November 10, 2015
By: Jaqueline M. Hummel, Managing Director
Toward the end of the year, I take an inventory of the changes to the SEC’s regulatory landscape in the past 12 months. My goal is to identify the biggest hot buttons for the regulators and determine where firms should focus their efforts in updating their compliance programs. This year I am presenting this as a two-part series.
The first part of the series focuses on the big takeaways from 2015 for all investment advisers:
- Develop a data security and information protection program to address the SEC’s cybersecurity concerns;
- Update the code of ethics to require additional due diligence to determine whether accounts are “controlled” by an access person;
- Review (or create) AML procedures; and
- For advisers that focus on retirement assets, review the policies and procedures for providing investment recommendations, disclosure of conflicts of interest, supervision of remote offices, and review of marketing materials.
This last point addresses the SEC’s recent ReTIRE Initiative, a multi-year, targeted review of investment advisers and broker dealers involved in providing services and products for investors saving for retirement.
Advisers may also want to keep the SEC’s proposed amendments to Form ADV on their radar, although I think this proposal will not be enacted as written given the number of comments received.
The second part of the series is for advisers that manage private equity and hedge funds, and includes the following items to consider:
- Top to bottom review of all fees and expenses earned and charged by private funds to determine whether disclosure to investors is required; and
- Procedures for establishing a “substantive relationship” with potential investors using the internet.
My recommendations are based on the messages being sent by the regulators. The SEC has issued three risk alerts and a guidance notice on cybersecurity, making it clear that this topic is a priority. But equally important are the enforcement cases, where the SEC punishes misbehavior using fines, sanctions and industry bans to get the attention of the industry.
The enforcement arm of the SEC has been incredibly active this year, with a record 807 enforcement actions filed, as compared to 755 in 2014, 686 in 2013 and 734 in 2012. The SEC also expanded its repertoire, bringing a number of “first-of-their-kind” (the SEC’s term) cases, including an action against a private fund adviser for misallocating broken deal expenses, an action against a rating service for misconduct in rating commercial mortgage-backed securities, and charges against a national audit firm for issuing deficient audits. The SEC has widened its net, going after gatekeepers and other service providers to investment advisers for aiding and abetting fiduciary breaches.
There has been considerably less movement on the regulatory side. In fact, no new regulations were adopted under the Advisers Act. There are two outstanding proposals applicable to investment advisers: the SEC’s amendment to Form ADV and FinCEN’s regulations requiring investment advisers to establish anti-money laundering programs and to report suspicious activity. And the U.S. Department of Commerce jumped into the regulatory fray through the Bureau of Economic Analysis (the “BEA”) by requiring U.S. persons to file a form disclosing ownership of 10% or more in a foreign business enterprise.
Here are my recommendations for 2016 for investment advisers:
Implement, Assess and Test Your Firm’s Cybersecurity Program
The SEC and FINRA have been quite emphatic about the need to protect confidential client and firm information from hackers, disgruntled employees, and fraudsters who can find their way into firm systems through the internet. To bring this message home, the SEC included cybersecurity on its exam priorities list for the past two years, conducted various cybersecurity sweeps and issued guidance on this issue. Most recently, the National Futures Association jumped on the bandwagon and issued rules and a new Interpretative Notice effective March 1, 2016, that requires its members, including commodity pool operators and commodity trading advisers, to set up information systems security programs.
For investment advisers, the duty to protect client information is codified in Regulation S-P. Most advisers are familiar with Rule 10, the Disclosure Rule, which requires financial institutions to provide notices to customers about their information collection and information-sharing practices. Another rule under Regulation S-P that has taken over the spotlight is Rule 30, the Safeguards Rule, which requires every broker, dealer, investment company and SEC-registered investment adviser to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
In September 2015, the SEC brought an action against a firm for failing to comply with this rule: R.T. Jones Capital Equities Management, Inc. was fined $75,000 and censured for failing to adopt any written policies and procedures to ensure the security and confidentiality of its clients’ personal information.
In July 2013, R.T. Jones discovered that its third-party hosted web server, which held personally identifiable information of the firm’s clients, had been hacked. R.T. Jones took appropriate action once the breach was discovered, hiring cybersecurity firms to determine the source of the attack and assess its scope. All those affected were notified and offered a year’s worth of free identity theft monitoring. There is no indication that clients suffered any financial harm as a result of the breach.
Despite the firm’s post-breach actions, the SEC still punished R.T. Jones because it failed to have any written policies or procedures to protect client information for four years prior to the breach.
