This is the second in a three-part series discussing the newly amended rules (collectively the “Rules”) adopted by the Colorado Division of Securities (“Division”) effective as of March 30, 2023 (the “Effective Date”) applicable to certain Colorado investment advisers and their registered representatives (“IARs”). The Rules mostly affect investment advisers registered with Colorado State (such advisers, “Colorado Licensed Advisers”). The Rules also have a lesser impact on investment advisers who are excluded or excepted from Colorado registration.
This Part 2 describes, in detail, the requirements of new Rule 51-4.12(IA) (the “Compliance Rule” or the “Rule”), and offers concrete recommendations to Colorado Licensed Advisers for their compliance programs. Part 1 focused on the new Continuing Education Rule and offered practical guidance to advisers and their IARs for meeting the new requirements. Part 3 will review the amended Rules as a whole and provide best practices and compliance recommendations going forward.
The Compliance Rule
Rule 51-4.12(IA) adds a three-part compliance program requirement for Colorado Licensed Advisers, which includes establishing, maintaining, and enforcing written policies and procedures, designating a Chief Compliance Officer (“CCO”) to oversee the program, and conducting an Annual Review of the program. The Rule does not require that the CCO conduct the Annual Review, nor does it specify a particular time of year for its completion. Furthermore there is no requirement for the Annual Review to be written.
The scope of the compliance program includes the Colorado Licensed Adviser, its "Supervised Persons," and its "Access Persons" (with regard to reporting personal trading). All employees, officers, partners, directors, IARs, and other persons who provide advice on behalf of the adviser and are subject to the adviser’s supervision and control are considered “Supervised Persons.” “Access Persons” are “Supervised Persons” who have access to nonpublic information regarding client transactions or reportable fund holdings, make securities recommendations to clients, or have access to nonpublic recommendations, and generally, all officers, directors, and partners.
The following areas must be substantively addressed in the firm’s policies and procedures:
Supervisory Policies and Procedures
Colorado Licensed Advisers must adopt, maintain, and enforce supervisory policies and procedures designed to prevent the firm or any of its Supervised Persons from violating the provisions of the Colorado Securities Act and the rules of the Division thereunder (the “Colorado Act”). This supervisory charge is consistent with existing Rule 51-4.6 (IA)(18) (the “Books and Records Rule”), which requires advisers to maintain written supervisory procedures and procedures to supervise the activities of its personnel and to ensure compliance with the securities laws.
Physical Security and Cybersecurity Policies and Procedures
Colorado Licensed Advisers must adopt, maintain, and enforce cybersecurity procedures that safeguard customers’ “Confidential Personal Information” and prevent unauthorized access to client records. Additionally, the new Rule outlines seven considerations that the Division's Commissioner may use to evaluate whether an adviser's cybersecurity policies and procedures are "reasonably designed." The procedures under the new Rule must include five essential cybersecurity components:
- Annual Risk Assessment: Procedures must provide for a risk assessment which would require the firm or an agent to conduct annual risk assessments of the particular threats and cyber risks to their systems.
- User Security and Access: Procedures must provide for certain access controls designed to minimize employee user-related risks and prevent unauthorized access to electronic communications, databases, and media.
- Identity Authentication: Procedures must provide for authentication practices, particularly concerning authenticating investor or client instructions and verifying an investor’s identity and the authenticity of such request.
- Information Protection: Procedures must provide for the firm’s use and management of electronic communications, in particular, the use of secure email, encryption, digital signatures.
- Disclosure of Risks: Procedures should provide for relevant disclosures to clients regarding the risks of the firm’s use of electronic communications.
Code of Ethics
The Compliance Rule calls for Colorado Licensed Advisers to establish a code of ethics that must cover several of the following matters set out below:
- Standard of Conduct and Compliance with Laws: The code of ethics must set forth a minimum standard of conduct for all personnel and must require their compliance with the Colorado Act, the federal securities laws, and the rules adopted respectively thereunder. The Division has not stated what this minimum standard should be, but the standard must reflect its fiduciary obligations.
- Reporting Violations: Each adviser’s code of ethics must include provisions requiring Supervised Persons to report any code violations promptly to the CCO or other designee.
- Distribution and Acknowledgment: The code must require the adviser to provide each supervised person with a copy of the code, and any amendments, and to obtain written acknowledgment from each supervised person of their receipt of a copy of the code.
