Accept All Cookies
A recent order by the Securities and Exchange Commission (“SEC”) strongly suggests that registered investment advisers that rely upon quantitative investment models to manage client assets are required by the Investment Advisers Act of 1940 (the “Advisers Act”) to implement written compliance policies and procedures in order to identify and mitigate the risks associated with their quantitative models. See Investment Advisers Act Release No. 3149 (Feb. 3, 2011) (the “Order”).
The SEC’s press release announcing the Order states that the SEC had charged a registered investment adviser (the “Adviser”) “with failing to adopt and implement compliance policies and procedures to ensure that the [Adviser’s quantitative investment] model would work as intended.” SEC Press Release 2011-37 (Feb. 2, 2011) (the “Press Release”). The Press Release further quoted Rosalind Tyson, Director of the SEC’s Los Angeles Regional Office, as stating:
Quant managers need to ensure that their compliance policies and procedures are tailored to the risks of their model’s strategies, and that compliance personnel are integrated into the development and maintenance of their investment models. [Emphasis supplied.]
While the quoted language is not taken from the actual text of the Order, the Order does find that the Adviser violated Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder by reason of the Adviser’s failure to implement written policies and procedures with respect to the model’s performance as represented to clients and investors. See Paragraph 32 of the Order.
Though the actual Order is more limited than the Press Release implies, the Order’s finding is nevertheless worrisome in that it suggests that a registered adviser must expand its compliance processes, required by Rule 206(4)-7, to include the review of functions that are not obviously regulatory. This requirement seems to extend beyond existing practice for advisers and broker-dealers. Moreover, the uncertainty created by the Order is compounded by the fact that the Order provides little in the way of guidance to assist advisers seeking to avoid becoming subject to similar disciplinary actions.
The Adviser developed computer code for a quantitative investment model (the “Model”) used by its affiliated advisers to manage client portfolios. In June 2009, an employee of the Adviser discovered an error in the Model’s computer code. This code had been put into service in April 2007 and the discovered error was characterized by the Order as having, in effect, “eliminated one of the key components in the Model for managing risk.” See paragraph 2 of the Order. The employee brought this error to the attention of a person who was a senior official at both the Adviser and the Adviser’s parent. In response, the employee who had discovered the error was directed to keep quiet about it and to not fix it at that time. The error was fixed eventually in the fall of 2009 and, at about that same time, the error was disclosed to the parent’s CEO by an employee of the Adviser who “felt compelled” to do so. Id.
After learning of the error, the parent company conducted an internal investigation that concluded in mid-March 2010. The Adviser also obtained advice of external legal counsel “concerning its obligation to disclose the error.” Id. A few weeks after the conclusion of the internal investigation, the parent company disclosed the error to SEC examination staff. Significantly, this disclosure came after the parent was informed by the SEC’s Office of Compliance Inspections and Examinations of an impending examination of the Adviser and other affiliated entities.
Clients were informed of the error a few weeks later on April 15, 2010. Prior to such disclosure, the Adviser had misinformed clients about the ability of the Model to control risk. Indeed, according to the Order, even after the error was discovered, clients were falsely informed that underperformance of client portfolios had resulted from market volatility and other factors unrelated to the error.
As described in the Order, “the Model was comprehensive in its ability to capture and process a substantial amount of publicly available information, such as financial data for particular companies, news, and industry information, and to make investment decisions largely without human interaction.” Paragraph 8 of the Order. Investment advisers affiliated with the Adviser used the Model as their exclusive investment decision-making tool. Significantly, these affiliated advisers, relying upon information provided by the Adviser, marketed the Model “as the basis of their offer of investment advisory services to prospective clients.” Paragraph 9 of the Order.
The Order states that primary responsibly for the Model rested with a small group of trusted and long-time employees. This group, which the Order refers to as a “micro-group,” was led by a senior officer, who also was the individual who initially directed that the discovery of the error not be disclosed. Only the members of this micro-group, including the senior officer, had full access to the Model and all of its underlying code. The Order specifically observed that none of the members of the micro-group had any compliance-related responsibilities (which seems quite unsurprising in light of the skill set that one expects to find in compliance and legal personnel).
The Model consisted of three components:
In April 2007, when the Risk Model was linked to the Optimizer, the two programmers that wrote the code for this task made an error in the Optimizer’s code that, as described above, “effectively eliminated one of the key components in the Model for managing risk.” Paragraph 2 of the Order.
The Order states that although the Adviser conducted simulations involving the new Risk Model and “tested the new Risk Model, it did not conduct independent quality control over the programmers’ work on the code.” Paragraph 10 of the Order (emphasis added).
