
11 Key Takeaways for Updating your Compliance Program in 2018: Investment Advisers, Hedge Funds and Private Equity Funds

Based on our review of the investment adviser regulatory landscape of 2017, these are the top 11 recommendations for investment adviser CCOs for updating their compliance programs:


The revisions to the Form ADV and the accompanying FAQs (discussed in the SEC’s Information Update) were the SEC’s most significant regulatory changes in 2017. The amendments focus on additional reporting requirements for separately managed accounts (SMAs) and streamlining the umbrella registration requirements (also known as “relying advisers”). Several additional disclosures and clarifications have been included regarding advisory clients, social media activity, custody and office locations. Advisers making their annual amendments in March 2018 will have to incorporate these changes. (See the Form ADV Part 1A Summary of Changes for the revised form.) Our blog post includes the details. (I highly recommend this Checklist of New and Amended Form ADV Part 1A items from the Investment Advisers Association for more guidance on all the new reporting requirements.)


  1. Separately Managed Accounts (SMAs) And Types Of Assets: Section 5.K(1) Of Schedule D. Develop a process for reporting the percentage of separately managed account (“SMA”) assets that fall within these 12 categories: Exchange Traded Equity Securities, Non Exchange Traded Equities, U.S. Government/Agency bonds, U.S. State and Local Bonds, Sovereign Bonds, Investment Grade Corporate Bonds, Non-Investment Grade Corporate Bonds, Derivatives, Securities issued by Registered Investment Companies or Business Development Companies, Securities issued by Pooled Investment Vehicles, Cash and Cash Equivalents and “other”. Instead of defining these terms, the instructions permit advisers to use their own “consistently applied methodologies” to determine how to categorize assets.

Note:  Advisers with more than $10 billion in Regulatory Assets under Management (“RAUM”) are required to provide this data both mid-year and at year-end. Advisers with less than $10 billion in RAUM will be required to report this data only at year end.  Remember to add this task to your annual compliance calendar.   

  2. Borrowing And Derivatives Used In SMAs: Section 5.K(2) Of Schedule D: Advisers with SMAs AND having at least $500 million in RAUM should develop a way to collect and report information about their use of borrowings and derivatives in Section 5.K(2) of Schedule D. The extent of the information to be disclosed depends on the amount held by the SMA. For SMAs that hold between $500 million and $10 billion, the adviser must report the “amount of RAUM attributable to SMAs and the dollar amount of borrowings attributable to those assets that correspond to three levels of gross notional exposures.” (See page 44 of the Form ADV Part 1A Summary of Changes.)

In addition to those disclosures, advisers are required to report derivatives exposures within six derivatives categories (interest rate derivatives, foreign exchange derivatives, credit derivatives, equity derivatives, commodity derivatives and “other”) for SMAs holding $10 billion or more.  As noted above, advisers holding $10 billion or more in SMAs will have to report this information as of both mid-year and at year-end, so this report will need to be added to the compliance calendar.  Investment advisers may, but are not required to, limit their reporting to individual accounts of at least $10 million.

  3. Specific Data about Clients, Accounts and Wrap Programs: Item 5.D of the Form ADV Part 1A now requires more details about the firm’s advisory business. Item 5.D. now requires the following disclosures:
  • The actual number of clients and amount of RAUM attributable to each category of clients (currently only ranges are disclosed). There is one new category, “sovereign wealth funds and foreign official institutions”, which was not defined;
  • The approximate amount of an adviser’s total RAUM attributable to clients that are non-United States persons;
  • The number of clients that an adviser provides advisory services to, but does not include in its RAUM;
  • Whether an adviser reports assets in Form ADV Part 2A differently from RAUM reported in Part 1A;
  • The RAUM attributable to all separately managed accounts that are managed in parallel to a registered investment company; and
  • The adviser’s total RAUM attributable to acting as a sponsor and/or portfolio manager of a wrap fee program, as well as SEC file number and CRD number for those wrap fee programs.

Note:  The aggregate amount of RAUM in Item 5.D.(3) should equal the amount of RAUM in Item 5.F.(2)(c). 

  4. Identification Of Custodians: Section 5.K.(3) Of Schedule D: Advisers need to determine and identify which custodians hold 10% (or more) of the total RAUM of the firm’s separately managed accounts, and the amount of RAUM held at each such custodian.
  5. Social Media, Additional Offices and the CCO: In addition to asking about websites, the SEC amended Item 1.I of Form ADV Part 1A to require disclosure about the use of social media platforms, such as Twitter, Facebook and LinkedIn. Advisers will be required to list the addresses of their social media pages. In response to numerous comments, however, the SEC limited required disclosure to accounts where the adviser controls the content. Additionally, advisers do not have to provide information about the social media accounts of employees.