- Personal Securities Transactions: The code of ethics must require Access Persons to periodically report their personal securities transactions and holdings to the CCO or other designee. A complete report of each Access Person’s holdings of “Reportable Securities” in which an Access Person has, or acquires, a direct or indirect “beneficial interest” is due no later than ten (10) days after the person becomes an Access Person (the “Initial Report”) and at least once a year after that (the “Annual Report”). These Holdings Reports must be current as of a date not more than forty-five (45) days before the individual becomes an Access Person for Initial Reports or the date the report is submitted for Annual Reports. The code must also require Access Persons to provide quarterly reports of all their personal Reportable Securities transactions (“Quarterly Reports”). Quarterly Reports are due no later than thirty (30) days after the close of the calendar quarter. In addition, the Rule permits three exceptions to the personal securities reporting obligations for (i) transactions effected under an automatic investment plan; (ii) securities held in accounts over which the Access Person had no direct or indirect influence or control; and (iii) transaction reports that would duplicate information contained in trade confirmations or account statements that the adviser has received and maintains as part of its recordkeeping. If the adviser has only one Access Person, it is not required to submit Quarterly or Annual personal trading Reports to itself or to obtain its own approval for certain transactions.
- Pre-approval of Certain Securities Transactions: Lastly, in addition to requiring Access Persons periodically to report personal securities transactions, the code of ethics must also require Access Persons to pre-clear any acquisitions of security in an initial public offering or a limited offering private placement.
Misuse of Material Non-Public Information
The Compliance Rule requires the adoption of policies and procedures reasonably designed to prevent the misuse of material, non-public information. Following the federal standard, the Rule defines “material, non-public information” as material information that has not been disseminated in a manner making it available to investors. Information is material when it is substantially likely that the information would be important to a reasonable investor making an investment decision or is likely to have a significant impact on valuation. The design of the adviser’s policies and procedures will turn on the size and structure of the adviser as well as the nature of the material, non-public information its associated persons are likely to receive.
Business Continuity and Succession Planning
Incorporating aspects of former standalone Rule 51-4.12(IA) Business Continuity and Succession Planning, the Compliance Rule requires the adoption of policies and procedures relating to business continuity and succession planning (or “BCP”). While the specifics of a succession plan will vary depending on each adviser’s business model, the new Rule calls for procedures to include five components:
- Books and Records: Procedures must provide for the protection, backup, and recovery of books and records.
- Communication: Procedures must provide alternative means of communication with customers, key personnel, employees, vendors, and service providers (including third-party custodians).
- Relocation: Procedures must provide for office relocation, if necessary, in the event of temporary or permanent loss of a principal place of business.
- Designation: Procedures must provide for the assignment of duties to qualified, responsible persons in the event of the death or unavailability of key personnel.
- Mitigation: Procedures must provide for controls, practices, and components of the plan that minimize service disruptions and client harm in the event of a sudden significant business interruption.
Takeaways for the Compliance Rule
- Understand the Scope and Applicability of the Compliance Rule: The Compliance Rule applies to an “investment adviser licensed or required to be licensed” with the Division under the Colorado Act. Critically, this means the Rule does not apply to Colorado-based investment advisers that would otherwise be fully regulated by the state but for a licensing exemption (such advisers generally herein “Colorado Exempt Advisers”) or an exclusion from the Colorado “investment adviser” definition (such advisers, “Colorado Excluded Advisers”). For example, Rule 51-4.12(IA) does not apply to advisers relying upon the Colorado private fund adviser licensing exemption under Rule 51-4.11(IA). Likewise, because investment advisers that meet the requirements of the federal exemptions for “family office” advisers, “venture capital fund” advisers, and “foreign private” advisers are exempt from the adviser licensing requirements of the Colorado Act, Rule 51-4.12(IA) does not include these Colorado Exempt Advisers in its coverage either. Similarly, Colorado Excluded Advisers, such as U.S. Banks and Bank Holding Companies, and those who do not otherwise satisfy all three of the elements of the “investment adviser” definition, are not considered within the scope of Rule 51-4.12(IA). Lastly, the new Rule does not affect investment advisers registered with the U.S. Securities and Exchange Commission (such advisers, “SEC Registered Advisers”) who are subject to the existing federal compliance regime established by the Investment Advisers Act of 1940 (the “Advisers Act,” as amended) and Rule 206(4)-7 thereunder.
