Annual Compliance Program Review | Compliance Programs | Conflicts of Interest | Cybersecurity | Disclosures | Investment Advisers | Seniors and Vulnerable Investors

SEC’s Top 10 Hits: Investment Adviser Regulatory Review 2019 – Part 2

Here the remaining top 5 hits from our investment adviser regulatory review. (Check out Part 1 here.)

5.    Make sure you are on top of Regulation S-P compliance obligations and enhance protocols for security on the cloud.

The SEC remains concerned about information security, including cyber-related risks, and 2020 is no different.  OCIE stated in its 2020 Examination Priorities that it would continue to focus its examinations on assessing registered investment advisers’ protection of clients’ personal financial information.  OCIE’s scrutiny will include oversight practices for service providers and network solutions, including cloud-based storage. In light of these priories,  OCIE’s two Risk Alerts, Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies and Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features should be required reading for RIAs.

In the risk alert on Regulation S-P issues, OCIE found advisers and broker-dealers are aware of the Safeguards Rule and Regulation S-P but have not followed up with administrative, operational and physical safeguards.  Firms also stumbled when it comes to training their staff on using encryption, password protection, or other available tools to protect client information.  Some firms have also failed to address the widespread use of personal devices like laptops and cellphones for storing client information without the appropriate anti-theft safeguards.

In the second risk alert, Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features, OCIE provides firms with samples of effective practices, such as policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the cloud-based storage systems.  Investment advisers and broker-dealers should use the risk alert as a guide for improving their information security protocols.

Recommendation 1

Review your firm’s privacy policies and procedures to see if they include the administrative, operational, and physical safeguards that the SEC expects to see. Make sure you have addressed the most common deficiencies and weaknesses identified in the alert:

  • Failing to provide initial and annual notices, and submitting inaccurate privacy notices.
  • Failing to include an opt-out right to clients where firms share nonpublic personal information with non-affiliated third parties.
  • Writing policies and procedures that discuss the requirements of Rule 30(a) of Regulation S-P (the “Safeguards Rule”) without describing the firm’s processes for actually protecting client information.
  • Failing to reasonably design or implement policies to safeguard customer records and information. Firm policies should address the following:
    • the use of personal devices and how they should be configured to protect customer information
    • requiring the use of encryption when using email to send personally identifiable information, and prohibiting the use of unsecure networks to access client information
    • periodic training and monitoring for firm employees to ensure private client information is being protected
    • ensuring that outside vendors have sufficient safeguards to protect clients’ private information
    • actions to take in the event of a cybersecurity incident
    • physically securing private client information restricting access to private client information (locked file cabinets)
    • promptly removing access rights for departing employees.

Recommendation 2

Compare OCIE’s Risk Alert on Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features to your firm’s current policies and procedures regarding storage of electronic customer records.  Compliance officers should work with IT professionals to:

  • Develop standards for security controls and security configuration for network storage solutions;
  • Perform initial and ongoing due diligence on third-party vendors providing network storage solutions.
  • Draft vendor management policies and procedures that include regular implementation of software patches and hardware updates, followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration; and
  • Perform testing to ensure that network storage solutions are working as intended.

6.    Confirm whether you have sufficient supervisory processes.

OCIE issued a risk alert describing findings from its 2017 “Supervision Initiative” that reviewed the supervisory practices of more than 50 firms that employed individuals with disciplinary histories.   Deficiencies identified by OCIE included inadequate disclosure of disciplinary events and failure to adequately supervise their employees and representatives.  Advisers should take a close look at the examples cited in this risk alert and compare them against their current processes and practices.

In addition to keeping a close eye on employees with regulatory blemishes, firms should also close potential holes in their supervision processes.  As noted in the risk alert, SEC staff found weak supervisory practices in determining asset valuation, calculating and reporting performance, fee billing and monitoring supervised persons’ activities in remote offices.  Gaps in supervision can lead to serious compliance issues.

Along with this Risk Alert, the SEC brought several cases against advisers as a direct result of failures to supervise certain higher-risk activities.  Four cases dealt with valuation: Deer Park Road Management Company, L.P. (“Deer Park”) and Scott E Burg,  In the Matter of Swapnil Rege, and Nomura Securities International, Inc. (SEC Order for CMBSSEC Order for RMBS).  These cases share similar fact patterns.  First, the securities at issue did not have a readily available market price, and the traders had discretion in determining their value.  Second, in almost all cases, the traders received performance-based compensation.  Third, those overseeing the valuation process were either not paying attention or were not experienced enough to identify the traders’ price manipulations.  Fourth, supervisors were not held accountable for traders’ valuations (at least until the SEC came on the scene).

Another classic example of the pitfalls of failing to supervise is the case of Richard Diver.  For seven years, Diver was able to steal $6 million from his firm, M&R Capital Management, and its clients, to fund his lavish lifestyle.  Diver was a co-founder of the firm and its Chief Operating Officer (COO) and was responsible for managing the firm’s revenues and expenses, including payroll and client billing. He used his position to inflate his salary and by overbilling clients. Ultimately, the SEC investigated and referred the case to the U.S. Attorney for the Southern District of New York, which filed criminal charges against Diver and arrested him for embezzlement.

Recommendation 1

Review OCIE’s Risk Alert on Compliance, Supervision, and Disclosure of Conflicts of Interest and determine whether your firm has sufficient processes, policies and procedures in place to supervise individuals with disciplinary histories.  This includes performing background checks, adopting “heightened supervision” procedures for supervised persons with disciplinary events, such as those related to “misappropriation, unauthorized trading, forgery, bribery, and making unsuitable recommendations.  Consider whether your firm can adequately supervise the activities of supervised persons in remote offices, particularly those with disciplinary histories.