In the administrative order, the SEC gives specific examples of what it considers reasonable steps:
- conducting periodic risk assessments;
- employing a firewall to protect the web server containing client personal information;
- encrypting confidential client data stored on that server; and
- establishing procedures for responding to a cybersecurity incident.
My recommendation for adviser CCOs is to ensure that their firms are taking the steps listed above. The complexity of data management systems and the many types of threats may seem overwhelming.
Given the intense regulatory scrutiny and the very real risk from hackers stealing your data, I recommend engaging an IT security expert to help you evaluate and test your firm’s controls for confidential client and firm information.
But even simple steps can be very effective. A properly configured firewall and current antivirus and anti-malware software are an essential first line of defense. Training employees to recognize fraudulent emails and phishing attacks can help prevent intrusions by malware designed to steal passwords or by attackers who trick staff into installing it.
Requiring telephonic confirmation, using a phone number already on file rather than one supplied in the email, before disbursing cash in response to requests received via email can stop fraud. Make sure all company mobile devices are password protected and, where possible, encrypted, since a stolen laptop or smartphone can otherwise expose customer and confidential firm data. I also recommend immediately revoking an employee’s access to email and all systems when he or she leaves the firm.
There is a wealth of information published by the SEC and various other sources that gives excellent guidance on how to develop and maintain a cybersecurity program. At the very least, advisers should know what types of confidential data they have and where it resides, who has access to it and how that access is acquired, and what protections are in place to keep this information secure. Advisers should plan to perform periodic assessments to determine the adequacy of the protections in place. There should also be protocols for addressing breaches, and a process for escalating issues to management. There should be an officer of the firm who is responsible for ensuring that the cybersecurity program is implemented, tested and assessed. The program should also include periodic training to educate employees about potential threats and red flags, as well as how to respond in the event of a suspected breach of security.
Update the Code of Ethics by Beefing up the Process for Determining “Control” Over Accounts
The SEC issued guidance under Rule 204A-1 of the Advisers Act, which requires registered investment advisers to establish, maintain and enforce a written code of ethics. This guidance addresses the definition of “control”, and requires advisory firms to perform due diligence in situations where an individual required to report under the code of ethics (an “access person”) asserts that he or she does not have any control over an account. (For a more detailed discussion, see Trust But Verify: The SEC Addresses “Control” Under Code Of Ethics Rule.) Generally, if an access person has no control over an account, the account and any activity within that account would not have to be reported under the adviser’s code of ethics.
Compliance officers struggle with the definition of “control”. Many access persons understandably want to avoid or limit the amount of reporting they are required to provide under the firm’s code of ethics, in part because they do not want to disclose to others their financial situation and in part because they do not want to fill out the paperwork. For example, an access person may tell the compliance staff that the broker has discretion over his or her securities account, and he or she does not provide any input with respect to the trading activity. Therefore, the access person argues, no reporting is required. Prior to this guidance, the compliance staff did not have much regulatory firepower to ask for more than a certification from the access person stating that he or she did not exercise any control or influence over the account.
By publishing this guidance, the SEC staff has given compliance officers direction on how to handle these situations. And in the face of executive pushback, compliance professionals now have written permission from the SEC to request the specifics of certain “non-discretionary” accounts. It’s the difference between having to ask politely and having a search warrant.
Here are my recommendations based on this guidance.
- Review your code of ethics for the definition of “control” as it relates to personal accounts of access persons. This definition may be buried in the “beneficial ownership” definition. “Control” means that the access person has the ability to order trades in the account, whether or not that access person has any interest in the account (but excludes accounts managed by an access person on behalf of the firm in his/her role as a portfolio manager or trader). This ability or discretion to trade does not have to be exclusive; it can be shared with others, including a co-trustee. The agreement that governs the account, such as an investment management agreement or the trust instrument, determines whether the access person has discretion to trade. Therefore, even if a third-party adviser has discretion over an account, if the agreement allows the access person to direct trades, the access person still has control. In the case of a trust, an access person has control over the account if he/she is a settlor and has the power to revoke the trust without the consent of another person, and controls or shares investment control over the trust’s investments.
- Include a process for allowing exemptions to pre-clearance for accounts where an access person does not have control over an account (a “non-discretionary account”). This process should require an access person to submit a written request to the CCO, along with a copy of the agreement governing the accounts. The form of request should include the definition of “control” from the firm’s Code of Ethics. The CCO would then determine whether any of the accounts were under the control of an access person. As part of this written request, the access person should certify:
- I have no direct or indirect influence or control over the Accounts;
- If my control over the Accounts should change in any way, I will immediately notify you in writing of such a change and will provide any required information regarding holdings and transactions in the Accounts pursuant to the Rule; and
- I agree to provide reports of holdings and/or transactions (including, but not limited to, duplicate account statements and trade confirmations) made in the Accounts at the request of Chief Compliance Officer.
