Receiving an examination notice, particularly for the first time, from the Securities and Exchange Commission’s (“SEC”) Division of Examinations (DOE, formerly known as OCIE, Office of Compliance Inspections and Examinations) can be unsettling. Rest assured, this is a rite of passage for all SEC registrants. Although no examination should be taken lightly, a little preparation can go a long way toward avoiding a painful experience. Below are some tips for managing your SEC exam with the least amount of friction.
Various Types of SEC Exams
First, a word about examination types, which come in several flavors:
- Routine Exam: A routine SEC examination is the most common. Registrants are selected based on various risk factors, but the SEC’s goal is to ensure every registrant is examined at a reasonable interval. If you have never been examined, you should expect a knock on your electronic door any day; those that have been examined before typically receive routine examinations every 5-7 years.
- Sweep Exams: Occasionally, registrants will have to undergo “sweep” or limited purpose exams that focus on targeted exam priorities. Some of these are designed for the SEC to gather data and intelligence to inform rulemakings; others may gather information for dissemination in the form of industry risk alerts; still others may be focused on ferreting out potential regulatory violations in risk areas for which the SEC has a programmatic interest (i.e., potential enforcement targets).
- Cause Exams: Lastly, and perhaps the least common, are “cause” exams that are intended to understand the causes of known regulatory failures or substantial investor harms. This last category is the one most likely to serve as a precursor to an enforcement investigation. You should consider DOE to be an enforcement stalking horse in those cases and would be wise to engage counsel early in the process.
Ground Rules: Being Professional Goes a Long Way
Whatever the staff’s underlying purpose, you should follow some basic ground rules in your approach to the exam. Preliminarily, you should be professional and (mostly) cooperative. It sounds intuitive, but many exams go south quickly because the registrant is needlessly antagonistic. To be clear, SEC examiners are not your friends; they are your regulators. But they also are not enforcement staff (though sometimes those lines can be blurred!). At least in the case of routine examinations, the exam staff is largely trying to provide useful compliance guidance, and their observations are often opportunities for you to identify weaknesses and improve your controls. Your goal in any exam is to ensure that even disagreements over compliance requirements do not escalate into enforcement disputes.
Also bearing emphasis: You should be truthful and candid. Do not try to hide any information that you perceive to be damaging or out of order; there is no need to be defensive. (But you may wish to consult counsel if you perceive any particularly sensitive areas of concern.) If you do not know an answer, say so and let the staff know that you will try to obtain the requested information; do not guess. Naturally, put your best foot forward; do not cast a light on every wart, and you should, within reason, defend practices that you believe are consistent with the law. It never hurts to explain why your decisions are beneficial to shareholders or clients.
Important Points During an SEC Examination
Now for some particulars to keep in mind:
- Scope – In your first conversation with the exam staff, ask what they have in mind for the scope. Use that first call as an opportunity to ferret out in advance any issues that may be a concern so you can begin to prepare your response.
- Initial Meeting – The staff typically asks for a kickoff meeting (virtual these days), or they may want a short introductory call. Plan to give the staff at least a short introduction to your firm so you can describe the business and how it is organized. You should include your CCO, but you may also want to include the general counsel and a principal of the firm. This makes clear that you take compliance seriously and there is nothing more important than compliance for even the firm’s top brass.
- Areas of Interest – Prepare a brief presentation that outlines the business, key personnel, and the compliance function. You should consider outlining what testing or controls and assessments are conducted and what (sub-) certifications you receive. If you know there are areas of interest, you should be prepared to discuss those and may want to give an overview of that aspect of operations.
- Documents – Whether the SEC staff asks or not, you should expect to provide them copies of:
  - your policies and procedures manual and Code of Ethics
  - latest Form ADV
  - organizational chart and possibly bios of key personnel (or ADV 2B)
  - copies of any written submissions you have already provided
  If you have a SOC-1 or audit report that shows a clean bill of health, that is not a bad thing to have at the ready.
- Keep Records – You will be asked for other documents or records. It is imperative that you keep a record of everything that is given to the SEC. We recommend organizing materials in electronic files that correspond to the numbered requests you receive from the staff.
- Previous Issues – You should expect that the examiners will revisit any deficiencies or matters of concern raised in prior examinations to confirm that you have in fact implemented any changes you previously committed to make. You should be prepared to address those matters specifically.
- One Point of Contact – If the SEC staff asks for an on-site visit, you should appoint one person (typically the CCO) as a point of contact and ensure the SEC staff has that person’s email and phone number. You do not want the SEC staff wandering your office and casually interviewing anyone they see without your point person knowing about it! You also should ensure that your IT staff or consultant is available, both to ensure there are no technology issues and to be prepared to discuss network security and cybersecurity defenses.
At the end of your SEC exam, the staff typically arranges an exit interview. The staff will outline any deficiencies noted and may share observations that they consider potentially troublesome, even if not technically in violation of the law. You should take all the staff’s comments under advisement; you do not need to be confrontational. If there are deficiencies (which is common), you will receive a letter detailing the staff’s observations and perceived violations.
Your Follow-Up Written Response
You generally should respond in writing explaining how you will correct the deficiencies, or politely explain why you disagree with their findings. Bear in mind, you may be expected to reimburse clients for damages. You also should consider your possible audience to be Enforcement staff, so be careful in your response. You may wish to engage counsel if you sense that any matters are serious or may potentially escalate.
DOE Response and Closure
DOE may have further follow-up questions, but often there is no further dialog. Generally, DOE is expected to respond within 60 days of your response, but that is not set in stone. You can follow up with the staff to ask if the exam has been closed, but typically if a few months have passed without further communication, the exam will be considered closed.
It Pays to be Prepared
The best way to prepare for an examination is to do the compliance work daily, understand that an exam will happen, educate your internal staff, be professional and candid, and keep in mind the SEC may provide useful compliance guidance. No compliance program is perfect, so seize the opportunity to identify areas for improving your compliance controls. Before the exam team cometh, you also may benefit from a compliance check-up, mock examination, or additional experienced support. Ultimus is here to help.