The Compliance Rule: One Year Later

Here we are, one full year after the Securities and Exchange Commission adopted a new compliance program through Rule 38a-1 under the Investment Company Act of 1940, requiring fund boards to adopt written compliance policies and procedures reasonably designed to prevent violations of the federal securities laws by fund complexes, including compliance oversight of certain service providers.

Even a full year later, the industry arguably is not any more knowledgeable about the SEC's expectations than when the rule was adopted. That is because, in many respects, Rule 38a-1 is a mere skeleton to which a mutual fund board and its chief compliance officer must add muscle and flesh to make it a living, breathing constitution of principles and standards of conduct for the fund and its service providers.

Unfortunately, this task is akin to giving a hospital resident a scalpel on his first day of residency and telling him to scrub in and perform surgery. One slip, and it is all over. And I am not talking just about the patient's livelihood.

Just like the resident, a fund CCO wants and needs more guidance before jumping into the assigned task of implementing the rule's directives. Fortunately, there is no dearth of unofficial guidance in the form of articles in publications, meetings of industry support groups, such as the one the Investment Company Institute is hosting this week, and others who make a livelihood out of this, such as myself and other professionals.

Following are trends I have seen regarding the rule's implementation, particularly the initial annual review and the CCO's interaction with service providers.

First, let's note that the rule's scope covers not just written policies and procedures of the fund, but also policies and procedures for compliance oversight of the investment advisor, distributor, administrator and transfer agent. However, many funds have deemed it prudent to expand their oversight beyond these required service providers to include custody and fund accounting functions, because these activities bear directly on the fund's ability to comply with federal securities laws. Thus, to the extent the compliance function extends to such functions, so must the annual report.

Second, the rule doesn't clearly identify who should be performing the review and how. One section of the rule requires the fund to annually review the adequacy of the compliance program and the effectiveness of its implementation. But complicating matters here even further, it doesn't clarify if it is the CCO, the board or both that is supposed to be reviewing the compliance program.

Then, the next section of the rule states that the CCO is responsible for implementing the compliance program and that they must deliver a written report to the board, at least once a year, that "addresses" the operations of the compliance program and any material changes, including changes recommended as a result of the annual review of its adequacy.

So who really has the responsibility for performing the review?

I think the practical answer is that the CCO must perform the necessary due diligence and prepare their written report on the results, while the board must review the report.

Further complicating matters is that the rule does not specify that the CCO's written report must address each "material compliance matter," which means any compliance matter that the fund's board would reasonably need to know to oversee fund compliance. This would involve, without limitation, violations of federal securities laws or of the compliance program, or even weaknesses in the compliance program's design and implementation.

As far as the annual review and reporting process is concerned, many boards and CCOs are not waiting to complete the initial written report within the first 18-month deadline, and are planning to present subsequent reviews and reports more frequently than just once a year, for a number of good reasons.

First, the rule requires that the review of the compliance program, the delivery of the written report and the executive session meeting of the CCO and independent board members occur "no less frequently than annually." Footnote 84 of the rule's adopting release indicates that if there is a material compliance matter, then it should be important enough to communicate sooner rather than later. This allows the CCO and board to establish a relationship and understanding with each other on the form, material substance and frequency of ongoing communications.

Further, the SEC has also been conducting its CCO exams, in which it asks probing questions about compliance programs, the CCO's approach and their overall efficacy.

Thus, each written communication of a CCO's activities documents the steps taken to date toward completing the initial written report within the 18-month deadline.

So, if most fund complexes are planning to deliver these reports more frequently than annually, how often will they deliver them? The emerging trend is to have formal communications at quarterly board meetings with informal contact in-between, particularly if the CCO wants guidance or feels a need to elevate an issue.

In line with this, a corollary emerging trend is the use of quarterly written reports, which helps establish records under the rule and creates a paper trail for the next SEC examination. Often, these reports consolidate information the CCO receives from the service providers and segments it by category or service provider function to help identify existing or emerging problem areas. The reports may serve as an update of the CCO's progress or as documentation of the steps taken to complete the annual written report, in lieu of a single snapshot at year-end. Or, they may incorporate certifications by the CCO and/or service providers that detail exceptions to an otherwise clean report.

