Key Questions For Reviewing Compliance Policies and Procedures

Hedge funds and asset managers over a certain size are required to establish and maintain compliance policies and procedures to ensure they are compliant with applicable rules and laws. Having a robust compliance program is key to meeting today’s increasingly stringent regulatory requirements and an expectation of the regulator.

So, how do you ensure that your compliance program is robust? Well, the starting point is carrying out a thorough assessment to determine the unique set of risks that apply to your firm. This includes asking important questions both when establishing your compliance policies and procedures, and when periodically assessing your compliance program to ensure ongoing efficiency. In this blog, we list the key questions you should keep in mind when setting up and reviewing your firm's compliance processes and procedures to ensure they are robust.

Why asset managers and hedge funds need robust compliance policies and procedures

In North America, hedge funds, asset managers, banks, brokers and other regulated financial services providers are obligated to meet the requirements set out by the SEC, FINRA, CFTC and IIROC. Many of the rules these firms are subject to require them to have sophisticated compliance programs in place that ensure they are able to identify, investigate, report and mitigate regulatory risks and violations. This is becoming even more important as regulators increasingly clamp down on compliance. In the US, for example, we are seeing increased scrutiny of communications rules, with a number of top-tier banks coming under investigation. It is therefore more important than ever that firms review the robustness of their compliance programs.

How to establish robust and effective compliance policies and procedures

Establishing a robust compliance program is grounded in having processes and procedures that are customized to the business activities that the firm carries out. Among other factors, a firm’s business type, trading strategies, and instruments or asset class coverage all impact the rules they are subject to. Based on these factors, firms should carry out an in-depth analysis of the specific risks they are subject to. After that, they can then come up with a thorough plan for the compliance policies and procedures that are needed to best prevent those specific risks from occurring.

Once a firm has formulated adequate policies and procedures to mitigate the risks identified in its analysis, the second step to robust compliance is to periodically reassess its business risk to ensure those policies remain effective.

Key questions to ask when establishing or reviewing your firm’s compliance program

Given the need to carry out an in-depth risk analysis before establishing a compliance program and thereafter periodically reviewing that program to ensure it remains robust, here are some of the key questions firms should ask themselves. If the answer to any of these is “no”, then the compliance program is at risk of not being what regulators refer to as “robust” and needs to be reevaluated.

Tailored risk assessment, quality control and testing

  • Have you evaluated your firm’s activities, arrangements, affiliations, client base, service providers, conflicts of interest, and other business factors to understand the specific risks applicable to your business? 

  • Did this risk evaluation serve as the basis for developing your compliance policies and procedures?

  • Have you planned/conducted an annual review of your compliance program?

  • Can this review test the comprehensiveness of your compliance policies and procedures, taking into account any business changes?

  • Do you periodically also re-evaluate your risk assessment to determine if there are any new, evolving, or resurgent risks and that those are adequately addressed?

  • Do you conduct transactional or quality control tests to determine whether your activities are consistent with your compliance policies and procedures? 

  • Do you periodically carry out tests to detect instances where your policies and procedures may be circumvented or gaps in your compliance program may be abused?

  • Do these tests produce reports, and are reports reviewed by knowledgeable staff to resolve exceptions or problems in a timely manner?

Policies and procedures

  • Are your compliance policies and procedures designed to manage and control the compliance risks identified in your risk assessment?

  • Does the implementation of your compliance policies and procedures reflect good principles of management and control?

Record-keeping requirements

  • Do you create, record, and retain all required information, including information that may be contained in emails and instant messages, for required time periods? Is this information accurate and securely archived?

  • Do you ensure that records are preserved and protected from unplanned destruction, loss, alteration, compromise, or use?

  • Can you promptly produce information, whether on paper or electronic media, upon request?

  • Does your records management program enable you to read and produce information maintained electronically or photographically, or that has been encrypted for the entire period required by record retention rules?

  • Do you have the ability to place records under legal hold? 