In 2009, while an employee of the Adviser was working on a new version of the Risk Model, the employee noticed certain “unexpected results when comparing the new Risk Model to the existing one that was rolled out in April 2007.” This observation ultimately led to the discovery of the error and to the concealment of that discovery.
The Order found the conduct described above to constitute a violation by the Adviser of Section 206(4) of the Act and Rule 206(4)-7 thereunder. See Paragraph 31 of the Order. For the most part, the Order’s analysis in this regard is rather straightforward and can be summarized as follows:
The Order’s analysis becomes more interesting, however, when it pivots from an obligation to have “reasonable policies and procedures relating to the making of false statements” [emphasis supplied] to the obligation to adopt and implement policies and procedures “to ensure that the Model performed as represented” [emphasis supplied]. Paragraph 32 of the Order. If taken at face value, the Order seems to take the position that, if an adviser makes a representation to a client, the function or process to which that representation relates must itself be subject to policies and procedures that comply with Rule 206(4)-7. That is, because the representation to clients of a function or process in a manner that is misleading (even if only accidentally so) may constitute a violation of the Advisers Act, advisers must adopt reasonable policies and procedures to ensure that the process or function in fact performs as represented.
The Order concludes that the Adviser did not have “reasonable procedures in place to ensure that the Model would assess those risks as intended” and that the Adviser, or its parent, “failed to conduct sufficient quality control over the coding process before putting that model into production.” Paragraph 32 of the Order. While it is not clear how the conclusion as to the reasonableness of the Adviser’s existing procedures was reached, it appears that it is based, in part, upon the fact that a significant “coding error operated undetected for more than two years.” Id. The Order also states that the Adviser’s “compliance program did not sufficiently identify and mitigate” the associated risks. Id.
It is difficult to know exactly what to make of the Order’s extension of Rule 206(4)-7 to functions and processes that are not themselves regulatory in nature or within the customary skill sets of compliance personnel. It is also unclear whether this extension of Rule 206(4)-7 should be understood as applying just to the facts at hand, i.e., quantitative investment models, or whether it should be understood to apply more broadly to any use of technology or, indeed, to any function as to which representations are made to investors or clients.
Arguably, any extension should be limited to areas that are both of significant risk and the subject of representations to clients and/or investors. Indeed, this limitation is supported by the duties of the Independent Compliance Consultant, which, as described in the Order, include the review of “disclosures about the coding process; [the identification of] any weaknesses in that process; and [the making of] recommendations as to the appropriate disclosures relating to the coding of the Model to investors.” Paragraph 36(a)(i) of the Order. In other words, it would appear that the Independent Compliance Consultant’s job is not to fix weaknesses in the coding process but to ensure that any potential weaknesses in coding are accurately disclosed to investors.
It is also difficult to understand the Order’s apparent concern that the “micro-group” that created the Model was entirely lacking in persons with “compliance-related responsibilities” as well as the announcement in the Press Release that “[q]uant managers need to ensure . . . that compliance personnel are integrated into the development and maintenance of their investment models.”
With all respect to compliance personnel, it is not clear what skills they can bring to the development and maintenance of complex investment models. Indeed, the involvement of compliance personnel in complex functions and processes such as the development of an adviser’s automated trading model would seem to be a far-reaching expansion of the compliance function as it is generally understood. Such an expansion seems to go beyond the role contemplated by the Compliance Release, which states both that Rule 206(4)-7 does not require “advisers to memorialize every action that must be taken in order to remain in compliance with the Advisers Act” and that “it may be enough for the compliance policies and procedures to allocate responsibility within the organization for the timely performance of many obligations. . . .” The Compliance Release at the text preceding note 23.
Read in a manner that is consistent with the Compliance Release, it would appear that neither the Order nor the Press Release should necessarily be understood as mandating the involvement of compliance personnel in the day-to-day operations or oversight of business and other non-compliance functions. Instead, it would appear that the better fit for compliance personnel would be in managing the over all risk identification process and ensuring that appropriate policies and procedures are adopted, implemented, and followed.
In light of the Order, advisers may wish to revisit their client disclosures and offering documentation with a view toward identifying whether those representations and disclosures are appropriate in light of technology or quantitative processes and functions that present significant risks.
In addition, advisers should consider whether their overall compliance risk assessment process appropriately considers all significant risks to investors and clients and is not limited to regulatory or compliance concerns. Advisers should also consider whether key risk areas, especially those that figure prominently in representations to investors and clients, are covered by reasonable procedures.
At a minimum, such procedures should clearly allocate responsibility over all key risk areas. Any allocation should also assign responsibility to develop and implement a reasonable process to mitigate the risk of such function. Such process should provide for ongoing supervision, reporting to management and compliance or another control function, and periodic audits. It should also provide for appropriate risk disclosure to investors and be subject to a formal review and approval process.