Investment Adviser Policies and Procedures Manual

Investment Adviser Policies and Procedures Manual Wed, Mar 8, 2017 02:26 PM

Contents

I. Introduction
II. Organization and Compliance Structure
Overview
Compliance Program Rule Requirement
Annual Compliance Reviews
Introduction
Background
Responsibility
Procedure
Code of Ethics
Introduction
Prohibition Against Insider Trading
Background
Responsibility
Procedure
Supervisory Procedures
Other Duties
Complaints
Introduction
Background
Responsibility
Procedure
Disaster Recovery and Business Continuance
Introduction
Background
Business Description
Critical Processes
Training, Testing & Revision Of Plan
Supervision & Internal Controls
Introduction
Background

Woodstock Corporation - Woodstock Compliance Manual 3-1... Contents

Wed, Mar 8, 2017 02:26 PM Page 4 of 130

Responsibility
Procedure
Oversight of Third-Party Service Providers
Introduction
Background
Responsibility
Procedure
Books and Records
Introduction
Background
Responsibility
Procedure
Corporate Records
Introduction
Background
Responsibility
Procedure
III. Regulatory Filings
Registration
Introduction
Background
Responsibility
Procedure
Regulatory Reporting
Introduction
Background
Responsibility
Procedure
IV. Privacy and Information Safeguarding
Cybersecurity
Introduction
Background

Responsibility
Procedure
Privacy
Introduction
Background
Privacy Notices
Responsibility
Procedure
Reporting Breaches and Violations
Identity Theft
Introduction
Responsibility
Procedure
E-Mail and Other Electronic Communications
Introduction
Background
Responsibility
Procedure
Mobile Devices
Introduction
Responsibility
Procedure
Incident Management & Response Plan
Introduction
Responsibility
Procedure
Incident Management and Response Plan
V. Marketing
Advertising
Introduction
Background
Responsibility
Procedure

Performance
Introduction
Background
Responsibility
Procedure
Solicitor Arrangements
Introduction
Background
Responsibility
Procedure
Compliance Point
Communications With the Press and Public
VI. Client Account Maintenance
Establishing New Client Relationships
Introduction
Background
Procedures and Practices
Anti-Money Laundering
Introduction
Background
Responsibility
Compliance Guidance
Custody
Introduction
Background
Responsibility
Procedure
Advisory Agreement
Introduction
Background
Responsibility
Procedure
Compliance Guidance

Disclosure Brochures
Introduction
Background
Responsibility
Procedure
Wrap Fee Advisor
Background
Responsibility
Procedure
Wrap Fee Sponsor
Introduction
Background
Responsibility
Procedure
VII. Managing Client Accounts
Investment Processes
Introduction
Background
Responsibility
Procedure
Valuations of Securities
Introduction
Background
Responsibility
Procedure
Soft Dollars
Introduction
Background
Responsibility
Procedure
ERISA
Introduction
Background

Responsibility
Procedure
Best Execution
Introduction
Background
Responsibility
Procedure
Proxy Voting
Introduction
Background
Responsibility
Procedure
Trading
Account Reconciliation
Trade Errors
Introduction
Trade Recordkeeping
Broker Selection
Trade Aggregations and Allocations
Directed Brokerage
Introduction
Background
Responsibility
Procedure
Principal and Agency Cross Transactions
VIII. Appendices
Annual Holdings Form
Code of Ethics Attestation (Initial and Annual)
Compliance Manual Attestation

Disaster Recovery
2017 Call Tree
Intermedia Instructions
Disaster Recovery Attestation
Phone and Remote Login Instructions
Woodstock Floor Plan
Due Diligence Vendor Checklist
Email and Other Electronic Communications Acknowledgment
Identity Theft
Identity Theft Attestation
Identity Theft Red Flags and Responses
Mobile Device Policy Attestation
SECTION 1: For personnel using a Mobile Device for business purposes
SECTION 2: For personnel not using a Mobile Device for business purposes
Employee Mobile Device Log
Personal Securities Transaction Form
Pricing Information
Privacy
Appendix A California Financial Code Section 4056(b)
Appendix B Regulation S-P, Rules 13, 14 & 15
Appendix C
Privacy Policy Attestation
Record Retention Chart
Trade Error Report
Trade Error Report

I. Introduction

This Compliance Policies and Procedures Manual (the “Compliance Manual” or “Policies and Procedures”) has been developed to assist all Supervised Persons of Woodstock in complying with the provisions of the Investment Advisers Act of 1940 (the “Advisers Act”), and other advisory-related statutes and rules issued or adopted by the Securities and Exchange Commission (the “SEC”) and Woodstock's Code of Ethics. It details the compliance and operating procedures and standards which must be followed by Woodstock to ensure full compliance with these requirements. These Policies and Procedures cover Woodstock Corporation and Woodstock Services Company, LLC, as a provider of support services for Woodstock Corporation, and each officer and all employees are subject to Woodstock's supervision and control (Supervised Persons).

It shall be the policy of Woodstock to comply with the letter and spirit of all applicable laws and regulations. Consequently, Woodstock seeks to establish and maintain an effective compliance program as set forth herein that conforms to the standards of applicable law. This program is designed, implemented, and enforced with the purpose of preventing and detecting possible breaches of the law.

Each Supervised Person is responsible for reading, understanding and consenting to comply with the policies contained herein (see Appendices, "Compliance Manual Attestation"). In addition, each Employee must be familiar with the laws and regulations affecting his or her own job responsibilities. The importance of supervision and compliance with applicable rules and regulations cannot be overemphasized. Failure to comply with applicable regulations or to adequately supervise the activities of Woodstock's Supervised Persons may result in fines, censures and other sanctions against such Supervised Persons or against Woodstock itself.

This Compliance Manual is not to be construed as an all-inclusive understanding of the Advisers Act and SEC requirements but rather serves as a guide in conducting and supervising daily investment management businesses. Thus, each Supervised Person is required to recognize and respond appropriately to specific issues as they arise. Please see the Chief Compliance Officer regarding any issues that cannot be resolved through reference to this manual.

Nothing contained in this Compliance Manual or elsewhere prohibits Supervised Persons or former Supervised Persons from voluntarily communicating with the SEC or other authorities concerning possible securities law violations or from recovering a Commission whistleblower award.

Each Supervised Person must retain a copy of this manual. Woodstock will review the manual on a periodic basis (at least annually) and any significant changes to the regulatory requirements or our internal policies and procedures will be communicated to Employees by way of distributing updates or addenda to the Compliance Manual. [1]

[1] THE POLICIES AND PROCEDURES CONTAINED WITHIN THIS COMPLIANCE MANUAL ARE SUBJECT TO MODIFICATION AND FURTHER DEVELOPMENTS. WOODSTOCK RESERVES THE RIGHT TO AMEND, MODIFY, SUSPEND OR TERMINATE ANY POLICY OR PROCEDURE CONTAINED IN THIS COMPLIANCE MANUAL, AT ANY TIME AND WITHOUT PRIOR NOTICE. WOODSTOCK WILL ENDEAVOUR TO PROMPTLY INFORM EMPLOYEES OF ANY RELEVANT MATERIAL CHANGES. WOODSTOCK HAS THE SOLE AND ABSOLUTE DISCRETION TO INTERPRET AND APPLY THE POLICIES AND PROCEDURES ESTABLISHED HEREIN AND TO MAKE ALL DETERMINATIONS OF FACT WITH RESPECT TO THEIR APPLICATION. THIS COMPLIANCE MANUAL IS FOR INTERNAL USE ONLY AND SHOULD NOT BE DUPLICATED, LOANED, DISTRIBUTED AND/OR REVEALED TO ANY THIRD PARTY WITHOUT THE EXPRESS WRITTEN CONSENT OF THE CHIEF COMPLIANCE OFFICER.

II. Organization and Compliance Structure

Overview

Woodstock’s Chief Compliance Officer is principally responsible for administering our Policies and Procedures. All Supervised Persons, however, are individually and collectively responsible for compliance with our Policies and Procedures and applicable securities laws and regulations. Compliance with the firm’s Policies and Procedures is a requirement and a high priority for the firm and each of its Supervised Persons.

The Chief Compliance Officer will assist with any questions about Woodstock’s Policies and Procedures, or any related matters. Further, in the event any employee becomes aware of or suspects any activity that is questionable, or a violation or possible violation of law, rules or the firm’s policies and procedures, he/she should immediately notify their supervisor or the Chief Compliance Officer. Supervisors should report compliance violations, or possible violations, to the Chief Compliance Officer.

Woodstock has adopted these written policies and procedures which are designed to set standards and internal controls for the firm, its employees, and its businesses and are also reasonably designed to detect and prevent any violations of regulatory requirements and the firm’s policies and procedures. Every employee and manager is required to be responsible for and monitor those individuals and departments he or she supervises to detect, prevent and report any activities inconsistent with the firm’s policies, procedures, high professional standards, and/or legal/regulatory requirements.

Compliance Program Rule Requirement

The SEC has adopted an anti-fraud rule titled “Compliance Procedures and Practices” (Rule 206(4)-7) under the Advisers Act requiring written compliance programs for all SEC registered advisers.

The Compliance Procedures and Practices rule makes it unlawful for an SEC adviser to provide investment advice to clients unless the adviser:

1. adopts and implements written policies and procedures reasonably designed to prevent violations by the firm and its supervised persons;
2. reviews, at least annually, the adequacy and effectiveness of the policies and procedures;
3. designates a chief compliance officer who is responsible for administering the policies and procedures; and
4. maintains records of the policies and procedures and annual reviews.

Supervisor Administration

Under Section 203(e)(6) of the Advisers Act, the SEC is authorized to take action against an Adviser or any person who has failed to reasonably supervise in an effort designed to prevent violations of the securities laws, rules and regulations. Section 203(e)(6) also provides that no person will be deemed to have failed to reasonably supervise provided that:

1. there are established procedures and a system which would reasonably be expected to prevent any violations; and
2. such person has reasonably discharged his or her duties and obligations under the firm's procedures without reasonable cause to believe that the procedures were not being complied with.

Compliance Program Administration

M. Elena Gillespie, as the Chief Compliance Officer (“CCO”), is responsible for the administration of the firm’s compliance policies and procedures, including:

i. Maintaining and updating the Compliance Manual, as necessary;
ii. Conducting compliance training for new and existing employees, as necessary;
iii. Communicating to employees all changes to compliance policies and procedures; and
iv. Reviewing, no less frequently than annually, the adequacy of compliance policies and procedures and the effectiveness of their implementation.

Repeated violations, or violations that the CCO deems to be of a serious nature, will be reported by the CCO directly to senior management. Senior management will also evaluate the CCO’s program development, as necessary, including a review of the firm’s written Annual Compliance Review, to be completed by the CCO.

Annual Compliance Reviews

Introduction

It is Woodstock's policy to conduct an annual review of the firm's policies and procedures to determine that they are adequate, current and effective in view of the firm's businesses, practices, advisory services, and current regulatory requirements. Our policy includes amending or updating the firm's policies and procedures to reflect any changes in the firm's activities, personnel, or regulatory developments, among other things, either as part of the firm's annual review, or more frequently, as may be appropriate, and to maintain relevant records of such reviews.

Background

In December 2003, the SEC adopted Rule 206(4)-7, Compliance Programs of Investment Companies and Investment Advisers (Compliance Program Rule) under the Advisers Act and Investment Company Act, (SEC Release Nos. IA-2204 and IC-26299). The rules were effective and advisers and funds had to be in compliance with the rules by 10/5/2004. The rules require SEC registered advisers and investment companies to adopt and implement written policies and procedures designed to detect and prevent violations of the federal securities laws. The rules are also designed to protect investors by ensuring all funds and advisers have internal programs to enhance compliance with the federal securities laws. Among other things, the rules require that advisers and investment companies annually review their policies and procedures for their adequacy and effectiveness and maintain records of the reviews. A Chief Compliance Officer must also be designated by advisers and investment companies to be responsible for administering the compliance policies, procedures and the firm's annual reviews.

The required reviews are to consider any changes in the adviser's or fund's activities, any compliance matters that have occurred in the past year and any new regulatory requirements or developments, among other things. Appropriate revisions of a firm's or fund's policies or procedures should be made to help ensure that the policies and procedures are adequate and effective. Advisers and funds were to have completed their first annual review within eighteen months of the adoption or approval of their compliance policies and procedures (i.e., no later than April 5, 2006, and annually thereafter).

Responsibility

Woodstock's CCO has the overall responsibility and authority to develop and implement the firm's compliance policies and procedures and to conduct an annual review to determine their adequacy and effectiveness in detecting and preventing violations of the firm's policies, procedures or federal securities laws. Woodstock's CCO also has the responsibility for maintaining relevant records regarding the policies and procedures and documenting these reviews.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ on at least an annual basis, Woodstock's CCO and such other persons as may be designated, will undertake a complete review of all Woodstock's written compliance policies and procedures;
◦ the review will include a review of each policy to determine the following:
   a. adequacy;
   b. effectiveness;
   c. accuracy;
   d. appropriateness for the firm's current activities;
   e. current regulatory requirements;
   f. any prior policy issues, violations or sanctions; and
   g. any changes or updates that may otherwise be required or appropriate.
◦ the annual review process should also consider and assess the risk areas for the firm and review and update any risk assessments in view of any changes in advisory services, client base and/or regulatory developments;
◦ the firm's annual reviews will include a consideration of any prior violations or issues under any of the firm's policies or procedures with any revisions or amendments to the policy or procedures designed to address such violations or issues to help avoid similar violations or issues in the future;
◦ Woodstock's Chief Compliance Officer will maintain hard copy or electronic records of the firm's policies and procedures;
◦ Woodstock's Chief Compliance Officer, or designee(s), will also conduct more frequent reviews of Woodstock's policies or procedures, or any specific policy or procedure, in the event of any change in personnel, business activities, regulatory requirements or developments, or other circumstances requiring a revision or update; and
◦ relevant records of such additional reviews and changes will also be maintained by Woodstock's Chief Compliance Officer.
◦ All supervised persons are encouraged to comment on the adequacy and effectiveness of these policies and procedures at any time.

Code of Ethics

Introduction

Fiduciary Duty

This Code of Ethics is based on the principle that all employees of Woodstock Corporation and Woodstock Services Company, LLC (Woodstock) and certain other persons have a fiduciary duty to place the interest of clients ahead of their own and Woodstock's. This Code of Ethics applies to all "Access Persons" (defined below). Access Persons must avoid activities, interests, and relationships that might interfere with making decisions in the best interests of Woodstock’s Advisory Clients.

For purposes of this policy, the following words shall mean:

"Access Persons" means all employees, directors, and officers of Woodstock who (i) have access to nonpublic information regarding Advisory Clients' purchases or sales of Securities, (ii) are involved in making Securities recommendations to Advisory Clients or (iii) have access to nonpublic Securities recommendations. All of Woodstock’s employees, directors and officers are considered Access Persons by Woodstock.

"Advisory Client" means any person or entity for which it serves as investment adviser, renders investment advice or makes investment decisions.

"Code" means this policy as supplemented by other policies and procedures contained in Woodstock’s Compliance Manual.

“Securities” means any stocks, bonds, futures, investment contracts, or any other instruments considered a “Security” as defined in the Investment Company Act of 1940, as amended or the Investment Advisers Act of 1940, as amended and includes items such as options on Securities, indexes, and currencies as well as limited partnerships, foreign unit trusts, mutual funds, private investment funds, hedge funds, and investment clubs.

"Reportable Securities" means all securities in which an Access Person has a beneficial interest except:

i. U.S. Government Securities,
ii. money market instruments (e.g., bankers' acceptances, bank certificates of deposit, commercial paper, repurchase agreements, and other high quality short-term debt instruments),
iii. shares of money market funds,
iv. shares and holdings in other mutual funds unless Woodstock acts as the investment advisor to, or the principal underwriter of, the subject fund, and
v. units of a unit investment trust (“UIT”) if the UIT is invested exclusively in unaffiliated mutual funds.

An Access Person is presumed to have a beneficial interest in Securities that are held by his or her immediate family members sharing the Access Person’s household.

As fiduciaries, all Access Persons must at all times:

1. Place the interests of Advisory Clients first.

All Access Persons must scrupulously avoid serving their own personal interests ahead of the interests of Woodstock’s Advisory Clients. Access Persons may not induce or cause an Advisory Client to take action, or not to take action, for personal benefit rather than for the benefit of the Advisory Client. For example, a supervisor or employee would violate the policy by causing an Advisory Client to purchase a Security he or she owned for the purpose of increasing the price of that Security.

2. Comply with laws and regulations.

All Access Persons must comply with all applicable federal securities laws.

3. Avoid taking inappropriate advantage of their position.

The receipt of investment opportunities, perquisites or gifts from persons seeking business with Woodstock or its Advisory Clients, could call into question the exercise of the independent judgment of an Access Person. Access Persons may not, for example, use their knowledge of portfolio transactions to profit by the market effect of such transactions.

4. Conduct all personal Securities transactions in full compliance with this Code including both pre-clearance and reporting requirements.

Approval must be obtained from the Chief Compliance Officer (“CCO”) before investing in an initial public offering (“IPO”), limited offering, or private placement. Doubtful situations always should be resolved in favor of Advisory Clients. Technical compliance with the Code's provisions shall not automatically insulate from scrutiny any Securities transactions or actions that indicate a violation of Woodstock’s fiduciary duties. Woodstock expects all personnel to comply with the spirit of the Code, as well as the specific rules contained therein. Any violations must be promptly reported to the CCO.

Prohibition Against Insider Trading

Policy Statement on Insider Trading

Woodstock forbids any person associated with Woodstock from trading, either personally or on behalf of others, including accounts managed by Woodstock, on material nonpublic information or communicating material nonpublic information to others in violation of the law. This conduct is frequently referred to as “insider trading.”

The term “insider trading” is not defined in the federal securities laws, but generally is used to refer to the use of material nonpublic information to trade in securities (whether or not one is an “insider”) or to the communication of material nonpublic information to others.

While the law concerning insider trading is not static, it is generally understood that the law prohibits:

• trading by an insider, while in possession of material nonpublic information, or
• trading by a non-insider, while in possession of material nonpublic information, where the information either was disclosed to the non-insider in violation of an insider’s duty to keep it confidential or was misappropriated, or
• communicating such material nonpublic information to others.

1. Who is an Insider?

The concept of “insider” is broad. It includes the directors, officers, and employees of the company which issued the securities involved. In addition, a person can be a “temporary insider” if he or she enters into a special confidential relationship in the conduct of a company’s affairs and as a result is given access to information solely for the company’s purposes. A temporary insider can include, among others, a company’s attorneys, accountants, investment bankers, consultants, commercial bankers, and the employees of such organizations. According to the U.S. Supreme Court, the company must expect the outsider to keep the disclosed nonpublic information confidential and the relationship must at least imply such a duty before the outsider will be considered an insider.

2. What is Material Information?

Trading on inside information is not a basis for liability unless the information is material. “Material information” generally is defined as information for which there is a substantial likelihood that a reasonable investor would consider it important in making his or her investment decisions or information that is reasonably certain to have a substantial effect on the price of a company’s securities.

There are at least three different types of material information that may come into the possession of an investment advisory organization. The first type of material information is that which is obtained by an associated person through fiduciary relationships such as directorships, consulting arrangements, or other business relationships.

The second type of material information is that which flows from the outside world through non-fiduciary relationships to an associated person of an advisory organization.

The third type of material information is trading information generated within the firm, i.e., buy and sell recommendations made by analysts and portfolio managers (Note: Woodstock’s policy with respect to trading on this type of information is that no associated person possessing such information may purchase or sell a security or related option at any time when to do so would thereby advantage such person in consequence of the market effect of its client transactions or otherwise adversely affect its clients).

Information about an issuer that should be considered material includes, but is not limited to: dividend changes, earnings estimates, changes in previously released earnings estimates, significant expansion or curtailment of operations, significant merger or acquisition proposals, hostile takeover bids, agreements or negotiations, significant new products or discoveries, acquisition or loss of a significant contract, significant financing developments, liquidity problems, major personnel changes or other extraordinary management developments, major litigation, and the status of labor negotiations.

3. What is Nonpublic Information?

Information is nonpublic until it has been effectively communicated to the market place. One must be able to point to some fact to show that the information is generally public. For example, information found in a report filed with the SEC, appearing in Dow Jones, Reuters Economic Services, The Wall Street Journal, or other publications of general circulation would be considered public.

4. Will Use of the Information Violate the Law?

The use of material nonpublic information by an investment advisory firm for the benefit of its clients is not necessarily illegal in every situation. In general, insider trading liability is predicated on the existence of a breach of a fiduciary obligation in connection with the use of inside information, the unlawful misappropriation of inside information, or knowledge (in the case of tippee liability) of such a breach or misappropriation in connection with the communication of the information. The legality of the use of nonpublic information depends on the circumstances under which the information was received, including whether or not there exists any relationship between the recipient and the “insider” who provides the information. Given the complexity of issues in this area, Woodstock has adopted a procedure of “ask first” (see Section II. B).

Other examples of potential sources of inside information include the receipt of information related to the offering of private investments in public offerings (“PIPES”), and information from other third parties including, but not limited to, counsel, independent registered public accounting firms, financial printers, and trading partners.

In any situation in which a supervised person of Adviser may have received inside information, it is the responsibility of the advisor to make a judgment as to its further conduct. To protect yourself, your clients and the firm, you should contact the CCO immediately if you believe that you may have received material, nonpublic information, and it is required that you report all information regarding any direct or indirect PIPES offerings received by you to the CCO.

5. Penalties for Insider Trading

Penalties for trading on or communicating material nonpublic information in violation of the law are severe, both for individuals involved in such unlawful conduct and their employers. A person can be subject to some or all of the penalties below even if he or she does not personally benefit from the violation. Penalties include:

• civil injunctions
• disgorgement of profits
• jail sentences
• fines for the person who committed the violation of up to three times the profit gained or loss avoided, whether or not the person actually benefited, and
• fines for the employer or other controlling person of up to the greater of $1,000,000 or three times the amount of the profit gained or loss avoided.

Background

In July 2004, the SEC adopted an important rule (Rule 204A-1) similar to Rule 17j-1 under the Investment Company Act, requiring SEC advisers to adopt a code of ethics. The new rule was designed to prevent fraud by reinforcing fiduciary principles that govern the conduct of advisory firms and their personnel.

The Code of Ethics rule had an effective date of 8/31/2004 and a compliance date of 2/1/2005. Among other things, the Code of Ethics rule requires the following:

• setting a high ethical standard of business conduct reflecting an adviser's fiduciary obligations;
• compliance with federal securities laws;
• access persons to periodically report personal securities transactions and holdings, with limited exceptions;
• prior approval for any IPO or private placement investments by access persons;
• reporting of violations;
• delivery and acknowledgement of the Code of Ethics by each supervised person;
• reviews and sanctions;
• recordkeeping; and
• summary Form ADV disclosure.

An investment adviser's Code of Ethics and related policies and procedures represent a strong internal control with supervisory reviews to detect and prevent possible insider trading, conflicts of interest and potential regulatory violations.

Responsibility

Woodstock's Chief Compliance Officer has the primary responsibility for the preparation, distribution, administration, periodic review, and monitoring of our Code of Ethics, practices, disclosures, sanctions and recordkeeping.

The following procedures have been established to aid Woodstock in preventing, detecting and imposing sanctions against insider trading. Any individual who does not follow these procedures risks serious sanctions, including dismissal, substantial personal liability and criminal penalties. If you have any questions about these procedures you should consult Woodstock’s CCO or, in her absence, Woodstock’s President.


Procedure

1. Information from Fiduciary Relationships

If you are a director, officer, or employee of Woodstock, you are required to inform Woodstock’s CCO (Chief Compliance Officer) in writing promptly after you become a director or trustee of, or a consultant to, any company the securities of which are publicly traded. Material inside information in your possession about any such company must not be communicated to anyone else inside Woodstock. While in possession of material inside information about a company you should not trade, either personally or for clients, in securities of that company nor be involved in the investment decision making process for that company.

2. Information from the Analytical Process and Other Non-Fiduciary Relationships

Before trading for Woodstock’s clients or yourself in the securities of a company about which you may have received inside information (other than information obtained through a fiduciary relationship as described in paragraph 1 above and information originating with Woodstock), ask yourself the following questions:

i. Is the information material? Is this information that an investor might reasonably consider important in making his or her investment decisions? Does this information have a reasonable likelihood of affecting the market price of the securities if generally disclosed?

ii. Is the information nonpublic? To whom has this information been provided? Has the information been effectively communicated to the marketplace by being published in Reuters, The Wall Street Journal, or other publications of general circulation?

If, after consideration of the above, you believe that the information is or may be material and nonpublic you should take the following steps:

i. Report the matter immediately to Woodstock’s CCO (or in her absence, Woodstock’s President).

ii. Do not communicate the information to any person inside or outside Woodstock, other than to Woodstock’s CCO (or in her absence, Woodstock’s President), until she has advised you that communication is appropriate.

iii. Do not purchase or sell the securities on behalf of any clients of Woodstock or yourself, until Woodstock’s CCO (or in her absence, Woodstock’s President) instructs you that trading is appropriate.

3. Trading Information Generated by Woodstock

In addition to complying with Woodstock’s policy against trading securities while in possession of material nonpublic information as described in paragraphs 1 and 2 above, each “advisory representative” (i.e., each director, each officer, and each employee or controlling person (including the affiliates of such controlling persons) who has access to investment recommendations) of Woodstock should comply with Woodstock’s policy concerning personal securities trading, which is set forth in paragraph 2 of Section I above, and should comply with the following additional procedures:

a. Reporting

Each advisory representative of Woodstock shall submit to Woodstock’s CCO a report of every securities transaction in which he/she, his/her family (including his/her spouse, minor children and adults living in the same household), and trusts of which he/she is trustee have participated, within thirty days after the end of the calendar quarter in which such transaction was effected. The report shall include information as described in Section III, paragraph H.


b. Prohibition Against Front-Running, Etc.

As noted under paragraph 2 of Section I above, it is impermissible for any advisory representative of Woodstock to purchase or sell, directly or indirectly, any security (or any option to purchase or sell such security) which he/she actually knows at the time of such purchase or sale is being considered for purchase or sale for the account of any client of Woodstock or being purchased or sold for the account of any client of Woodstock if such advisory representative would thereby realize an advantage in consequence of the market effect of client transactions or such purchase or sale would otherwise adversely affect any client. For the purposes of this policy, the term “security” does not include securities issued by the Government of the United States (including government money market instruments of the type issued by agencies of the Federal government or guaranteed by the Federal government or its agencies), bankers’ acceptances, bank certificates of deposit, commercial paper and shares of registered open-end investment companies other than exchange-traded funds (ETFs). If there is any doubt as to whether a transaction is prohibited under this policy, the advisory representative should obtain written authorization from Woodstock’s CCO prior to effecting the transaction.

This prohibition does not apply to the following transactions by advisory representatives of Woodstock:

i. Purchases or sales over which such person has no direct or indirect influence or control.

ii. Purchases or sales which are non-volitional on the part of either such person or the account of Woodstock’s clients, including purchases or sales upon the exercise of puts or calls written by such person.

iii. Purchases which involve the automatic reinvestment of dividends under a dividend reinvestment plan.

iv. Purchases effected upon the exercise of rights issued by an issuer pro rata to all holders of a class of securities, to the extent such rights were acquired from such issuer.

4. Shadow Trading

It should be borne in mind that trading for one’s own account based on knowledge of trading then being engaged in by clients or others (“shadow trading”) is very hazardous. The person engaged in the shadow trading has no way to know whether the trades being shadowed are based on illicit use of inside information. If an insider trading investigation were to ensue involving the client or other person whose trades were shadowed, the person who engaged in the shadow trading might have a very difficult time convincing regulatory authorities that he or she had not been tipped regarding the inside information. Accordingly, Woodstock forbids trading for one's own account based on knowledge of trading then being engaged in or contemplated by clients, and strongly discourages persons associated with Woodstock from engaging in such trading based on knowledge of trading then being engaged in or contemplated by non-clients.

5. Restricting Access to Material Nonpublic Information

Information in your possession that you identify as material and nonpublic (other than information originating with Woodstock) may not be communicated to anyone, including persons within Woodstock, except as provided in paragraph 2 of this Section II above. In addition, care should be taken so that such information is secure. For example, files containing material nonpublic information should be sealed and access to computer files containing material nonpublic information should be restricted.

Information concerning Woodstock’s investment activities should not be disclosed to any person not employed by Woodstock, including without limitation any member of your immediate family, except as required in the performance of your regular duties.

6. Resolving Issues Concerning Insider Trading

If, after consideration of the items set forth in paragraph 2 of this Section II, doubt remains as to whether information is material or nonpublic, or if there is any unresolved question as to the propriety of any action, it must be discussed with Woodstock’s CCO (or, in her absence, Woodstock’s President) before trading or communicating the information to anyone.

