ALI-ABA Conference on Life Insurance Company Products November 3-4, 2005 Washington, D.C. Rule 38a-1: Lessons Being Learned and Future Challenges By Mary Jane Wilson-Bilik Sutherland Asbill & Brennan LLP 1275 Pennsylvania Avenue, NW Washington, DC 20004 (202) 383-0660 mj.wilson-bilik@sablaw.com Lee D. Augsburger Vice President and Chief Compliance Officer Prudential Investment Management Corporation Newark, New Jersey (973) 367-4121 lee.augsburger@prudential.com Rule 38a-1: Lessons Being Learned and Future Challenges ALI-ABA Conference on Life Insurance Company Products November 3-4, 2005 Mary Jane Wilson-Bilik Sutherland Asbill & Brennan LLP 1275 Pennsylvania Avenue, NW Washington, DC 20004 (202) 383-0660 mj.wilson-bilik@sablaw.com
Lee D. Augsburger Vice President and Chief Compliance Officer Prudential Investment Management Newark, New Jersey (973) 367-4121 lee.augsburger@prudential.comintroduction As the second set of deadlines approaches for compliance with Rule 38a-1 under the Investment Company Act of 1940, as amended (the 1940 Act ), we want to take this opportunity to review the lessons the industry has been learning from the initial phase of Rule 38a-1 and to assess the operational and legal challenges that lie ahead. Among the topics this outline will discuss are: the evolving role of the Chief Compliance Officer ( CCO ), the emerging definition of the compliance function, and how compliance is distinguished from the legal function. We also will look at how the industry is preparing for the annual review and the attendant annual report. I. Background A. Phase one initial compliance. On December 17, 2003, the Securities and Exchange Commission ( SEC or Commission ) published the release adopting new Rule 38a-1. The SEC at its December 3, 2003 open meeting had approved Rule 38a-1 unanimously. Final Rule 38a-1 provided a 9-month implementation period during which every registered investment company ( RIC ), including management investment companies ( funds ) and insurance company separate accounts registered as unit investment trusts ( separate accounts ), adopted and implemented written policies and procedures reasonably designed to prevent violation of the Federal Securities Laws. The final Rule also required all RICs to have designated, and the board/depositor to have approved, one CCO by October 5, 2004 who would be responsible for administering the RIC s policies and procedures and those of its service providers, which include, as applicable, the RIC s principal underwriter, investment adviser, insurance company depositor, administrator and transfer agent ( Service Providers ). B. Phase two ongoing development and maintenance. Since October 5, 2004, RICs and their CCOs have been addressing the maintenance of their Rule 38a-1 policies and procedures and the development of the compliance program. And, as discussed below, the role of the CCO in administering the compliance program and implementing the requirements of Rule 38a-1 has also been evolving. C. Phase three future challenges of the annual review and annual report. In the next phase of Rule 38a-1, all RICs must review their compliance policies and procedures annually for the adequacy and the effectiveness of their implementation, and prepare an annual report. The first annual review of the compliance policies and procedures must be completed no later than 18 months after adoption or approval of the compliance policies and procedures (by no later than April 6, 2006). The CCO
must submit the first annual report within 60 calendar days of the completion of the annual review (by no later than June 7, 2006). II. Phase One: Adopt Written Compliance Policies and Procedures Each RIC, and each Service Provider for a RIC, is required to have adopted and implemented written policies and procedures that are reasonably designed to prevent the RIC and Service Provider from violating the Federal Securities Laws. The RIC s policies and procedures also must provide for the RIC s oversight of compliance by each Service Provider. The policies and procedures must be reasonably designed to prevent violations of the Federal Securities Laws from occurring. A. Scope of the written compliance policies and procedures. Written policies and procedures must be comprehensive in scope and cover all facets of compliance with the Federal Securities Laws. The language of Rule 38a-1 is very broad and general, and it does not specify any specific policies and procedures, or even specific matters that must be covered. In light of market timing and late trading enforcement actions involving RICs and their Service Providers that were unfolding in late 2003, the Adopting Release discussed the application of Rule 38a-1 to certain important compliance areas, and provided a non-exhaustive bullet-point list of critical areas that policies and procedures should cover in order to be compliant with Rule 38a-1. Among the compliance controls discussed in the Adopting Release are: 1. Pricing and processing of units and mutual fund shares. Rule 38a-1 requires a separate account to have in place policies and procedures that provide for the forward-pricing of unit values and the segregation of orders received before the 4:00 p.m. ET pricing deadline from orders received after the deadline. Some funds and separate accounts, through contractual provisions, rely on third party administrators to receive and properly segregate contractowner orders to ensure proper pricing of unit values. Reliance on those contractual provisions alone would be insufficient to meeting the requirements of Rule 38a-1. 2. Identification of affiliated persons. To prevent self-dealing and overreaching by persons in a position to take advantage of the RIC, the 1940 Act prevents a RIC, including a separate account, from entering into certain transactions with affiliated persons. Rule 38a-1 requires policies and procedures to be in place that identify those affiliated persons and that are reasonably designed to prevent unlawful transactions with such persons. 3. Market timing. Under Rule 38a-1, a separate account must have procedures reasonably designed to ensure compliance with its prospectus (and other) disclosure regarding market timing. These procedures should