- Require periodic certifications from those access persons with non-discretionary accounts stating:
- I did not suggest that the Manager make any particular purchases or sales of securities for the Accounts during the period;
- I did not direct the Manager to make any particular purchases or sales of securities for the Accounts during the period; and
- I did not consult with the Manager as to the particular allocation of investments to be made in the Accounts during the period.
Review Your AML Procedures
Once again, FinCEN (U.S. Treasury’s Financial Crimes Enforcement Network) issued a proposed rule that would require investment advisers registered with the SEC to establish anti-money laundering (“AML”) programs and report suspicious activity to FinCEN pursuant to the Bank Secrecy Act. In 2002 and 2003, FinCEN first proposed AML program requirements for unregistered investment companies and certain investment advisers. Nothing happened with these rules, and they were eventually withdrawn by FinCEN in November 2008.
The proposal would require registered investment advisers to implement AML programs, to file suspicious activity reports (“SARs”) under the Bank Secrecy Act (“BSA”), to file currency transaction reports (“CTRs”) for transactions exceeding $10,000 and keep records relating to the transmittal of funds. The minimum requirements of an AML program include:
- Establishing and implementing risk-based and reasonable written policies, procedures, and internal controls;
- Providing for periodic independent testing of the program;
- Designating a person or persons responsible for monitoring the operations and internal controls of the program; and
- Providing ongoing training for appropriate persons.
The program would be required to be approved by an adviser’s board of directors or other persons having a similar function.
If the rule is adopted, compliance would be mandated six months after final adoption. Advisers should be prepared to incorporate policies and procedures relating to the prevention of money laundering, and alert employees to red flags. Red flags could include, for example, a customer refusing to reveal any information about business activities, an adviser refusing to disclose the identity of a client where he/she is acting as an agent, or when a client exhibits a total lack of concern regarding performance returns or risk.
It is possible that this time FinCEN will be successful in getting this rule adopted, although I suspect that the scope will be narrowed. Of the 31 comment letters submitted on this latest proposal, many recommended excluding certain types of advisers and advisory business from the rule. For example, advisers that provide non-management advisory services present no risk for money laundering and may not be able to access sufficient information about a client’s account to detect any suspicious activities, and therefore should not have to adopt AML programs. Other commenters noted that providers of sub-advisory services, including managed account platforms, wrap fee programs and other sub-advised accounts, should not be required to adopt AML programs, since they have little or no access to information about the underlying clients investing in these programs, and the principal adviser is in a better position to manage the AML responsibilities. Some commenters requested that the proposed rules allow registered investment advisers to share SARs with affiliated entities so larger entities can identify suspicious transactions occurring throughout a corporate enterprise. Predictably, some commenters objected to the rule as overly burdensome to smaller advisers who pose very little risk of being used as conduits for money-laundering activities.
Review policies and procedures to ensure that the information, advice, products, and services being offered to investors are consistent with applicable laws, rules, and regulations
The SEC’s Office of Compliance Inspections and Examinations (OCIE) announced in June 2015 that it was launching a multi-year targeted review of investment advisers and broker dealers involved in providing services and products for investors saving for retirement. These exams focus on sales, investment and oversight processes, and are part of the “ReTIRE Initiative”.
Advisers that focus on retirement assets should be able to demonstrate to the SEC that they have:
- Procedures for performing due diligence on investment options, applying a consistent process for making investment recommendations, and providing on-going account management;
- Processes for addressing and disclosing conflicts of interest;
- Appropriate controls and supervision for branch offices and representatives with outside business activities; and
- Procedures for reviewing marketing and disclosure materials to ensure they are not deceptive or misleading.
OCIE will be looking at sales and recommendations made by advisers in light of the fees being charged, the services provided and the compensation paid to advisers for various products and services. For example, are investment advisory representatives being paid more for certain types of products and do those products represent a disproportionate share of total firm revenue? Are these products appropriate for investors, or would less lucrative products be a better match? Are the materials being used to market products and services to investors accurate and disclose all material information and potential conflicts of interest? Are investors made aware of additional compensation that may be received by an adviser as a result of the sale of certain investment products?