Supervisory Procedures

1. Prevention of Insider Trading and Other Prohibited Trading Activities

To prevent insider trading, Woodstock’s CCO shall:


i. provide a copy of Woodstock’s policy and procedures to each new advisory representative of Woodstock and obtain a written acknowledgment of the receipt thereof,

ii. provide, on a periodic basis, an educational program to familiarize directors, officers and employees with Woodstock’s policy and procedures,

iii. provide annually to all advisory representatives of Woodstock a reminder regarding Woodstock’s policy and procedures,

iv. answer questions regarding Woodstock’s policy and procedures,

v. maintain a list of issuers as to which directors, officers and employees of Woodstock serve in a fiduciary capacity,

vi. resolve issues of whether information (other than information originating with Woodstock or information obtained through fiduciary relationships) received by a director, officer or employee of Woodstock is material and nonpublic,

vii. when it has been determined that a director, officer or employee of Woodstock has material nonpublic information:

a. take appropriate measures to prevent dissemination of such information, and

b. if necessary, restrict trading the securities for the accounts of clients of Woodstock.

2. Detection of Insider Trading and Other Prohibited Trading Activities

To detect insider trading, Woodstock’s CCO shall:

i. review the personal securities transactions reports filed with her,

ii. maintain and review lists of the securities “monitored,” traded and under study by Woodstock during the relevant period, and

iii. review the trading activity of Woodstock’s own account, if any.

3. Special Reports to the Board of Directors

Promptly, upon learning of a potential violation of Woodstock’s policy and procedures, Woodstock’s CCO shall investigate and take such further steps as she may consider appropriate using her judgment, including but not limited to consulting with or reporting to the President and/or the Executive Committee of the Board of Directors. If the circumstances require, the CCO should prepare a written report to the Board of Directors providing full details and recommendations for further action.

4. Annual Reports to the Board of Directors

On an annual basis, Woodstock’s CCO shall prepare a report to the Board of Directors of Woodstock setting forth the following:

i. a summary of existing procedures to detect and prevent insider trading,

ii. full details of any investigation, either internal or by a regulatory agency, of any suspected insider trading, the results of such investigation and any disciplinary actions taken,

iii. an evaluation of the current procedures and any recommendations for improvement, and

iv. a description of Woodstock’s continuing educational program regarding insider trading, including the dates of such programs since the last report to the Board of Directors.


5. Special Procedures for Independent Directors

It is Woodstock's policy to not share information about purchases and sales of client securities (or contemplated purchases and sales) ("trading information") with its non-management directors until 30 days after the completion of such purchases and sales. The information for contemplated purchases and sales will not be shared until they are no longer contemplated, or at the directors’ request. If a director or employee has reason to believe that a director may have obtained trading information prior to the expiration of the 30 day period described above, then such director or employee shall inform Woodstock’s CCO. The CCO shall confer with such director to determine which trading restrictions, if any, may be appropriate with respect to the securities. It may be appropriate not to trade in such securities until the expiration of the 30 day period.

Other Duties

A. Confidentiality

Access Persons are prohibited from revealing information relating to the investment intentions, identities, activities and portfolios of Advisory Clients except to persons whose responsibilities require knowledge of the information.

B. Gifts

The following provisions on gifts apply to Access Persons:

1. Accepting Gifts

On occasion, because of their position with Woodstock, Access Persons may be offered, or may receive without notice, gifts from clients, brokers, vendors or other persons. Gifts of nominal value (i.e., a gift whose reasonable value, alone or in the aggregate, is not more than $300 in any twelve month period), customary business meals, entertainment (e.g., sporting events), and promotional items (i.e., pens, mugs, T-shirts) may be accepted.

Any supervised person who accepts, directly or indirectly, anything of value from any person or entity that does business with or on behalf of Woodstock Corporation, including gifts and gratuities with value in excess of $300 per year, must obtain consent from Woodstock’s Chief Compliance Officer before accepting such gift.

This reporting requirement does not apply to bona fide entertainment if, during such dining or entertainment, you are accompanied by the person or representative of the entity that does business with Woodstock Corporation.

This gift reporting requirement is for the purpose of helping Woodstock Corporation monitor the activities of its employees. However, the reporting of a gift does not relieve any supervised person from the obligations and policies set forth in this Section or anywhere else in this Code. If you have any questions or concerns about the appropriateness of any gift, please consult Woodstock’s Chief Compliance Officer.

2. Solicitation of Gifts

Access Persons are prohibited from soliciting gifts of any size under any circumstances.

3. Giving Gifts

Access Persons may not give any gift with a value in excess of $100 (per year) to an Advisory Client or persons who do business with, regulate, advise or render professional services to Woodstock.

These provisions are not intended to prohibit normal business entertainment.

C. Serving as an Officer or Director of Another Company

Any service as a director or officer of another company, other than a non-profit corporation, by an employee must first be pre-cleared by the CCO, and Security transactions in such entity by an employee must be pre-cleared by the CCO.

D. Company Opportunities

Access Persons may not take personal advantage of any opportunity properly belonging to any Advisory Client or Woodstock. This includes, but is not limited to, acquiring Reportable Securities for one's own account that would otherwise be acquired for an Advisory Client.


E. Undue Influence

Access Persons shall not cause or attempt to cause any Advisory Client to purchase, sell or hold any Security in a manner calculated to create any personal benefit to such Access Person. If an Access Person stands to materially benefit from an investment decision for an Advisory Client that the Access Person is recommending or participating in, the Access Person must disclose to those persons with authority to make investment decisions for the Advisory Client the full nature of the beneficial interest that the Access Person has in that Security, any derivative Security of that Security or the Security issuer, where the decision could create a material benefit to the Access Person or the appearance of impropriety. The person to whom the Access Person reports the interest, in consultation with the CCO, must determine whether or not the Access Person will be restricted in making investment decisions in respect to the subject Security.

F. False Rumors

All employees are also expressly prohibited from knowingly spreading any false rumor concerning any company, or any purported market development, that is designed to impact trading in or the price of that company’s or any other company’s securities (including any associated derivative instruments), and from engaging in any other type of activity that constitutes illegal market manipulation. This prohibition includes the spreading of false rumors, or any other form of illegal market manipulation, via any media, including, but not limited to, email, instant messages, PIN messages, text messages, blogs or chat rooms.

G. Prohibition Against Front-Running, Etc.

It is impermissible for any Access Person to purchase or sell, directly or indirectly, any Security (or any option to purchase or sell such Security) which he/she knows at the time of such purchase or sale is being considered for purchase or sale for the account of any client of Woodstock or being purchased or sold for the account of any client of Woodstock if such Access Person would thereby realize an advantage in consequence of the market effect of client transactions or such purchase or sale would otherwise adversely affect any client. If there is any doubt as to whether a transaction is prohibited under this policy, the Access Person should obtain written authorization from the CCO prior to effecting the transaction.

H. Reporting Requirements

Quarterly Transaction Reports: Each Access Person of Woodstock shall submit to the CCO a report of every Securities transaction in which he/she, his/her family members (including his/her spouse, minor children and adults living in the same household), and trusts of which he/she is a trustee have participated within thirty days after the end of the calendar quarter in which such transaction was effected; provided, however, that no report shall be required to be made with respect to transactions for any account over which such person does not have any direct or indirect influence or control or transactions effected pursuant to an automatic investment plan (unless any transaction overrides the preset schedule or allocations of the automatic investment plan). The report shall include the name of the Security, date of the transaction, quantity, price, and broker-dealer through which the transaction was effected. This requirement may be satisfied with respect to transactions in any such account which is a Woodstock client account by making an appropriate reference to the particular account or accounts involved.

Initial and Annual Report of Holdings: Each Access Person of Woodstock is also required to submit to the CCO a report of all holdings in Reportable Securities within 10 days of becoming an Access Person and thereafter on an annual basis. The holdings report must include: (i) the title and exchange ticker or CUSIP number, type of Security, number of shares and principal amount (if applicable) of each Reportable Security in which the Access Person has any direct or indirect beneficial ownership; (ii) the name of the broker, dealer or bank with which the Access Person maintains an account in which Securities are held for the Access Person’s direct or indirect benefit; and (iii) the date the report is submitted. The information supplied must be current as of a date no more than 45 days before the annual report is submitted. For new Access Persons, the information must be current as of a date no more than 45 days before the person became an Access Person. This requirement may be satisfied with respect to transactions in any such account which is a Woodstock client account by making an appropriate reference to the particular account or accounts involved.


I. Reporting, Review and Recordkeeping

Supervised persons shall promptly report to the CCO all apparent or potential violations of the Code. The CCO shall periodically review Access Persons' personal trading reports and otherwise take reasonable steps to monitor compliance with, and enforce, this Code of Ethics. The CCO shall maintain in the Company's files (i) a current copy of the Code, (ii) records of violations and actions taken as a result of the violations, (iii) copies of all Access Persons' written acknowledgement of receipt of the Code, (iv) copies of annual compliance certificates required by the Code, (v) copies of quarterly transaction reports, and (vi) copies of annual holdings reports.

J. Sanctions

If the CCO determines that an Access Person has committed a violation of the Code, Woodstock’s Board of Directors may impose sanctions and take other actions as it deems appropriate, including a letter of caution or warning, suspension of personal trading privileges, suspension or termination of employment, fine, civil referral to the SEC and, in certain cases, criminal referral. Woodstock’s Board of Directors also may require the offending Access Person to reverse the trades in question, forfeit any profit or absorb any loss derived therefrom, and such forfeiture shall be disposed of in a manner that shall be determined by Woodstock’s Board of Directors in its sole discretion. Failure to timely abide by directions to reverse a trade or forfeit profits may result in the imposition of additional sanctions.

K. Exceptions

Exceptions to the Code will rarely, if ever, be granted. However, the CCO may grant an occasional exception on a case-by-case basis when the proposed conduct involves negligible opportunities for abuse. All exceptions shall be solicited and issued in writing. No reports shall be required under this Code for (i) transactions effected pursuant to an automatic investment plan and (ii) Securities held in accounts over which the Access Person has no direct control.

L. Compliance Certification

All Access Persons shall sign a certificate promptly upon becoming employed or otherwise associated with Woodstock that evidences his or her receipt of this Code of Ethics. Annually, all Access Persons will be required to complete the Annual Certification of Compliance with the Code of Ethics form attached to this Code. Upon amendments of the Code, the CCO shall circulate a revised version of the Code to all Access Persons as soon as reasonably practical.

See Appendices: Quarterly and Annual Report of Transactions; Code of Ethics and Insider Trading Attestation

Complaints

Introduction

Woodstock takes seriously any client complaint. Woodstock’s policy is to address any complaint within a reasonable period, and determine the merits of any particular complaint.

Background

Based on an adviser's fiduciary duty to its clients and as a good business practice of maintaining strong and long-term client relationships, any advisory client complaints of whatever nature and size should be handled in a prompt, thorough and professional manner. Regulatory agencies may also require or request information about the receipt, review and disposition of any written client complaints.

Responsibility

The CCO has the overall responsibility for the monitoring of our complaints policy, procedures and practices.

Procedure

• Woodstock maintains a complaint file for any written complaints received from any clients or third parties.


• Any employee receiving a client complaint must forward the client complaint to their supervisor who will review the complaint with Woodstock's CCO.

• As appropriate, the CCO and the supervisor will review the Complaint, and investigate the circumstances of the matter. Any appropriate supervisory review and/or response will be completed.

• The CCO will maintain records and supporting information for each client's written complaint in the firm's complaint file.

Disaster Recovery and Business Continuance

Introduction

As part of their fiduciary duty to their clients, Woodstock Corporation and Woodstock Services Company, LLC (hereinafter, “Woodstock”) have adopted this Disaster Recovery/Business Continuity Plan (hereinafter, the “Plan”) to provide for the firm's recovery from an emergency or disaster and for the resumption of business operations in as short a period of time as possible. These policies and procedures are, to the extent practicable, designed to address those specific types of disasters that Woodstock might reasonably face given its business and location.

Background

Written disaster recovery and business continuity plans for the firm’s business allow advisers and Woodstock access persons to meet their responsibilities to clients as a fiduciary in managing client assets, among other things. It also allows the firm to meet its regulatory requirements in the event of any kind of an emergency or disaster, such as a bombing, fire, flood, earthquake, power failure or any other event that may disable the firm or prevent office access.

Woodstock Corporation is an SEC registered investment advisor. Woodstock provides investment advisory services to individuals, typically high net worth individuals, corporations and charitable organizations.

Business Description

The firm’s policy is to respond to a Significant Business Disruption (SBD) by safeguarding employees’ lives and firm property, making a financial and operational assessment, quickly recovering and resuming operations, protecting all of the firm’s books and records, and allowing our portfolio managers to transact business and our clients to access their securities and funds.

Woodstock’s plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only Woodstock’s ability to communicate and do business, such as a fire in Woodstock’s building. External SBDs prevent the operation of the securities markets or a number of firms, such as a terrorist attack, a city flood, or a wide-scale regional disruption. Woodstock’s response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of Fidelity and Advent.

Critical Processes

Portfolio Management

The majority of client funds and securities are held at Fidelity. In the event of an internal or external SBD, clients may still request withdrawals from their accounts by contacting their portfolio manager or portfolio administrator by telephone or email. Authorization requirements will remain the same except that approvers may submit their approval by email. Fidelity Wealth Central should be available remotely. Portfolio trading can be handled by portfolio managers using Fidelity Wealth Central. The portfolio manager will execute the trades directly. For all other trading, portfolio managers will contact Adrian Davies for trading requests. Adrian Davies will then contact the appropriate broker for trade execution.

In the event that servers are not up, Baseline can be remotely accessed by logging in through a Thomson Reuters website.

Disaster Recovery Team


The Disaster Recovery Team point people will be responsible for contacting all appropriate and affected vendors in the event of an emergency.

Home Phone Mobile Phone

Adrian Davies 978-443-5350 978-460-0844

Elena Gillespie 781-821-4546 781-820-5700

David Layden n/a 617-877-7468

David Levesque 781-294-1651 617-335-2419

When An Emergency/Disruption Occurs

1. Emergency During Office Hours

In the event of an emergency during office hours, call 911. The next appropriate course of action will depend on the nature of the emergency. Most types of emergencies will require all employees to quickly evacuate the building, including fire, bomb-threats, etc. If so, gather your belongings, including any medications if time safely permits, and promptly exit the building. Certain emergencies, however, may require that employees remain indoors, including the release of a hazardous airborne substance in the immediate vicinity of the firm’s principal office. Employees should, at all times, follow the instructions of emergency personnel. If it is necessary to evacuate the building please find the easiest and safest exit by referring to the “BUILDING FLOORPLAN” attached to this Plan as part of the Appendix. Please note key alternative routes in the event that the main exit-ways are impassable during an emergency. All employees are to meet at the designated area indicated below, and, if safe to do so, follow evacuation procedures of the principal office.

Designated Meeting Area: The Walgreens Building, 24 School Street Entrance.

2. After-Business Hours Disruption/Discovery and Notification of Employees

In the event of a business disruption or disaster occurring after business hours, each employee will be contacted, informed of the nature of the event and given instructions regarding if, when and where to convene. Any employee initially discovering an emergency situation at the principal office must contact Elena Gillespie to inform her of the situation. If for any reason, she cannot be reached, the employee is to contact David Levesque. David Levesque or Elena Gillespie will contact Adrian Davies if possible. Together the two will determine a course of action. Once a plan of action has been decided upon, Adrian and Elena, or David Levesque, shall initiate the Employee Call Tree. He/she will attempt to contact the specified employees on the “EMPLOYEE CONTACT SHEET” attached to this Plan as Appendix A.

When contacted, each employee will be apprised of the situation and provided with instructions either to meet at the principal office at a later time, to meet at the alternative business location at a specific time or to await further instructions.

3. Disruption in Services of Critical Third Party

In the event of a disruption in the service provided by a critical service provider, Fidelity, David Layden will serve as firm contact.

Data Protection, Back Up & Recovery

1. Back Up Procedures


All data on Woodstock servers is backed up by Venyu to a remote location on a daily basis and retained for six years. (See “VENDOR CONTACT SHEET” attached hereto as Appendix C for contact information). This process is fully automated and is completed via a secure Internet connection. Woodstock is currently in the process of having files, otherwise maintained by Woodstock in paper form (i.e. client agreements), scanned on the Woodstock network. All paper files maintained at Woodstock’s principal office are kept in secure filing cabinets. Email archiving is retained by Global Relay; email service is hosted through Intermedia, where redundancy protocols are built into Intermedia’s platform.

2. Recovery Procedures

If Woodstock’s systems are accessible and otherwise undamaged following an emergency, as may be the case in the event of a power failure, it may be possible to safely retrieve and transport Woodstock’s server and hardware systems, containing all electronically-stored data, to an alternative site for restoration of business operations if necessary. In the initial state of the disruption Elena Gillespie, in consultation with Omniworks, the firm’s Information Technology vendor, will make the determination regarding the physical and economic possibility and practicality of this course of action or whether a computer back-up to an alternative system is warranted.

Communications

1. Telecommunications Disruption

In the event that Woodstock’s local “voice over IP” telephone service is disrupted, employees are encouraged to use their personal cellular phones to conduct business until service is restored. Woodstock has arranged with its local telephone service provider to use a feature called Remote Call Forwarding, through service provider DSCI, in the event of a local telecommunications disruption. This feature will forward all incoming telephone calls to a telephone number of the employee’s choice (home/mobile). Please refer to the telephone communications appendix for instructions on how to set this up.

1. Internet Service Disruption

The firm has provided for a back-up internet service in the event of a disruption in internet service provided by our vendor, DSCI. It is an automatic failover system.

1. Workstation Disruption

If the disruption has affected the office but not the servers, the firm has provided a way for employees to log in to their workstation desktops through Log Me In, a website that can be accessed via the internet from any computer. Instructions on how to access may be found in the appendix.

Training, Testing & Revision Of Plan

1. Distribution of the Plan

Each employee will receive two (2) copies of the Plan and will be required to sign an acknowledgement that he/she has read and understands the Plan. (See “ACKNOWLEDGEMENT FORM” attached hereto as Appendix G). One copy of the Plan is to be kept at the employee’s workstation. The other copy is to be kept at the employee’s home address. ALL EMPLOYEES ARE REQUIRED TO MAINTAIN A CURRENT COPY OF THIS PLAN AT HIS OR HER HOME ADDRESS. The acknowledgement is to be provided to Kim Curtis in a timely fashion. (Please note, to protect the privacy of non-public client information, not all employees’ copies of the Plan will include a Client Contact Sheet).

1. Training

The Plan will be reviewed at least annually with all employees at a firm-wide meeting. Attendance by all employees is mandatory. If an employee has any questions regarding the Plan or his/her role in the event of an emergency, he/she is encouraged to ask Elena Gillespie for clarification. It is imperative that all personnel are familiar with the policies and procedures of the Plan and have a thorough understanding of his/her responsibilities in the event of an emergency.

1. Testing, Plan Revision & Recordkeeping

Woodstock periodically will test the Plan. Such tests may be as complex as running a simulation of an actual disaster, including the restoration of data to alternate systems, or as basic as testing the employee call tree. In order to gain realistic results that may be used to revise and optimize the effectiveness of the Plan in the event of a real emergency, not all tests will be announced ahead of time to all employees.

Test results will be evaluated and documented and a determination of any weaknesses exposed by the test will be made at that time. The Plan will be revised accordingly to fill gaps discovered during testing. The Plan may also be revised pursuant to reviews and the issuance of regulatory guidance.

Changes in business operations, contracts and contacts, including new employees, new vendors or new addresses for existing employees or vendors, etc. must be reflected in the Plan. Elena Gillespie will be responsible for ensuring that the Plan is updated periodically and as required by the frequency of such changes. Changing the date in the lower left-hand corner of the Plan will indicate any such revision. Any revision to the Plan will be distributed to all employees and each employee will be required to provide a new, signed acknowledgement form of receipt to Kim Curtis. Old copies of the Plan will be exchanged for the new copies to assure that no employee holds an out-dated copy or confuses an out-dated copy for a current copy during an emergency. All prior versions of the Plan will be destroyed except for one copy maintained in Woodstock’s files.

See Appendices: Disaster Recovery Attestation, Phone and Remote Login Instructions, Call Tree, Critical Vendor List, Woodstock Office Floor Plan

Supervision & Internal Controls

Introduction

Woodstock has adopted these written policies and procedures which are designed to set standards and internal controls for the firm, its employees, and its businesses and are also reasonably designed to prevent, detect, and correct any violations of regulatory requirements and the firm's policies and procedures. Every employee and manager is required to be responsible for and monitor those individuals and departments he or she supervises to detect, prevent and report any activities inconsistent with the firm's procedures, policies, high professional standards, or legal/regulatory requirements.

Consistent with our firm's overriding commitment as fiduciaries to our clients, we rely on all employees to abide by our firm's policies and procedures; and, equally importantly, to internally report instances in which it is believed that one or more of those policies and/or practices is being violated. It is the expressed policy of this firm that no employee will suffer adverse consequences for any report made in good faith.

Any unlawful or unethical activities are strictly prohibited. All firm personnel are expected to conduct business legally and ethically, regardless of where in the world such business is transacted.

Background

The SEC adopted the anti-fraud rule titled Compliance Procedures and Practices (Rule 206(4)-7) under the Advisers Act requiring more formal compliance programs for all SEC registered advisers. The rule became effective 2/5/2004 and SEC advisers had until 10/5/2004 (compliance date) to be in compliance with the rule.

Rule 206(4)-7 makes it unlawful for a SEC adviser to provide investment advice to clients unless the adviser:

1. adopts and implements written policies and procedures reasonably designed to prevent violations by the firm and its supervised persons;

2. reviews, at least annually, the adequacy and effectiveness of the policies and procedures;

3. designates a chief compliance officer who is responsible for administering the policies and procedures; and

4. maintains records of the policies and procedures and annual reviews.

Under Section 203(e)(6), the SEC is authorized to take action against an adviser or any associated person who has failed to supervise reasonably in an effort designed to prevent violations of the securities laws, rules and regulations. This section also provides that no person will be deemed to have failed to supervise reasonably provided:

1. there are established procedures and a system which would reasonably be expected to prevent any violations;

2. and such person has reasonably discharged his duties and obligations under the firm's procedures and system without reasonable cause to believe that the procedures and system were not being complied with.

Furthermore, on May 25, 2011, the SEC adopted final rules implementing the whistleblower provisions of the Dodd-Frank Act, which offer monetary incentives to persons who provide the SEC with information leading to a successful enforcement action. While the rules incentivize rather than require prospective whistleblowers to use internal company compliance programs, the regulations clarify that the SEC, when considering the amount of an award, will consider to what extent (if any) the whistleblower participated in the internal compliance processes of the firm.

Firms that engage in business activities outside of the United States may be subject to additional laws and regulations, including among others, the U.S. Foreign Corrupt Practices Act of 1977 as amended (the "FCPA") and the U.K. Bribery Act 2010 (the "Bribery Act"). Both these laws make it illegal for U.S. citizens and companies, including their employees, directors, stockholders, agents and anyone acting on their behalf (regardless of whether they are U.S. citizens or companies), to bribe non-U.S. government officials. The Bribery Act is more expansive in that it criminalizes commercial bribery and public corruption, as well as the receipt of improper payments.

Responsibility

Every employee has a responsibility for knowing and following the firm's policies and procedures. Every person in a supervisory role is also responsible for those individuals under his/her supervision. The President, or a similarly designated officer, has overall supervisory responsibility for the firm.

Recognizing our shared commitment to our clients, all employees are required to conduct themselves with the utmost loyalty and integrity in their dealings with our clients, customers, stakeholders and one another. Improper conduct on the part of any employee puts the firm and company personnel at risk. Therefore, while managers and senior management ultimately have supervisory responsibility and authority, these individuals cannot stop or remedy misconduct unless they know about it. Accordingly, all employees are not only expected to, but are required to report their concerns about potentially illegal conduct as well as violations of our company's policies.

Woodstock's Chief Compliance Officer, as the Compliance Officer, has the overall responsibility for administering, monitoring and testing compliance with Woodstock's policies and procedures. Possible violations of these policies or procedures will be documented and reported to the appropriate department manager for remedial action. Repeated violations, or violations that the Compliance Officer deems to be of serious nature, will be reported by the Compliance Officer directly to the President, or a similarly designated officer, and/or the Board of Directors for remedial action.

Procedure

Woodstock has adopted various procedures to implement the firm's policy and conducts reviews of internal controls to monitor and ensure the firm's supervision policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ designation of a Chief Compliance Officer as responsible for implementing and monitoring the firm's compliance policies and procedures;

◦ on-going and targeted compliance training;

◦ procedures for screening the background of potential new employees;

◦ initial training of newly hired employees about the firm's compliance policies;

◦ adoption of these written policies and procedures with statements of policy, designated persons responsible for the policy and procedures designed to implement and monitor the firm's policy;

◦ a review of the firm's policies and procedures by the Compliance Officer and senior management;

◦ annual reviews of employees' activities, e.g., outside business activities, personal trading, etc., are conducted;

◦ annual written representations by employees as to understanding and abiding by the firm's policies;

◦ to facilitate internal reporting by firm employees, the firm has established open channels of communications to the firm's compliance staff;

◦ internal reports will be handled promptly and discreetly, with the overall intent to maintain the anonymity of the individual making the report. When appropriate, investigations of such reports may be conducted by independent personnel; and

◦ supervisory reviews and sanctions for violations of the firm's policies or regulatory requirements.

Oversight of Third-Party Service Providers

Introduction

Woodstock may use third-party affiliated and unaffiliated service providers and vendors (“Service Providers”) to assist with fulfilling its responsibilities to clients and facilitating its business operations subject to the procurement and monitoring procedures set forth below. Woodstock's policy is to conduct initial due diligence on its Service Providers using a risk-based approach. The Firm will also conduct ongoing due diligence, as it deems appropriate, on its Service Providers based on the risk assessment. This policy is applicable to all Service Providers engaged to provide services to the firm and its clients except those: (i) who provide off-the-shelf software products; and (ii) those Service Providers who provide minimal services to the firm and the CCO determines are outside the scope of the policy (such as housekeeping, catering or delivery services).

Background

A registered investment adviser may outsource investment and non-investment functions, such as operations, compliance, legal and information technology, to Service Providers. In doing so, the adviser outsources the activity or function, but retains ultimate responsibility for the services being provided to its business and clients through Service Providers. The adviser is also responsible for complying with applicable federal securities regulations.

By virtue of the services they provide to Woodstock, Service Providers may have access to investor information, material non-public information and other confidential business information. Service Providers for mission critical services, as determined by a risk assessment, are also an important component of Woodstock’s business continuity plan because a disruption in the vendors’ services could impact the operations of Woodstock.

The SEC has issued guidance pertaining to the oversight an investment adviser should exercise with respect to Service Providers. Similar to the “know your customer” requirements, the SEC expects an adviser to know the Service Providers with which they do business and conduct periodic due diligence reviews of the vendors. Due diligence can include questionnaires, requests for documents, certifications of compliance and/or onsite reviews. The purpose of conducting due diligence of Service Providers is to identify the potential risks to the adviser’s business associated with outsourcing certain activities and understand how the risks can be managed or mitigated.

Furthermore, the State of Massachusetts requires compliance with 201 CMR 17.00, Massachusetts Privacy Law, which requires initial and ongoing review of third-party service providers with respect to their ability to reasonably protect any Private Information that may be stored or otherwise accessed by such provider.

Responsibility

The CCO has the responsibility for the implementation and monitoring of our Service Providers due diligence policy, practices, and recordkeeping.

Procedure

Due Diligence Review and Assessment:

• An initial due diligence must be conducted on any new Service Provider being considered by the Firm and on any new service being provided by an existing Service Provider. Initial reviews will be conducted by the business unit recommending the Service Provider and other business units as may be required.

• The initial review should also include obtaining and reviewing any comprehensive Written Information Security Policy maintained by third parties in order to gain reasonable assurance of compliance with Massachusetts Privacy Law, if applicable. A current version of the vendor's WISP, if available, will be reviewed on a periodic or as-needed basis.

• To initiate a due diligence review of a new Service Provider or new service, summary information pertaining to the Service Provider should be submitted to the CCO on a Due Diligence Checklist. (Exhibit II)

• A report assessing the Service Provider must be submitted to the CCO after the due diligence review has been conducted. The CCO will determine if the assessment should be reviewed by other senior members of the Firm.

• After the CCO approves engaging the Service Provider, the service level agreement (“SLA”) or contract must be reviewed by Senior Management in advance of the SLA or contract being executed. No officer or employee may enter into an agreement with a Service Provider for services to be provided to Woodstock without such approval.