In addition to disclosing the address of their main office in Item 1.F of Form ADV Part 1A, advisers are now required to disclose the total number of offices they use to conduct business. Additional information is required for an adviser’s 25 largest locations, including the number of employees providing advisory services and the types of activities conducted in these offices.

More disclosure is also being requested about Chief Compliance Officers. Item 1.J, which previously requested the name and contact information of an investment adviser’s chief compliance officer, now asks whether a firm’s CCO is compensated or employed by any person other than the adviser (or an affiliate), and for the name and IRS employer identification number of that other person. Advisers will not be required to disclose the identity of the other person compensating or employing the chief compliance officer if that other person is an investment company registered under the Investment Company Act of 1940 advised by the adviser.

  6. Private Fund Advisers with Relying Advisers: Umbrella Registration: The revisions to the Form ADV provide a better process for “umbrella registration”, for a filing adviser and one or more relying advisers, as allowed under the 2012 ABA letter. This type of registration is limited to a private fund adviser operating as a single business through multiple legal entities. Advisers are required to complete a Schedule R for each relying adviser to provide identifying and ownership information.


In addition to preparing for the changes, advisers should develop processes and evidence to support the information provided in the Form ADV. True to form, the SEC has been going over Forms ADV with a fine-tooth comb and brought a number of enforcement cases in 2017 based on misstatements in the Form ADV.

For example, the SEC pursued an investment adviser for misstatements in Form ADV. The firm disclosed in its Form ADV that block trades would be allocated to client accounts using a rotational method roughly allocating equal access participation. Instead, the adviser allegedly allocated day trades with a profit of $300 or less only to a single client account, while distributing other trades consistently among the other accounts.  The firm was fined $75,000 and its principal was fined $25,000 personally.

Similarly, the SEC brought a case against a CCO of an exempt reporting adviser. The SEC alleged that the CCO made untrue statements in multiple Forms ADV that she prepared, signed, and filed on behalf of the adviser. Basically, the CCO represented that the private funds managed by the firm were subject to an annual audit, that the financial statements were prepared in accordance with GAAP, and that they were distributed to fund investors, all of which were untrue. Among other sanctions, the CCO was suspended from association with any investment adviser for a period of nine months and was fined $15,000.

In another case, the SEC fined a CCO $30,000 and banned him from the industry for one year because he did not take sufficient steps to ascertain the accuracy of the assets under management reported on the Form ADV.  In this case, an outsourced CCO prepared a Form ADV to reflect the merger of two firms under the same parent company.  In preparing the document, the CCO relied on an email message from the Chief Investment Officer that provided him with an estimate of the combined AUM, which overstated the amount by 190%.  There was no evidence that the CCO engaged in fraud or that investors were harmed.  He simply relied on a preliminary estimate without any documentation to back up the RAUM, and filed the form without confirming it with the CIO.


To avoid this kind of trouble, advisers should document in detail the process for determining their regulatory assets under management (RAUM). The steps should include how to identify those accounts (or portions thereof) for which the adviser provides continuous and regular supervisory or management services. The next step is determining the fair market value of the accounts, using values calculated within 90 days prior to the filing of the Form ADV. The procedure should specifically identify the source of the account values, the date the values are to be downloaded, and the process for scrubbing the data. The process should be in sufficient detail that it can be repeated accurately and consistently. It should also include keeping a record, such as a spreadsheet or other evidence, to support the calculation. (For a great discussion on calculating RAUM, check out Michael Kitces’ blog post here.)

This is just one example.  Similar processes should be developed for other important data included in the Form ADV.  Compliance officers should consider having different areas of the firm review and certify the accuracy of disclosures provided.  The Form ADV should be the responsibility of all areas of the firm, not just the CCO.


Another big change for investment advisers relates to custody. In 2016 and 2017, SEC exams of registered investment advisers included scrutiny of the standard custody arrangements that retail investment advisers have with some of the major custodians.  The SEC focused on an adviser’s authorization to transfer funds between like-registered and third-party accounts at different financial institutions.

