Colorado Division of Securities Adopts New Investment Adviser Compliance Program Rule

This is the second in a three-part series discussing the newly amended rules (collectively the “Rules”) adopted by the Colorado Division of Securities (“Division”) effective as of March 30, 2023 (the “Effective Date”) applicable to certain Colorado investment advisers and their registered representatives (“IARs”). The Rules mostly affect investment advisers registered with Colorado State (such advisers, “Colorado Licensed Advisers”). The Rules also have a lesser impact on investment advisers who are excluded or excepted from Colorado registration.

This Part 2 describes, in detail, the requirements of new Rule 51-4.12(IA) (the “Compliance Rule” or the “Rule”), and offers concrete recommendations to Colorado Licensed Advisers for their compliance programs. Part 1 focused on the new Continuing Education Rule and offered practical guidance to advisers and their IARs for meeting the new requirements. Part 3 will review the amended Rules as a whole and provide best practices and compliance recommendations going forward.

The Compliance Rule

Rule 51-4.12(IA) adds a three-part compliance program requirement for Colorado Licensed Advisers, which includes establishing, maintaining, and enforcing written policies and procedures, designating a Chief Compliance Officer (“CCO”) to oversee the program, and conducting an Annual Review of the program.[1] The Rule does not require that the CCO conduct the Annual Review, nor does it specify a particular time of year for its completion. Furthermore, there is no requirement for the Annual Review to be written.

The scope of the compliance program includes the Colorado Licensed Adviser, its "Supervised Persons," and its "Access Persons" (with regard to reporting personal trading). All employees, officers, partners, directors, IARs, and other persons who provide advice on behalf of the adviser and are subject to the adviser’s supervision and control are considered “Supervised Persons.”[2] “Access Persons” are “Supervised Persons” who have access to nonpublic information regarding client transactions or reportable fund holdings, make securities recommendations to clients, or have access to nonpublic recommendations, and generally, all officers, directors, and partners.[3]

The following areas must be substantively addressed in the firm’s policies and procedures:

Supervisory Policies and Procedures

Colorado Licensed Advisers must adopt, maintain, and enforce supervisory policies and procedures designed to prevent the firm or any of its Supervised Persons from violating the provisions of the Colorado Securities Act and the rules of the Division thereunder (the “Colorado Act”). This supervisory charge is consistent with existing Rule 51-4.6 (IA)(18) (the “Books and Records Rule”), which requires advisers to maintain written supervisory procedures and procedures to supervise the activities of its personnel and to ensure compliance with the securities laws.

Physical Security and Cybersecurity Policies and Procedures

Colorado Licensed Advisers must adopt, maintain, and enforce cybersecurity procedures that safeguard customers’ “Confidential Personal Information” and prevent unauthorized access to client records. Additionally, the new Rule outlines seven considerations that the Division's Commissioner may use to evaluate whether an adviser's cybersecurity policies and procedures are "reasonably designed."[4] The procedures under the new Rule must include five essential cybersecurity components:

  • Annual Risk Assessment: Procedures must provide for a risk assessment which would require the firm or an agent to conduct annual risk assessments of the particular threats and cyber risks to their systems.

  • User Security and Access: Procedures must provide for certain access controls designed to minimize employee user-related risks and prevent unauthorized access to electronic communications, databases, and media.

  • Identity Authentication: Procedures must provide for authentication practices, particularly concerning authenticating investor or client instructions and verifying an investor’s identity and the authenticity of such request.

  • Information Protection: Procedures must provide for the firm’s use and management of electronic communications, in particular, the use of secure email, encryption, and digital signatures.

  • Disclosure of Risks: Procedures should provide for relevant disclosures to clients regarding the risks of the firm’s use of electronic communications.

The Compliance Rule also adds a new privacy policy requirement which requires Colorado Licensed Advisers to provide their privacy policy to clients at the time of engagement and annually thereafter. The privacy policy must explain how the investment adviser collects and shares non-public personal information, to the extent permitted by state and federal law. If there are any inaccuracies in the privacy policy, the adviser must promptly make updates and provide the revised policy to every client.

