This very basic, but often overlooked, element of a compliance program can make all the difference in day-to-day program effectiveness and at exam time
Recently in this space, we explored the ins and outs of preparing for an external audit. Out of that two-part series came this surprising revelation, offered by Patrick Dominguez, Director of Investment Adviser Services at Gordian Compliance Solutions: "One of the most common findings to come out of SEC exams is that an investment advisor hasn't conducted an annual review of its compliance program: an honest look at the policies and procedures as written versus the firm's actual advisory business practices. It's basics like this that will position you for a successful external exam before it ever begins."
So today we want to offer advice on this very basic, but often overlooked, element of an enterprise financial firm's compliance program: one that can make all the difference not just in day-to-day program effectiveness but also at exam time.
HOW OFTEN SHOULD YOU REVIEW YOUR RULES?
"The letter of the law is an annual review," says Dominguez, "but a lot of firms break that up into topic areas." The reason is that, especially at a big firm, a single comprehensive annual review can bring things to a standstill. With multiple lines of business, there can be a lot of rules to review. Breaking the review out by topic area, perhaps on a rolling timeline, can make the process far more manageable.
"Maybe you review allocation and valuation in January, and you look at best execution in February," says Dominguez. "Whatever makes sense for how your firm is organized. It's divide and conquer."
WHAT SHOULD TRIGGER AN AD HOC RULES REVIEW?
So however you do it—whether in a single, comprehensive effort or area by area—you should review your rules once a year. But is there any situation that should spark an ad hoc review? What about an incident at the firm? Maybe an instance of insider trading? Or an unfavorable external exam? "It's possible anything like that might spark a rules review," says Kelsey Amar, Associate Director and Head of US Professional Services for StarCompliance. "But more often, if we have clients coming back to us for a change in their compliance software to deal with something unexpected, it's for a regulation change."
The kind of regulation change Amar is referring to is one that affects employee trading policy: the types of securities employees can and can't invest in, and when they are and aren't allowed to trade certain securities. A change in any of this means a change to the company code of ethics, which in turn means a change to the compliance system, be it manual or automated. "If there's a change in regulation that affects employee trading rules," says Amar, "then you have to match that with a change in the workflow. For our clients that typically just means a settings adjustment, which the software is built for."
HOW BIG OF A TASK CAN A RULES REVIEW BE?
This partly comes back to the point made at the beginning of this post: the bigger the firm, and the more lines of business it's involved in, the more rules there will very likely be to review. But how big, and how onerous, a task it ends up being also depends on how complicated the rules are. "Some clients have a very basic code," says Amar, "maybe five to ten rules, covering the fundamentals, like 'these kinds of securities are exempt.' Or 'these kinds of securities are restricted.' And 'you can't trade securities that are on these lists.' Reviewing a code like this typically isn't too much of an undertaking."
One of the ways rules reviews get complicated is when multiple codes of ethics coexist within the same firm. This is different from having a single code with carve-outs and exceptions for certain groups, which is a fairly normal state of affairs. Multiple codes of ethics means entirely different rulebooks, perhaps split out along the firm's separate lines of business. Happily for compliance teams, the trend in the industry is to centralize, to get all lines of business onto one code. "It's almost a one-to-one relationship," says Amar. "The easier your code of ethics is, the easier it is to review."
Another potential rules review complicator is an entirely avoidable one: compliance teams not being familiar with their own codes of ethics. This can simply be the result of not conducting regular rules reviews. Again, Amar: "Even if you know what the system is doing from a workflow perspective, if you haven't looked at how your rules are built in a really long time, now you have to reacquaint yourself with what they're actually doing versus what they're supposed to be doing, from a compliance perspective. You're better off keeping up with things in the first place. And that means regular reviews."