For some retail firms, it’s common practice for clients to grant their investment adviser a standing letter of authorization (“SLOA”) to move money in and out of their accounts. SLOAs allow advisers to provide monthly bill paying services, brokerage-to-checking transfers, and money movements among client accounts — all with just a phone call. Post-Madoff, the SEC determined that these types of arrangements create the risk that advisers will abuse such authority, and issued guidance in the form of the Investment Advisers Association (IAA) No-Action letter and a Guidance Update. The upshot — advisers found to have custody of client assets as a consequence of an SLOA may have to submit to an annual surprise examination under the Custody Rule. For help determining whether your advisory firm has custody, check out the Custody SLOA Flow Chart here. Certain language in the custodial agreement also signals whether an adviser might have custody. Here are a few examples from the SEC’s Guidance Update:

  • A custodial agreement that grants the client’s adviser the right to “receive money, securities, and property of every kind and dispose of same.”
  • A custodial agreement under which a custodian “may rely on [adviser’s] instructions without any direction from you. You hereby ratify and confirm any and all transactions with [the custodian] made by [adviser] for your account.”
  • A custodial agreement that provides authorization for the client’s adviser to “instruct us to disburse cash from your cash account for any purpose . . . .”

If the custodial agreement allows the adviser to instruct the custodian to withdraw client funds or securities, the SEC views this as custody.

What makes this development particularly painful for investment advisers is the fact that there are many different forms of SLOAs. Major custodians have a number of SLOA forms, each granting different types of authority.


Advisers should identify all accounts with SLOAs, and determine whether the adviser has been granted first or third-party disbursement authority.  In many cases, existing SLOAs will have to be amended to include more information, such as account numbers and details of the disbursements, in order to avoid custody.  Advisers will also have to work with custodians to determine what steps they will be taking to help comply with the IAA No-Action letter in order to avoid triggering the requirement for annual surprise exams, since most of the conditions rely on the custodian’s cooperation. Finally, advisers will also have to disclose the amount of assets related to third-party SLOAs in Item 9 on Form ADV as part of the annual Form ADV update in March 2018.


Post-Dodd Frank, OCIE has made a concerted effort to provide more information to registrants about its findings and concerns, including issuing a Risk Alert in February 2017, where it identified the five most common compliance issues found during exams. (See our blog post for details.)  Not surprisingly, the big five deficiencies included problems with Custody Rule (Rule 206(4)-2) compliance, Form ADV and Disclosure issues, Code of Ethics Rule (Rule 204A-1) violations, incomplete and inadequate recordkeeping (Rule 204-2), and violations of the Compliance Rule (Rule 206(4)-7).  Our experience at Hardin Compliance Consulting is consistent with these findings, and included a couple of others, such as fee and billing procedures, and best execution concerns (See our blog post for more information.)

The Risk Alert notes the following examples of common deficiencies:

  • Compliance manuals have not been tailored to the adviser’s business practices. (For ideas on how to address this issue, check out our blog post, Write the Best Compliance Manual Ever!)
  • Annual reviews were not performed or did not address the adequacy of the adviser’s policies and procedures.
  • Adviser’s staff fails to follow the compliance policies and procedures.
  • Inaccurate and/or untimely regulatory filings, including the Form ADV, Form PF and Form D filings.
  • Failure to recognize custody when an adviser has custody of client accounts through online access using clients’ personal usernames and passwords.
  • Code of Ethics failures, such as not identifying all access persons, failure to require review of annual holdings and transaction reports, late and incomplete transaction and holdings reports.
  • Books and records failures, such as failing to have all required records, including trading records, advisory agreements and general ledgers.

These deficiencies are basic blocking and tackling for compliance officers.


Review the risk alert in detail, focusing on those areas where your firm is vulnerable.  Confirm your policies and procedures accurately address the topics as they apply to your firm. Verify compliance testing is included in your program to identify the types of common deficiencies discussed in the risk alert. Providing advice on all of the issues cited is beyond the scope of this article, so I recommend that you review the following resources:

  1. The SEC’s final release of the Compliance Program Rule, which provides valuable information about the SEC’s expectations with respect to the compliance program.
  2. Our blog post, Write the Best Compliance Manual Ever!, that provides useful tips on how to review and update your manual.
  3. Compliance Calendars (example from Paul, Weiss here and from our blog)
  4. Regulation of Investment Advisers by the U.S. Securities and Exchange Commission by Robert E. Plaze, June 2017.


The OCIE also shared its list of “Most Frequent Advertising Rule Compliance Issues” in a risk alert.  At the top of the list were misleading performance advertisements.  Not surprisingly, many of OCIE’s comments were directed at advisers that failed to state that performance shown was gross of advisory fees, or included a benchmark without discussing the limitations of the comparison.  Advisers using hypothetical and back-tested performance received black marks for failing to explain how the returns were derived.  False claims of compliance with the Global Investment Performance Standards (GIPS®) were also noted.  Additionally, firms were cited for failing to have policies and procedures in place for review of marketing materials prior to publication/dissemination.