provide for monitoring of [contractowner] trades or flows of money in and out of the fund [and separate account] in order to detect market timing activity, and for consistent enforcement of the fund [and separate account s] policies regarding market timing. 4. Other issues to be addressed. Among the other issues that the SEC expects RICs to address in their Rule 38a-1 policies and procedures are: (a) (b) (c) (d) (e) (f) The accuracy of disclosures made to contractowners and regulators, including account statements and advertisements; The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction; Processes for valuing assets and assessing fees; Safeguards for the privacy protection of client records and information; Business continuity plans; and Processing of unit holder transactions, including new account applications, premium payments, and exchanges. B. Policies and procedures regarding the oversight of Service Providers. Rule 38a-1 requires that the written compliance policies and procedures of the RIC provide for the oversight by the RIC of compliance by its Service Providers (that is, the principal underwriter, insurance company depositor, administrator or transfer agent) through which the fund or separate account conducts its activities. To do this, the fund or separate account may, but is not required to, adopt, as its own, the compliance policies and procedures of its Service Providers. If adoption of a Service Provider s policies and procedures is not practical, the insurance company depositor or fund board must approve the Service Provider s compliance policies and procedures and make a finding that the Service Provider s policies and procedures are reasonably designed to prevent violations of the Federal Securities Laws. 1. Simple reliance on a Service Provider s policies and procedures is not sufficient oversight. The Adopting Release explicitly rejects the suggestion from commenters that, when overseeing its Service Provider s compliance, a RIC may simply rely on [its] Service Provider s policies and procedures. The SEC did not permit simple reliance on the third party s procedures on the ground it would permit the RIC to absolve itself of responsibility for the compliance activities of its Service Providers. More active supervisory measures are required to be included in the RIC s own written policies and
procedures. 2. Suggested oversight techniques of Service Providers to be included in the RIC s policies and procedures. As will be discussed further below, in cases where a fund or separate account employs Service Providers that are not affiliated persons, it may not be practical for the CCO for the fund or separate account to directly review all the Service Provider s policies and procedures. In such cases, the Adopting Release indicates that one of the ways that Rule 38a-1 will be satisfied is if the fund or separate account uses a third-party report on the Service Provider s procedures, rather than the procedures themselves, to evaluate the Service Provider. The third-party report must describe the Service Provider s compliance program as it relates to the types of services provided to the RIC, discuss the types of compliance risks material to the RIC, and assess the adequacy of the Service Provider s compliance controls. 3. RIC s approval of the Service Provider s policies and procedures: appropriate use of summaries. The SEC noted in the Adopting Release that a RIC may satisfy its obligations under the Rule with regard to the approval of the policies and procedures of its Service Providers by reviewing summaries of their policies and procedures. These summaries can be prepared by the CCO for the RIC, by legal counsel or by persons familiar with the Service Provider s compliance program. The summaries should provide the RIC s board (or the depositor, in the separate account context) with a good understanding of how the compliance programs address particularly significant compliance risks. Comment: Although the Adopting Release has been published for over 18 months, the authors are unaware of any registrants utilizing a SAS 70 review for this purpose. Moreover, the audit profession has not clearly accepted the suitability of the SAS 70 report to this type of review. C. Board/depositor approval of written policies and procedures. Rule 38a-1(a)(2) requires each RIC to obtain approval from the RIC s board of directors (including a majority of disinterested directors) of the RIC s compliance policies and procedures and those of its Service Providers. Because unit investment trusts ( UITs ) do not have boards of directors, paragraph (b) was included in Rule 38a-1 to require the insurance company depositor (or principal underwriter) to function in place of the RIC s board of directors, and approve the policies and procedures of the separate account and each of its Service Providers (including the depositor). The depositor must base this approval on a finding that the policies and procedures are reasonably designed to prevent violations of the Federal Securities Laws by the separate account and its Service Providers (including the depositor).