Code of Ethics

The Compliance Rule calls for Colorado Licensed Advisers to establish a code of ethics that must cover several of the matters set out below:

  • Standard of Conduct and Compliance with Laws: The code of ethics must set forth a minimum standard of conduct for all personnel and must require their compliance with the Colorado Act, the federal securities laws, and the rules adopted respectively thereunder. The Division has not stated what this minimum standard should be, but the standard must reflect its fiduciary obligations.

  • Reporting Violations: Each adviser’s code of ethics must include provisions requiring Supervised Persons to report any code violations promptly to the CCO or other designee.

  • Distribution and Acknowledgment: The code must require the adviser to provide each supervised person with a copy of the code, and any amendments, and to obtain written acknowledgment from each supervised person of their receipt of a copy of the code.

  • Personal Securities Transactions: The code of ethics must require Access Persons to periodically report their personal securities transactions and holdings to the CCO or other designee. A complete report of each Access Person’s holdings of “Reportable Securities” in which an Access Person has, or acquires, a direct or indirect “beneficial interest” is due no later than ten (10) days after the person becomes an Access Person (the “Initial Report”) and at least once a year after that (the “Annual Report”). These Holdings Reports must be current as of a date not more than forty-five (45) days before the individual becomes an Access Person for Initial Reports or the date the report is submitted for Annual Reports. The code must also require Access Persons to provide quarterly reports of all their personal Reportable Securities transactions (“Quarterly Reports”). Quarterly Reports are due no later than thirty (30) days after the close of the calendar quarter.[5] In addition, the Rule permits three exceptions to the personal securities reporting obligations for (i) transactions effected under an automatic investment plan; (ii) securities held in accounts over which the Access Person had no direct or indirect influence or control; and (iii) transaction reports that would duplicate information contained in trade confirmations or account statements that the adviser has received and maintains as part of its recordkeeping. If the adviser has only one Access Person, it is not required to submit Quarterly or Annual personal trading Reports to itself or to obtain its own approval for certain transactions.

  • Pre-approval of Certain Securities Transactions: Lastly, in addition to requiring Access Persons periodically to report personal securities transactions, the code of ethics must also require Access Persons to pre-clear any acquisition of securities in an initial public offering or a limited offering private placement.

Misuse of Material Non-Public Information

The Compliance Rule requires the adoption of policies and procedures reasonably designed to prevent the misuse of material, non-public information. Following the federal standard, the Rule defines “material, non-public information” as material information that has not been disseminated in a manner making it available to investors. Information is material when it is substantially likely that the information would be important to a reasonable investor making an investment decision or is likely to have a significant impact on valuation. The design of the adviser’s policies and procedures will turn on the size and structure of the adviser as well as the nature of the material, non-public information its associated persons are likely to receive.

Business Continuity and Succession Planning

Incorporating aspects of former standalone Rule 51-4.12(IA) Business Continuity and Succession Planning, the Compliance Rule requires the adoption of policies and procedures relating to business continuity and succession planning (or “BCP”). While the specifics of a succession plan will vary depending on each adviser’s business model, the new Rule calls for procedures to include five components:

  • Books and Records: Procedures must provide for the protection, backup, and recovery of books and records.

  • Communication: Procedures must provide alternative means of communication with customers, key personnel, employees, vendors, and service providers (including third-party custodians).

  • Relocation: Procedures must provide for office relocation, if necessary, in the event of temporary or permanent loss of a principal place of business.

  • Designation: Procedures must provide for the assignment of duties to qualified, responsible persons in the event of the death or unavailability of key personnel.

  • Mitigation: Procedures must provide for controls, practices, and components of the plan that minimize service disruptions and client harm in the event of a sudden significant business interruption.