• The CCO will determine the frequency of the next due diligence review for the Service Provider.

• Any proposals to modify the terms of an SLA or contract must be submitted to the CCO. Modifications to an SLA or contract are prohibited without the written approval of the CCO.

Recordkeeping:

• The executed copies of the SLAs or contracts for each Service Provider will be maintained by the firm's Controller. The SLAs or contracts must be maintained in a manner which safeguards them from loss, alteration or destruction.

• Records of the due diligence reviews of each Service Provider shall be maintained in the manner and location determined by the CCO.

See Appendices: Due Diligence Vendor Checklist

Books and Records

Introduction

As a registered investment adviser, Woodstock is required to maintain, and as a matter of policy maintains, various books and records on a current and accurate basis which are subject to periodic regulatory examination. Our firm’s policy is to maintain firm and client files and records in an appropriate, current, accurate and well-organized manner in various areas of the firm depending on the nature of the records.

Woodstock's policy is to maintain required firm and client records and files in an appropriate office of Woodstock for the first two years and in a readily accessible facility and location for an additional three years for a total of not less than five years from the end of the applicable fiscal year. Certain records for the firm’s performance, advertising and corporate existence are kept for longer periods. A detailed firm record retention chart is incorporated into this guide for reference.

Background

Registered investment advisers, as regulated entities, are required to maintain specified books and records. There are generally two groups of books and records to be maintained. The first group is financial records for an adviser as an on-going business such as financial journals, balance sheets, bills, etc. The second general group of records is client related files as a fiduciary to the firm's advisory clients and these include agreements, statements, correspondence and advertising, trade records, among many others.

Responsibility

Woodstock's Chief Compliance Officer has the overall responsibility for the implementation and monitoring of our books and records policy, practices, disclosures and recordkeeping for the firm.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

Woodstock's filing systems for the books, records and files, whether stored in files or electronic media, are designed to meet the firm's policy, business needs and regulatory requirements as follows:

◦ arranging for easy location, access and retrieval;

◦ having available the means to provide legible true and complete copies;

◦ for records stored on electronic media, back-up files are made and such records stored separately;

◦ reasonably safeguarding all files, including electronic media, from loss, alteration or destruction (see back-up procedures in Disaster Recovery Policy);

◦ limiting access by authorized persons to Woodstock's records;

◦ ensuring that any non-electronic records that are electronically reproduced and stored are accurate reproductions;

◦ maintaining client and firm records for five years from the end of the fiscal year during which the last entry was made with longer retention periods for advertising, performance, and firm corporate/organization documents; and

◦ periodic reviews will be conducted by the designated officer, individual or department managers to monitor Woodstock's recordkeeping systems, controls, and firm and client files.

For additional information on Woodstock's Books and Records policy, please refer to the Record Retention Chart. (Appendix X)

Corporate Records

Introduction

As a registered investment adviser and legal entity, Woodstock has a duty to maintain accurate and current “Organization Documents.” As a matter of policy, Woodstock maintains all Organization Documents, and related records at its principal office. All Organization Documents are maintained in a well-organized and current manner and reflect current directors, officers, members or partners, as appropriate. Our Organization Documents will be maintained for the life of the firm in a secure manner and location and for an additional three years after the termination of the firm.

Background

Organization Documents, depending on the legal form of an adviser, may include the following, among others:

◦ Articles of Incorporation, By-laws, etc. (for corporations)

◦ Agreements and/or Articles of Organization (for limited liability companies)

◦ Partnership Agreements and/or Articles (for partnerships and limited liability partnerships)

◦ Charters

◦ Minute Books

◦ Stock certificate books/ledgers

◦ Organization resolutions

◦ Any changes or amendments of the Organization Documents

Responsibility

Woodstock's Controller has the responsibility for the implementation and monitoring of our Organization Documents policy, practices, and recordkeeping.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock's designated officer will maintain the Organization Documents in Woodstock's principal office in a secure location; and

◦ Organization Documents will be maintained on a current and accurate basis and reviewed annually and updated by the designated officer so as to remain current and accurate with Woodstock's regulatory filings and disclosures, among other things.

III. Regulatory Filings

The accuracy of an investment adviser’s regulatory filings is critically important. An investment adviser’s regulatory filings include appropriate registrations that are essential to the regulatory monitoring of advisers. Certain regulatory filing requirements are also required as a means of the regulatory gathering of information to monitor market places. This section summarizes the regulatory filing requirements to which Woodstock is subject.

Registration

Introduction

As an SEC-registered investment adviser, Woodstock maintains and renews its adviser registration on an annual basis through the Investment Adviser Registration Depository (IARD), for the firm, state notice filings, as appropriate, and licensing of its investment adviser representatives (IARs).

Woodstock's policy is to monitor and maintain all appropriate firm notice filings and IAR registrations that may be required for providing advisory services to our clients in any location. Woodstock monitors the state residences of our advisory clients, and will not provide advisory services unless appropriately registered as required, or a de minimis or other exemption exists.

Background

In accordance with the Advisers Act, and unless otherwise exempt from registration requirements, investment adviser firms are required to be registered either with the Securities and Exchange Commission (SEC) or with the state(s) in which the firm maintains a place of business and/or is otherwise required to register in accordance with each individual state(s) regulations and de minimis requirements. The registered investment adviser is required to maintain such registrations on an annual basis through the timely payment of renewal fees and filing of the firm's Annual Updating Amendment.

Individuals providing advisory services on behalf of the firm are also required to maintain appropriate registration(s) in accordance with each state(s) regulations unless otherwise exempt from such registration requirements. The definition of investment adviser representative may vary on a state-by-state basis. Supervised persons providing advice on behalf of SEC-registered advisers are governed by the federal definition of investment adviser representative to determine whether or not state IAR registration is required. The investment adviser representative registration(s) must also be renewed on an annual basis through the IARD and the timely payment of renewal fees.

On February 15, 2012, the SEC adopted amendments to Rule 205-3 increasing the dollar thresholds used to determine whether an advisory client is a 'qualified client.' In addition to its primary application for ascertaining whether the adviser may charge a performance-based fee, the definition of a 'qualified client' is an important component of the federal definition of investment adviser representative.

Beginning in November 2011, FINRA implemented an annual Entitlement User Accounts Certification Process which requires the firm's designated Super Account Administrator (SAA) to review and update as necessary each user at their organization who is authorized to access specific applications on the IARD and/or CRD systems. If the SAA fails to complete the Certification Process within the prescribed 30 days, neither the SAA nor the firm's Accounts Administrators will be able to create, edit and clone user accounts for the firm until such time as the SAA completes the Certification Process.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our registration policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted various procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ the Chief Compliance Officer, or other designated officer, monitors the state residences of our advisory clients, and the firm and/or its IARs will not provide advisory services unless appropriately notice filed or licensed as required, or a de minimis or other exemption exists;

◦ Woodstock's Chief Compliance Officer, or other designated officer, monitors the firm's and IAR registration requirements on an on-going and annual basis;

◦ notice filings and IAR licensing filings are made on a timely basis and appropriate files and copies of all filings are maintained by the Chief Compliance Officer or other designated officer;

◦ Woodstock makes the annual filing of Form ADV within 90 days of the end of the firm's fiscal year (Annual Updating Amendment) to update all disclosures, including certain information required to be updated only on an annual basis;

◦ the firm's designated SAA will promptly respond to and complete FINRA's annual Entitlement User Accounts Certification Process to ensure that the firm maintains necessary and appropriate access to these systems. Annually, the SAA will conduct a full review of individuals authorized as Users on the firm's IARD/CRD system, including an assessment of each User's current authorization(s). The SAA will terminate or modify such authorizations based on each individual's need to access such applications.

Annually, Woodstock's Chief Compliance Officer, or other designated officer, is responsible for overseeing the IARD/CRD Annual Renewal Program, including:

◦ conducting a review of the current notice filings/registrations for the firm and its IARs prior to FINRA's publication of the current year's Preliminary Renewal Statement (typically published in early November);

◦ adding any necessary notice filings/registrations and/or withdrawing unnecessary notice filings/registrations on the IARD/CRD systems prior to the issuance of the Preliminary Renewal Statement to facilitate renewals and avoid payment of unnecessary registration fees;

◦ ensuring that payment of the firm's Preliminary Renewal Statement is made in a timely manner to avoid (i) termination of required notice filings and IAR registrations, and (ii) violations of regulatory requirements; and

◦ obtaining and reviewing the firm's Final Renewal Statement (published by FINRA on the first business day of the new year), and ensuring prompt payment of any additional registration fees or obtaining a refund for terminated registrations, if applicable.

Regulatory Reporting

Introduction

As a registered investment adviser with the SEC, or appropriate state(s), Woodstock's policy is to maintain the firm's regulatory reporting requirements on an effective and good standing basis at all times. Woodstock also monitors, on an on-going and periodic basis, any regulatory filings or other matters that may require amendment or additional filings with the SEC and/or any states for the firm and its associated persons.

Any regulatory filings for the firm are to be made promptly and accurately. Our firm's regulatory filings may include Form ADV, Form PF, Schedules 13D, 13G, Form 13F, Form 13H, FBAR and/or TIC Form SLT filings, among others that may be appropriate.

Background

Form ADV serves as an adviser's registration and disclosure brochures. Form ADV, therefore, provides information to the public and to regulators regarding an investment adviser. Regulations require that material changes to Form ADV be updated promptly and that Form ADV be updated annually.

Pursuant to rules adopted by the SEC implementing Sections 404 and 406 of the Dodd-Frank Act, SEC-registered investment advisers with at least $150 million in private fund assets under management are required to periodically file Form PF.

Schedules 13D, 13G, and Form 13F filings are required under the Securities Acts related to client holdings in equity securities. Form 13H filings are required under the Exchange Act for firms designated as large traders. Form D filings under Regulation D of the Securities Act of 1933 allow issuers of private securities to make offerings, e.g., hedge and private equity fund offerings to investors without registration under the 1933 Act. The SEC has proposed amendments to Form D pursuant to rules adopted (i) permitting general solicitation and general advertising in Rule 506 offerings and (ii) 'Bad Actor' provisions that disqualify securities offerings involving certain 'felons' and other 'bad actors' from relying on Rule 506 where an issuer or certain other 'covered persons' have had a disqualifying event.

U.S. Department of the Treasury TIC Form SLT is filed with the Federal Reserve Bank of New York to report certain foreign-resident holdings of long-term U.S. securities and/or U.S.-resident holdings of long-term foreign securities. FBAR filings are required for every U.S. person who has a financial interest in, or signature or other authority over, any foreign financial accounts, including bank, securities, or other types of financial accounts in a foreign country; such a person must report that relationship each calendar year by filing an FBAR with Treasury on or before June 30 of the succeeding year, if the aggregate value of these financial accounts exceeds $10,000 at any time during the calendar year.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our regulatory reporting policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock makes the annual filing of Form ADV within 90 days of the end of the firm's fiscal year (Annual Updating Amendment) to update all disclosures, including certain information required to be updated only on an annual basis;

◦ Woodstock promptly updates our Disclosure Document and certain information in Form ADV, Part 1 and Part 2, as appropriate, when material changes occur;

◦ all employees should report to the Compliance Officer or other designated officer any information in Form ADV that such employee believes to be materially inaccurate or omits material information; and

◦ as applicable, Woodstock's Chief Compliance Officer, or designated officer, will review Schedules 13D, 13G, and Form 13F, 13H and D, FBAR, TIC Forms (e.g., Forms B, C and SLT, as applicable) and Form PF filing requirements among others and make such filings and keep appropriate records as required.


IV. Privacy and Information Safeguarding

Cybersecurity

Introduction

Woodstock's cybersecurity policy, in conjunction with our Firm's Identity Theft and Privacy policies as set forth in this Manual, recognizes the critical importance of safeguarding clients' personal information as well as the confidential and proprietary information of the firm and its employees. Maintaining the security, integrity and accessibility of the data maintained or conveyed through the Firm's operating systems is a fundamental requisite of our business operations and an important component of our fiduciary duty to our clients. While recognizing that the very nature of cybercrime is constantly evolving, Woodstock conducts periodic vulnerability assessments based on our firm's use of technology, third-party vendor relationships, reported changes in cybercrime methodologies, and in response to any attempted cyber incident, among other circumstances.

Protecting all the assets of our clients, and safeguarding the proprietary and confidential information of the firm and its employees, is a fundamental responsibility of every Woodstock employee, and repeated or serious violations of these policies may result in disciplinary action, including, for example, restricted permissions or prohibitions limiting remote access; restrictions on the use of mobile devices; and/or termination.

Background

On April 28, 2015, the Securities and Exchange Commission (“SEC”) issued a Guidance Update pertaining to the importance of cybersecurity and the actions an investment adviser may need to consider in light of increasing cybersecurity risks. The SEC had previously provided guidance in a Risk Alert released by the Office of Compliance Inspections and Examinations in February 2015 which summarized its cybersecurity examinations of investment advisers and broker/dealers. The SEC has also stated that the cybersecurity program of a firm needs to consider the requirements of Regulation S-P, Regulation S-ID, and new standards and best practices described in the National Institute for Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.

Additionally, Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD)-21 Critical Infrastructure Security and Resilience outlined expectations regarding cybersecurity for financial services firms and sixteen critical infrastructure sectors.

Responsibility

Woodstock recognizes that appropriate governance of cybersecurity is a firm-wide effort which includes guidance and support from management and training of employees at all levels. The CCO is responsible for maintaining procedures and practices related to this Cybersecurity Policy and revising them as may be required from time to time. Any questions regarding Woodstock's cybersecurity policies should be directed to Woodstock's Chief Compliance Officer.

Procedure

In addition to the firm's procedures as set forth in the Identity Theft and Privacy sections of this manual, Woodstock has adopted various procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock has designated Woodstock's Chief Compliance Officer as the firm's Chief Information Security Officer (CISO) with responsibility for overseeing our firm's cybersecurity practices;

◦ Woodstock's cybersecurity policies and procedures have been communicated to all employees of the firm;

◦ Woodstock restricts employees' access to those network resources necessary for their business functions;


◦ Woodstock's Chief Compliance Officer conducts periodic risk assessments at least annually to identify cybersecurity threats, vulnerabilities, and potential business consequences;

◦ Woodstock provides training to employees regarding information security risks and responsibilities; such training is provided to all new employees as part of their onboarding process and is provided to all employees no less than annually; additional training and/or written guidance also may be provided to employees in response to relevant cyber-attacks;

◦ Woodstock has adopted procedures to promptly eliminate access to all firm networks, devices and resources as part of its HR procedures in the event an employee resigns or is terminated; such employee is required to immediately return all firm-related equipment and information to Woodstock's Chief Compliance Officer;

◦ Woodstock has adopted procedures governing the use of mobile devices for firm business purposes;

◦ Woodstock prohibits employees from installing software on company owned equipment without first obtaining written approval from Woodstock's Chief Compliance Officer or other designated person(s);

◦ Woodstock's Chief Compliance Officer or other designated person(s) conducts periodic monitoring of the firm's networks to detect potential cybersecurity events;

◦ Woodstock's Chief Compliance Officer oversees the selection and retention of third-party service providers, taking reasonable steps to select those capable of maintaining appropriate safeguards for the data at issue;

◦ Woodstock's Chief Compliance Officer requires third-party service providers having access to the firm's networks to periodically provide logs of such activities;

◦ security procedures to protect nonpublic personal information that is electronically stored or transmitted include authentication protocols and secure access control measures;

◦ to best protect our clients and the firm, all suspicious activity recognized or uncovered by personnel should be promptly reported to Woodstock's Chief Compliance Officer;

◦ an employee must immediately notify Woodstock's Chief Compliance Officer to report a lost or stolen laptop, mobile device and/or flash drive; and

◦ Woodstock maintains a written cybersecurity incident response policy.

Privacy

Introduction

As a registered investment adviser, Woodstock must comply with SEC Regulation S-P (OR if state-registered: with the Privacy Rule of the Gramm-Leach-Bliley Act (GLB) as administered and enforced by the Federal Trade Commission), which requires registered advisers to adopt policies and procedures to protect the "non-public personal information" of natural person consumers and customers and to disclose to such persons policies and procedures for protecting that information.

Further, and as an SEC registered advisory firm, our firm must comply with new SEC Regulation S-AM, to the extent that the firm has affiliated entities with which it may share and use consumer information received from affiliates.

Woodstock must also comply with the California Financial Information Privacy Act (SB1) if the firm does business with California consumers.

Background

Under Regulation S-P, adopted by the SEC pursuant to the Gramm-Leach-Bliley Act of 1999, all registered investment advisors and broker dealers are required to have in place policies and procedures designed to protect all Nonpublic Personal Information they may have about individuals (as opposed to trusts, corporations, etc.) who invest in their funds or products, or with whom they have a direct Client relationship (e.g. such as a managed account). It is a violation of SEC rules to disclose such information to non-affiliated third parties unless necessary to do so in the proper performance of business (e.g. to a broker or a fund administrator to service the account) or as otherwise permitted or required by law.

The requirements relate to past, current and potential Clients.


Woodstock Corporation must comply with SEC Regulation S-P (and other applicable regulations), which requires registered advisors and broker dealers to adopt policies and procedures to protect the “Nonpublic Personal Information” of natural person Clients and to disclose such practices for protecting that information. Nonpublic Personal Information includes nonpublic “personally identifiable financial information” plus any list, description or grouping of customers that is derived from nonpublic personally identifiable financial information. Such information may include personal financial and account information, information relating to services performed for or transactions entered into on behalf of Clients, advice provided by Woodstock to Clients, and data or analyses derived from such Nonpublic Personal Information.

“Nonpublic Personal Information” should be considered any personally identifiable financial information, including, but not limited to, Client:

◦ names, addresses, contact details, or information that identifies a person as a customer;

◦ social security numbers or tax identification numbers;

◦ assets, net worth, income, or other information provided on a financial product application;

◦ bank account information;

◦ consumer report information;

◦ occupation;

◦ information acquired through an Internet “cookie”; and/or

◦ other information regarding Clients not available to the public.

Likewise, various additional state laws and regulations further require the development of Privacy & Information Security Programs, which Programs must establish minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of such regulations “are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.” (see Massachusetts Regulation 201 CMR 17.01(1)). In addition, many other state statutes specifically require a company to implement reasonable measures to secure “personal information” and ensure the appropriate destruction of such data.

In addition, the vast majority of states have enacted laws requiring notification to affected consumers and/or state agencies in the case of information security breaches. The states that have enacted breach notification laws have varying definitions of what constitutes “personal information,” what triggers breach notification and notification requirements.

Privacy Notices

Regulation S-P also requires the delivery of a Privacy Notice to Clients who are natural persons at the beginning of each respective relationship and annually thereafter. Regulation S-P and Regulation S-AM (Subpart B) dictate certain content of such notices depending on business practices, including with whom information is shared by an investment adviser or broker dealer, and for what reasons the information is shared.

Regulation S-AM (see http://www.sec.gov/rules/final/2009/34-60423.pdf for complete rule) allows a Client to block a financial service provider from sharing information about the Client to an affiliate(s) when the affiliate would use such information to market specific services to the Client (referenced as the sharing of “eligibility information”).

Reg. S-AM does not prohibit sharing of information with an affiliated entity for purposes of providing services to the Client, but instead prohibits an affiliate from using shared information to make directed marketing solicitations to consumers unless 3 criteria are met:

1. The potential marketing use of the information has been clearly, conspicuously and concisely disclosed to the consumer in writing (typically via an opt out provision in a Privacy Notice).

2. The consumer has been provided a reasonable opportunity and a simple method to opt out of receiving the solicitation.

3. The consumer has not opted out per Item 2.


Reg. S-AM does contain a number of exceptions to its notice and opt-out requirements, such as when an affiliate making a marketing solicitation has a pre-existing business relationship with the consumer, or provides marketing material in response to an affirmative request or other communication initiated by the consumer.

In determining if a pre-existing relationship exists, Reg. S-AM provides another three-prong test:

1. Where there is a financial contract in force between a covered person and a consumer.

2. When a consumer purchased, rented or leased a covered person’s goods or services, or entered into a financial transaction with a covered person during the 18 month period immediately preceding the date on which a solicitation is made.

3. In certain circumstances, when a consumer inquired about, or applied for, a product or service offered by a covered person during the 3-month period immediately preceding the date on which a solicitation is made.

With respect to Privacy Notices, certain state regulations may require additional opt-out or opt-in requirements and procedures prior to the sharing of certain information with third parties. Most significantly, the California Financial Information Privacy Act (Financial Code section 4050-4060) (frequently referred to as S.B.1), requires that investment advisers and broker dealers offer Clients an opt-out prior to sharing Nonpublic Personal Information with affiliates; and requires that Clients must “opt-in” before investment advisers and broker dealers may share information with non-affiliated third parties.

S.B.1, much like Regulations S-P and S-AM, provides exceptions to its opt-out and opt-in provisions that allow firms to share information in the ordinary course of business, as necessary to provide services to clients, or as otherwise required by law. See Appendices A and B, for relevant sections of S.B.1 and Regulation S-P. Additional exceptions under these regulatory frameworks are available for “joint marketing” arrangements when constructed in accordance with the relevant regulations. The following portion of Section 4053(b)(1) of the California Financial Information Privacy Act helps to understand certain of these exceptions and the demarcations between permitted and not permitted information sharing:

• A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this division.

In addition, to the extent a broker dealer or investment adviser is subject to “opt-out” or “opt-in” requirements under S.B.1, Section 4053(d) of the California Financial Information Privacy Act delineates certain required delivery mechanisms and means for offering Clients the ability to respond to the notice.

Responsibility

Woodstock’s Privacy Officer is responsible for reviewing, maintaining and enforcing these policies and procedures (administration of the Information Security Program) to ensure meeting Woodstock’s privacy goals and objectives while at a minimum ensuring compliance with applicable federal and state laws and regulations. The Privacy Officer shall also be responsible for documenting any actions taken in connection with a breach of security and performing a post-incident review of events and actions taken, if any, to prevent future breaches.

The Privacy Officer is also responsible for maintaining the security of Woodstock’s electronic security systems as specified herein with the assistance of Woodstock’s technology service provider.


Procedure

In order not to hinder the efficient operation of our business, we do not, as a matter of policy, specifically seek to restrict any firm personnel from access to Nonpublic Client information. However, we nevertheless have in place arrangements for the security of such information in our possession (locking filing cabinets, system password controls etc.), which are reasonably designed to avoid unauthorized access by third parties and it is the responsibility of every Supervised Person to use their best efforts to ensure that Clients’ Nonpublic Personal Information is securely maintained and not disclosed to any person not employed by Woodstock.

Excluded from this restriction are third parties with which we must share information in order to conduct business and provide services to our Clients, to which our clients have requested, authorized, or provided consent, or as otherwise specifically approved by the Privacy Officer or Chief Compliance Officer. Nonpublic personal information also may be shared with regulators and/or when required by law, rule, regulation, or a subpoena or order issued by a court of competent jurisdiction, or by a judicial, administrative, or legislative body. Please consult with the Chief Compliance Officer before responding to subpoenas, orders, regulatory inquiries, or other similar requests for information.

All Supervised Persons should take precautions to prevent unauthorized individuals from inadvertently or deliberately gaining access to Nonpublic Personal Information or other confidential information relating to our Clients. If in doubt about the access or disclosure of such information, you should consult with the Privacy Officer or Chief Compliance Officer. Supervised Persons may not use Nonpublic Personal Information for their own personal use or otherwise outside of their employment with Woodstock.

Identification of Internal or External Risks to Nonpublic Personal Information

• The Privacy Officer will review all foreseeable internal and external risks to information security with key operations, technology, management and risk control personnel in all areas of Woodstock’s operations.

• The Privacy Officer will assess the likelihood and potential damage of these threats, the sufficiency of any safeguards in place to control such risks and, where appropriate, revise policies and procedures to address such risks.

• Based upon the policies and procedures provided under this Program, the Privacy Officer will design and/or arrange for the provision of all necessary and appropriate technical and administrative safeguards for protected information and will test and monitor, as necessary, the effectiveness of such controls, systems and procedures.

Overview of Security Requirements

• Client files and other Nonpublic Personal Information of Clients must be maintained either electronically on the Woodstock computer systems or in lockable desks, filing cabinets, or other secure storage areas.

• Written/printed materials containing Nonpublic Personal Information should be cross-shredded or placed in an appropriate locked disposal bin designated for such purposes, rather than placed in rubbish bins.

• Computers/laptops containing Nonpublic Personal Information must have access restrictions in the form of passwords.

• The hard drive of any old computers/laptops must be “wiped clean”, destroyed or otherwise rendered incapable of use before being discarded, sold or donated.

• Anyone who has knowledge of suspicious or unauthorized access, use or disclosure of Nonpublic Personal Information shall immediately report it to the Privacy Officer or Chief Compliance Officer.

• Unauthorized access, use or disclosure of Nonpublic Personal Information or failure to report such unauthorized access, use or disclosure, will result in appropriate disciplinary action, which may include termination of employment.

• Any questions concerning these policies and procedures should be addressed to the Privacy Officer or Chief Compliance Officer.


Non-Disclosure of Client Information

Woodstock maintains safeguards to comply with federal and state standards to guard each Client's Nonpublic Personal Information. Woodstock does not share any Nonpublic Personal Information with any nonaffiliated third parties, except as permitted or required by law and in the following circumstances:

1. As necessary to provide the service that the Client has requested or authorized, or to maintain and service the Client's account. Nonpublic Personal Information may only be additionally shared with third parties with whom we have a written agreement to perform services for and who require such information to perform their duties under this written agreement. All new contracts with such persons must contain a confidentiality clause prohibiting them from disclosing Nonpublic Personal Information both during and after the duration of the contract;

2. As required by regulatory authorities or law enforcement officials who have jurisdiction over Woodstock, or as otherwise required by any applicable law;

3. To the extent reasonably necessary to prevent fraud and unauthorized transactions; or

4. As otherwise specifically approved by Woodstock’s management subject to the Privacy Officer or Chief Compliance Officer’s review of the effect of such additional disclosure on Woodstock’s Privacy Notice and required contractual provisions with third parties with which such information may be authorized.

Supervised Persons are prohibited, either during or after termination of their employment, from disclosing Nonpublic Personal Information to any person or entity outside Woodstock, including family members, except under the circumstances described above.

Privacy Notices

Initial Privacy Notices

Woodstock will provide each natural person Client with an initial Privacy Notice when the relationship is established. Woodstock Corporation’s Client Agreements will typically include an acknowledgement from the Client evidencing delivery of the Privacy Notice. The date of the contract signing shall indicate the date of Privacy Notice delivery.

Annual Privacy Notices

Annual privacy notices must be sent to all natural person Clients on a yearly basis for the duration of our client relationship with them. The Chief Compliance Officer is responsible for ensuring that required notices are distributed.

Revised Privacy Notices

If at any time, Woodstock adopts material changes to its privacy Procedures and Practices that require an amended Privacy Notice, the firm shall provide each applicable Client with a revised notice.

Privacy Notices Recordkeeping

The Chief Compliance Officer must preserve at least one sample copy of each privacy notice for a period of at least five years from the end of the fiscal year in which created, in an easily accessible place and at the Firm’s principal office for at least the first two years. Any time that the Firm’s privacy notice is revised, no matter how insubstantial the changes may be, personnel must ensure that both the old and new versions of the notice are retained on file.

Privacy Protocols, Training & Evaluation

• Woodstock’s Privacy Officer shall provide training to Supervised Persons regarding security measures including the transmission of information, the disposal of information, and the creation of unique system passwords, among other things.

• Woodstock’s Privacy Officer will, on a periodic basis, and at least annually, (i) conduct a review to identify reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of any electronic, paper or other records containing Nonpublic Personal Information; (ii) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Nonpublic Personal Information; (iii) evaluate the sufficiency of this Program to control those risks; and (iv) revise this Program to minimize those risks, consistent with the requirements of federal and state regulations.

• Any questions concerning these policies and procedures should be addressed to the Privacy Officer or Chief Compliance Officer.

Electronic System Protections

• Woodstock’s electronic systems shall be protected by enterprise-grade firewall systems which are actively managed. Access to systems will be limited to active users and active user accounts only and access shall be blocked to any user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.

• Woodstock has and will continue to maintain reasonably up-to-date firewall protection and operating system security patches on all systems maintaining Nonpublic Personal Information, that are reasonably designed to maintain the integrity of such information.

• Woodstock has and will maintain reasonably up-to-date versions of security software, which will protect all systems processing Nonpublic Personal Information. This security software will include anti-virus, anti-spam, malware and trojan protection, as well as reasonably up-to-date software patches and security ‘definition’ updates.

• Computers/laptops containing Nonpublic Personal Information must have access restrictions in the form of passwords. Woodstock assigns unique identifications, and users maintain unique passwords, that are designed to maintain the integrity of the security of the access controls, and prohibit the use of vendor supplied default passwords, to each authorized active user. Access is restricted to active users and active user accounts only.