As for how CCOs check in with the board in-between meetings, these contacts tend to be less formal and more episodic. Often, phone calls are made since they can be more effective and may not trigger the same type of recordkeeping issues as e-mail communications, given the controversy surrounding record retention and retrieval requirements of e-mail correspondence. Phone calls also serve as a way for the CCO to check in with their supervisors.

Although no one reporting structure on handling such interim communications seems to dominate, an emerging trend is for a board subset or liaison to be the CCO contact person and perhaps filter or convey information to other board members. Of course, the type of reporting or communication structure between the CCO and the board will vary based on the board's size and character. Some funds may direct the CCO to contact the board chair, all independent trustees or the audit committee. Other funds have chartered a compliance committee and designated a chair to be the primary liaison with the CCO.

So what does this all mean for service providers? How have they been impacted by the rule and how are they preparing for the annual report process?

From an understandably selfish perspective, service providers desire a single uniform compliance report format to deliver to all CCOs. This is efficient and establishes defined control parameters on the reporting of material compliance matters. However, a CCO may want a customized format or report that can be easily integrated with reports of other service providers to produce a single board report. Thus, there needs to be a balance between, and perhaps some negotiation of, these potentially competing interests. However, large service providers with numerous clients may have non-negotiable limits on customization.

Obviously, if a board specifies how information is to be reported, then the service provider also will need to take this into consideration. Fortunately, technology helps facilitate the compilation and delivery of information in a timely, organized manner, and provides greater flexibility in its usage. Web-based delivery of or access to service provider reports, often called "dashboards," can provide the CCO with quick and efficient access and may allow the CCO to reconstitute and combine the data with that of other service providers to deliver to the board a more comprehensive, customized report.

As far as the CCO's due diligence of service providers is concerned, the CCO's confidence in the integrity of the service provider's compliance and reporting information is influenced by a number of factors. Perhaps the most important or telling is an "onsite" due diligence. It is the CCO's opportunity to "kick the tires" and "see what is under the hood." Service providers with numerous clients will find it more challenging to individually entertain each CCO. Thus, they have gravitated to scheduling annual due diligence forums for the CCOs to attend en masse. When complemented with an educational segment about the service providers' operations as well as some individualized time for each CCO, this may balance and satisfy the needs of both.

Assuming the service provider has demonstrated a robust and healthy compliance program, the CCO may achieve comfort with quarterly certifications or reports in-between these annual due diligence visits. This certification process is becoming more commonplace and seems to have been picked up from the internal sub-certification process used by many to satisfy the Sarbanes-Oxley Act filing certification requirements.

Ultimately, the CCO's comfort level with the service provider's compliance program and the integrity of information reported will depend on many factors, including the adequacy of the service provider's reporting structure and controls, the scope of the CCO's prior due diligence and onsite visits, the service provider's reputation and responsiveness, and the CCO's overall experience with the service provider.

To enhance the CCO's comfort zone, service providers are evaluating ways to employ independent assessments of their internal controls and procedures, such as providing enhanced Type II SAS-70s, leveraging their own internal audit and reporting capabilities, hiring independent accountants to perform a SOX-type review and analysis, or engaging other types of third-party compliance consultants to review and assess their operations and compliance programs.

In that regard, the release adopting the rule specifically supports the ability of the board and the CCO to rely on third-party audits and certifications of the adequacy of service provider compliance programs.

Even as the industry marks the rule's first anniversary with a mix of pride and frustration, it is already trying to anticipate how to transcend its crawl down this road.

Buzzwords, like "forensic testing," seem to be surfacing. Given that first-year assessments will likely focus on some of the core issues, such as the compliance program's adequacy, establishing protocol and determining the best method and detail of reporting to the CCO and the board, it appears that next year's focus will likely shift to more holistic issues, such as augmenting risk assessment, analysis and backtesting, and reinforcing compliance through expanded education and training.

As compliance programs and processes mature, there is likely to be a greater focus on addressing systemic issues (how best to identify and prevent them) and how service providers are identifying and preparing themselves to comply with new regulations.

Only time will tell.

Victor R. Siclari is a member of the investment management group and a partner at Reed Smith of Pittsburgh. He is scheduled to speak at the Investment Company Institute's Operations & Technology Conference this week.

(c) 2005 Money Management Executive and SourceMedia, Inc. All Rights Reserved.

http://www.mmexecutive.com http://www.sourcemedia.com