- Designate a Chief Compliance Officer: Advisers must “designate” (note: not “hire”) a CCO. The CCO may be an employee with other duties, such as the general counsel or chief legal officer, or a third party specifically engaged to be the adviser’s CCO. Hybrid approaches also include aspects of outsourcing to third parties and internal work. Although not expressly stated, under the Federal equivalent of the Compliance Rule, rule 206(4)-7 under the Advisers Act, the expectation is that the compliance officer should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.
- Identify the firm’s “Supervised Persons” and “Access Persons”: The determination as to whether a person constitutes an “Access Person” requires a facts-and-circumstances analysis that focuses on the Supervised Person’s role and responsibilities and access to nonpublic investment information. Special consideration should be given to the involvement of consultants, affiliates, contractors, service providers, and temporary employees to determine if they function as employees. It is important to note that the status of an Access Person may change over time and may require reassessment.
- Alert and Train Personnel On Their Reporting Obligations: Firms should consider implementing a system for reminders of upcoming compliance deadlines for Quarterly and Annual personal trading transactions and holdings reports. Likewise, firms may want to hold orientation or training sessions with new and existing employees to remind them of their reporting obligations under the code of ethics. This approach could help ensure that reporting is completed on time and importantly, the firm will be far better equipped to avoid violations of its code of ethics if its personnel understand it.
- Determine the When, Who, and What of Conducting the Annual Review: While there is no single approach to conducting an Annual Review, Colorado Licensed Advisers should consider looking to the best practices of SEC Registered Advisers to determine their own “when, who, and what.” Typically, many of these firms perform the review after the end of their fiscal year to align with other year-end review processes. The responsibility for conducting the review usually falls on the CCO, but some firms may hire third-party service providers or outside counsel for assistance. Moreover, although the Compliance Rule and its federal equivalent does not specifically require documentation of the Annual Review, many advisers opt to create a report similar to one required to be provided by the CCO of a registered investment company to its board of directors (or equivalent governing body) setting forth any (i) material changes to the compliance report during the year, and (ii) “material compliance matters” that occurred.
- Review the Divisions’ Examination Priorities: Licensed Advisers should be mindful of the Division’s 2023 investment adviser examination priorities, which may serve as a valuable tool to assess compliance readiness and to understand the potential enforcement focus of the Division going forward.
Building off prior guidance issued by the Division in October 2021, the Compliance Rule imposes a number of discrete requirements on Colorado Licensed Advisers. It also signals the Division’s continued focus on compliance programs as one of its top priorities in 2023. As coverage of the new Compliance Rule overlaps in many ways with SEC rules 206(4)-7 and 204A-1, Colorado Licensed Advisers should also consider looking to federal guidance to build and develop an effective compliance program.
 See Rule 51-4.12(IA)(C); Rule 51-4.4.1(IA)(B).
 Under Rule 51-4.4.1(IA)(D)(11), ‘‘Supervised person’’ means any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or other person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser. The definition includes investment adviser representatives, employees, independent contractors, or other associated persons and supervised personnel, or other person acting on the behalf of the investment adviser.
 The Rule includes a presumption of Access Person status for all directors, officers, and partners of an investment adviser whose primary business is providing investment advice. See Rule 51-4.4.1(IA)(D)(1).
 In determining whether the cybersecurity procedures are reasonably designed, the Commissioner may consider: “(i.) The firm’s size; (ii.) The firm’s relationships with third parties; (iii.) The firm’s policies, procedures, and training of employees with regard to cybersecurity practices; (iv.) Authentication practices; (v.) The firm’s use of electronic communications; (vi.) The automatic locking of devices that have access to Confidential Personal Information; and (vii.) The firm’s process for reporting of lost or stolen devices.” Rule 51-4.4.1(IA)(A)(3)(a).
 The Division’s Compliance Rule effectively treats all securities as a “Reportable Security” with five exceptions that mirror those exceptions with the definition in Section 202(a)(18) of the Securities Act of 1933: (1) Direct obligations of the Government of the United States; (2) Bankers' acceptances, bank certificates of deposit, commercial paper and high quality short-term debt instruments, including repurchase agreements; (3) Shares issued by money market funds; (4) Shares issued by open-end funds other than reportable funds; and (5) Shares issued by unit investment trusts that are invested exclusively in one or more open-end funds, none of which are reportable funds.