• Woodstock has in place secure user authentication protocols, including (i) control of user IDs, (ii) strong user account passwords; and (iii) control of how such passwords are maintained in a location and/or format that does not compromise their privacy. Access to user identification will be blocked after multiple unsuccessful attempts to gain access.

• Back-up tapes of Woodstock servers shall be encrypted.

• Woodstock blocks electronic access to Nonpublic Personal Information by former Supervised Persons, other former service providers of Woodstock and other individuals who are no longer authorized users with an active user account.

• The hard drive of any computers/laptops shall be “wiped clean” before being discarded, sold or donated.

Processes for Handling Sensitive and Nonpublic Personal Information & Disposal of Nonpublic Personal Information

• A Client’s first or last name, or first initial and last name, in combination with the person's (a) social security number, (b) driver's license number or other state-issued identification card number; or (c) financial account number, or credit or debit card number, or access code, or personal identification number, or password, or any other information related to access to a financial account is hereby deemed “sensitive information.” Effective March 1, 2010, sensitive information may not be sent electronically across public networks (for example, email) or wirelessly to Clients or other third parties unless encrypted during transmission. Exceptions are permitted for the use of smartphones (i.e. iPhones, Blackberrys, etc.) if such transmission is required for immediate delivery and cannot be reasonably avoided. Supervised Persons shall not, however, store sensitive information on smartphones for any period longer than necessary.

• Supervised Persons shall use cautious discretion in transmitting any Nonpublic Personal Information in any electronic transmission and should transmit such information electronically only to the extent that another reasonable alternative is not available.

• Effective March 1, 2010, Supervised Persons shall store sensitive information on the firm’s secure internal systems or encrypted laptops, and not on un-encrypted computers and/or media (such as unencrypted USB keys or CD/DVD disks).

• Prior to Woodstock engaging any third-party service providers who will have access to Nonpublic Personal Information, Woodstock will take reasonable measures to ensure that the third-party service provider is capable of safeguarding Nonpublic Personal Information in the manner required by this Program and in compliance with any applicable federal and state regulations.

• In requesting any data from third parties that may include sensitive information, Woodstock Supervised Persons will not request and will seek to avoid receiving sensitive information electronically unless such information is encrypted. Woodstock Supervised Persons shall encourage third parties to only provide such sensitive information in an encrypted format.

• Disposal of any written/printed materials containing Confidential or Nonpublic Personal Information shall be by means of cross-shredding, firm designated disposal bins, or other complete destruction rather than disposal in rubbish bins.

• Supervised Persons are prohibited, either during or after termination of their employment, from disclosing Nonpublic Personal Information to any person or entity outside Woodstock, including family members, except under the circumstances described above.

• Any sensitive information which is stored on disk, CD, tape or other electronic media shall be cleared, purged, declassified, overwritten and/or encrypted in such a manner so that any information contained therein cannot be restored or decrypted. After the electronic media has been cleared, purged, declassified, overwritten or encrypted, the Privacy Officer, or designee, shall check that the original information is not backed-up or saved on a hard drive, recycle bin or other memories.

• Access to records shall be immediately eliminated at the time of the termination of any Supervised Person.

• All third party service provider contracts with parties to whom Woodstock may share Client Nonpublic Personal Information must include provisions requiring such third-party service providers to maintain appropriate security measures to protect such Nonpublic Personal Information consistent with applicable state and federal regulations.

• Woodstock provides education and training regarding this Program and the importance of the security of Nonpublic Personal Information to all Supervised Persons who will have access to Nonpublic Personal Information through their positions at Woodstock.

• Unauthorized access, use or disclosure of Nonpublic Personal Information or failure to report such unauthorized access, use or disclosure, will result in appropriate disciplinary action, which may include termination of employment.

• Woodstock makes efforts to limit the electronic and paper delivery (via US mail, UPS, FedEx, etc.) of sensitive information. Woodstock offers Clients an internet site at which Clients may view and download quarterly reports and other documents that may include nonpublic information.

• Woodstock seeks to eliminate, as possible, any unnecessary use of account numbers, social security numbers, and government identification numbers within written or electronic reports, reviews, invoices, statements, and other documents.

Reporting Breaches and Violations

A breach of security is the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure. (See Massachusetts Regulation 201 CMR 17.02).

• Any Person who is aware of a possible “breach of security” (knowledge of unauthorized access, use or disclosure of Nonpublic Personal Information) shall immediately report it to the Privacy Officer or Chief Compliance Officer. Any Person shall also inform the Privacy Officer or Chief Compliance Officer immediately of any change in the business practices of Woodstock that may implicate the security or integrity of records containing personal information.

• Upon notification of a possible breach of security, the Privacy Officer or Chief Compliance Officer will immediately ascertain the type of information involved and whether the data contains Nonpublic Personal Information. The Privacy Officer, in coordination with the Chief Compliance Officer, appropriate legal and technology personnel, shall also determine whether the compromised information was encrypted and what other steps were taken to protect it.

• Upon conclusion of the analysis of the nature and scope of the possible breach of security, the Privacy Officer, in coordination with Woodstock’s Chief Compliance Officer and other members of management and legal counsel, as necessary, shall determine whether there is a statutorily defined security breach such that a breach notification is required.

• The Privacy Officer shall document responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Identity Theft

Introduction

Woodstock's policy is to protect our customers and their accounts from identity theft and to comply with the Regulation S-ID Red Flags Rule. We will do this by developing and implementing this written ITPP, which is appropriate to our size and complexity, as well as the nature and scope of our activities. This ITPP addresses 1) identifying relevant identity theft Red Flags for our firm, 2) detecting those Red Flags, 3) responding appropriately to any that are detected to prevent and mitigate identity theft, and 4) updating our ITPP periodically to reflect changes in risks.

Our identity theft policies, procedures and internal controls will be reviewed and updated periodically to ensure they account for changes both in regulations and in our business.

In addition to the identity theft Red Flags specifically listed in the ITPP, the Firm also monitors for identity theft Red Flags through other components of our compliance program, including but not limited to Anti-Money Laundering (AML) Program, our Custody Policies and Procedures and our Privacy Policy. These procedures and controls are incorporated by reference into this ITPP.

Responsibility

This ITPP has been reviewed and approved by the Firm’s Board of Directors.

Woodstock’s Chief Compliance Officer, in coordination with the Firm’s Board of Directors, is designated to be responsible for implementing, administering, reviewing and maintaining this ITPP. The Firm’s senior management is responsible for enforcing the ITPP.

The Chief Compliance Officer shall also be responsible for providing training on this Program to employees on an annual basis, and for overseeing the Firm’s third party service providers related to this ITPP.

Procedure

I. Identifying Red Flags

Our Firm utilizes the guidelines in the Regulation S-ID adopting release[1] in identifying relevant telltale signs or “Red Flags” of possible identity theft, and incorporates those which are relevant to our Firm. Our Firm incorporates Red Flags, as appropriate, from sources such as:

1. Incidents of identity theft attempted against the Firm;

2. Changes in methods of effecting identity theft; and

3. Applicable regulatory guidance.

The Red Flags considered relevant to the Firm (“Identified Red Flags”) take into consideration relevant Red Flags from the following five categories, as appropriate:

1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

2. The presentation of suspicious documents;

3. The presentation of suspicious Identifying Information, such as a suspicious address change or wiring instructions;

4. The unusual use of, or other suspicious activity related to, a covered account; and

5. Notice from clients, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the Firm.

The Identified Red Flags are included in Exhibit A (“Identity Theft Red Flags and Responses”). The Chief Compliance Officer shall be responsible for maintaining this list of Identified Red Flags and responsive actions.

II. Detecting Red Flags

Our ITPP requires Supervised Persons to reasonably detect when Red Flags are present during the account opening process for new covered accounts, and when transactions and changes are requested for existing covered accounts.

Identity theft Red Flags are most likely to occur during the account opening process and when the Firm receives a client request to take some action with respect to the client’s account. In both instances, there will likely be a client request which begins the process. Therefore, our Firm’s procedures are designed to detect Red Flags at the time they are most likely to occur.

Individuals purporting to be clients may request changes to client information, information about the client’s covered account, or wire transfers or distributions of funds to a third party. It is important that Supervised Persons take steps to reasonably verify the client’s identity when such requests are received by the Firm. For example, email requests from clients should be verified by calling the client, using the client’s telephone number on record rather than a telephone number provided in the client’s email request.

While the specific Identified Red Flags and responses are set forth in Exhibit A, below are the general requirements our Firm must follow for detecting Red Flags:

1. The Firm shall review the personal information provided by the client or prospective client.

2. For individuals, the Firm shall require a current government-issued identification card bearing the client’s or prospective client’s photograph, or identification containing a physical description of the client.

3. For clients or prospective clients meeting in person with a Supervised Person of the Firm, the Supervised Person shall review whether the individual’s photographic identification is consistent with the likeness of the individual presenting the identification. The Firm shall check the personal information provided by the client or prospective client using the Firm’s Anti-Money Laundering (AML) Program.

4. All Supervised Persons of the Firm are responsible for being aware of the Identified Red Flags, for responding accordingly as set forth in Exhibit A, and for bringing any known or suspected identity theft incidents to the attention of the Chief Compliance Officer immediately.

5. On at least an annual basis, the Chief Compliance Officer (or a party delegated by the Chief Compliance Officer) shall provide training on detecting identity theft Red Flags to all Supervised Persons. All Supervised Persons shall be required to attend this training and to acknowledge their obligations to monitor for identity theft Red Flags.

6. The Firm shall monitor and oversee each third party service provider in a position to detect, prevent, or mitigate identity theft in connection with the Firm’s covered accounts.

III. Responding to Red Flags

When a Supervised Person detects, is notified of, or otherwise becomes aware of an Identified Red Flag, the Firm shall follow the procedures and responsive actions identified in Exhibit A.

IV. Updating the Program

On at least an annual basis, the Chief Compliance Officer shall review the Firm’s ITPP for appropriateness taking into consideration the following:

1. Current identity theft risks for the Firm, and foreseeable internal and external risks to information security and access to client information, by reviewing these risks with key operations, technology, management and risk control personnel of the Firm;

2. The Firm’s experiences with identity theft incidents;

3. Changes in methods used to perpetuate identity theft;

4. The likelihood and potential damage of these threats to the Firm;

5. Changes in methods to detect, prevent, and mitigate identity theft, and the sufficiency of the technical, administrative, and procedural safeguards in place to control such risks;

6. Changes in the types of accounts we offer or maintain; and

7. Changes in our business arrangements, affiliations, operations, and service providers.

Based on the review of the Firm’s ITPP, the Chief Compliance Officer (or a party delegated by the Chief Compliance Officer) shall report the following to the Firm’s Board of Directors:

A. The effectiveness of the policies and procedures of the Firm in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts;

B. Service provider arrangements: review all of the Firm’s third party service providers with access to or information about the Firm’s clients, and review the controls of these third party service providers to prevent, detect, and mitigate the risk of fraudulent access to client information or assets;

C. Significant incidents involving identity theft and management’s response; and

D. Recommendations for material changes to the Program.

See Appendices: Identity Theft Attestation and Red Flags and Responses

E-Mail and Other Electronic Communications

Introduction

Our policy provides that email, instant messaging, social networks and other electronic communications are treated as written communications and that such communications must always be of a professional nature. Our policy covers electronic communications for Woodstock Corporation and Woodstock Services Company, LLC (“Woodstock”) to or from our clients, any personal email communications within the firm and social networking sites.

All Woodstock and client related electronic communications pertaining to Woodstock must be on Woodstock’s systems, and use of personal email addresses, personal social networks, and other personal electronic communications for Woodstock business-related purposes is prohibited. Woodstock prohibits any posting on social networking sites of any confidential Woodstock information, including any information about Woodstock’s clients, investment recommendations, or trading activities.

Woodstock prohibits employees from creating or maintaining any individual blogs or network pages on behalf of Woodstock.

Woodstock employees may divulge the company’s name and their position on professional networking sites such as LinkedIn. While employees may divulge the company’s name and their position, employees should not discuss Woodstock, their role, or any other information relating to their employment. Any information beyond company name and position is prohibited without prior approval from the Chief Compliance Officer.

To the extent that an employee utilizes a social networking site for business purposes, all communications are to be fundamentally regarded as advertising (i.e. testimonials are prohibited as are any untrue statements of material fact; information provided must not be false or misleading, etc.).

Federal securities laws and Woodstock’s policies also prohibit the posting of any privileged or nonpublic information on social networks about the company’s business activities, client and specific investment opportunities.

Personal use of Woodstock’s email and any other electronic systems is permitted but should be used only in a responsible manner and with the understanding that personal emails may be reviewed by Woodstock or third parties including regulators.


Woodstock retains the right to monitor all files and messages stored on and transmitted through Woodstock computers – employees should have no reasonable expectation of privacy on the Internet or social network sites accessed through Woodstock computers, even if a private account is used.

Woodstock’s Email and Other Electronic Communication Policy will not be construed or applied to limit employees’ rights under the National Labor Relations Act (“NLRA”) or applicable law.

Background

As a result of recent financial industry issues and several regulatory actions against major firms involving very significant fines, financial industry regulators, e.g., SEC and FINRA, are focusing attention on advisers and broker-dealer policies on the use of email, as well as other electronic communications and retention practices.

Social media and/or methods of publishing opinions or commentary electronically is a fast growing phenomenon which takes many forms, including internet forums, blogs and microblogs, online profiles, wikis, podcasts, picture and video posts, virtual worlds, email, instant messaging, text messaging, music and other file-sharing, to name just a few. Examples of social media applications include, among others, LinkedIn, Facebook, MySpace, YouTube, Twitter, Yelp, Flickr, Second Life, Yahoo groups, Wordpress, and ZoomInfo. The proliferation of such electronic communications presents new and ever changing regulatory risks for our firm.

As a registered investment adviser, use of social media by Woodstock and/or related persons of Woodstock must comply with applicable provisions of the federal securities laws, including, but not limited to the following laws and regulations under the Advisers Act, as well as additional rules and regulations identified below:

• Anti-Fraud Provisions: Sections 206(1), 206(2), and 206(4), and Rule 206(4)-1 thereunder;

• Advertising: Rule 206(4)-1

• Compliance/Supervision: Rule 206(4)-7

• Privacy: Regulation S-P; Commonwealth of Massachusetts regulations

• Recordkeeping: Rule 204-(2)

For example, business or client related comments or posts made through social media may breach applicable privacy laws or be considered "Advertising" under applicable regulations triggering content restrictions and special disclosure and recordkeeping requirements. When an employee identifies Woodstock in any manner (electronic, written), it is not considered personal anymore. Once Woodstock is identified or an employee is identified as an officer, employee, or representative of Woodstock, the matter is no longer personal and may now have implications for both Woodstock and its clients. Accordingly, Woodstock seeks to adopt reasonable policies and procedures to safeguard Woodstock and its clients.

Responsibility

Each employee has an initial responsibility to be familiar with and follow Woodstock’s email and electronic communication policy with respect to their individual communications. The Chief Compliance Officer has the overall responsibility for making sure all employees are familiar with Woodstock’s policy, implementing and monitoring our policy, practices, and recordkeeping.

Procedure

Woodstock has adopted procedures to implement its policy, and conducts internal reviews to monitor and ensure that the policy is observed, implemented properly, and amended or updated, as appropriate. These include the following:

1. Woodstock's email policy has been communicated to all persons within the company and any changes in our policy will be promptly communicated.

2. All employees are required to sign a written acknowledgement of our Email and Other Electronic Communication Policy.


3. All employees will be required to provide annual certification that they understand and are complying with our Email and Other Electronic Communication Policy.

4. Unless otherwise prohibited by federal or state laws, Woodstock may request or require employees to provide Woodstock's Chief Compliance Officer with access to any approved social networking accounts. Furthermore, static content posted on social networking sites must be preapproved by Woodstock's Chief Compliance Officer.

5. Electronic communications records will be maintained and arranged for easy access and retrieval so as to provide true and complete copies with appropriate backup and separate storage for the required periods.

6. All Woodstock and client related electronic communications must be on the company’s systems, to, from or copied to your Woodstock email address.

7. Use of personal email addresses, personal social networks, and other personal electronic communications for Woodstock or client communications is prohibited.

8. Woodstock prohibits employees from creating and maintaining any individual blogs or network pages on behalf of the firm.

9. The Chief Compliance Officer will periodically monitor a random sampling of employee electronic communications, survey social media use by employees and maintain documentary evidence of such surveillance in an applicable location.

10. Woodstock reserves the right to use content management tools to monitor, review or block content on company blogs that violate company blogging rules and guidelines.

11. In order to reasonably protect Woodstock Corporation’s email communications, which may include Private Information of Clients in encrypted format, the Firm requires complex passwords and enforces timeouts and lockouts. Employees are aware of this policy and may face disciplinary action for attempting to circumvent any Corporate Password Requirements. Password standards and policies are effected at the server level and are maintained through Microsoft Exchange ActiveSync.

12. Woodstock Corporation does not allow the use of any cross platform applications such as, but not limited to, Dropbox, SugarSync, Box.com and Google Drive. Employees may not utilize any cross-platform application for storage or transmittal of Corporate or Customer records or information. Additionally, these applications may not be installed nor in any way accessed on Woodstock’s local network including through any form of remote login.

13. Woodstock requires employees to report any violation, or possible or perceived violation, to the company’s Chief Compliance Officer. Violations include discussions of Woodstock, its clients and/or employees, any discussion of proprietary information (including trade secrets, or copyrighted or trademarked material) and any unlawful activity related to blogging or social networking.

14. Woodstock investigates and responds to all reports of violations of the Email and Other Electronic Communication Policy and other related policies. Violation of the company’s Email and Other Electronic Communication Policy will result in disciplinary action up to and including immediate termination. Any disciplinary action or termination will be determined based on the nature and factors of any blog or social networking post, or any unauthorized communication. If you have any questions about this policy or a specific posting on the web, please contact the Chief Compliance Officer.

See Appendices: Email and Other Electronic Communications Attestation


Mobile Devices

Introduction

Mobile devices enable employees of Woodstock Corporation (the “Firm”) to be productive, but they also present a privacy risk of data leakage outside the Firm. In addition, if a mobile device is lost or stolen, a data breach could result in the Firm’s sensitive information or personal information about its investors being exposed. The following policy applies to all employee mobile devices with access to the Firm’s computer network or electronic resources or which are used by Firm employees for business purposes (“Mobile Devices”).

Responsibility

The Firm’s Privacy Officer is responsible for administration, oversight, and recordkeeping in conjunction with this Mobile Device Policy.

Procedure

1. Approved Mobile Devices

The Firm permits employees to bring their own mobile device. The Firm presently does not restrict the type of Mobile Device or the particular mobile carrier used by an employee, provided that the Mobile Device is in compliance with the Firm’s policy.

The Firm’s Privacy Officer will periodically review the types of devices accessing Firm resources. If at any time the Privacy Officer determines that a Mobile Device does not meet the security and recordkeeping requirements of the Firm or which the Firm has otherwise decided not to support, the Privacy Officer shall discuss a feasible alternative device with applicable personnel.

2. Enrollment / Reporting of Mobile Devices Used for Business Purposes

At the start of employment and upon adding, removing, or changing a Mobile Device, employees are required to notify the Privacy Officer of the Mobile Device change. The Privacy Officer maintains an inventory of all mobile devices that are or, in the past, have been, registered.

The Firm uses ActiveSync to centrally administer all registered mobile devices. ActiveSync provides a layer of protection to the Mobile Devices through mandated security profiles, including authentication requirements, location tracking, remote lock/wipe capabilities, which can be pushed onto the Mobile Devices.

The Privacy Officer or an appropriate delegate is responsible for enrolling Mobile Devices and making any configuration changes in the MDM system.

The Privacy Officer shall maintain a log of the Mobile Devices used by employees using the log in Appendix A.

3. Configuring Approved Access to Corporate Resources

Employees are prohibited from configuring Mobile Device access to the Firm’s e-mail on their own. The Privacy Officer or an appropriate delegate shall be responsible for authorizing and granting employees access to the Firm’s computer network and electronic resources.

4. Securing the Mobile Device

Employees must take steps to secure their Mobile Devices. Employees are required to restrict access to their Mobile Device by including one of the following:

a. A numerical PIN of no less than 4 digits,

b. An alphanumerical passcode of no less than 8 characters, or

c. A biometric access restriction (e.g. fingerprint scan).


5. App Policy

In order to protect the confidentiality of the data of the Firm and its clients, the Firm prohibits employees from using public cloud-based file sharing or file collaboration applications (“apps”) on their Mobile Device for any business purposes.

From time to time, the Privacy Officer may make approved Firm or third party mobile applications available for employees to install on their Mobile Device. The Firm prohibits the use of such mobile applications as Dropbox on Mobile Devices for storage or transference of any company information or customer records.

Employees are prohibited from using any app for business purposes that has not been pre-approved by the Privacy Officer.

The Firm prohibits the use of Mobile Device features for business purposes which are not subject to surveillance or archival. These features include, but are not limited to, instant messaging, SMS/MMS or other mobile to mobile messaging.

6. Monitoring

The Privacy Officer and/or the Chief Compliance Officer may perform a spot-check of an employee’s authorized and enrolled mobile device at any time to review whether the device is in compliance with the Firm’s policy to maintain a PIN or passcode on the device. Any employee with a registered device that is not in compliance with this policy can face disciplinary action.

7. Reporting Lost, Stolen, or Compromised Devices

Employees are required to notify the Privacy Officer, or in the absence of the Privacy Officer, the Chief Compliance Officer, immediately upon becoming aware that a Mobile Device has been lost, stolen, or which otherwise may have been compromised.

Upon being notified of such an event, the Privacy Officer will assess the facts and circumstances and take remedial action as the Privacy Officer deems appropriate. This may include taking steps to mitigate the loss of confidential or sensitive data on such Mobile Device, including but not limited to performing a “remote wipe” of the Mobile Device.

Should the Privacy Officer and/or Chief Compliance Officer determine that a “remote wipe” is necessary, s/he will contact the Firm’s Email Administrator immediately and request the device be wiped.

The Privacy Officer shall maintain a record of the reporting of lost and stolen devices, and a record of any action taken in response.

8. Consent to Mobile Device Wipe Policy

Firm employees who choose to use a Mobile Device for business purposes understand that their personal information stored on the Mobile Device may be irretrievably lost as a result of an onsite or remote wipe.

See Appendices: Mobile Device Attestation

Incident Management & Response Plan

Introduction

Woodstock defines incident management and response as the capability to effectively manage disruptive events related to technology and security, unintentional or targeted, through a defined and consistent number of steps (response) designed to restore services while minimizing impact.


Rule 206(4)-7 under the Advisers Act requires each investment adviser to adopt and implement written policies and procedures reasonably designed to prevent the adviser from violating the Advisers Act. Similar to the regulatory basis for Business Continuity, Woodstock acknowledges the fiduciary responsibility to our clients to maintain policies and procedures to effectively manage technology and security incidents in order to reduce risks related to the inability to perform services due to disruption. Networks, systems, and technology are commonly utilized to maintain books and records which Woodstock has “so as to reasonably safeguard them from loss, alteration, or destruction.” (Advisers Act Rule 204-2(g)) In addition, regulatory agencies have emphasized the importance of cybersecurity in an environment where IT security incidents and target breach have been consistently rising.

While our policy and procedures are designed to create a framework for managing incidents, our Firm’s approach to identifying and managing incidents remains flexible as the threat landscape is constantly changing and we must decide, in the context of our process, which incidents should be escalated and how they should be categorized. Please note that our Firm utilizes this Incident Management and Response Program in conjunction with both our Business Continuity Plan for managing disruption and for categorizing and responding to perceived Red Flags of identity theft with respect to requirements of Regulation S-ID, Identity Theft.

Responsibility

Incident Management Team

Our Incident Management Team (“IMT”) is designed to most foster awareness from an Enterprise Risk Management standpoint and also across critical functional units and stakeholders in our business. The primary goals of the IMT are to assess the current threat landscape, manage the Incident Response Program including the review and updating of the Program on a periodic basis, and work together to manage incidents. We view the Incident Management and Response Program and the IMT as important links in our Firm’s culture of security.

The IMT consists of the following individuals:

• Elena Gillespie, Chief Compliance Officer

• Dave Levesque, Privacy Officer

• Jerry Kelliher, IT Consultant

Individuals participating on this committee may be adjusted based upon the priority and scope of any given incident as determined by the Incident Management Team.

Procedure

If unexplained or suspicious activity involving the firm’s information technology resources or data is detected, the IMT shall be immediately notified.

Upon such activity being identified, reported, and escalated within our business, a determination is made by IMT members whether or not this activity is:

1. Valid (in such case, monitoring will take place to confirm a “false positive” or good intent report on the part of an employee); or

2. Invalid activity (in the event of such determination, the IMT may elect to isolate and continue to monitor such activity).

If physical security, network, systems, or data breach is suspected or confirmed, declaration and implementation of the Incident Management and Response Plan, beginning at Step number 2, will take place.

Incident Management and Response Plan

The IMT shall be responsible for:

1. Assessment and Planning:


• Conducting research and development and assessing the Threat Landscape;

• Creating procedures and building response capability through tools and resources; and

• Communicating the plan through awareness and reporting/escalation training.

2. Detection, Triage and Containment

• To the extent feasible, attempting to detect and confirm the incident type, associated risk impact (low, medium, high), and risk response priority level (low, medium, high);

• Initiating IMT communication and notification (should a BCP disruption be declared); and

• Isolating the area, network/system to prevent further propagation of the threat and to enable forensic analysis, if necessary.

3. Analysis, Tracking, and Recovery

• Analyzing and identifying the source of the incident, as feasible;

• Determining necessity for Compliance, Legal, and/or external Agency, consultant intervention/reporting (evidence handling);

• Determining the necessity for client or investor notification; and

• Executing a recovery strategy in line with BCP/DRP or as defined by the IMT on a case-by-case basis.

4. Post incident Assessment, Lessons Learned, and Closure

• Documenting a postmortem of all aspects of the incident, from threat detection to reporting through plan implementation and evaluation of execution;

• Assessing how to prevent similar, future incidents, including additions and enhancements to employee training, testing and revisions to the Program, and assessing whether any perceived weaknesses in the firm’s detection or response can be used to enhance the Incident Management and Response Plan on a prospective basis; and

• Documenting the nature of the incident, including whether or not it constituted an ID Theft Red Flag or ID Theft incident.

V. Marketing

Advertising

Introduction

Woodstock uses various advertising and marketing materials to obtain new advisory clients and to maintain existing client relationships. Woodstock's policy requires that any advertising and marketing materials must be truthful and accurate, consistent with applicable rules, and reviewed and approved by a designated officer. Woodstock's policy prohibits any advertising or marketing materials that may be misleading, fraudulent, deceptive and/or manipulative. Our policy also prohibits the use of testimonials.

Woodstock's policies and procedures governing the use of social media for business purposes incorporate these same prohibitions. Our firm's comprehensive Email and Other Electronic Communications policy and procedures, incorporating policies and procedures pertaining to Social Media, are separately set forth in this manual.

Background

An advertisement is generally defined as any written communication, which includes websites and e-mails, directed to more than one person concerning advice or recommendations about the purchase or sale of securities or any other advisory service.

The SEC anti-fraud rules under the Advisers Act prohibit advisers from engaging in advertising practices which are fraudulent, deceptive, or manipulative activities. The manner in which investment advisers portray themselves, services and their investment returns to existing and prospective clients is highly regulated. SEC no-action letters also provide guidelines and prohibitions relating to an adviser's advertising and marketing practices.

Pursuant to the SEC's exam sweep focused on investment advisers' use of social media, the Commission issued a National Examination Risk Alert in January 2012, which identified various factors an adviser should consider in evaluating its policies and procedures governing the use of social media, noting that such practices must comply with various provisions of federal securities laws, including, but not limited to, the antifraud, compliance and recordkeeping provisions.

Woodstock typically uses a number of marketing materials including a firm website (woodstockcorp.com), a firm brochure, a quarterly newsletter, and prospective client presentation material to market its advising services.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for implementing and monitoring our policy, and for reviewing and approving any advertising and marketing to ensure any materials are consistent with our policy and regulatory requirements. Woodstock's Marketing Manager is responsible for maintaining, as part of Woodstock's books and records, copies of all advertising and marketing materials with a record of reviews and approvals in accordance with applicable recordkeeping requirements.

Procedure

Woodstock has adopted procedures to implement the firm’s policy and reviews to monitor and ensure the firm’s policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ All advertisements and promotional materials must be reviewed and approved prior to use by Woodstock's President or Compliance Officer.

◦ Woodstock's President or Compliance Officer must also review other written communications prepared for existing clients or prospective clients including any quarterly letters.