Other major issues included “misleading use of third party rankings or awards.” OCIE nailed advisers for publishing stale rankings, or claiming to be award winners without providing details such as who created and conducted the survey, how many advisers participated, and whether the adviser paid a fee to be included. OCIE also found that disclosing professional designations could be misleading if the adviser failed to include a description of the minimum qualifications required to achieve the designation. Finally, OCIE reminded advisers to refrain from publishing client endorsements on the firm website or on social media platforms.


If you don’t have a process in place for your compliance officer to review marketing prior to distribution, you should put procedures in place to implement this type of review. Compliance officers should review this risk alert carefully and incorporate the findings into their advertising review process, including ensuring supporting documentation is maintained for all performance shown in marketing pieces.  To facilitate an efficient review process, consider creating an advertising review checklist that identifies all the requirements under the marketing rule.  A checklist can help identify regulatory requirements for marketing pieces that the firm may not produce on a regular basis.


OCIE issued a Risk Alert summarizing its findings from examinations of 75 firms.  OCIE found an overall improvement in cybersecurity practices since the 2014 Cybersecurity 1 Initiative, and noted that broker-dealers were ahead of the curve on cybersecurity issues. OCIE staff still found gaps in the policies and procedures and failures to enforce the cybersecurity measures.


Advisers should consider implementing the following practices, which the SEC recommended as robust cybersecurity controls:

  • Detailed policies and procedures for reviewing results of penetration testing;
  • Monitoring and auditing information systems, periodic review of access rights, and reporting issues;
  • Scheduling vulnerability scans and beta testing of security patches;
  • Enforcing controls for accessing data and systems;
  • Maintaining an inventory of data, information and vendors;
  • Mandatory employee training; and
  • Engagement of senior management.

In case you are wondering how to prioritize your resources in 2018, keep in mind that the Division of Enforcement’s Annual Report for 2017 highlighted the fact that the SEC has formed a new Cyber Unit.  Clearly the SEC is allocating more people, time and money to deal with this issue.


Another significant regulation that became effective on July 9, 2017 was the DOL’s Fiduciary Rule (see our blog post for more details.)  Recently the DOL deferred provisions of the Best Interest Contract Exemption (BICE), the Principal Transaction Exemption, and amendments to Prohibited Transaction Exemption 84-24 until July 1, 2019.  Additionally, the DOL’s current non-enforcement policy has been extended. The end result?  Maintain the status quo, meaning that advisers are held to an expanded definition of fiduciary advice (which now includes 401(k) rollover recommendations), and should adopt impartial conduct standards (i.e., provide prudent investment advice, charge only reasonable compensation, and avoid misleading statements).


A large adviser was fined $13 million for incorrect fee billing, custody, and books & records violations related to a merger and acquisition and subsequent fee billing system conversion. During the merger, the new firm never properly tested client fees against the clients’ investment advisory agreements. Later, the bad fee schedules were copied over to a new billing system. If the firm had done proper fee testing initially, it would have identified the incorrect fees being charged as well as the fact that there were no investment advisory agreements verifying the fees.

It’s tempting to rely on automated systems for repetitive tasks such as fee billing.  However, as the saying goes, it’s garbage in, garbage out.  Firms should perform quality control.


First, firms should perform testing to ensure that when an account is set up, the fee schedule uploaded into the system is the same as the fee schedule included in the investment management agreement, and both are consistent with the fee schedule in the Form ADV.  And the testing should not be performed by the same person who sets up the accounts on the system.  Next, firms should test to ensure that the asset values used to calculate the fees are consistent with the disclosure in the Form ADV and the investment management agreement.  Fees being debited from client accounts should be tested periodically to ensure that they are consistent with the fees set forth in the investment management agreement.


In 2017, the SEC censured and fined 10 investment advisory firms for violations of Rule 206(4)-5 of the Advisers Act. All of these advisers are now subject to a two-year time-out from receiving advisory fees because of campaign contributions made by the firms’ associates. The Pay-to-Play Rule prohibits investment advisers from providing advisory services for compensation to a government client, directly or through a pooled investment vehicle, for two years after a political contribution is made to a candidate who could influence the investment adviser selection process.


We recommend revisiting your compliance training program surrounding the Pay-to-Play Rules and incorporating searches of public web sites that track campaign contributions, such as, to see if your firm’s associates have been contributing to local political campaigns.  Compliance policies surrounding political contributions should also include the maintenance of a political contribution log and a requirement to pre-clear or report all political contributions made by covered associates.  Prior to onboarding a new local or state government entity client, compliance officers should review the political contribution log and conduct a search of the applicable state or local websites to identify if any political contributions were made by their covered associates.