This initiative may be focused on retirement products but the emphasis on an adviser’s fiduciary duty remains the same as in all examinations. The bottom line is that the SEC wants to make sure that retail investors saving for retirement are being provided with investment recommendations based on their needs and goals, and not on what will make the most money for the investment adviser.
I have some additional recommendations. For firms that are registered both as investment advisers and broker dealers, there should be protocols in place to ensure that clients are being placed in the right types of commission- or fee-based accounts. The SEC will also be closely watching recommendations made by advisers for clients to roll over 401(k) assets into individual retirement accounts, so advisers should have a process to assess when a rollover is appropriate for the client. Finally, the SEC is also concerned about advisers recommending complex, yield-seeking products which may not be suitable for retail investors who may not fully appreciate the risks involved. Advisers offering these types of products should ensure that the due diligence process for selecting these investments is solid, and that investors are provided with ample disclosures regarding the risks.
Prepare for proposed Form ADV Amendments? Maybe later…
The SEC’s proposed changes to Form ADV will require advisers to provide more detailed information on separately managed accounts (including aggregate information on assets under management, investments and use of derivatives and borrowing). (For more detail on these proposed changes, see SEC Asks For More Data From Funds And Advisers.) Additionally, the proposal includes disclosure on advisers’ use of social media, branch offices and whether the adviser or some other entity is compensating the Chief Compliance Officer. Other proposed amendments are aimed at establishing a more efficient method for the registration of multiple private fund adviser entities operating a single advisory business. There are also a few technical amendments intended to make the form easier to complete.
There were 45 comment letters submitted on these proposed changes, and seven meetings with SEC officials from industry representatives. Many advisers are concerned about the burden of having to provide information about the derivatives and categories of investments in separately managed accounts, especially if this data must be reported more than once a year. Many commenters were even more unsettled by the fact that this data would be public, which could potentially reveal sensitive information about client accounts and investment strategies.
Not surprisingly, several commenters responded to the SEC’s question about any “ambiguities or concerns” that should be addressed in the Form ADV, stating that Item 9 on Form ADV Part 1A relating to custody is confusing and should be re-written.
From the many comment letters and meetings, my guess is that the SEC is facing a substantial amount of industry opposition to many of its proposed changes. Therefore, I would not recommend that advisers revise their current Form ADV processes to comply with this proposal at this time.
Next Post: Part 2 of a 2-part Series: Recommendations for Private Equity and Hedge Fund Advisers
More details are available on the BEA website at http://www.bea.gov/surveys/respondent_be10.htm; for a brief overview of the regulation, see https://www.linkedin.com/pulse/new-filing-investment-advisers-hedge-funds-form-be-10-hummel.
FINRA conducted Cybersecurity Sweeps, starting in January 2014, http://www.finra.org/industry/cybersecurity-targeted-exam-letter; FINRA Report on Cybersecurity Practices, https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.
 OCIE announced cybersecurity as part of its 2015 examination priorities http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf;
In March 2014, the SEC sponsored a Cybersecurity Roundtable, at http://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable-032614.shtml; in April 2014, OCIE published a Risk Alert announcing cybersecurity sweep exams, http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert–Appendix—4.15.14.pdf; in February 2015, OCIE published its findings from the cybersecurity sweep, http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
See SIFMA’s Guidance for Small Firms: How Small Firms Can Protect Their Business, http://www.sifma.org/issues/operations-and-technology/cybersecurity/guidance-for-small-firms; OCIE Cybersecurity Initiative, April 15, 2014, http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert–Appendix—4.15.14.pdf, which includes a sample document request that OCIE uses in its cybersecurity sweep exams; Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf; OCIE’s Cybersecurity Examination Sweep Summary, February 3, 2015, http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; IM Guidance Update, April 2015, http://www.sec.gov/investment/im-guidance-2015-02.pdf; OCIE’s 2015 Cybersecurity Examination Initiative, September 15, 2015, http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
Massachusetts provides useful tools for smaller advisers to use to develop a written information security program. For example, the Office of Consumer Affairs and Business Regulation of the Commonwealth of Massachusetts put out a “how to” manual for putting together a written information security program: A Small Business Guide: Formulating a Comprehensive Written Information Security Program, at http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf. Massachusetts has also published its “Data Privacy Report” for 2012 at http://www.mass.gov/ocabr/docs/2012-data-privacy-report.pdf, and for 2013 at http://www.mass.gov/ocabr/docs/-oca/2013-data-privacy-report.pdf. The 2012 report is especially helpful, since it includes information on how specific companies responded to data breaches.