◦ The initialing and dating of the advertising and marketing materials will document approval. However, use of the firm's standard compliance approval sticker is recommended.

◦ Each employee is responsible for ensuring that only approved materials are used and that approved materials are not modified without the express written approval of Woodstock's President or Compliance Officer.

◦ Woodstock's President or Compliance Officer must also review advertising material prepared for existing clients or prospective clients including any quarterly letters.

◦ Woodstock's Marketing Manager is responsible for maintaining copies of any advertising and marketing materials, including any reviews and approvals, for a total period of five years following the last time any material is disseminated.

◦ Our firm's policies and procedures regarding the use of social media are consistent with our policies governing advertising and marketing, i.e., prohibiting any communications that may be misleading, fraudulent, deceptive and/or manipulative, or could be construed as a testimonial of our firm or our related persons.

Performance

Introduction

Woodstock, as a matter of policy and practice, does prepare and distribute various performance information relating to the investment performance of the firm and advisory clients. Performance information is treated as advertising / marketing materials and designed to obtain new advisory clients and to maintain existing client relationships. Woodstock's policy requires that any performance information and materials must be truthful and accurate, and prepared and presented in a manner consistent with applicable rules and regulatory guidelines and reviewed and approved by a designated officer.

Woodstock's policy prohibits any performance information or materials that may be misleading, fraudulent, deceptive and/or manipulative.

Woodstock Corporation claims compliance with the Global Investment Performance Standards (GIPS®). Please see Woodstock Corporation's current Performance Standards & Procedures Compliance Manual for more information.

Background

An investment adviser's performance information is included as part of a firm's advertising practices which are regulated by the SEC under Section 206 of the Advisers Act, which prohibits advisers from engaging in fraudulent, deceptive, or manipulative activities. The manner in which investment advisers portray themselves and their investment returns to existing and prospective clients is highly regulated. These standards include how performance is presented. SEC Rule 206(4)-1 proscribes various advertising practices of investment advisers as fraudulent, deceptive or manipulative and various SEC no-action letters provide guidelines for performance information.

Responsibility

The Operations Supervisor has the responsibility for implementing and monitoring our policy for the preparation, presentation, review and approval of any performance information to ensure any materials are consistent with our policy and regulatory requirements. This designated person is also responsible for maintaining, as part of Woodstock's books and records, copies of all performance materials, including the supporting records to demonstrate the calculation of any performance information for the entire performance information period consistent with applicable recordkeeping requirements, as well as records of reviews and approvals.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ all performance information and materials must be reviewed and approved prior to use by a designated officer, the President or another officer of the firm (other than the individual who prepared such material), who is familiar with applicable rules and standards for performance advertising;

◦ the initialing and dating of the performance materials will document approval;

◦ each employee is responsible for ensuring that only approved materials are used, and that approved materials are not modified without the express written authorization of the designated officer;

◦ the designated officer will conduct semi-annual reviews of materials containing performance reports to ensure that only approved materials are distributed; and

◦ the designated officer is responsible for maintaining copies of any performance materials and supporting documentation for the calculation of performance materials.

Also see Woodstock's GIPS Policies and Procedures, Appendix X

Solicitor Arrangements

Introduction

Woodstock, as a matter of policy and practice, may compensate persons, i.e., individuals or entities, for the referral of clients to the firm provided appropriate disclosures and regulatory requirements are met.

Background

Registered investment advisers may pay cash compensation to others to seek out new clients on their behalf, commonly called “solicitors” or “finders,” if they meet certain conditions (under Rule 206(4)-3 of the Advisers Act):

• The solicitor is not subject to certain disciplinary actions.

• The fee is paid pursuant to a written agreement to which the firm is a party and (with limited exceptions) the agreement must: describe the solicitor’s activities and compensation arrangement; require that the solicitor perform the duties assigned in compliance with the Advisers Act; require the solicitor to provide clients with a current copy of the Adviser’s disclosure document; and, if seeking clients for personalized advisory services, require the solicitor to provide clients with a separate written disclosure document containing specific information.

• Adviser receives from the solicited client, prior to or at the time of entering into an agreement, a signed and dated notice confirming that he/she was provided with the disclosure document and, if required, the solicitor’s disclosure document.

• The firm has a reasonable basis for believing that the solicitor has complied with the terms of the agreement.

Responsibility

The CCO has the responsibility for the implementation and monitoring of our solicitation policy, practices, disclosures and recordkeeping.

Procedure

The CCO must review and approve any and all new solicitor arrangements. No employee or associated person may enter into an agreement with a solicitor on an oral or written basis without such approval. The CCO shall ensure the proposed solicitor meets appropriate registration requirements, as appropriate, on a case-by-case basis. The CCO reviews and approves any solicitor arrangements including approval of the particular solicitor's agreement(s), reviews of the solicitors' business background (including regulatory filings regarding possible disciplinary history), compensation arrangements, and related matters.

If Woodstock engages any solicitors, the CCO will ensure that a financial record of cash payments to solicitors is maintained and will ensure that Form ADV and other client disclosures regarding solicitors are consistent with actual practices.

Woodstock’s CCO periodically monitors the firm's solicitor arrangements to note any new or terminated relationships, makes sure appropriate records are maintained and solicitor fees paid, and ensures Form ADV disclosures are current and accurate. On an annual basis, the CCO will complete an annual review of all solicitor relationships.

Compliance Point

Under many state regulations, solicitors are required to be registered investment advisers.

Communications With the Press and Public

It is the policy of Woodstock that the CCO must (i) receive all requests for information about Woodstock from the press or members of the public; (ii) approve all requests for speaking engagements by Employees; and (iii) review all information about Woodstock that is or could be provided to the press or members of the public generally. As such, all employees are required to contact the CCO prior to responding to any public inquiries to ensure that all applicable requirements are met. Any material to be utilized in contacts with the public must also be pre-approved prior to use by the CCO, whose signature or initials on the applicable material will document approval.

VI. Client Account Maintenance

Establishing New Client Relationships

Introduction

The U.S. Securities and Exchange Commission regulates and reviews communications with prospective clients, existing clients, and the public generally. The fiduciary standards set forth in the previous section should generally be considered in conjunction with any communications by Woodstock, its senior management, employees and all Supervised Persons.

The SEC further sets forth certain required disclosures and information that must be provided to new and existing clients. These requirements mandate the delivery of various documents to clients and outline the required content of such documents. Many of these content requirements are too detailed to specifically include in full as part of this Policies and Procedures Manual.

The CCO is responsible for assisting all supervised persons of Woodstock with knowing and understanding the rules and regulations associated with establishing and maintaining client relationships. Each Supervised Person must communicate and review with compliance personnel any third party communications if, after reviewing the following materials in the Manual, the Supervised Person has questions about acceptable content or means of delivery.

Background

Based on the Regulatory Requirements described in these Policies and Procedures, the following practices shall be implemented for each new client relationship.

Procedures and Practices

Delivery of Form ADV

A representative of Woodstock will provide a copy of the firm’s current Form ADV, Part 2 Disclosure Document (including all Part 2B Supplements for advisory personnel of the firm) to each prospective client either at the time of entering into an advisory agreement with a client or at some earlier time.

Delivery of Privacy Notice

No later than the time a new client agreement is executed, a representative will deliver a copy of the firm’s Privacy Notice.

Delivery of GIPS Presentation

Confirm client received a GIPS compliant presentation as a prospective client.

Review of Client Contract and Related Documents

A written Investment Advisory Agreement (“IAA”), a contract for advisory services, is provided to all new client relationships. The IAA allows the firm to delegate discretion to Independent Managers. Upon receipt of the Agreement, an authorized Investment Adviser Representative of Woodstock shall sign and execute the IAA and place a copy of the signed Agreement in the client's file (maintained in a central location known to all). If any changes have been made to the Agreement, including the fee schedule, an account change form is required. A signed copy of the Agreement shall also be provided to the client after its execution. All completed IAA’s will be scanned and saved electronically. This allows for a convenient back-up storage of the advisory agreements. Any amended IAA’s and account change forms will also be scanned and saved electronically.

Performance of Anti-Money Laundering Review

Before the firm begins managing a new client account, the portfolio administrator or other designated individual, will review the Department of Treasury Office of Foreign Assets Control’s list of Specially Designated Nationals and Blocked Persons to ensure that the client is not included on the list. The portfolio administrator or designated individual will document this review. (See AML Section.)

Preparation of an IPS

At the outset of the investment advisory relationship, the Investment Adviser Representative for the client account will collect background information about the client’s financial circumstances, investment guidelines and objectives, investment restrictions, and risk profile, among other things, through an interview and information gathering process. The Investment Adviser Representative will then complete an Investment Policy Statement.

Review of Firm Registration/Notice Filing Status

Before the firm begins managing a new client account, the CCO will determine the domicile of the new client. If the client is domiciled in the USA, the CCO will review the firm’s current notice filing status in the client’s state or territory and complete any necessary notice filings. If the client is domiciled outside of the USA, the CCO, with the assistance of an outside regulatory consultant will review the regulatory requirements of the client’s home jurisdiction and complete any registration or filing that is necessary in connection with the firm’s provision of services to the client.

Establishment of ERISA Bond

Before the firm begins managing a new client account, the CCO will determine whether the client is an employee benefit plan subject to the Employee Retirement Income Security Act of 1974 (“ERISA”). If the client is subject to ERISA and the firm is required by the client to acquire the ERISA fiduciary bond, the CCO will coordinate with senior management with all of the necessary information to complete the bond application. The CCO will follow up to ensure that the bond is established promptly and will maintain a record of this confirmation.

Anti-Money Laundering

Introduction

It is the policy of the firm to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities.

Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the unlawful proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the "placement" stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses. Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal the origin or intended use of the funds, which will later be used for criminal purposes.

Background

Title 3 of the Patriot Act and the Bank Secrecy Act of 1970 are the primary sources of AML regulation. In addition, the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) collects information relating to potential money laundering abuses, analyzes the information and disseminates news to the financial community to help stop money laundering from occurring.

Although the Investment Adviser’s Act of 1940 does not technically require investment advisers to establish an AML program, U.S. Treasury Rules proposed in 2003 would require that investment advisers adopt procedures requiring the following:

• A system of internal controls to ensure continuing requirements with AML regulation;

• Independent annual testing of AML compliance;

• Daily coordination of AML compliance by a designated person;

• Training for appropriate personnel; and

• A summary disclosure document provided to clients at account opening regarding the firm’s AML and Customer Identification Programs.

While these rules have not been adopted, they provide guidance for AML procedures. SEC and SRO regulations, Treasury rules and OFAC lists and requirements provide further guidance to AML program development.

Responsibility

Woodstock has designated Walter Zagieboylo as Woodstock’s AML Compliance Officer. In this capacity, the AML Compliance Officer is responsible for coordinating and monitoring the firm’s AML program as well as maintaining the firm’s compliance with applicable AML rules and regulations. The AML Compliance Officer will review any reports of suspicious activity which have been observed and reported by employees.

Procedure

Woodstock has adopted procedures to implement the firm’s policy and reviews to monitor and ensure the firm’s policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

Client Identification Procedures

As part of Woodstock's AML program, the firm has established procedures to ensure that all clients’ identities have been verified before an account is opened.

Before opening an account for an individual client, Woodstock will require satisfactory documentary evidence of a client’s name, address, date of birth, social security number or, if applicable, tax identification number. Documents to be reviewed may include driver's license, passport, registration card, etc. Before opening an account for a corporation or other legal entity, Woodstock will require satisfactory evidence of the entity’s name, address and that the acting principal has been duly authorized to open the account. Documents to be reviewed may include articles of organization, partnership agreement, trust agreement, business license, etc. The firm will retain records of all documentation that has been relied upon for client identification for a period of five years.

Prohibited Clients

Woodstock will not open accounts or accept funds or securities from, or on behalf of, any person or entity whose name appears on the List of Specially Designated Nationals and Blocked Persons maintained by the U.S. Office of Foreign Assets Control, from any Foreign Shell Bank or from any other prohibited persons or entities as may be mandated by applicable law or regulation.

Woodstock will also not accept high-risk clients (with respect to money laundering or terrorist financing) without conducting enhanced, well-documented due diligence regarding such prospective client.

Red Flags

Red flags that signal possible money laundering or terrorist financing include, but are not limited to:

• The customer exhibits unusual concern about the firm's compliance with government reporting requirements and the firm's AML policies (particularly concerning his or her identity, type of business and assets), or is reluctant or refuses to reveal any information concerning business activities, or furnishes unusual or suspicious identification or business documents.

• The customer wishes to engage in transactions that lack business sense or apparent investment strategy, or are inconsistent with the customer's stated business or investment strategy.

• The information provided by the customer that identifies a legitimate source for funds is false, misleading, or substantially incorrect.

• Upon request, the customer refuses to identify or fails to indicate any legitimate source for his or her funds and other assets.

• The customer (or a person publicly associated with the customer) has a questionable background or is the subject of news reports indicating possible criminal, civil, or regulatory violations.

• The customer exhibits a lack of concern regarding risks, commissions, or other transaction costs.

• The customer appears to be acting as an agent for an undisclosed principal, but declines or is reluctant, without legitimate commercial reasons, to provide information or is otherwise evasive regarding that person or entity.

• The customer has difficulty describing the nature of his or her business or lacks general knowledge of his or her industry.

• The customer attempts to make frequent or large deposits of currency, insists on dealing only in cash, or asks for exemptions from the firm's policies relating to the deposit of cash.

• The customer engages in transactions involving cash or cash equivalents or other monetary instruments that appear to be structured to avoid the $10,000 government reporting requirements, especially if the cash or monetary instruments are in an amount just below reporting or recording thresholds.

• For no apparent reason, the customer has multiple accounts under a single name or multiple names, with a large number of inter-account or third-party transfers.

• The customer is from, or has accounts in, a country identified as a non-cooperative country or territory by the FATF.

• The customer's account has unexplained or sudden extensive wire activity, especially in accounts that had little or no previous activity.

• The customer’s account shows numerous currency or cashier’s check transactions aggregating to significant sums.

• The customer's account has a large number of wire transfers to unrelated third parties inconsistent with the customer's legitimate business purpose.

• The customer's account has wire transfers that have no apparent business purpose to or from a country identified as a money laundering risk or a bank secrecy haven.

• The customer's account indicates large or frequent wire transfers, immediately withdrawn by check or debit card without any apparent business purpose.

• The customer makes a funds deposit followed by an immediate request that the money be wired out or transferred to a third party, or to another firm, without any apparent business purpose.

• The customer makes a funds deposit for the purpose of purchasing a long-term investment followed shortly thereafter by a request to liquidate the position and transfer of the proceeds out of the account.

• The customer engages in excessive journal entries between unrelated accounts without any apparent business purpose.

• The customer requests that a transaction be processed to avoid the firm's normal documentation requirements.

• The customer, for no apparent reason or in conjunction with other red flags, engages in transactions involving certain types of securities, such as penny stocks, Regulation S stocks, and bearer bonds, which although legitimate, have been used in connection with fraudulent schemes and money laundering activity. (Such transactions may warrant further due diligence to ensure the legitimacy of the customer's activity.)

• The customer's account shows an unexplained high level of account activity with very low levels of securities transactions.

• The customer maintains multiple accounts, or maintains accounts in the names of family members or corporate entities, for no apparent purpose.

• The customer's account has inflows of funds or other assets well beyond the known income or resources of the customer.

Responding to Red Flags and Suspicious Activity

When a member of the firm detects any red flag, he or she will investigate further under the direction of the AML Compliance Officer. This may include gathering additional information internally or from third-party sources, contacting the government, freezing the account, or filing a Form SAR-SF.

Annual Training

Woodstock expects all Supervised Persons to maintain the integrity and professionalism of the firm and to be diligent in protecting Woodstock against illegal activity, including money laundering.

The AML Compliance Officer will conduct annual employee training programs for appropriate personnel regarding the AML program in order to refresh Supervised Persons' understanding of money laundering, as well as to familiarize Supervised Persons with new, unusual or suspicious transactions or other recent developments in money laundering prevention. Such training programs will review applicable laws, regulations and recent trends in money laundering and their relation to Woodstock’s business. Attendance at these programs is mandatory for appropriate personnel, and session and attendance records will be retained for a five (5) year period.

Annual Review

The Annual Review, as part of the SEC’s Compliance Program Rule, will include a review of the firm’s AML Procedures and Practices. The annual review will evaluate Woodstock’s AML program for compliance with current AML laws and regulations.

Compliance Guidance

When conducting due diligence or opening an account, Woodstock will immediately call Federal law enforcement when necessary, and especially in these emergencies: a legal or beneficial account holder or person with whom the account holder is engaged in a transaction is listed on or located in a country or region listed on the OFAC list, an account is held by an entity that is owned or controlled by a person or entity listed on the OFAC list, a customer tries to use bribery, coercion, or similar means to open an account or carry out a suspicious activity, the firm has reason to believe the customer is trying to move illicit cash out of the government’s reach, or there is reason to believe the customer is about to use the funds to further an act of terrorism. Woodstock will first call the OFAC Hotline at 1-800-540-6322. The other contact numbers to be used are: Financial Institutions Hotline (1-866-556-3974), local U.S. Attorney’s Office (617) 748-3100, local FBI Office (857) 386-2000, and local SEC Office (617) 573-8900.

Custody

Introduction

Woodstock does maintain “custody” of client funds and securities, as the term “custody” is defined by the SEC. However, as a matter of policy and practice, Woodstock and its employees are prohibited from actually taking possession of any cash or security from a client. As an adviser with custody, Woodstock’s general policy is to ensure that client funds and securities are maintained with "qualified custodians," which provide at least quarterly account statements directly to clients or a selected "independent representative" of the client.

Background

Rule 206(4)-2 of the Investment Advisers Act of 1940 defines custody as holding, directly or indirectly, client funds or securities, or having any authority to obtain possession of them. Custody includes: (i) Possession of client funds or securities (but not checks drawn by clients and made payable to third parties), unless received inadvertently and returned promptly to the sender in any case within three (3) business days of receiving them; (ii) Any arrangement (including a general power of attorney) under which Woodstock is authorized or permitted to withdraw client funds or securities maintained with a custodian upon instruction to the custodian; and (iii) Any capacity (such as general partner of a limited partnership, managing member of a limited liability company or a comparable position for another type of pooled investment vehicle, or trustee of a trust) that gives Woodstock or its supervised person legal ownership of or access to client funds or securities. The Custody Rule requires advisers to maintain client funds and securities with "qualified custodians," which include banks, registered broker-dealers, and certain foreign custodians. Clients must receive account statements on a quarterly basis directly from their custodians. Advisers who maintain actual custody of private securities must undergo a surprise annual inspection by a PCAOB independent accounting firm who must complete an independent control report (except advisers to limited partnerships who have annual surprise examinations by PCAOB firms are not required to undergo the additional surprise exam of self-custodied private securities). Advisers with custody because of authority over client accounts such as trustee, check writing or general powers of attorney (not including the debiting of fees) must contract with an independent accountant (CPA) for a surprise examination of the advisory accounts involving the client relationship.

An adviser is deemed to have custody when its affiliate has custody unless the adviser and affiliate are “operationally independent”—a presumption that will be hard to overcome. Written agreements with an independent accountant must provide for the first examination to occur within six months of becoming subject to the paragraph above, except that, if you maintain client funds or securities pursuant to this section as a qualified custodian, the agreement must provide for the first examination to occur no later than six months after obtaining the internal control report. The written agreement must require the accountant to: (i) File a certificate on Form ADV-E (17 CFR 279.8) with the Commission within 120 days of the time chosen by the accountant in paragraph (a)(4) of this section, stating that it has examined the funds and securities and describing the nature and extent of the examination; (ii) Upon finding any material discrepancies during the course of the examination, notify the Commission within one business day of the finding, by means of a facsimile transmission or electronic mail, followed by first class mail, directed to the attention of the Director of the Office of Compliance Inspections and Examinations; and (iii) Upon resignation or dismissal from, or other termination of, the engagement, or upon removing itself or being removed from consideration for being reappointed, file within four business days Form ADV-E accompanied by a statement that includes: (A) The date of such resignation, dismissal, removal, or other termination, and the name, address, and contact information of the accountant; and (B) An explanation of any problems relating to examination scope or procedure that contributed to such resignation, dismissal, removal, or other termination.

Responsibility

The CCO has the responsibility for policies and practices related to the SEC Custody Rule.

Procedure

Woodstock has adopted various procedures to implement the firm's policy, conducts reviews to monitor and ensure the firm's policy is observed, properly implemented and amended or updated, as appropriate. As an advisory firm with custody, Woodstock's procedures include the following practices:

• Securities and funds of clients must be maintained with a "qualified custodian." Broker dealers and banks, along with mutual fund transfer agents, are qualified custodians. (Woodstock clients are generally custodied with Fidelity.)

• No Supervised Person of the firm shall accept possession of any certificated security, cash or any cash equivalent from a client. If a Supervised Person inadvertently receives any of the above-described assets, the asset should be reported to the CCO who will keep a log of such asset(s) and return the asset(s) directly to the client.

• Checks made payable to third party custodians for deposit in a client account may be accepted, and Supervised Persons are responsible for forwarding such deposits to account custodians as soon as possible. A record of such receipt and copy of the check shall be documented in the client file, or a separate sub-file.

• No employee or Supervised Person of Woodstock shall knowingly accept actual possession of any client funds or securities. Supervised Persons receiving a request from a client to deposit a stock certificate or other redeemable asset, including a check payable to Woodstock (other than for fees or monies client owes to the firm), with a qualified custodian may assist the client to complete necessary forms and/or mailings, but shall not take actual possession of the funds or securities (i.e., client must actually deliver or mail the assets to the qualified custodian). Any record of such receipt and subsequent return to client shall be documented in the client file, or a separate sub-file. If Woodstock inadvertently receives from a client any funds or securities, these assets shall be returned to the client as soon as reasonably possible, i.e., within three business days of receipt (the assets are not to be forwarded to the independent qualified custodian by the firm). Any record of such receipt and subsequent return to client shall be documented in the client file, or a separate sub-file. This prohibition does not include checks made payable to a qualified custodian.

• Supervised Persons are prohibited from accepting any position of custodial authority over client accounts such as trustee without the prior written consent of the Chief Compliance Officer.

• Woodstock will contract with an independent CPA for a surprise examination of the advisory accounts involving Custody and require the independent CPA to file the necessary Form ADV-E with the SEC.

• Woodstock must have a reasonable belief, after “due inquiry,” (i.e. Woodstock has access to duplicate copies of account statements sent by qualified custodians or Woodstock will acquire a list of client mailing addresses used by the independent qualified custodian from the qualified custodian) that the qualified custodian(s) holding client assets provides at least quarterly account statements directly to clients or to an "independent representative" of a client’s choosing that does not have a "control" relationship with Woodstock and has not had a material business relationship within the past two years with Woodstock.

• Because of the possibility of creating a custody issue, no Supervised Person shall come into possession of a client’s user name and password for a client’s outside brokerage or bank account(s) without review, preauthorization and approval of the CCO.

• Any custody problems, issues, concerns or questions should be immediately brought to the attention of the Chief Compliance Officer.

• Woodstock's account statements to clients include notification urging the client to compare the information contained therein with the account statements received directly from the custodian;

• In response to a (Non-Agawam) client's email requesting a transfer or check payable to a third party, Woodstock will contact the client directly to obtain verification of the request prior to effecting such transfer;

• In response to a (Non-Agawam) client's call requesting a transfer or check payable to a third party, Woodstock generally requests that the client provide written confirmation of their request prior to processing such transaction;

• In response to an Agawam client request for a transfer or check payable to a third party, Agawam will initiate transfer or check payable and provide paperwork including trustee signature/approval prior to processing transaction.

• If Woodstock receives inadvertently from a client any funds or securities, these assets shall be returned to the client promptly;

• No employee or supervised person of Woodstock shall knowingly accept actual possession of any client funds or securities. Persons receiving a request from a client to deposit assets with a qualified custodian may assist the client to complete necessary forms and/or mailings, but shall not take physical possession of the funds or securities;

• Woodstock will report, in response to Item 9 of Part 1A of Form ADV, that it has custody of client funds or securities.

• additional books and records are maintained for those clients for which Woodstock maintains custody regarding client transactions, receipts/deliveries of funds and securities, confirmations and positions;

• Woodstock has engaged an independent PCAOB-regulated public accountant to annually conduct a surprise examination to verify client funds and securities and submit the required report via the IARD system.

Furthermore, pursuant to our authority to directly debit advisory fees from client accounts, Woodstock generally will follow additional procedures below:

• conduct review of client fee calculations to verify accuracy;

• segregate duties among those employees responsible for:

◦ processing fees due from clients,

◦ reviewing such invoices/fee listings for accuracy, and

◦ reconciling those fees with deposits of advisory fees by the custodians into our firm's bank account to confirm accurate fee amounts were deducted.

Advisory Agreement

Introduction

Woodstock requires a written investment advisory agreement (“IAA”) for each client relationship which includes a description of services, discretionary authority, advisory fees, important disclosures and other terms of the client relationship. Woodstock’s IAA must meet all appropriate regulatory requirements and the conditions set forth below.

All advisory contracts should include terms related to the following topics, among others:

• Scope of adviser’s authority over client account and limitations on any such authority, including investment restrictions

• Non-assignment clauses

• Standards of care and limitation of liability

• Responsibility for brokerage matters

• Any terms limiting brokerage authority or ability to place trades

• Proxy voting authority

• Fee schedule and billing terms

• Acknowledgement by client of receipt of the firm’s ADV Part 2 and Privacy Notice

• Fees and allocation of charges and expenses (and refunding of fees)

• Notice of assignment term and termination

Background

Contracts with clients must include some specific provisions (which are set forth in Section 205 of the Advisers Act). Advisory contracts (whether oral or written) must convey that the advisory services provided to the client may not be assigned by the adviser to any other person without the prior consent of the client. An assignment may occur if a controlling share of the investment adviser’s ownership is sold or transferred.

With limited exceptions, contracts cannot include provisions providing for compensation to be based on the performance of the client’s account. Performance-based fees, pursuant to Rule 205-3 of the Advisers Act, may only be charged to qualified clients as that term is defined in the Rule.

In addition, the SEC staff has stated that an adviser should not enter into contracts with clients that contain terms or clauses commonly referred to as a “hedge clause” because such clauses or provisions are likely to lead clients to believe falsely that they have waived their rights of legal action, whether under the federal securities laws or common law. The SEC has held for many years that so-called “hedge clauses,” defined generally as contract terms that would lead a person to believe they have waived certain legal rights against a fiduciary, are prohibited and a breach of an adviser’s fiduciary duty. (See Section 215 of the Investment Advisers Act.)

Responsibility

• Senior Management has the responsibility, with the guidance of the CCO, for approving all investment advisory agreements prior to use.

• Any Supervised Person receiving client instructions related to the management of the client’s account must document such instructions and communicate modifications to the CCO.

Procedure

• A written IAA, a contract for advisory services, is provided to all new client relationships.

• Upon receipt of the IAA, an authorized Investment Adviser Representative of adviser shall sign and execute the IAA and place a copy of the signed Agreement in the client's file (maintained in a central location known to all).

• If any changes have been made to the IAA, including the fee schedule, an Account Change Form must be completed.

• A signed copy of the IAA shall also be provided to the client after its execution.

• All completed IAAs will be scanned and saved electronically. This allows for convenient back-up storage of the advisory agreements.

• Any amended IAAs will also be scanned and saved electronically.

• Woodstock's standard advisory agreement and fee schedule are used unless otherwise approved by the President.

• The fee schedules are periodically reviewed by Woodstock to be fair, current and competitive.

• The Compliance Officer periodically reviews the firm’s disclosure brochure, marketing materials, advisory agreements and other material for accuracy and consistency of disclosures regarding advisory services and fees.

• Client investment objectives or guidelines are obtained, or recommended as part of a client's advisory agreement.

• Client investment objectives or guidelines are monitored on an on-going and also periodic basis for consistency with client investments/portfolios.

• New client relationships must be reviewed by the Chief Compliance Officer to ensure that any required filings are made.

• New advisory contracts are reviewed by the Chief Compliance Officer prior to managing a new client account.

• Any additional compensation arrangements are to be monitored by the President and Chief Compliance Officer, approved and disclosed with appropriate records maintained.

• Any solicitation/referral arrangements and solicitor/referral fees must be in writing, reviewed and approved by Woodstock Corporation's President, meet regulatory requirements and appropriate records maintained.

• Performance-based fee arrangements are appropriately disclosed, reviewed and approved by the President.

Compliance Guidance

1. Non-assignment clauses should be standard terms of any client agreement, and have the effect of requiring client consent to extend a contract if a significant change in ownership occurred (typically greater than 25%).