Takeaways for the Compliance Rule

  • Understand the Scope and Applicability of the Compliance Rule: The Compliance Rule applies to an “investment adviser licensed or required to be licensed” with the Division under the Colorado Act. Critically, this means the Rule does not apply to Colorado-based investment advisers that would otherwise be fully regulated by the state but for a licensing exemption (such advisers generally herein “Colorado Exempt Advisers”) or an exclusion from the Colorado “investment adviser” definition (such advisers, “Colorado Excluded Advisers”). For example, Rule 51-4.12(IA) does not apply to advisers relying upon the Colorado private fund adviser licensing exemption under Rule 51-4.11(IA).[6] Likewise, because investment advisers that meet the requirements of the federal exemptions for “family office” advisers, “venture capital fund” advisers, and “foreign private” advisers are exempt from the adviser licensing requirements of the Colorado Act, Rule 51-4.12(IA) does not include these Colorado Exempt Advisers in its coverage either.[7] Similarly, Colorado Excluded Advisers, such as U.S. Banks and Bank Holding Companies, and those who do not otherwise satisfy all three of the elements of the “investment adviser” definition, are not considered within the scope of Rule 51-4.12(IA).[8] Lastly, the new Rule does not affect investment advisers registered with the U.S. Securities and Exchange Commission (such advisers, “SEC Registered Advisers”) who are subject to the existing federal compliance regime established by the Investment Advisers Act of 1940 (the “Advisers Act,” as amended) and Rule 206(4)-7 thereunder.[9]

  • Designate a Chief Compliance Officer: Advisers must “designate” (note: not “hire”) a CCO. The CCO may be an employee with other duties, such as the general counsel or chief legal officer, or a third party specifically engaged to be the adviser’s CCO. Hybrid approaches also include aspects of outsourcing to third parties and internal work. Although not expressly stated, under the Federal equivalent of the Compliance Rule, rule 206(4)-7 under the Advisers Act, the expectation is that the compliance officer should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.

  • Identify the firm’s “Supervised Persons” and “Access Persons”: The determination as to whether a person constitutes an “Access Person” requires a facts-and-circumstances analysis that focuses on the Supervised Person’s role and responsibilities and access to nonpublic investment information. Special consideration should be given to the involvement of consultants, affiliates, contractors, service providers, and temporary employees to determine if they function as employees. It is important to note that the status of an Access Person may change over time and may require reassessment.

  • Alert and Train Personnel On Their Reporting Obligations: Firms should consider implementing a system for reminders of upcoming compliance deadlines for Quarterly and Annual personal trading transactions and holdings reports. Likewise, firms may want to hold orientation or training sessions with new and existing employees to remind them of their reporting obligations under the code of ethics. This approach could help ensure that reporting is completed on time and, importantly, the firm will be far better equipped to avoid violations of its code of ethics if its personnel understand it.

  • Determine the When, Who, and What of Conducting the Annual Review: While there is no single approach to conducting an Annual Review, Colorado Licensed Advisers should consider looking to the best practices of SEC Registered Advisers to determine their own “when, who, and what.” Typically, many of these firms perform the review after the end of their fiscal year to align with other year-end review processes. The responsibility for conducting the review usually falls on the CCO, but some firms may hire third-party service providers or outside counsel for assistance. Moreover, although the Compliance Rule and its federal equivalent do not specifically require documentation of the Annual Review, many advisers opt to create a report similar to one required to be provided by the CCO of a registered investment company to its board of directors (or equivalent governing body) setting forth any (i) material changes to the compliance report during the year, and (ii) “material compliance matters” that occurred.[10]

  • Review the Division’s Examination Priorities: Licensed Advisers should be mindful of the Division’s 2023 investment adviser examination priorities, which may serve as a valuable tool to assess compliance readiness and to understand the potential enforcement focus of the Division going forward.[11]

Conclusion

Building off prior guidance issued by the Division in October 2021, the Compliance Rule imposes a number of discrete requirements on Colorado Licensed Advisers.[12] It also signals the Division’s continued focus on compliance programs as one of its top priorities in 2023.[13] As coverage of the new Compliance Rule overlaps in many ways with SEC rules 206(4)-7 and 204A-1, Colorado Licensed Advisers should also consider looking to federal guidance to build and develop an effective compliance program.

Advisor Armor