For private fund advisers, the message from the SEC has been consistent since 2014: focus your efforts on ensuring appropriate disclosure of fees, scrutinize the allocation of fund expenses, and look for undisclosed conflicts of interest. For example, the SEC nailed a private equity fund adviser for charging the funds for “broken deal” expenses of co-investors. The limited partnership agreements disclosed that the funds would pay their own expenses, but nothing was said about the funds bearing the broken deal expenses for co-investors. The adviser had to pay $1.9 million in disgorgement and interest and a $1.5 million penalty.

In yet another case, a private fund manager and two of its principals settled a case with the SEC for failure to disclose conflicts of interest. Two fund managers used assets from Fund I to invest in Fund II. Fund II, in turn, loaned money to the adviser, which used the money to expand its business, and, presumably, its profits. Disclosure of the investment and conflict of interest didn’t happen until 18 months later — in the audited financial statement for Fund I. The SEC seemed to find it particularly galling that investors in Fund I were not informed that a substantial portion of the Fund’s assets were not being deployed in the disclosed foreign currency trading strategy, and that these investors also ended up paying a second advisory fee because of Fund I’s investment in Fund II. Adding fuel to the fire, the CCO and CEO were hit with willful violation of the Custody Rule because they did not send out the audited financials within three months of their fiscal year end. Additionally, the independent auditor for the funds was registered with the PCAOB, but it was not also subject to PCAOB inspection, which meant it was not qualified to perform audits under the Custody Rule. The firm and its principals had to pay civil penalties ($80,000 for the firm, and a total of $55,000 for the principals) and to retain an independent consultant to review its compliance policies and procedures and provide notice of the SEC’s order to affected investors.

Similarly, the SEC pursued a case against a private fund adviser, where fund assets were used to pay firm expenses such as rent, salaries for the investment teams and the firm’s legal fees and expenses related to an OCIE examination and an SEC enforcement investigation.  The funds’ offering documents and the limited partnership agreements were pretty clear — these types of expenses were expected to be paid for by the adviser, not the funds. Moreover, the adviser was supposed to offset its management fee by 50 percent of any fees it received for services provided to portfolio companies, which it failed to do. The SEC found these actions to violate the anti-fraud provisions of Section 206 of the Advisers Act.  The SEC then doubled (and tripled) down on these violations, finding these same acts also violated the Custody Rule (Rule 206(4)-2), the Compliance Program Rule (Rule 206(4)-7), and Section 207 (for material misstatements on the Form ADV).   The adviser and its principal were ordered to pay a $300,000 penalty and engage an independent compliance consulting firm to review its compliance program.  The firm was also required to reimburse the private fund investors for management fees it failed to offset.


To deal with these issues, a compliance officer should review the limited partnership agreement, operating documents and the confidential private offering memorandum to determine whether all the disclosures regarding fees and expenses are consistent. Focus on the disclosure of how fees and expenses are allocated – are these practices described in the offering memorandum or discussed in the limited partnership agreement? Are there written procedures regarding these allocations and are they being followed?

It is also important to review the fees paid by the fund to the General Partner, Investment Adviser, directors, operating partners, consultants, or service providers related to the General Partner. Are the fees disclosed in the offering memorandum? Are all related-party relationships and related-party transactions being disclosed? Are fees and expenses being charged consistently with the disclosure provided? Are there fees being charged to investors that are not disclosed or contemplated by the partnership agreement, such as for administrative expenses, or reorganizations? Are there any fees received by the General Partners, Investment adviser or other related parties that should be offset against the management fees, and are those offsets being taken?


SEC Sweep Examination on Electronic Communications. OCIE recently started a sweep exam targeting the use of electronic communications by investment advisers. Staff wants to find out about the types of electronic message platforms being used, the devices permitted, policies and procedures to monitor and review communications, and how violations are handled. OCIE also wants to know what measures advisers are taking to secure sensitive information transmitted through electronic messaging.


Compliance officers should confirm they have their arms around all messaging platforms used within the firm. They should confirm policies and procedures are in place surrounding archiving and monitoring e-mail, text messaging, instant messages, chat rooms, and other messaging applications firm employees may use. Additionally, compliance officers should ensure the firm’s information security program includes protocols for securing sensitive information transmitted electronically.

If you have questions or need help, please feel free to contact us at 724-935-6770, or use our Contact Us page.

 Hardin Compliance Consulting provides links to other publicly-available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance.  The information in this e-newsletter is for general guidance only.  It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.