2. Investment restrictions, including limitations on portfolio management and non-standard brokerage arrangements can be difficult to implement operationally, and therefore, such contract terms must be carefully reviewed and considered before entering into client engagements.

3. As stated in Form ADV Part 2, standard fee schedules exist for client account services; however, fees and billing arrangements are negotiable under certain circumstances.

Disclosure Brochures

Introduction

Woodstock, as a matter of policy, complies with relevant regulatory requirements and maintains required disclosure brochures on a current and accurate basis. Our firm's Form ADV Part 2 provides information about the firm's advisory services, business practices, professionals, policies and any actual and potential conflicts of interest, among other things.

Background

In July 2010, the SEC unanimously approved and adopted Amendments to Form ADV (Release No. IA-3060, File No. S7-10-00, publicly available 07/28/2010), significantly changing the form and content of disclosures that registered investment advisers are generally required to provide to clients and prospective clients. The new Part 2 is comprised of three parts:

◦ Part 2A, Firm Brochure;

◦ Part 2A Appendix 1, Wrap Fee Program Brochure (only required to be filed by investment advisers who sponsor wrap programs; refer to the section below for more detailed information); and

◦ Part 2B, Brochure Supplement.

An adviser's Form ADV Part 2 is a narrative disclosure document, written in plain English. Investment advisers are required to respond to each of the required items in a consistent, uniform manner that will facilitate clients' and potential clients' ability to evaluate and compare firms. Each brochure must follow the prescribed format, including a table of contents that lists the eighteen separate items for SEC-registered advisers (nineteen for state-registered advisers), using the headings provided in the current 'form'. All advisers are required to respond to each item, even if it is inapplicable to the adviser's business; however, if required disclosure is provided elsewhere in the brochure, the adviser can direct the reader to that item rather than duplicate disclosure.

As a registered investment adviser, Woodstock has a duty to comply with the disclosure brochure delivery requirements of Rule 204-3 under the Advisers Act, or similar state regulations.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for maintaining Woodstock's required Brochures on a current and accurate basis, making appropriate amendments and filings, ensuring initial delivery of the applicable Brochure(s) to new clients, annual delivery of the Brochures or a Summary of Material Changes, and maintaining all appropriate files.

Procedure

Woodstock has adopted various procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's disclosure policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

1. Initial Delivery

◦ a representative of Woodstock will provide a copy of the Firm Brochure to each prospective client either prior to or at the time of entering into an advisory agreement with a client;

◦ deliver to each client or prospective client a current Brochure Supplement for a supervised person before or at the time that supervised person begins to provide advisory services to the client; and

◦ the Compliance Officer will maintain dated copies of all Woodstock's Brochure(s) so as to be able to identify which Brochures were in use at any time.

2. Annual Delivery

◦ deliver to each client, annually within 120 days of the firm's fiscal year end and without charge, if there are material changes since the firm's last Annual Updating Amendment ("AUA"), either (i) a current copy of the Firm Brochure (and/or Wrap Fee Program Brochure, if applicable), or (ii) a summary of material changes and an offer to provide clients with a copy of the firm's current Brochure(s) without charge. The summary of material changes will include, as applicable, contact information by which a client may request a copy of the Brochure(s):

3. Review and Amendment

◦ the designated officer will annually review the firm's required Brochure(s) to ensure they are maintained on a current and accurate basis, and properly reflect and are consistent with the firm's current services, business practices, fees, investment professionals, affiliations and conflicts of interest, among other things;

◦ when changes or updates to the Brochure(s) are necessary or appropriate, the designated officer will make any and all amendments timely and promptly, deliver either the revised Brochure(s) or a summary of material changes to clients, and maintain records of the amended filings and subsequent delivery to clients as required; and

◦ if the amendment adds disclosure of an event, or materially revises information already disclosed, in response to Item 9 of Part 2A or Item 3 of Part 2B (Disciplinary Information), respectively, the designated officer will promptly deliver (i) the amended Firm Brochure and/or Brochure Supplement(s), as applicable, along with a statement describing the material facts relating to the change of disciplinary information, or (ii) a statement describing the material facts relating to the change in disciplinary information.

Wrap Fee Advisor

Introduction

Woodstock does not act as an adviser or subadviser in any wrap fee program.

Background

A wrap fee program is defined as any program under which any client is charged a specified fee or fees not based directly upon transactions in a client's account for investment advisory services (which may include portfolio management or advice concerning the selection of other investment advisers) and execution of client transactions.

Wrap fee programs also typically include custody services as part of the all-inclusive services in the program.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for ensuring the firm's policy is followed and that Woodstock does not participate as an adviser/subadviser in any wrap fee programs unless appropriately approved and all regulatory requirements are met.

Procedure

Woodstock has adopted various procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock's designated officer annually monitors the firm's businesses and advisory services, including reviews of the firm's Form ADV and disclosures; and

◦ Woodstock's designated officer also monitors the firm's advisory services to ensure that participation in any wrap fee programs as an adviser/subadviser would only be allowed after appropriate management approvals, disclosures and meeting regulatory requirements.

Wrap Fee Sponsor

Introduction

Woodstock, as a matter of policy and practice, does not sponsor any wrap fee program.

Background

A wrap fee program is defined as any program under which any client is charged a specified fee or fees not based directly upon transactions in a client's account for investment advisory services (which may include portfolio management or advice concerning the selection of other investment advisers) and execution of client transactions.

Wrap fee programs also typically include custody services as part of the all-inclusive services in the program.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our wrap fee policy that the firm prohibits sponsoring any wrap fee programs unless appropriately approved and all regulatory requirements are met.

Procedure

Woodstock has adopted various procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock's designated officer monitors the firm's businesses and advisory services, including semi-annual reviews of the firm's Form ADV and disclosures to prohibit any arrangements for sponsoring any wrap fee program; and

◦ Woodstock's designated officer also monitors the firm's advisory services to ensure that any arrangements to sponsor any wrap fee program would only be allowed after appropriate management approvals, disclosures and meeting regulatory requirements.

VII. Managing Client Accounts

Investment Processes

Introduction

As a registered adviser, and as a fiduciary to our advisory clients, Woodstock is required, and as a matter of policy, to obtain background information as to each client's financial circumstances, investment objectives, investment restrictions and risk tolerance, among many other things, and provides its advisory services consistent with the client's objectives, etc., based on the information provided by each client.

Background

The U.S. Supreme Court has held that Section 206 (Prohibited Activities) of the Investment Advisers Act imposes a fiduciary duty on investment advisers by operation of law (SEC v. Capital Gains Research Bureau, Inc., 1963).

Also, the SEC has indicated that an adviser has a duty, among other things, to ensure that its investment advice is suitable to the client's objectives, needs and circumstances (SEC No-Action Letter, In re John G. Kinnard and Co., publicly available 11/30/1973).

Every fiduciary has the duty and a responsibility to act in the utmost good faith and in the best interests of the client and to always place the client's interests first and foremost.

As part of this duty, a fiduciary and an adviser with such duties, must eliminate conflicts of interest, whether actual or potential, or make full and fair disclosure of all material facts of any conflicts so a client, or prospective client, may make an informed decision in each particular circumstance.

Responsibility

The firm's investment professionals responsible for the particular client relationship have the primary responsibility for determining and knowing each client's circumstances and managing the client's portfolio consistent with the client's objectives. Woodstock's President has the overall responsibility for the implementation and monitoring of our investment processes policy, practices, disclosures and recordkeeping for the firm.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock obtains substantial background information about each client's financial circumstances, investment objectives, and risk tolerance, among other things, through an in-depth interview and information gathering process which includes client profile or relationship forms;

◦ advisory clients may also have and provide written investment policy statements or written investment guidelines that the firm reviews, approves, and monitors as part of the firm's investment services, subject to any written revisions or updates received from a client;

◦ Woodstock provides the firm's applicable Form ADV Part 2 to all prospective clients, disclosing the firm's advisory services, fees, conflicts of interest and portfolio/supervisory reviews and investment reports provided by the firm to clients;

◦ Woodstock may provide quarterly reports to advisory clients which include important information about a client's financial situation, portfolio holdings, values and transactions, among other things. The firm may also provide performance information to advisory clients about the client's account performance, which may also include a reference to a relevant market index or benchmark;

◦ investment professionals may also schedule client meetings annually or upon client request, to review a client's portfolio, performance, market conditions, financial circumstances, and investment objectives, among other things; and to confirm the firm's investment decisions and services are consistent with the client's objectives and goals. Documentation of such reviews should be made in the client file; and

◦ client relationships and/or portfolios may be reviewed on a periodic basis by designated supervisors or management personnel.

Valuations of Securities

Introduction

As a registered adviser and as a fiduciary to clients, Woodstock has adopted this policy which requires that all client portfolios and investments reflect current, fair and accurate market valuations. Any pricing errors, adjustments or corrections are to be verified, preferably through independent sources or services, and reviewed and approved by the firm's appropriate person(s). While valuation of securities affects billing and reporting to clients, our policy is based on the overall assessment that we advise clients on the purchase and sale of securities with readily available market values.

Background

As a fiduciary, the firm must always place client interests first and foremost and this includes pricing processes, which ensure fair, accurate and current valuations of client securities of whatever nature. Proper valuations are necessary for accurate performance calculations and fee billing purposes. Because of the many possible investments, various pricing services and sources and diverse characteristics of many investment vehicles, independent sources, periodic reviews and testing, exception reporting, and approvals and documentation or pricing changes may be necessary with appropriate summary disclosures as to the firm's pricing policy and practices. Independent custodians of client accounts may serve as the primary pricing source.

Responsibility

The CCO has overall responsibility for the firm's pricing policy, determining pricing sources, pricing practices, including any reviews and re-pricing practices to help ensure fair, accurate and current valuations.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

• Woodstock utilizes, to the fullest extent possible, recognized and independent pricing services and/or qualified custodians for timely valuation information for advisory client securities and portfolios;

• whenever valuation information for specific illiquid, foreign, derivative, private or other investments is not available through pricing services or custodians, Woodstock's designated officer, trader(s) or portfolio manager(s) will obtain and document price information from at least one independent source, whether it be a broker-dealer, bank, pricing service or other source;

• any securities without market valuation information are to be reviewed and priced by Woodstock's Chief Compliance Officer or a pricing committee in good faith to reflect the security's fair and current market value, and supporting documentation maintained;

• Woodstock's Chief Compliance Officer will arrange for monthly reviews of valuation information from whatever source to promptly identify any incorrect, stale or mispriced securities;

• any errors in pricing or valuations are to be resolved as promptly as possible, preferably upon a same day or next day basis, with repricing information obtained, reviewed and approved by Woodstock's Chief Compliance Officer; and

• a summary of the firm's pricing practices should be included in the firm's investment management agreement.

See Appendices: Pricing Information

Soft Dollars

Introduction

Woodstock as a matter of policy does utilize research, research-related products and other brokerage services on a soft dollar commission basis. Woodstock's soft dollar policy is to make a good faith determination of the value of the research product or services in relation to the commissions paid. Woodstock also maintains soft dollar arrangements for those research products and services which assist Woodstock in its investment decision-making process.

In the event Woodstock obtains any mixed-use products or services on a soft dollar basis, Woodstock will make a reasonable allocation of the cost between that portion which is eligible as research or brokerage services and that portion which is not so qualified. The portion eligible as research or other brokerage services will be paid for with discretionary client commissions and the non-eligible portion, e.g., computer hardware, accounting systems, etc., which is not eligible for the Section 28(e) safe harbor will be paid for with Woodstock's own funds. For any mixed-use products or services, Woodstock will maintain appropriate records of its reviews and good faith determinations of its reasonable allocations.

Woodstock periodically reviews the firm's soft dollar arrangements, budget, allocations, and monitors the firm's policy.

Background

Soft dollars generally refers to arrangements whereby a discretionary investment adviser is allowed to pay for and receive research, research-related or execution services from a broker-dealer or third-party provider, in addition to the execution of transactions, in exchange for the brokerage commissions from transactions for client accounts.

Section 28(e) of the Securities Exchange Act of 1934 allows and provides a safe harbor for discretionary investment advisers to pay an increased commission, above what another broker-dealer would charge for executing a transaction, for research and brokerage services, provided the adviser has made a good faith determination that the value of the research and brokerage services qualifies as reasonable in relation to the amount of commissions paid. Further, under SEC guidelines, the determination as to whether a product or service is research or other brokerage services, and eligible for the Section 28(e) safe harbor, is whether it provides lawful and appropriate assistance to the investment manager in performance of its investment decision-making responsibilities.

In Interpretative Release Commission Guidance Regarding Client Commission Practices Under Section 28(e), dated 7/24/2006, the SEC revised and clarified "brokerage and research services" in view of evolving technologies and industry practices. The Release updated prior Section 28(e) guidance and revised definitions including eligible and non-eligible research products and services for the Section 28(e) safe harbor. The SEC Release was effective 7/24/2006.

In 2008, the SEC proposed guidance about the responsibilities of boards of directors of investment companies regarding portfolio trading practices including soft dollars and best execution practices. (See Release Nos. 34-58264, IC-28345, and IA-2763, 7/20/2008).

On July 30, 2013, staff of the SEC's Division of Trading and Markets issued a no action letter confirming that commissions from certain fixed-income trades conducted on an agency basis can qualify for the Section 28(e) safe harbor, and that commissions from these fixed-income trades may be used to purchase third-party research, provided that (i) all applicable conditions of the Section 28(e) safe harbor are met and (ii) the institutional asset managers and [CCM] are otherwise complying with federal securities laws. (See Carolina Capital Markets, Inc., SEC No-Action letter, available 7/30/2013)

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our soft dollar policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted procedures to implement the firm's policy and conducts reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ Woodstock's CCO will initially review and approve, and thereafter review each of the firm's soft dollar arrangements and brokerage allocations for soft dollar research services and products on an annual basis;

◦ Woodstock's Head Trader monitors soft dollar arrangements;

◦ Woodstock will not make any formal or contractual commitments for any soft dollar obligations;

◦ Form ADV disclosures regarding Woodstock's soft dollar policy and soft/mixed use services and products will be reviewed by the designated officer for consistency with the firm's policy and practices, at least annually, and will provide specific information regarding the soft dollar services and products received during the firm's preceding fiscal year.

ERISA

Introduction

Woodstock may act as an investment manager for advisory clients which are governed by the Employee Retirement Income Security Act (ERISA). As an investment manager and a fiduciary with special responsibilities under ERISA, and as a matter of policy, Woodstock is responsible for acting solely in the interests of the plan participants and beneficiaries. Woodstock's policy includes managing client assets consistent with the “prudent man rule,” exercising proxy voting authority if not retained by a plan fiduciary, maintaining any ERISA bonding that may be required, and obtaining written investment guidelines/policy statements, as appropriate.

Background

ERISA imposes duties on investment advisers that may exceed the scope of an adviser's duties to its other clients. For example, ERISA specifically prohibits certain types of transactions with ERISA plan clients that are permissible (with appropriate disclosure) for other types of clients. Under Department of Labor (DOL) guidelines, when the authority to manage plan assets has been delegated to an investment manager, the manager has the authority and responsibility to vote proxies, unless a named fiduciary has retained or designated another fiduciary with authority to vote proxies. In instances where an investment manager's client agreement is silent on proxy voting authority, the investment manager would still have proxy voting authority. (Plan document provisions supersede any contractual attempt to disclaim proxy authority.) In the event plan documents are silent and an adviser's agreement disclaims proxy voting, the responsibility for proxy voting rests with the plan fiduciary(s). In certain instances, the Internal Revenue Code may impose requirements on non-ERISA retirement accounts that may mirror ERISA requirements.

In March 2006, the DOL issued guidance for employers, including advisers, to file annual reports (LM-10) to disclose financial dealings, including gifts and entertainment, with representatives of a union subject to a $250 de minimis.

Union officers and employees have a comparable reporting obligation (Form LM-30) to report any financial dealings with employers, including the receipt of any gifts or entertainment above the de minimis amount.

QPAM Exemption

The DOL adopted an amendment to ERISA prohibited transaction exemption 84-14 (the "QPAM Exemption"), expanding the coverage of the exemption to include in-house pension and other employee benefit plans maintained by investment advisers for their own employees. Under the amended exemption, a QPAM may manage an investment fund containing assets of an employee benefit plan sponsored by the QPAM and rely on the QPAM Exemption to avoid prohibited transactions that might occur in the management of such assets if: (i) the QPAM adopts written policies and procedures that are designed to assure compliance with the conditions of the amended exemption; (ii) the QPAM engages an independent auditor to conduct an annual exemption audit; and (iii) any other applicable requirements already provided in the QPAM Exemption are satisfied.

QDIA Regulation

The DOL adopted the QDIA Regulation (ERISA Section 404(c)(5)) to provide relief to a plan sponsor from certain fiduciary responsibilities for investments made on behalf of participants or beneficiaries who fail to direct the investment of assets in their individual accounts.

For the plan sponsor to obtain safe harbor relief from fiduciary liability for investment outcomes the assets must be invested in a "qualified default investment alternative" (QDIA) as defined in the regulation. While investment products are not specifically identified, the regulation provides for four types of QDIAs:

1. a product with a mix of investments that takes into consideration the individual's age or retirement date (e.g., a life-cycle or target date fund);

2. an investment service that allocates contributions among existing plan options to provide an asset mix that takes into consideration the individual's age or retirement date (i.e., a professionally-managed account);

3. a product with a mix of investments that takes into account the characteristics of the group of employees as a whole rather than each individual (a balanced fund, for example); and

4. a capital preservation product for only the first 120 days of participation (an option for plan sponsors wishing to simplify administration if employees opt-out of participation before incurring an additional tax).

A QDIA must either be managed by (i) an investment manager, (ii) plan trustee, (iii) plan sponsor, or (iv) a committee primarily comprised of employees of the plan sponsor that is a named fiduciary, or be an investment company registered under the Investment Company Act of 1940.

ERISA Disclosures - Final Regulation 408(b)(2)

Revising its previously issued final regulation, on January 25, 2012 the DOL issued its final rule under ERISA section 408(b)(2) which requires investment advisers and other covered service providers to provide the responsible plan fiduciary of certain of their ERISA plan clients with advance disclosures concerning their services and compensation. This regulation amends a prohibited transaction rule under ERISA and the Internal Revenue Code. That rule stated that it is a prohibited transaction for a 'covered plan' to enter into an arrangement with a covered service provider unless the arrangement is reasonable and the compensation being received by the service provider is reasonable. The final regulation imposes specific disclosure requirements intended to enable the plan's responsible plan fiduciary to determine whether a service provider arrangement is reasonable and identifies potential conflicts of interest.

This final rule also revised the compliance date to July 1, 2012 (an extension of 90 days from the previous compliance date of April 1, 2012). This revised compliance date further resulted in a 90-day extension of the compliance deadline for certain ERISA 'participant-directed plans' subject to DOL Rule 404a-5 (Fiduciary requirements for disclosure in participant-directed individual account plans).

Investment Advice – Participants and Beneficiaries

On October 25, 2011, the DOL once more issued a final regulation (the 'replacement final regulation' (the "Final Rule")) implementing the statutory exemption from the prohibited transaction provisions of ERISA for investment advice rendered to plan participants. The Final Rule is effective December 27, 2011, and applies to transactions occurring on or after that date.

Under the Final Rule, a fiduciary adviser is permitted to render investment advice to participants – and receive compensation for such advice – pursuant to an "eligible investment advice arrangement." Such arrangement must provide for either:

◦ level compensation, meaning that any direct or indirect compensation received by the fiduciary adviser may not vary depending on the participant's selection of a particular investment option, or

◦ a computer model, which an independent expert must certify as being unbiased.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our ERISA policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted various procedures to implement the firm's policy, conducts reviews to monitor and ensure the firm's policy is observed, properly implemented and amended or updated, as appropriate, which include the following:

◦ on-going awareness and quarterly reviews of an ERISA client's investments and portfolio for consistency with the "prudent man rule";

◦ a designated person or proxy committee is responsible for overseeing and conducting semi-annual reviews to ensure that any proxy voting functions are properly met and that ERISA plan client proxies are voted in the best interests of the plan participants;

◦ on-going awareness and quarterly review of any client's written investment policy statement/guidelines so as to be current and reflect a client's objectives and guidelines;

◦ annually verify that the plan fiduciaries have established and maintain and renew any ERISA bonding that may be required; or if plan documents require the investment manager to maintain required ERISA bonding, Woodstock will ensure that such bonding is obtained and renewed on a timely basis;

◦ provide the responsible plan fiduciary of an ERISA-covered defined benefit plan or defined contribution plan with required disclosures to enable the plan fiduciary to determine the reasonableness of total compensation received for services rendered and identifying potential conflicts of interest. Such disclosures will be reviewed at least quarterly to ensure accuracy, with any revisions promptly delivered to the responsible plan fiduciary;

◦ monitor for and make any annual DOL filings (Form LM-10) for reporting financial dealings with union representatives;

◦ if Woodstock acts as investment manager, general partner or managing member of any private or hedge funds or pooled investment vehicle, the firm will monitor quarterly the percentage of ERISA plan and IRA assets in each fund for ERISA 25% Plan Asset Rule purposes;

◦ identify and monitor any party in interest affiliations or relationships existing between the firm and any client ERISA plans to avoid any prohibited transactions; and

◦ ensure oversight of third party service providers with regard to current disclosure requirements.

If an ERISA fiduciary is seeking to obtain safe harbor relief under the QDIA regulation, include the following:

◦ ensure assets are invested in a QDIA;

◦ ensure that participants and beneficiaries have been given an opportunity to provide investment direction, but have not done so, and maintain appropriate supporting documentation;

◦ provide initial and annual notice to participants and beneficiaries in accordance with regulatory requirements;

◦ conduct quarterly reviews to ensure that materials, such as investment prospectuses, are furnished to participants and beneficiaries;

◦ ensure participants and beneficiaries have an opportunity to direct investments out of a QDIA as frequently as from other plan investments, but at least quarterly; and

◦ ensure that the plan offers a "broad range of investment alternatives" as defined under Section 404(c) of ERISA.

If applicable as a QPAM, include the following:

◦ monitor quarterly transactions effected on behalf of the plan to ensure compliance with the requirements of the exemption with respect to the management of those plan assets;

◦ engage an independent auditor to conduct the annual exemption audit; and

◦ in the event that the audit report identifies a deficiency, to promptly address the deficiency.

(AND, if the transaction relies on Part I of the QPAM Exemption, which is applicable to general transactions between the plan or fund managed by the QPAM and parties in interest with respect to such plans, then the written policies and procedures must also include requirements that):

◦ the party in interest (i) does not have disqualifying power over the QPAM (i.e., the power to terminate the QPAM or to negotiate the terms of the QPAM's management agreement), and (ii) is neither the QPAM itself nor a party related to the QPAM;

◦ no more than 20 percent of the total client assets managed by the QPAM consist of assets of the in-house plan plus any assets of other plans established or maintained by the QPAM and its affiliates; and

◦ the transaction is not exempt pursuant to prohibited transaction exemptions 2006-16 (securities lending), 83-1 (acquisitions by plans of interest in mortgage pools) or 82-87 (certain mortgage financing arrangements).

If a fiduciary adviser and providing investment advice to participants for separate compensation, ensure that such advice is provided under one of the following two arrangements:

◦ as a fiduciary adviser, investment advice will only be provided to participants for separate compensation pursuant to an eligible investment advice arrangement that provides for either:

◦ level compensation being earned, i.e., any direct or indirect compensation received will not vary depending upon the participant's selection of a particular investment option, or such advice will be rendered utilizing a computer model which has been certified as being unbiased by an independent expert.

Best Execution

Introduction

As an investment advisory firm, Woodstock has a fiduciary and fundamental duty to seek best execution for client transactions.

Woodstock, as a matter of policy and practice, seeks to obtain best execution for client transactions, i.e., seeking to obtain not necessarily the lowest commission but the best overall qualitative execution in the particular circumstances.

Background

Best execution has been defined by the SEC as the "execution of securities transactions for clients in such a manner that the clients' total cost or proceeds in each transaction is the most favorable under the circumstances." The best execution responsibility applies to the circumstances of each particular transaction and an adviser must consider the full range and quality of a broker-dealer's services, including execution capability, commission rates, and the value of any research, financial responsibility, and responsiveness, among other things.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our best execution policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted procedures to implement the firm’s policy and reviews to monitor and ensure the firm’s policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ As part of Woodstock's brokerage and best execution practices, Woodstock has adopted and implemented written best execution practices.

◦ Woodstock's Head Trader has responsibility for monitoring our firm’s trading practices, gathering relevant information, periodically reviewing and evaluating the services provided by broker-dealers, the quality of executions, commission rates, and overall brokerage relationships, among other things.

◦ The firm updates an approved broker list based upon the firm's reviews.

◦ Woodstock's Director of Research has responsibility for periodically reviewing and evaluating the quality of research provided by the broker-dealers.

◦ Woodstock also conducts periodic reviews of the firm’s brokerage and best execution practices, evaluates services and documents these reviews, and discloses a summary of brokerage and best execution practices in our Form ADV Part 2.

◦ A Best Execution file is maintained for the information obtained and used in Woodstock's periodic best execution reviews and analysis and to document the firm’s best execution practices.

Proxy Voting

Introduction

Woodstock, as a matter of policy and as a fiduciary to our clients, has responsibility for voting proxies for portfolio securities consistent with the best economic interests of the clients. Our firm maintains written policies and procedures as to the handling, research, voting and reporting of proxy voting and makes appropriate disclosures about our firm's proxy policies and practices. Our policy and practice includes the responsibility to monitor corporate actions, receive and vote client proxies and disclose any potential conflicts of interest as well as making information available to clients about the voting of proxies for their portfolio securities and maintaining relevant and required records.

Woodstock has retained an independent third party proxy service, Broadridge, for their fundamental research on proxy questions and subsequent recommendations. Proxies are voted by Broadridge in accordance with proxy voting guidelines with the intent of serving the best interest of Woodstock’s clients. Proxies are voted according to pre-established voting guidelines that address specific topics. Issues outside of such guidelines are considered on a case-by-case basis. In this regard, Woodstock's voting responsibility is to protect and enhance the value of assets under management for the exclusive benefit of the clients’ portfolio beneficiaries. All material conflicts of interest on proxy matters when identified will be disclosed to the client.

The policies and procedures for voting securities held by accounts managed by Woodstock are applicable if:

• The underlying advisory agreement or any other written agreement entered into with the client expressly provides that Woodstock shall be responsible for voting securities held in the client’s account; or

• The underlying advisory agreement entered into with the client is silent as to whether or not the Adviser shall be responsible for voting securities held in the client’s account and Woodstock has discretionary authority over investment decisions for the client’s account.

Woodstock maintains records on proxy voting. Woodstock clients may obtain information about how their proxies were voted by calling Woodstock.

Background

Proxy voting is an important right of shareholders and reasonable care and diligence must be undertaken to ensure that such rights are properly and timely exercised.

Investment advisers registered with the SEC, and which exercise voting authority with respect to client securities, are required by Rule 206(4)-6 of the Advisers Act to (a) adopt and implement written policies and procedures that are reasonably designed to ensure that client securities are voted in the best interests of clients, which must include how an adviser addresses material conflicts that may arise between an adviser's interests and those of its clients; (b) to disclose to clients how they may obtain information from the adviser with respect to the voting of proxies for their securities; (c) to describe to clients a summary of its proxy voting policies and procedures and, upon request, furnish a copy to its clients; and (d) maintain certain records relating to the adviser's proxy voting activities when the adviser does have proxy voting authority.

Responsibility

Woodstock's Operations Supervisor has the responsibility for the implementation and monitoring of our proxy voting policy, practices, disclosures and record keeping, including outlining our voting guidelines in our procedures.

Procedure

Woodstock has adopted procedures to implement the firm’s policy and reviews to monitor and ensure the firm’s policy is observed, implemented properly and amended or updated as appropriate. All employees will forward any proxy materials received on behalf of clients to the Operations Supervisor.

Disclosure

◦ Woodstock will provide required disclosures in response to Item 17 of Form ADV Part 2A summarizing this proxy voting policy and procedures, including a statement that clients may request information regarding how Woodstock voted a client's proxies;

◦ Woodstock's disclosure summary will include a description of how clients may obtain a copy of the firm's proxy voting policies and procedures; and

◦ Woodstock's proxy voting practice is disclosed in the firm's advisory agreement(s).

Voting Proxy Guidelines

See Appendices: 2017 Proxy Voting Guidelines

Client Requests for Information

◦ All client requests for information regarding proxy votes, or policies and procedures, received by any employee should be forwarded to the Operations Supervisor.

◦ In response to any request the firm's Operations Supervisor will prepare a written response to the client with the information requested, and as applicable will include the name of the issuer, the proposal voted upon, and how the client’s proxy was voted with respect to each proposal about which the client inquired.

