Tips on Creating New Compliance Policies & Procedures
Regulators expect firms to have an “evergreen” compliance program (“Program”), in other words, one that adapts to its changing business. The Policies and Procedures/Compliance Manual (the “Manual”) a firm adopted when it launched may not be fresh today. A Chief Compliance Officer’s (“CCO”) annual review process can help flag areas of a firm’s business and/or the Program that need to be updated, but how does one create a brand new policy? Consider the following:
1. Where does it go?
Code of Ethics (“Code”), Manual or somewhere else? Generally speaking, policies and procedures (“P&P”) around business operations should go in the Manual, whereas those that focus on individual employee conduct can go in the Code. A typical Code includes P&P relating to insider trading, conflicts of interest, outside business activities, personal account trading and gifts, gratuities and entertainment. Some firms include political contributions (aka Pay to Play) and lobbyist registration in the Code, whereas others include these in the Manual.
It can be tempting to insert detailed workflows, specific guidance or similar explanatory details into the Manual. As these change, the Manual itself will need to change and be reissued to employees. Accordingly, consider keeping the P&P more general in nature (without sacrificing clarity), and document workflows, guidance and other details separately.
Keep in mind that the SEC requires advisers to obtain employee attestations to the Code on at least an annual basis. If the Code is revised in the meantime, employees should attest to the revised Code when it is rolled out. If a particular change to the Code is urgently needed, an adviser may have no choice but to roll it out immediately and obtain employee attestations. Other changes may wait until its typical annual acknowledgment timeframe (often around year-end, or after the beginning of a new year) so both can be accomplished at once. Multiple attestation cycles during the year can create confusion and a series of too many changes may give a negative impression to regulators.
Changes to the Manual typically do not need to be acknowledged by employees as they happen, so long as impacted employees are made aware of (and trained on, if needed) the changes.
A firm should set a target date to officially launch a new P&P, but have it ready about a month before that for a “soft launch” during which it can be tested and revised if needed. Once any post-testing changes are made, the revised, final Manual or Code can be circulated to all employees.
3. Who is involved?
Which departments/employees will be most involved in the new P&P? Soliciting their input while it is being developed will help a firm create a customized P&P that is more easily integrated into existing workflows. Handled well, discussing this feedback will reinforce employees’ sense of buy-in to the new P&P and more generally boost the firm’s culture of compliance. On the practical side, while management may understand the need for a new P&P, affected employees may have a detail-level familiarity with the processes that will be invaluable when the P&P is operational. Finally, this input during development means that the testing phase can focus more on detecting unanticipated issues (instead of getting bogged down on issues that could have been resolved earlier).
Similarly, outside counsel and/or a firm’s compliance consultant should be in the loop to troubleshoot issues based on their regulatory expertise and broader experience. Either/both of these service providers can assist with drafting P&P and determining where/how it is documented and integrated into a firm’s Program and overall business.
4. Testing and Training
As discussed in point 2, above, a “soft launch” of a new P&P provides a window of time to test it and ensure that it works as intended. Parallel with testing, affected employees should be trained and their immediate questions answered before the P&P is official. If a new P&P is unusual or complex, consider asking your compliance consultant to run the test. Finally, the firm’s next annual review or mock exam should cover the new P&P in more detail; a longer period of time and the accumulation of applicable records will enable the CCO to see the new P&P in a larger context, and more objectively able to make any other changes.