 For a deeper discussion of the contours of the private fund adviser licensing exemption, see DGS Legal Alert: Division of Securities Adopts New Exemption from Investment Adviser Licensing Requirements. A private fund adviser who provides investment advice solely to one or more "qualifying private funds" is exempt from the Colorado licensing requirements, subject to certain additional conditions. A “qualifying private fund” means a private fund that meets the definition of a “qualifying private fund” in Rule 203(m)-1 under the federal Investment Advisers Act of 1940 (the “Advisers Act”) which, in effect defines "qualifying private fund" as a “3(c)(1) and 3(c)(7) funds”, as they are more fully defined under the federal Investment Company Act of 1940 (the “1940 Act”). Advisers relying upon the Colorado private fund adviser licensing exemption in Rule 51-4.11(IA) should bear in mind that they could potentially operate as an “Exempt Reporting Adviser” by taking advantage of the federal private fund adviser exemption under Section 203(m)(1) of the Advisers Act and rule 203(m)-1 thereunder (“Private Fund Adviser Exemption”) or the Section 203(l) and rule 203(l)-1 thereunder (“Venture Capital Fund Exemption”). The Private Fund Adviser Exemption is available to advisers who solely manage "qualifying private funds" and have less than $150 million in assets under management. A detailed analysis of the Venture Capital Fund Exemption conditions is beyond the scope of this Alert, but very broadly, investment advisers that solely advise venture capital funds may be exempt from registration under the Advisers Act.
See Colorado Securities Commissioner Interpretive Order No. 12-IN-001, March 30, 2012, providing that investment advisers meet the federal exemption requirements for family office advisers, venture capital fund advisers, and foreign private advisers are otherwise exempt from the adviser licensing requirements of the Colorado Securities Act. Against, at the federal level, venture capital fund advisers that rely on the Section 203(l) “Venture Capital Fund Exemption” are also considered SEC “Exempt Reporting Advisers. ”
 The term “bank” is defined in Section 202(a)(2) of the Advisers Act. Persons who: (1) engage in the business of advising others (2) regarding securities (3) for compensation are regulated as investment advisers by the Advisers Act and under C.R.S. § 11-51-401(1.5) at the Colorado level. However, a person must satisfy all three of the elements of the “investment adviser” definition for such regulations to apply. Section 202(a)(11) of the Advisers Act defines the term “investment adviser” to mean “any person who, for compensation, engages in the business of advising others, either directly or through publications or writings, as to the value of securities or as to the advisability of investing in, purchasing, or selling securities, or who, for compensation and as part of a regular business, issues or promulgates analyses or reports concerning securities.” Under C.R.S. § 11-51-201(9.5)(a)(I) “investment adviser” is defined as verbatim to Section 202(a)(11) of the Advisers Act and includes (II) “financial planners or other persons who, as an integral component of other financially related services, provide investment advisory services to others for compensation and as a part of a business or who hold themselves out as providing investment advisory services to others for compensation.”
 Colorado uses the term “Federal Covered Adviser.” See C.R.S. § 11-51-201(5.5)(a). Generally speaking, Section 203A of the Advisers Act prohibits “Mid-Size Advisers” with between $25 million and $100 million of assets under management from registration with the SEC. In some cases, however, advisers under the $100 million threshold may be required to register with the SEC instead of the states where an adviser is: (1) exempt from state registration in its home state or (2) not subject to subject to examination by the securities authority of the state. See Advisers Act Section 203A(a)(2)(B)(i). Advisers who take advantage of an exception from Colorado registration should pay close attention to the interaction of state and federal investment adviser regulation.
 See generally, SEC Rule 38a-1(a)(4)(iii).
 The Division’s Examination Priorities can be found at: https://securities.colorado.gov/press-release/alert-the-colorado-division-of-securities-announces-2023-investment-adviser.
 See Colorado Division of Securities Investment Adviser Guide (Volume I), October 28, 2021.
 See Colorado Division of Securities 2023 Investment Adviser Examination Priorities, January 31, 2023, at p.,3, (“The Staff expects that one of the Division’s top examination priorities in 2023 will be assisting advisers in complying with new rules”).