Recordkeeping

The Operations Supervisor shall retain the following proxy records in accordance with the SEC’s five-year retention requirement.

◦ These policies and procedures and any amendments;

◦ A record of each vote that Woodstock casts;

◦ Any document Woodstock created that was material to making a decision how to vote proxies, or that memorializes that decision.

◦ A copy of each written request from a client for information on how Woodstock voted such client’s proxies, and a copy of any written response.

Trading

Account Reconciliation

Woodstock performs daily reconciliations for all accounts active in trading. This process compares positions received from custodial systems to those recorded in our portfolio management software. Woodstock facilitates the communication of all trading between Advent and Fidelity by uploading a daily Advent-file into Fidelity's accounting system. Additionally, Advent gathers transactional data from custodians with whom links have been built and transmits the data to Woodstock each day.

Trade Errors

Introduction

The purpose of this Trade Error Policy (the “Policy”) is to provide guidance in correcting trade errors. Woodstock strives to avoid trade errors through the use of technology and well trained operations and investment staff.

Trade Error Definition

Trade errors may be defined as any trading activity that is inconsistent with contractual, legal, or regulatory restrictions or is inconsistent with investment management intent. If the error is caused by Woodstock, the client transaction will be corrected and Woodstock shall be responsible for any client loss resulting from a Trade Error.

Examples of trade errors include, but are not limited to, the following:

• Purchasing securities not permissible for a client account.

• Purchasing or selling securities for an account that are different than the portfolio manager intended to purchase or sell.

• Purchasing or selling securities for a different account than the account the portfolio manager intended.

Trade errors may be identified through various sources at Woodstock and may include but are not limited to, direct identification from portfolio management staff, post trade testing, or identification by oversight groups.

Trade Error Escalation Process

Upon identification of a potential trade error, the applicable compliance, operations, and/or management teams must be notified immediately. Such groups shall work with the investment management team to seek a prompt and equitable resolution to the trade error consistent with the standards noted below.

Trade Error Resolution Standards

After a trade error has been identified and an appropriate resolution has been implemented to resolve the trade error, Woodstock will calculate the amount of gain or loss resulting from the resolution of the trade error.

If the trade error results in a loss, the client shall be reimbursed for such loss; however, if the trade error results in a gain, the client shall retain the gain. If the trade error is identified prior to the routine settlement of the security, Woodstock may transfer the security to an error account and shall be responsible for all future gains and losses associated with the security.

Recordkeeping

The Adviser shall maintain documentation regarding any trade error and its resolution consistent with its books and records obligations.

The Chief Investment Officer must ensure the completion of a Trade Error Form. This form will include a summary of the error, the cause of the error, the corrective action taken, and the cost or profit to the client.

Woodstock will ensure that any unrealized or realized loss incurred by a client from a Trade Error will be paid by Woodstock or the broker at fault, but in no instance shall a client experience any monetary loss from a Trade Error. In all cases, it is the firm’s responsibility to ensure each client is "made whole" for any Trade Error. Each payment made by Woodstock to a client for any Trade Error must be reviewed by the CCO.

Trade Recordkeeping

All trades will be properly recorded on order memoranda that will contain the following information per trade:

1. Name of account(s);
2. Name and amount of security;
3. Type and condition of trade order, i.e. buy or sell, market, limited, or other;
4. Name of broker or bank used to execute transaction;
5. Name of person recommending transaction, i.e. one of Woodstock portfolio managers;
6. Name of person placing trade;
7. Date and time of trade placement and execution;
8. Indication of whether the trade was placed pursuant to discretionary authority.

The order memoranda will be maintained on either a paper or electronic basis and must always consist of the information required above. Most securities trade orders will be electronically communicated to the Trading Department by the portfolio managers via Advent's order management system (the "Trading System"), which will store all the required information in one or more screens that may be customized by Woodstock. The Head Trader is responsible for ensuring proper completion of each order memorandum ("Order Ticket") for an advisory account transaction. Actual generation or completion of an Order Ticket is the combined responsibility of the portfolio managers and the trader. On occasion, when the Trading System is not used by a portfolio manager to generate, record, store and communicate a trade order (e.g. if an order is transmitted via telephone by a portfolio manager from a remote location), a trader will be responsible for the completion of an Order Ticket. Currently, all Order Tickets are maintained on an electronic basis in the Trading System unless otherwise approved and documented by the Head Trader.

On transactions in which multiple client account orders are aggregated, the Order Ticket and/or Trading System must reflect the specific accounts included in the bunched trade and the amounts of a security that each of these accounts is to, and does, receive in the allocation.

Broker Selection

The Trader will select the broker for execution based upon: best execution and research, and client directed brokerage, if necessary. Woodstock’s primary intent on a per trade basis is to obtain best execution from the selected broker, regardless of any directed brokerage or soft dollar arrangements that may be in existence. Several factors are involved in determining whether a broker-dealer can provide best execution on a specific trade. Among them are the commission rates, the broker’s capital commitment capability, the difficulty and timeliness of execution, experience with a broker dealer, prior involvement of a broker dealer with a security, and the current market and security conditions (e.g. liquidity, volatility).

Generally, Woodstock utilizes the major brokerage firms to execute client trades since these firms are usually most able to provide our clients with superior executions on the positions we collectively take on behalf of our clients. Orders are typically placed with smaller brokerage firms because of specific investment ideas and/or securities for which they are most likely to provide a satisfactory execution.

In coordination with pricing and liquidity considerations, Woodstock executes client securities trades with brokers who are able to effectively supply research appropriate to our investment decision making process. Brokers who provide investment research services to Woodstock in connection with the generation of trading commissions can be divided into "bundled service" brokers, who have in-house research departments, and "third party" brokers, who acquire research from independent providers and make it available to Woodstock. In the former case, research is made available as part of an ongoing trading relationship, and the level of commissions is based on Woodstock’s evaluation of the research. Any receipt, use and evaluation of research services and products from a bundled service or third-party broker is solely done in accordance with the guidelines set forth under the safe harbor provisions of Section 28(e) of the Securities Exchange Act of 1934. The specific procedures established by Woodstock for the proper utilization of this safe harbor when electing to effect client trades through brokers that provide Woodstock with brokerage and research services are described in the Soft Dollar section of this Manual.

The trading and research capabilities of brokers are reviewed annually. These reviews encompass each broker’s execution ability, the firm’s capital commitment capability and the extent and quality of economic, industry and company analysis.

See the Directed Brokerage section of this manual for information on directed brokerage.

Trade Aggregations and Allocations

Woodstock has a fiduciary responsibility to prevent potential conflicts of interest in its trading practices and to ensure that client interests are placed first. In an effort to enhance our ability to obtain best execution for clients and provide fair and equitable treatment to all managed client accounts, a portfolio manager and/or the Trading Department may aggregate the trade orders for clients of such portfolio manager as well as aggregate those orders with orders for other Woodstock clients.

The following procedures have been developed to facilitate an equitable and reasonable aggregation and allocation of trades.

Aggregation and Allocation

The aggregation or blocking of client transactions may allow an adviser to execute transactions in a more timely, equitable, and efficient manner and seeks to reduce overall commission charges to clients.

Our firm’s policy is to aggregate client transactions only when it believes that aggregation is consistent with its fiduciary duty to its clients and is consistent with the terms of its advisory agreement with each client for which trades are being aggregated. The firm may aggregate trades for its affiliated accounts with client trades.

Each client that participates in an aggregated order will participate at the average share price for all the firm's transactions in a given security in the aggregated trade order, with transaction costs shared pro-rata based on each client's participation in the transaction.

If any order is partially filled, it will be allocated pro-rata based upon each client's participation in the transaction. Associated persons of the firm will not participate in partially filled block trades, so as to make possible trades available to advisory clients.

Notwithstanding the foregoing, the order may be allocated on a basis different from that specified above if all client accounts receive fair and equitable treatment and the reason for different allocation is explained in writing and is approved by the firm's chief compliance officer no later than one hour after opening of the markets on the trading day following the day the order was executed.

As a matter of policy, an adviser's allocation procedures must be fair and equitable to all clients with no particular group or client(s) being favored or disfavored over any other clients.

IPOs

Initial public offerings (“IPOs”) or new issues are offerings of securities which frequently are of limited size and limited availability. These offerings may trade at a premium above the initial offering price. In the event Woodstock participates in any new issues, Woodstock's policy and practice is to allocate new issues shares fairly and equitably among our advisory clients according to a specific and consistent basis so as not to advantage any firm, personal or related account and so as not to favor or disfavor any client, or group of clients, over any other.

Any changes to the allocation procedures above are to be documented promptly in this Manual as well as in Part 2 of the firm’s Form ADV Brochure.

Directed Brokerage

Introduction

Woodstock may accept client instructions for directing the client's brokerage transactions to a particular broker-dealer. Any client instructions to Woodstock are to be in writing with appropriate disclosures that for any directed brokerage arrangements Woodstock will not negotiate commissions, may not obtain volume discounts or aggregate directed transactions, and that commission charges will vary among clients and best execution may not be obtained.

Background

Clients may direct advisers to use a particular broker-dealer under various circumstances, including where a client has a pre-existing relationship with the broker or participates in a commission recapture program, among other situations.

Pursuant to the SEC's adoption of Amendments to Form ADV (Release No. IA-3060), advisers that routinely recommend, request or require clients to direct brokerage are required to disclose their practices in response to Item 12 of the new Form ADV Part 2. Such disclosures should include:

◦ a description of the firm's practices; and
◦ disclose that not all advisers require clients to direct brokerage.

If the adviser recommends or requires clients to direct brokerage to an affiliated broker, or to a broker with whom the adviser has another economic relationship that creates a material conflict of interest, the adviser must also:

◦ describe the relationship and identify the resultant conflicts of interest; and
◦ inform clients that by directing brokerage, Woodstock may be unable to achieve most favorable execution of client transactions, which may cost clients more money.

Advisers that permit clients to direct brokerage must describe the firm's practices and, if applicable, disclose that Woodstock may be unable to achieve most favorable execution of client transactions, which may cost clients more money. For example, clients may pay higher brokerage commissions because the firm is unable to aggregate orders to reduce transaction costs, or the client may receive less favorable prices.

Advisers selecting or recommending the use of a broker-dealer in return for client referrals from the broker or other third party must describe their practices, including:

◦ the resultant conflicts of interest;
◦ disclosure that the adviser has an incentive to select or recommend the broker based on its interest in receiving client referrals rather than on clients' interest in receiving most favorable execution; and
◦ an explanation of the firm's procedures during the last fiscal year to direct client transactions to a particular broker-dealer in return for client referrals.

Responsibility

Woodstock's Chief Compliance Officer has the responsibility for the implementation and monitoring of our directed brokerage policy, practices, disclosures and recordkeeping.

Procedure

Woodstock has adopted various procedures used to implement the firm's policy and conducts periodic reviews to monitor and ensure the firm's policy is observed, implemented properly and amended or updated, as appropriate, which include the following:

◦ any client directed brokerage instructions and arrangements are to be in writing and must be reviewed by the Compliance Officer;

◦ Woodstock provides appropriate disclosures in response to Item 12 of Part 2A of Form ADV: Firm Brochure and the firm's advisory agreement;

◦ any client brokerage instructions are maintained in the client document file; and

◦ any relationships and conflicts of interest relating to arrangements in which brokers refer clients to the firm will be disclosed to clients.

Principal and Agency Cross Transactions

It is Woodstock's policy that the firm will not effect any principal or agency cross securities transactions for client accounts.

Principal transactions are generally defined as transactions where an adviser, acting as principal for its own account or the account of an affiliated broker-dealer, buys from or sells any security to any client.

An agency cross transaction is defined as a transaction where a person acts as an investment adviser in relation to a transaction in which the investment adviser, or any person controlled by or under common control with the investment adviser, acts as broker for both the client and for another person on the other side of the transaction. Agency cross transactions may arise where an adviser is dually registered as a broker-dealer or has an affiliated broker-dealer.

VIII. Appendices

Annual Holdings Form

Title | Exchange ticker symbol or CUSIP | Type of Security | Number of Shares | Amount | Broker

Name (Please Print): __________________________________________________

Signature: __________________________________________________ Date: ____________________

Reviewed By: __________________________________________________ Date: ____________________

Information must be current as of no more than 45 days before the report is submitted.

Code of Ethics Attestation (Initial and Annual)

WOODSTOCK CORPORATION
Code of Ethics Acknowledgement

I acknowledge that I have read and understand Woodstock Corporation’s Code of Ethics and will comply in all respects with such code.

_________________________________ Date: _____________________

(Signature)

_________________________________

(Print/Type Name)

WOODSTOCK CORPORATION

ANNUAL CERTIFICATION OF COMPLIANCE WITH WOODSTOCK CORPORATION'S CODE OF ETHICS

I certify that during the year ended as of the date written below:

1. I have read and understand Woodstock Corporation’s Code of Ethics.

2. I have fully disclosed all Securities holdings in which I have, or a member of my immediate family (sharing the same household) has, a beneficial interest.

3. I have obtained pre-clearance for all investments in initial public offerings (“IPO’s”), limited offerings and private placements as required in which I have, or an immediate member of my family (sharing the same household) has, a beneficial interest except for which I have received an exception in writing from the CCO.

4. I have reported all “Reportable Securities” transactions as described in Woodstock’s Code of Ethics in which I have, or any member of my immediate family (sharing the same household) has, a beneficial interest except for transactions for which I have received an exception in writing from the CCO.

5. I have complied with the Code of Ethics in all other respects.

_____________________________________________

Signature

_____________________________________________

Print Name

Date: _______________________________________

Compliance Manual Attestation

Woodstock Corporation
Compliance Manual Attestation

I have read and reviewed Woodstock Corporation's IA Policies and Procedures and have obtained an interpretation of any sections about which I had a question. I accept responsibility for understanding, complying with and when appropriate, seeking guidance regarding the firm's current policies and procedures.

I will report violations of any laws, regulations or other firm policies of which I am aware or that I suspect have taken place. I understand that I am required to cooperate fully with Woodstock Corporation in any investigation of violations. I understand that my failure to comply with laws, regulations, firm policies or procedures may result in disciplinary action, up to and including termination.

__________________________________________ __________________
Signature Date

__________________________________________
Print Name

Disaster Recovery

2017 Call Tree

Disaster Recovery/Business Continuity Call Tree

* Elena, Bill, and Adrian will initially contact one another to discuss appropriate protocol. Then the below call tree resumes.

This Person | Home Phone | Mobile Phone | Alternate Email Address | Contacted (Yes/No) | Left Message? (Yes/No) | Time Contacted

Elena Gillespie

781-821-4546 781-820-5700 [email protected]

Will Contact:

Ann Kane 603-926-1800 603-918-7653 [email protected]

David Layden

N/A 617-877-7468 [email protected]

David Levesque

781-294-1651 617-335-2419 [email protected]

Adrian Davies

978-443-5350 978-460-0844 [email protected]

Will Contact:

Maureen Murphy

781-749-5559 508-954-0868 [email protected]

Ted Felton 508-359-7230 N/A N/A

Lawrie Foster

617-505-5782 508-843-0321 [email protected]

Peter Hartzel

781-326-2999 781-237-9410 [email protected]

Larry Dooley

508-359-1063 617-840-7950 [email protected]

Pete Simpson

781-631-4598 781-631-1583 [email protected]

Tom Stakem

781-944-1409 781-789-9299 [email protected]

Ann Kane 603-926-1800 603-918-7653 [email protected]

Will Contact: Hank Phippen 978-969-1668 978-314-8122 [email protected]

Julie Phippen 978-969-1668 978-697-4035 [email protected]

Mariya Kubishyn N/A 617-833-2091 [email protected]

Lacresha Duncan N/A 617-869-7507 [email protected]

Jeanne FitzGerald 781-562-1266 617-780-1584

Tom Lespasio 617-471-3236 N/R [email protected]

Walter Zagieboylo 508-520-8760 508-847-0338 [email protected]

Dave Layden N/A 617-877-7468 [email protected]

Will Contact: Michael Zampitella 781-322-6384 781-738-1203 [email protected]

David Levesque 781-294-1651 617-335-2419 [email protected]

Will Contact: Kim Curtis 617-846-4923 508-561-7585 [email protected]

Holly Perry N/A 508-269-7324 [email protected]

Intermedia Instructions

Woodstock Intermedia Cloud Email Information
www.intermedia.net

Instructions for login:

Click "Login" at top right corner of screen (highlighted above) and select "Customer Login".

At login page, select "Webmail" and enter your Woodstock email address. The password is the one you use to log into your email (or the one you used to originally set up your email).

Instructions for logout:

When you login, the banner at the right top says “Welcome, (your name)!” Just to the left of the “Welcome” banner, you will see a “logoff” button.

**If you forget to log out, the application will log you out automatically when you hit the “close” button.

Disaster Recovery Attestation

Woodstock Corporation
Disaster Recovery Plan Attestation

I, the undersigned employee of Woodstock, hereby acknowledge and certify that I have read, reviewed and understood the entire contents of Woodstock’s Disaster Recovery Plan.

____________________________________________

Printed Name of Employee

____________________________________________

Signature

_______________________

Date

Phone and Remote Login Instructions

DSCI Phone System and Computer Remote Login Information

To access your DSCI phone profile via the Internet, please go to:

• http://www.dscicorp.com/support/introduction-dsci-web-portal/

• https://xsp-web2.dsci-net.com/Login/

• Your login is your phone [email protected]

(ie. [email protected])

• If you have not set up a password for yourself, the default password is D14376 (webportal first time user password).

For information on retrieving your voicemail, please visit:

• http://www.dscicorp.com/assets/sites/2/Quick_Reference_Guide_Voicemail_Rev1214.pdf

How to Log in to LogMeIn – Woodstock’s Remote Desktop Service

1. Contact Dave Levesque for a Remote Access Policy to read and sign off.

1. Go to: https://secure.logmein.com/

2. Sign up for a free LogMeIn account.

3. Omniworks will provide you with access once you have an account. Coordinate this set up with David Levesque.

4. Once you’ve been granted access, click on “Log In.”

5. Enter your email address and password.

6. Click on your computer.

7. Complete your normal log in steps as you would when in the office.

Woodstock Floor Plan

Due Diligence Vendor Checklist

Vendor Name: _________________________

1. Vendor Address: _____________________________________________
2. Vendor Contact: _____________________________________________
3. Years in Business: ____________________________________________
4. Service Provided: _____________________________________________
5. Location(s) where data are stored (onsite, offsite, cloud, etc.) ____________________________________________________________

Due Diligence | Response | Comments

Reviewed vendor’s most recent Privacy Policy and/or Information Security Policy? ☐ Yes ☐ No ☐ N/A

Assessed security and privacy features and risks? ☐ Yes ☐ No ☐ N/A

Is vendor/software mission-critical? ☐ Yes ☐ No ☐ N/A

Is vendor/software addressed in Woodstock's Business Continuity Plan? ☐ Yes ☐ No ☐ N/A

Reviewed vendor’s BCP? ☐ Yes ☐ No ☐ N/A

Has vendor experienced any significant personnel changes? ☐ Yes ☐ No ☐ N/A

Reviewed any conflicts of interest? ☐ Yes ☐ No ☐ N/A

Does vendor have access to sensitive or confidential information of Woodstock, its clients, or its investments? ☐ Yes ☐ No ☐ N/A

Has vendor signed a Non-Disclosure Agreement (NDA)? ☐ Yes ☐ No ☐ N/A

Reviewed Service Level Agreement (SLA)? ☐ Yes ☐ No ☐ N/A

Has vendor experienced any data breaches within the last year? ☐ Yes ☐ No ☐ N/A

Does vendor have any pending litigation / arbitration? ☐ Yes ☐ No ☐ N/A

Inquired as to any material changes to the vendor’s business, operations, risks, and financial stability? ☐ Yes ☐ No ☐ N/A

Email and Other Electronic Communications Acknowledgment

Woodstock Corporation
Email and Other Electronic Communications Acknowledgment

I acknowledge that I have read and understand Woodstock’s Email and Other Electronic Communication Policy and will comply in all respects with such policy.

_________________________________ Date:_____________________

(Signature)

_________________________________

(Print/Type Name)

Identity Theft

Identity Theft Attestation

Woodstock Corporation
Identity Theft Attestation

I hereby acknowledge that I have received, read, understand and will comply with all provisions applicable to me in Woodstock’s Compliance Manual, including Woodstock’s Identity Theft Prevention Program adopted pursuant to Regulation S-ID.

I understand that it is my obligation as a Supervised Person of Woodstock to be aware of certain identity theft Red Flags in connection with Woodstock’s covered accounts.

I agree to respond to identity theft Red Flags as set forth in this Identity Theft Prevention Program. I further agree to bring all known or suspected identity theft incidents involving Woodstock to the attention of the Chief Compliance Officer.

Printed Name: ___________________________________

Signature: ___________________________________

Date: ___________________________________

Identity Theft Red Flags and Responses

Below is a list of identity theft Red Flags as set forth in Appendix A and Supplement A in the Regulation S-ID Adopting Release.² Not all of these Red Flags may be relevant to the Firm; however, they are included here for reference in order to provide guidance in the event that the Firm encounters any of the Red Flags identified in connection with the covered accounts the Firm offers or maintains.

Red Flag Type Occurs During Firm Response

Red Flag: Identification presented looks altered or forged.

Type: Suspicious Documents

Occurs During: Account Opening; Email Request from Individual Purporting to be Client [and/or Investor]

Firm Response: For existing clients [and/or investors] opening a new account, the Firm may verify the client’s [or investor’s] information by contacting the client [or investor] by telephone using a verified client [and/or investor] contact number on record at the Firm such as in the [Investment Management Agreement / fund subscription document].

For new or prospective clients [and/or investors] (“Applicant”), the Firm shall rely upon its AML Program as well as the KYC/AML Program of any of its counterparties, independent, external sources of information, and/or shall request financial records or additional verifiable information from the applicant.

If the Firm determines that Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s [and/or investor’s] name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and
4. May file a Suspicious Activity Report (“SAR”).

2. See 17 C.F.R. §248.201 Adopting Release (“Appendix A to Subpart C of 248—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation”). See also 17 C.F.R. §248.201 Adopting Release (“Supplement A to Appendix A”).

Red Flag: Information on the identification differs from what the identification presenter is saying.

Type: Suspicious Documents

Occurs During: Account Opening

Firm Response: For clients [and/or investors] or prospective clients [and/or investors] meeting in person with a Supervised Person of the Firm, the Supervised Person shall review whether the individual’s identification is consistent with the likeness of the individual.

If the Firm determines that Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s [and/or investor’s] name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and
4. May file a Suspicious Activity Report.

Red Flag: Information on the identification does not match other information the Firm has on file for the client [and/or investor], such as the original account application, signature, or [Investment Management Agreement / Subscription Document].

Type: Suspicious Documents

Occurs During: Account Opening; Email Request from Individual Purporting to be Client [and/or Investor]

Firm Response: The Firm shall ensure that the identification presented and other information we have on file from the account are consistent.

If the Firm determines Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s [and/or investor’s] name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and
4. May file a Suspicious Activity Report.

Red Flag: The application and/or documents presented by the client [and/or investor] look like they have been altered, forged or torn up and reassembled.

Type: Suspicious Documents

Occurs During: Account Opening; Email Request from Individual Purporting to be Client [and/or Investor]

Firm Response: A Supervised Person responsible for the client [and/or investor] shall carefully review the application or other documents for evidence of alteration, forgery, or reassembly.

If an existing client [and/or investor], the Supervised Person responsible for the client [and/or investor] relationship shall attempt to contact the client [and/or investor] using a verified client [and/or investor] contact number on record at the Firm such as in the [Investment Management Agreement / fund subscription document].

If the Supervised Person determines Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s (and/or investor’s) name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO;
4. May file a Suspicious Activity Report.

Red Flag: Inconsistencies exist between the information presented and other things we know about the presenter or can find out by checking readily available external sources, such as:
(1) an address that does not match a consumer credit report,
(2) the Social Security Number (SSN) has not been issued or is listed on the Social Security Administration's (SSA’s) Death Master File, or
(3) the SSN or telephone number belongs to someone who is already a client [and/or investor] of the Firm.

Type: Suspicious Identifying Information

Occurs During: Account Opening

Firm Response: The Firm shall check Identifying Information presented to us using our AML Program, OFAC screening, checking the SSN against those of our current and former clients [and/or investors], checking the SSN provided against the Social Security Administration’s Master Death File (http://www.ntis.gov/products/ssa-dmf.aspx) to ensure that the SSN given is not associated with a deceased individual, and/or checking other key information presented by the client [and/or investor] against information our Firm has on file.

If the Supervised Person determines that Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s (and/or investor’s) name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO;
4. May contact the actual client [and/or investor] identified in the information provided; and
5. May file a Suspicious Activity Report.

Red Flag: Inconsistencies exist in the key information that the client [and/or investor] gives us, such as a date of birth that does not fall within the number range on the SSA’s issuance tables.

Type: Suspicious Identifying Information

Occurs During: Account Opening

Firm Response: The Firm shall check the DOB presented for consistency with other documents and/or for appropriate ranges in the SSA’s issuance tables.

If the Supervised Person determines that Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s (and/or investor’s) name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and
4. May file a Suspicious Activity Report.

Red Flag: Identifying Information presented has been used on an account our firm knows was fraudulent.

Type: Suspicious Identifying Information

Occurs During: Account Opening; Email Request from Individual purporting to be Client [and/or Investor]

Firm Response: The Firm shall maintain a log of account information which the Firm knows to be fraudulent, and shall check the information presented by the client against this list.

Upon a client [and/or investor] presenting information which the Firm knows to be associated with a fraudulent account, a Supervised Person shall verify with the client [and/or investor] that the information presented is correct.

If the Supervised Person determines that Red Flags suggest use of a false identity, the Firm:

1. Shall not open the account in the client’s [and/or investor’s] name;
2. Shall document the nature and circumstances of the denial;
3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and
4. May file a Suspicious Activity Report.

IdentifyingInformationpresentedsuggests fraud,such as anaddress that isfictitious, a maildrop, or aprison; or aphone numberis invalid, or isfor a pager oransweringservice.

SuspiciousIdentifyingInformation

Account Opening The Firm shall perform an internet search to verifywhether the address presented by the client [and/orinvestor] appears legitimate and are not a mail dropor prison. The Firm shall also call each telephonenumber provided by the client [and/or investor]during the account opening process to verify thatthe numbers are legitimate, and that they do notcall a pager, answering service, or appear to befictitious.

The Firm shall document the addresses andtelephone numbers verified or reviewed and thedate on which the information was verified orreviewed.

If the address or telephone number provided isassociated with a mail drop, prison, or otherwiseappears fictitious, the Firm:

1. Shall not open the account in the client’s[and/or investor’s] name;

2. Shall document the nature andcircumstances of the denial;

3. Shall notify law enforcement andregulatory authorities, as determinedappropriate by the CCO; and

4. May file a Suspicious Activity Report.


A person who omits required information on an application or other form does not provide it when told it is incomplete.

Suspicious Identifying Information

Account Opening

Our staff will monitor for incomplete applications or contracts or instances in which a client [and/or investor] has not responded to requests for information.

The Firm shall follow up with the client [and/or investor] to determine the reason for the missing information.

If the client [and/or investor] is unable to provide a reason suitable to the Firm to explain why the information cannot be provided, the Firm:

1. May choose not to open the account in the client’s [and/or investor’s] name;

2. Shall document the nature and circumstances of the denial or missing information;

3. Shall notify law enforcement and regulatory authorities, as determined appropriate by the CCO; and

4. May file a Suspicious Activity Report.

Soon after our firm gets a change of address request for an account, we are asked to add additional access means or authorized users for the account.

Suspicious Account Activity

Client Request

We will verify change of address requests by sending a notice of the change to both the new and old addresses so the client [and/or investor] will learn of any unauthorized changes and can notify us.

An account develops new patterns of activity such as a big change in the frequency of requests for wires/distributions or the parties making such requests on behalf of an account.

Suspicious Account Activity

Account Maintenance

We will review our accounts on a periodic basis for suspicious patterns of activity such as a big change in the frequency of requests for wires/distributions or the parties making such requests on behalf of an account.


An account that is inactive for a long time is suddenly used again.

Suspicious Account Activity

Client Request

The Firm shall contact the client [and/or investor] to review particular circumstances of recent account activity.

Mail our firm sends to a client [and/or investor] is returned repeatedly as undeliverable even though the account remains active.

Suspicious Account Activity

Account Maintenance

The Firm shall review the addresses, telephone numbers and/or e-mail address, review if the information was ever verified or reviewed and the date on which the information was verified or reviewed.

If appropriate verification of an alternative method of communication was completed, the Firm shall contact the client [and/or investor] via telephone to request change of address information. The Firm shall take appropriate steps to verify client’s [and/or investor’s] identity and confirm new address is appropriate.