  • Do you need to pay your service provider to export your data from your record-keeping system?

Supervisory oversight and market abuse

  • Do you have effective oversight of your regulated employees' trading activity? 

  • Do you have the technology and means to detect instances of insider trading?

  • Do you have the ability to detect prominent market abuse behaviors?

  • Do you have effective oversight of electronic communications, authorized and unauthorized?

  • Do you have policies in place which prohibit the use of electronic messaging platforms your firm does not capture? 

  • Do you have technology in place that allows you to monitor policy adherence, especially for unauthorized communication channels?

  • Are you able to monitor the communications and personal accounts of people on restricted lists?

CCO and compliance staff

  • Is your CCO knowledgeable of the applicable regulatory frameworks and laws, competent in regard to administering your compliance program, and empowered to enforce compliance with your policies and procedures?

  • When confronted with facts and circumstances that are inconsistent with how things should be, do your staff follow up on these matters, including bringing these matters to the attention of higher-level management and the CCO?

  • Does your CCO have both compliance and organizational positions? Are the resulting conflicts of interest appropriately identified and managed?

How can my compliance program help foster a culture of compliance in my firm?

An ethical environment is important for ensuring all employees prioritize compliance. Therefore, your compliance program should support your efforts to create and maintain a company culture of compliance. Here are some questions you can ask when assessing your firm’s compliance culture:

  • Do you have a code of ethics that encourages an honest, open, and ethical compliance culture/ethical environment?

  • Is your compliance culture/ethical environment consistent with the description in your code of ethics?

  • Do you use specific factors (e.g., the number of compliance issues that occur) to measure the effectiveness of the ethical environment?

  • Does your compliance culture handle conflicts of interest and compliance issues in ways that are consistent with your disclosures, given your fiduciary responsibilities?

  • Is periodic training provided to your staff that effectively provides information with respect to expectations regarding ethical conduct?

  • Are violations of the code of ethics handled appropriately and consistently across all staff, including the imposition of fines or similar sanctions for repeated violations of code provisions?

Compliance is a necessary legal requirement for every hedge fund and asset manager, and to meet regulatory demands, compliance policies and procedures need to be robust. As regulators clamp down further on firms and scrutinize their compliance programs, ensuring the efficiency of your own compliance program is necessary to avoid serious consequences that can be detrimental to your firm.

When establishing or reviewing your compliance program, keep the above questions in mind, as they will help you evaluate whether your compliance program is adequate or in need of additional work, and make a point of reviewing your compliance program regularly as the regulatory landscape continues to evolve and bring about new requirements for firms to meet.

How RegTech support from SteelEye can help your compliance program

Technology is a key part of establishing a robust compliance program. It can help firms more easily demonstrate to regulators that policies and procedures are robust and being met. At SteelEye, we provide a holistic platform for record-keeping, trade and communications surveillance, best execution monitoring, TCA and more. These solutions are deep-rooted in data management, helping firms easily sift through vast volumes of data to identify records, escalate cases for investigation and report back to the business. This data-driven approach also enables firms to easily flag where there might be a potential policy violation, for example, an employee asking a client or colleague to communicate on WhatsApp where this channel is banned for corporate use.

At SteelEye, we believe in the 3 Cs of Smarter Compliance

Bringing together all your data in one place gives you a holistic view of all your information – from transactions, communications, market data and more. Using the same underlying dataset for all compliance requirements mitigates risks associated with manual errors and signals being missed. SteelEye is the only company that offers a complete platform of data and compliance solutions.


Having all your compliance processes on one platform provides enhanced control and oversight. It is easy to spot errors, breaches, and risks. Many firms have their data spread across multiple platforms. There is often little control in this or over who uses the data. With SteelEye, you can control who sees what and when.


Bringing everything together under a single lens reduces the number of systems, vendors, and manual processes you rely on. As a result, direct and indirect costs associated with regulatory compliance can be reduced.

Reach out to our team of experts to start leveraging technology to your advantage.