of preparedness.
- Consider Bates stamping materials or otherwise indicating or tracking when documents were provided to the SEC staff. Consider placing Freedom of Information Act (FOIA) stickers on sensitive materials.
- Don’t be afraid to discuss examiner document requests. Ask examiners to notify the CCO if they feel they are not getting the information they need.
- Follow up on requests that appear burdensome and make sure you are providing what is being requested. Don’t be afraid to attempt negotiations to provide a document that is both responsive to their request and not unduly burdensome to the firm. Seek clarity if there is confusion and offer alternate records if they may be responsive to the examiners’ request.
- Never back date or create documents unless the SEC staff has made a request that entails creation of a new document or report. Be candid about corrections that have been made and whether new documents need to be created as well as the time it will take to respond to such a request.
- Request an exit interview. If you can make progress in addressing SEC concerns immediately, you may influence the way an exam letter is written as it may address your progress and cooperation. In addition, in some cases you may be able to prevent an enforcement referral.