We learn that a client [and/or investor] is not getting his or her paper account statements.

Suspicious Account Activity

Account Maintenance; Client Request

The Firm shall log that the client [and/or investor] has not received paper or electronic statements or account information from the Firm. The Firm shall investigate the circumstances, including reviewing that the mailing and/or email address the Firm has on file is correct.


We are notified that there is unauthorized account activity.

Suspicious Account Activity

Account Maintenance;

Client Request

1. The Firm will thoroughly investigate the circumstances around the unauthorized account activity.

2. The Firm shall immediately notify appropriate service providers, such as the account custodian, of unauthorized activity.

3. As appropriate, the Firm shall contact the client [and/or investor], using the client’s [and/or investor’s] verified telephone number on record at the Firm, and review the circumstances of the event.

4. The Firm shall not undertake any activity for the account until all facts and circumstances of the unauthorized account activity have been determined.

5. The Firm may also take one or more of the following actions, as appropriate:

6. Increasing its monitoring of the impacted account(s) and similar accounts until such time as the Firm determines is appropriate in light of the risks, facts, and circumstances.

7. Changing account logins, passwords, or other access information and communicating these to the appropriate clients [and/or investors].

8. Cancelling or closing the existing account(s) and assigning the client(s) [and/or investor(s)] new accounts or account numbers.

We are told that an account has been opened or used fraudulently by a client [and/or investor], an identity theft victim, or law enforcement.

Notice From Other Sources

Account Maintenance;

Client Request

The Firm shall verify that the account is an account at the Firm. The Firm shall review the manner by which the account was opened or used.


We learn that unauthorized access to the client [and/or investor] personal information took place or became likely due to data loss (e.g., loss of wallet, birth certificate, or laptop), leakage, or breach.

Notice From Other Sources

Account Maintenance;

Client Request

1. The Firm shall contact the client [and/or investor], using the client’s [and/or investor’s] verified telephone number on record at the Firm, and verify whether the client [and/or investor] accessed the information.

2. The Firm shall attempt to identify, to the extent practicable, whether personally-identifiable client [and/or investor] information regarding the client’s [and/or investor’s] account has been accessed by an unauthorized party. The Firm shall document, if available, the nature of the information accessed, the dates and times of such access attempts, whether any unauthorized transactions were made using the account, and whether the client [and/or investor] suffered any financial loss as a result of the unauthorized transactions.

3. If the Firm determines that personally-identifiable client [and/or investor] information has been accessed:

a. The Firm shall review its insurance policies for appropriate guidance.

b. The Firm shall attempt to mitigate harm to the client(s) [and/or investor(s)] by taking one or more of the following actions, as appropriate:

1. Increasing its monitoring of the impacted account(s) and similar accounts until such time as the Firm determines is appropriate in light of the risks, facts, and circumstances.

2. Contacting the client [and/or investor] by preparing and distributing a notice to affected clients [and/or investors] or all clients [and/or investors] describing the nature of the information breach.

3. Changing account logins, passwords, or other access information and communicating these to the appropriate clients [and/or investors].

4. Cancelling or closing the existing account(s) and assigning the client(s) [and/or investor(s)] new accounts or account numbers.

5. Not opening a new covered account.


6. Closing an existing covered account entirely.

7. Offering credit-monitoring services for a specified time period.

8. Determining that no response or action is warranted under the particular circumstances.

c. The Firm, in coordination with Senior Management and legal counsel, as necessary, shall determine whether there is a “breach of security” such that breach notification is required. The Firm shall prepare and file any notice and complete required procedures or processes pertaining to the information breach as required under federal or state law.


Mobile Device Policy Attestation

Woodstock Corporation

Employee Acknowledgement and Consent to Mobile Device Policy

Name: __________________________________________________ Date: ____________________

If you have a Mobile Device on which you have access to business records, data, or information of Woodstock Corporation, please complete the following form by checking Yes or No in response to each question, and sign and return this acknowledgement form to the Privacy Officer.

If you do not have a Mobile Device, or if you have a Mobile Device that you do not wish or intend to use for business purposes pertaining to Woodstock Corporation, please skip Section 1 and complete Section 2 below, and sign and return this acknowledgement form to the Privacy Officer.

SECTION 1: For personnel using a Mobile Device for business purposes

Certification Yes No

1. I have been provided a copy of the Woodstock Corporation Mobile Device Policy.

2. I have read and understand the Woodstock Corporation Mobile Device Policy.

3. I understand that in order to use my Mobile Device(s) for business purposes, I must subject such Mobile Device(s) to the Woodstock Corporation Mobile Device Policy, including the requirement to maintain appropriate security controls on such Mobile Device(s) as stated in the Woodstock Corporation Mobile Device Policy.

4. I understand that I must notify the Privacy Officer or Chief Compliance Officer immediately upon becoming aware that my Mobile Device has been lost, stolen, or otherwise compromised, and that Woodstock Corporation may respond by taking corrective measures including remotely wiping part or all of the Mobile Device. I further understand that a remote wipe may result in the irretrievable loss of all data, including business as well as personal data, stored on such Mobile Device.

SECTION 2: For personnel not using a Mobile Device for business purposes

(please check here if applicable)

_____ I do not wish or intend to use a Mobile Device for business purposes pertaining to Woodstock Corporation.

Signature: __________________________________________________


Employee Mobile Device Log

Mobile Device Surveillance Performed on: ____________________

Performed By: __________________________________________________

Device in Compliance?

Employee Name | Device Manufacturer | Device Model | Serial # | Carrier | Date Added | Date Removed | Authorized to Access Email | Passcode Enabled | Authorized Apps


Personal Securities Transaction Form

WOODSTOCK CORPORATION

Report of Security Transactions

Quarter Ending ________________

Amt/Shs | Name of Security | Date of Purchase | Date of Sale | Price | Broker/Bank Where Securities are Held

I certify that I have reported above all personal security transactions required to be reported under Woodstock’s current policies and procedures for the quarter indicated.

I also certify that I have reviewed, understand and agree to comply with all Woodstock’s current policies and procedures regarding personal securities trading and insider trading activity.

Signed: _________________________________________________ Date: _____________________

Print Name: _________________________________________________

Reviewed by: _________________________________________________ Date: _____________________
Compliance Officer


Pricing Information

Security Type | Primary Source | Primary Method | Secondary Source(s) | Frequency
Corporate Bonds | IDC; 3PM benchmark based evaluations | Automated Feed | Bloomberg / Standard and Poors / Thomson Reuters | Daily
Equities | IDC | Automated Feed | Bloomberg / Thomson Reuters | Daily
Mortgage-backed securities | IDC; 3PM benchmark based evaluations | Automated Feed | Bloomberg / Standard and Poors / Thomson Reuters | Daily
Municipal Bonds | IDC; 4PM benchmark based evaluations | Automated Feed | Bloomberg / Standard and Poors | Daily
Mutual Funds | IDC (receive the 1st and 2nd session of NASDAQ); Fidelity Funds are priced by Fidelity | Automated Feed | NSCC Files 1-20 | Daily
Options | IDC; Flex options are priced by OCC | Automated Feed | | Daily
US Government Treasury and Agency Obligations | IDC; 3PM benchmark based evaluations | Automated Feed | Bloomberg / Standard and Poors / Thomson Reuters | Daily
Limited Partnerships Classified as Alternative Investments | RA Stanger | Automated Feed | | Monthly
Brokered CDs | IDC | Automated Feed | Bloomberg / Standard and Poors / Thomson Reuters | Daily
Foreign securities | Interactive Data Corporation | Automated Feed | Bloomberg / Standard and Poors / Thomson Reuters | Daily


Privacy

Appendix A California Financial Code Section 4056(b)

Notwithstanding the restrictions in the act regarding the sharing of information with third parties,

“a financial institution may release nonpublic personal information under the following circumstances:

(1) The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.

(2) The nonpublic personal information is released with the consent of or at the direction of the consumer.

(3) The nonpublic personal information is:

(A) Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein.

(B) Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.

(C) Released for required institutional risk control, or for resolving customer disputes or inquiries.

(D) Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.

(E) Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.

(4) The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors.

(5) The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the California Department of Insurance or other state insurance regulators, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.

(6) The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.

(7) The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.


(8) When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to Article 3 (commencing with Section 15630) of Chapter 11 of Part 3 of Division 9 of the Welfare and Institutions Code.

(9) The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:

(A) The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.

(B) There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.

(C) The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.

(D) The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.

(10) The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.

(11) The nonpublic personal information is released to a real estate appraiser licensed or certified by the state for submission to central data repositories such as the California Market Data Cooperative, and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.

(12) The nonpublic personal information is released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).

(13) The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.

(14) The nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement.


Appendix B Regulation S-P, Rules 13, 14 & 15

Rule 13.

a. General rule.

1. The opt out requirements in Rule 7 and Rule 10 do not apply when you provide nonpublic personal information to a nonaffiliated third party to perform services for you or functions on your behalf, if you:

1. Provide the initial notice in accordance with Rule 4; and

2. Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in Rule 14 or Rule 15 in the ordinary course of business to carry out those purposes.

2. Example. If you disclose nonpublic personal information under this section to a financial institution with which you perform joint marketing, your contractual agreement with that institution meets the requirements of paragraph (a)(1)(ii) of this section if it prohibits the institution from disclosing or using the nonpublic personal information except as necessary to carry out the joint marketing or under an exception in Rule 14 or Rule 15 in the ordinary course of business to carry out that joint marketing.

b. Service may include joint marketing. The services a nonaffiliated third party performs for you under paragraph (a) of this section may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions.

c. Definition of joint agreement. For purposes of this section, joint agreement means a written contract pursuant to which you and one or more financial institutions jointly offer, endorse, or sponsor a financial product or service.

Rule 14.

a. Exceptions for processing and servicing transactions at consumer's request. The requirements for initial notice in Rule 4(a)(2), for the opt out in Rule 7 and Rule 10, and for initial notice in Rule 13 in connection with service providers and joint marketing, do not apply if you disclose nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with:

1. Processing or servicing a financial product or service that a consumer requests or authorizes;

2. Maintaining or servicing the consumer's account with you, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or

3. A proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer.

b. Necessary to effect, administer, or enforce a transaction means that the disclosure is:


1. Required, or is one of the lawful or appropriate methods, to enforce your rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service; or

2. Required, or is a usual, appropriate, or acceptable method:

1. To carry out the transaction or the product or service business of which the transaction is a part, and record, service, or maintain the consumer's account in the ordinary course of providing the financial service or financial product;

2. To administer or service benefits or claims relating to the transaction or the product or service business of which it is a part;

3. To provide a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker;

4. To accrue or recognize incentives or bonuses associated with the transaction that are provided by you or any other party;

5. To underwrite insurance at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or State law; or

6. In connection with:

1. The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;

2. The transfer of receivables, accounts, or interests therein; or

3. The audit of debit, credit, or other payment information.

Rule 15.

a. Exceptions to notice and opt out requirements. The requirements for initial notice in Rule 4(a)(2), for the opt out in Rule 7 and Rule 10, and for initial notice in Rule 13 in connection with service providers and joint marketing do not apply when you disclose nonpublic personal information:

1. With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction;

2. 1. To protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction;


2. To protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

3. For required institutional risk control or for resolving consumer disputes or inquiries;

4. To persons holding a legal or beneficial interest relating to the consumer; or

5. To persons acting in a fiduciary or representative capacity on behalf of the consumer;

3. To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants, and auditors;

4. To the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including a federal functional regulator, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a State insurance authority, with respect to any person domiciled in that insurance authority's State that is engaged in providing insurance, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

5. 1. To a consumer reporting agency in accordance with the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or

2. From a consumer report reported by a consumer reporting agency;

6. In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

7. 1. To comply with federal, State, or local laws, rules and other applicable legal requirements;

2. To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, State, or local authorities; or

3. To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance, or other purposes as authorized by law.

b. Examples of consent and revocation of consent.

1. A consumer may specifically consent to your disclosure to a nonaffiliated mortgage lender of the value of the assets in the consumer's brokerage or investment advisory account so that the lender can evaluate the consumer's application for a mortgage loan.

2. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal information as permitted under Rule 7(f).


Appendix C

Dear [Advisor Privacy Officer or CCO]:

I attest that I (or my company) has the requisite skill and knowledge to implement electronic systems on behalf of Adviser that are materially secure and protected from third party intrusion and theft. I have reviewed [ADVISER]'s Privacy & Information Security Program and attest that the [ADVISER]'s electronic systems are maintained in conformance with such required standards. I also attest that my company's services are performed as a third party vendor in a manner designed to safeguard all Nonpublic Personal Information to which I and my company have access.

The systems in place are described as follows

[Describe electronic access controls, including use authentication and authorization, firewall configuration, and security advisories or vulnerabilities.]

I (we) further attest that the electronic systems of [ADVISER] have no known vulnerabilities, and have not been compromised in any manner [or otherwise describe known vulnerabilities and/or security breaches that have occurred].

Very truly yours,


Privacy Policy Attestation

I certify that I have read, understand and agree to comply with Woodstock’s current Privacy and Information Security Program.

________________________________________ Date: ____________________
(Signature)

________________________________________
(Print/Type Name)


Record Retention Chart

Document Description Duration Responsibility Adviser's Location

A. Adviser's Organizational Records

1 Formation Documents. Articles of incorporation, or certificates of formation, as well as any amendments to these documents.

3 years after termination

Clerk Corporate Files

2 Governance Documents. Minute books. 3 years after termination

Clerk Corporate Files

3 Entity Ownership Records. Stock certificate books (or similar evidence of entity ownership).

3 years after termination

Clerk Clerk Files

B. Adviser's Accounting Records

1 Journals. All journals, including cash receipts and disbursements records, and any other records of original entry forming the basis of entries in any ledger.

6 years Controller Accounting Files

2 Ledgers. All general and auxiliary ledgers (or other comparable records) reflecting asset, liability, reserve, capital, income and expense accounts.

6 years Controller Accounting Files

3 Bank Account Information. All check books, bank statements, cancelled checks, and cash reconciliations of the adviser.

6 years Controller Accounting Files

4 Bills and Statements. All bills or statements (or copies), paid or unpaid, relating to the business of the adviser.

6 years Controller Accounting Files

5 Trial Balances and Internal Audit Working Papers. All trial balances and any internal audit working papers relating to the business of the adviser.

6 years Controller Accounting Files

6 Financial Statements. All financial statements relating to the business of the adviser.

6 years Controller Accounting Files

C. Portfolio Management Records

1 Trade Tickets and Client Instructions 6 years Trader File Room B

(a) Required Memoranda. A memorandum of:


(1) Trade Orders. Each order given by the adviser for the purchase or sale of any security;

(2) Trade Related Instructions. Any instruction received by the adviser concerning the purchase, sale, receipt or delivery of a particular security; and

(3) Modification and Cancellation Instructions. Any modification or cancellation of any such order or instruction.

(b) Required Content. Each memorandum must:

(1) Show the terms and conditions of the order, instruction, modification or cancellation;

(2) Identify the person connected with the adviser who recommended the transaction to the client and the person who placed the order;

(3) Show the client account for which the transaction was entered, the date of entry, and the bank, broker or dealer by or through whom the transaction was executed where appropriate; and

(4) Designate as such any orders entered pursuant to the exercise of discretionary power.

2 Allocation Statements. An "allocation statement" for each aggregated order (and a written statement explaining any deviations therefrom). The allocation statement should specify the client accounts participating in the aggregated order and indicate how the adviser intends to allocate securities among those clients. Once completed, the allocation statement should be attached to the corresponding trade ticket.

6 years Trader File Room B

3 Trade Blotter. Operations Supervisor

Network Folder

4 Securities Transaction Records. For each client who receives "investment supervisory or management service," a separate record, such as a journal, showing the securities purchased and sold, and the date, amount and price of each transaction.

6 years Custody Supervisor

Client Statements


5 Securities Position Records. For each security in which a client receiving "investment supervisory or management service" has a current position, information from which the adviser can promptly furnish the name of each such client, and the current amount or interest of such client.

current basis Custody Supervisor

Fidelity

6 Monitor Lists. 6 years Director of Research

Network Folder

7 Research Committee Minutes. 6 years Director of Research

Network Folder

8 Best Execution. Information sufficient to demonstrate the periodic and systematic evaluation of the quality and cost of services received from broker/dealers who execute the adviser's trades, information received and evaluated, conclusions reached and decisions made, and determinations that practices are consistent with disclosures in the adviser's Form ADV.

6 years CCO Compliance A

9 Soft Dollars Arrangements.

(a) Written Agreements (if applicable). Copies of all written agreements entered into relating to soft dollar arrangements.

(b) "Mixed Use" Allocation Calculations. Where an adviser accepts "mixed use products," records of the basis for allocations of mixed-use products and services between their hard and soft dollar components.

(c) Products and Services List. A list of all products and services received from broker-dealers.

6 years CCO Compliance A

D. Client Relationship Records

1 Advisory Contracts. An original or copy of each advisory contract entered into by the adviser with any client. The advisory contract should include a fee schedule in its body or as an attachment.

6 years (after termination of contract)

Portfolio Administrator

Client Legal Files and Network

2 Other Written Client Agreements. A copy of every other written agreement entered into by the adviser with any client.

6 years Portfolio Administrator

Client Legal Files and Network

3 Discretionary Powers. A list or other record of all accounts in which the adviser is vested with any discretionary power with respect to the securities or transactions of any client.

6 years Portfolio Administrator

Fidelity and Client Legal File


4 Powers of Attorney. All powers of attorney and other evidences of the granting of discretionary authority by any client to the adviser (or copies).

6 years Portfolio Administrator

Client Legal Files and Network

5 Written Communication 6 years (For marketing materials, five years from the end of the fiscal year in which the materials were last published or disseminated)

Various Various; typically file room, client legal, financial, or correspondence files.

(a) Requirement. Originals of all written communications received and copies of all written communications sent by the adviser relating to:

(i) Any recommendation made or proposed to be made and any advice given or proposed to be given;

(ii) Any receipt, disbursement or delivery of funds or securities; or

(iii) The placing or execution of any order to purchase or sell any security.

These documents would include, for example: (i) privacy and opt-out notices delivered to clients and potential clients pursuant to Regulation S-P; (ii) account statements sent to clients; (iii) trade confirmations; (iv) fee invoices; (v) notices to custodians; (vi) principal and agency transaction notices; (vii) letters describing directed-brokerage arrangements; and (viii) marketing materials (as discussed in more detail below).

(b) Exceptions. The adviser is not required to keep:

(i) Any unsolicited market letters and other similar communications of general public distribution not prepared by or for the adviser; and


(ii) A record of the names and addresses of the persons to whom the adviser sent any notice, circular or other advertisement offering any report, analysis, publication or other investment advisory service if such document is sent to more than 10 persons (except that if such notice, circular or advertisement is distributed to persons named on any list, the adviser must retain with the copy of the notice, circular or advertisement a memorandum describing the list and its source).

6 Complaint File. Copies of written client complaints and any responses.

6 years CCO Compliance A

7 Part 2 of Form ADV Delivery. 6 years Portfolio Administrator

Contract

(a) Copies of Part 2 Form ADV. A copy of Part II of Form ADV and each amendment or revision to the document, given or sent to any client or prospective client of the adviser in accordance with Rule 204-3.

(b) Dates of Actual Delivery. A record of the date that each Part 2 of Form ADV, and each amendment or revision, were given to any client or prospective client who subsequently became a client.

(c) Dates of Annual Delivery. A record of the date that Part 2 of Form ADV or material changes thereto was provided to existing clients, as part of the annual requirement.

8 Custody Requirements. If the adviser has custody or possession of securities or funds of any client, the adviser must make and keep the following additional records:

6 years Custody Supervisor

(a) Journals. A journal or other record showing all purchases, sales, receipts and deliveries of securities (including certificate numbers) for "custody" accounts and all other debits and credits to such accounts. (Fidelity Report)

Network

(b) Separate Ledger Accounts. A separate ledger account for each "custody" client showing all purchases, sales, receipts and deliveries of securities, the date and price of each such purchase and sale, and all other debits and credits. (Statement Download)

Network


(c) Confirmations. Copies of confirmations of all transactions effected by or for the account of any "custody" client.

Client Files

(d) Securities Cross Reference Record. A record for each security in which any "custody" client has a position, which must show the name of each such client having any interest in the security, the amount or interest of each such client, and the location of each such security.

Fidelity and Network

9 Electronic Communications.

(a) Electronic communications will be maintained in electronic media.

CCO Network

(b) Documentation maintained related to the ongoing or periodic monitoring of electronic communications.

CCO Net and Global Relay

E. Marketing Records

1 Marketing Materials. A copy of each notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the adviser circulates or distributes, directly or indirectly, to 10 or more persons (other than persons connected with the adviser).

6 years after the end of the fiscal year when last used

Marketing Manager

Compliance B

2 Recommendation Rationale Memoranda (if applicable). A separate memorandum indicating the reason for a recommendation if a notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication (a) recommends the purchase or sale of a specific security and (b) does not state the reasons for the recommendation.

6 years after the end of the fiscal year when last used

Marketing Manager

Compliance B

3 Use of Performance in Advertisements (if applicable). If the adviser uses performance information in advertisements, the adviser must retain the following records:

6 years after the end of the fiscal year when last used

Operations Supervisor

Network


(a) Requirement. All accounts, books, internal working papers, and any other records or documents that are necessary to form the basis for or demonstrate the calculation of the performance or rate of return of any or all managed accounts or securities recommendations in any notice, circular, advertisement, newspaper article, investment letter, bulletin or other communication that the investment adviser circulates or distributes to 10 or more persons (other than persons connected with the adviser).

(b) Satisfactory Records. With respect to the performance of managed accounts, an adviser may limit its retention of documents to (1) all account statements, provided the statements reflect all debits, credits, and other transactions in a client's account for the period of the statement, and (2) all worksheets necessary to demonstrate the calculation of the performance or rate of return of all managed accounts.

4 Use of Solicitors. If the adviser pays cash to any employee, principal or third party in return for client referrals, the adviser must retain the following records:

6 years (after client relationship is terminated)

(a) Written Agreements. Agreements with solicitors establishing the solicitation arrangement (including specified terms in the case of third-party solicitors).

CCO Compliance A

(b) Solicitor's Separate Disclosure Documents. Copies of the separate written disclosure documents prepared by third-party solicitors and delivered to clients.

CCO Compliance A

(c) Client Acknowledgments. Copies of each signed and dated client acknowledgment of receipt of the solicitor's written disclosure document.

CCO Compliance A

(d) Third-Party Solicitor Questionnaires. Copies of any due diligence questionnaires completed by third-party solicitors relating to past conduct that might disqualify the person from acting as a solicitor.

CCO Compliance B

(e) Client List. A list of each client account obtained through a solicitor, with a cross reference identifying the solicitor.

CCO Compliance A

F. Personnel Supervision Records


1 (a) Insider Trading Policies and Procedures. Copies of all policies and procedures reasonably designed, taking into consideration the nature of the adviser's business, to prevent the misuse in violation of the Advisers Act or the Exchange Act, or the rules and regulations thereunder, of material nonpublic information by the adviser or any person associated with the adviser.

Permanently CCO Compliance B

(b) Annual Acknowledgement form. Form indicates that they have read, and understand the adviser's Policies and Procedures for the Prevention of Insider Trading, and will comply in all respects with such policies and procedures.

2 Code of Ethics. 6 years after date last used

CCO Compliance B

(a) A copy of the investment adviser's code of ethics adopted and implemented that is in effect, or at any time within the past five years was in effect;

(b) A record of any violation of the code of ethics, and of any action taken as a result of the violation; and

(c) A record of all written acknowledgements of the Code of Ethics for each person who is currently, or within the past five years was, a supervised person of the investment adviser.

3 Personal Securities Holdings Transactions Reports.

6 years CCO Compliance A

(a) A record of each holdings and transactions report made by an access person, including any information, duplicate confirmations or statements in lieu of such reports;

(b) A record of the names of persons who are currently, or within the past five years were, access persons of the investment adviser; and

(c) A record of any decision, and the reasons supporting the decision, to approve the acquisition of securities in IPOs or limited offerings by access persons, for at least 5 years after the end of the fiscal year in which the approval is granted.

4 Compliance Policies and Procedures. 65 years CCO Compliance A


(a) A copy of the adviser's current compliance policies and procedures

(b) Records documenting the adviser's annual review of the policies and procedures.

5 Employment Records. All employment records including for each employee, officer and director (as applicable):

Permanently, on a current basis

Controller Accounting Files

(a) Dates of Employment;

(b) Addresses and social security number; and

(c) Disciplinary history.

6 Employee and All Other Business Contracts. All written agreements (or copies) entered into by the adviser relating to the business of the adviser as such, including for example (a) Employment contracts; (b) Rental agreements and property leases; and (c) contracts with pricing services and other service providers.

6 years Controller Accounting Files

G. Form ADV Source Records

1 Entity Overview Materials. The adviser's organizational chart, employee lists and a schedule or chart of affiliated entities.

Permanently Controller Compliance B

2 Litigation Lists (if applicable). A record of past, present and pending litigation involving the adviser or its officers, directors or employees that may have a material effect on the adviser or otherwise trigger disclosure obligations.

Permanently CCO Compliance A

H. SEC Related Records

1 Form ADV I, including all amendments. Permanently CCO Compliance B

2 Registration Order. SEC order granting Advisers Act registration.

Permanently CCO Compliance A

3 Exchange Act Reports. Reports required to be filed under the Exchange Act of 1934, including, if applicable

Operations Supervisor

Compliance B

(a) Schedules 13D and 13G. (where the adviser owns more than 5 percent of an issuer's securities).

(b) Forms 13F (for advisers who have investment discretion over $100 million in equity securities).


(c) Forms 3, 4, and 5 pursuant to Section 16. (where the adviser is required to report securities holdings by virtue of being a "statutory insider" or beneficial owner of more than 10 percent of a class of an issuer's registered equity securities).

4 SEC Correspondence. Copies of all correspondence with the SEC including any

6 years CCO Compliance A

(a) Exemptive Orders;

(b) No-action interpretations; and

(c) Past deficiency letters.

I. Proxy Voting

1 Copies of all policies and procedures required by 275.206(4)-6.

6 years CCO Compliance A

2 A copy of each proxy statement that the investment adviser receives regarding client securities. An investment adviser may satisfy this requirement by relying on a third party, the EDGAR system, for copies of proxy statements.

6 years CCO File Room

3 A record of each vote cast by the investment adviser on behalf of a client.

6 years CCO Electronic/File Room

4 A copy of any document created by the adviser that was material to making a decision how to vote proxies on behalf of a client or that memorializes the basis for that decision.

6 years CCO File Room

5 A copy of each written client request for information on how the adviser voted proxies on behalf of the client, and a copy of any written response by the investment adviser to any (written or oral) client request for information on how the adviser voted proxies on behalf of the requesting client.

6 years CCO Compliance A

J. Other Regulator Records

1 State Notice Filings. Copies of all notice filings sent to states where the adviser has a place of business.

Permanently CCO Compliance A

2 Investment Advisory Representatives. A list of all of the adviser's "investment adviser representatives" and the states in which these persons have a "place of business," as defined in Rule 203A-3.

Permanently CCO Compliance A


3 State Filings for Advisory Representatives. Copies of all state filings made on behalf of investment adviser representatives, as well as copies of all state licenses obtained by investment adviser representatives, if any.

Permanently CCO Compliance A

4 State Correspondence. Copies of all correspondence with any state.

Permanently CCO Compliance A

5 Self Regulatory Organization Correspondence (if applicable). Copies of all correspondence with any self regulatory organization.

Permanently CCO N/A

6 Miscellaneous. 6 years Various Client Legal Files

(a) New Account Form

(b) Trust Agreement

(c) IRA Agreement

(d) Wills

(e) Prior Custodian Records


Trade Error Report


TRADE DATE: ____________________ SETTLEMENT DATE: _______________________

SECURITY/SHARES: ____________________ TRANSACTION B/S: _____________________

ACCOUNT NAME: _______________________________________________________________________________

PORTFOLIO MANAGER: ______________________________________________________________________________

EXECUTING BROKER: ____________________ CONTACT/TELEPHONE: ____________________

ERROR MADE BY: _____________________________________________________________________________________

SUMMARY DESCRIPTION OF ERROR:

___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

RESOLUTION OF ERROR:

___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

IS ERROR PROFIT/LOSS & HOW WAS ERROR ALLOCATED:

__________________________________________________________________________________________________________________________________________________________________________________________________________________

REPORT REVIEWED BY:

PORTFOLIO MANAGER:

___________________________________________________ _____________________
Signature Date

TRADER:

___________________________________________________ _____________________
Signature Date

COMPLIANCE OFFICER:

___________________________________________________ _____________________
Signature Date