Recommendation 2

If heightened supervision is necessary, have a plan in place.  Advisers can take a page from broker-dealers and review FINRA Regulatory Notice 18-15: “Guidance on Implementing Effective Heightened Supervisory Procedures for Associated Persons With a History of Past Misconduct” for guidance on how to draft a plan.  Briefly, the plan should include:

  • Appointing a principal that has the experience to implement and enforce the plan;
  • Training the employee subject to the plan on his or her responsibilities under the plan; and
  • Reviewing the plan periodically to assess its effectiveness.

Recommendation 3

Review the cases above and consider whether your policies and procedures provide sufficient controls to prevent similar outcomes.  For example, for valuation, address conflicts with strong oversight.  While a trader can participate, include others in the valuation process.  Consider establishing a valuation committee with representation by senior management to mitigate the impact of the trader’s conflicted position.

Higher risk activities should include a system of checks and balances. Even if you trust your COO, a second set of eyes reviewing client billing is an essential safeguard — not only to prevent fraud but to reveal potential flaws in the process.  In the Diver case, testing by a compliance officer after the fact could have uncovered this fraud much earlier.  In that case, Diver, as COO, managed the payroll process and was able to inflate his own income for years since no one was reviewing his work.

7.    Confirm whether your policies and procedures to protect senior and other vulnerable Investors address state law requirements. 

As we noted last year, more than 20 states have adopted laws addressing the financial exploitation of seniors and vulnerable clients.  Some states, like Ohio, require investment advisers to report suspected or actual financial exploitation of seniors and vulnerable clients to state adult protective services agencies. Most recently, New Jersey adopted the “Safeguarding Against Financial Exploitation Act,” which goes into effect in mid-April 2020 (See Governor Murphy Provides Seniors With Added Protection Against Financial Exploitation).  The new law imposes mandatory reporting of suspected financial exploitation of an “eligible adult” by “qualified individuals,” which include investment advisers and broker-dealers.  Other states that have mandatory reporting requirements include Alabama, California, and Florida.

Recommendation

Check out the 50-state survey of senior and vulnerable investor laws produced by Bressler Amery Ross to see whether your firm may need to develop a process for reporting suspected financial exploitation of seniors and vulnerable clients.  If the answer is yes, make sure your procedures include training employees and representatives on how to identify and report such abuse.

8.    Review regulatory activity within the states relevant to your business to see if any developments affected your firm.

Just because your firm is federally registered doesn’t mean you can ignore state law, as evidenced by Item 7 above on state laws protecting seniors and other vulnerable investors.  Other examples include statutes dealing with registration of investment adviser representatives.  States have also begun beefing up regulations in other areas, such as cybersecurity.  State-specific examples include:

  • The California Consumer Privacy Act (“CCPA”) affects firms with California clients and that meet certain thresholds. The CCPA requires certain for-profit businesses that collect personal information from California consumers (i) provide consumers access to their personal information; (ii) delete their personal data if so requested and (iii) stop selling personal information if consumers opt out of the sale.
  • Massachusetts amended its Data Breach Notification Law. Broker-dealers and investment advisers subject to this Massachusetts law are now required to provide a minimum of 18 months of free, third-party credit monitoring services to affected consumers when there is a breach involving social security numbers.
  • New Hampshire became the 47th jurisdiction to join the “Automatic Fail to Renew Program,” eliminating its grace period for broker-dealers and investment advisers to renew their registrations. Firms that failed to renew by December 31, 2019, automatically had their registrations terminated and are no longer be eligible to conduct securities or investment advisory business in New Hampshire.  Firms that violate this policy may be subject to enforcement action.

Referral arrangements are governed by state law.  For example, in many states registration as an investment adviser representative is required to receive referral fees (check out 12 Things You Need to Know about Adviser Referral Arrangements and the Cash Solicitation Rule).

Investment advisers that work (or want to work) with state retirement systems should be aware of state lobbying laws.  Many states have adopted lobbying laws that define “lobbying” to include activities related to contracting with a governmental entity to provide investment management services.  This law may require firms, their employees and representatives, including solicitors, to register as lobbyists before pitching advisory services to state retirement plans. These laws vary from state to state, so if your firm actively solicits state retirement plans for their investment advisory business, I recommend that you consult with counsel on the applicability of lobbying laws.  Some local governments also require lobbyist registration, so it is essential to review local rules to determine whether registration as a lobbyist and lobbyist employer is required.  (K&L Gates produced an excellent Investment Management Alert on this topic.)

Recommendation

Federally registered investment advisers cannot ignore state law. Advisers should pay close attention to the states where they are located and where their clients live for new laws or regulations that may affect their business.

As noted above, Massachusetts and California have enacted legislation with expansive data protection standards, and other states are expected to follow.  I’ve included some resources below under Privacy and Data Security: State Law to help advisers keep track of changes to state laws.   

Firms with limited resources should focus their efforts on states that are more likely to take enforcement action as opposed to states that may cite a firm for deficiencies after an exam.  Massachusetts seems to be the most aggressive in going after investment advisers that have clients and operate in that state (check out the case recently filed against Summit Financial).  Firms that do business there should keep an eye on the Massachusetts’ securities division website.  The North American Securities Administrators Association (NASAA) website is another resource for monitoring state laws affecting investment advisers.

9.    Mutual fund advisers need to step up their compliance game.

As indicated in the 2018 Risk Alert on Risk-Based Examination Initiatives Focused On Registered Investment Companies, OCIE performed a series of examinations focused on mutual funds “to assess industry practices and regulatory compliance in certain areas that may have an impact on retail investors.”  As a follow-up, in 2019, OCIE issued the Risk Alert on Top Compliance Topics Observed in Examinations and Investment Companies and Observations from Money Market Fund and Target Date Fund Initiatives, discussing its findings.  One group that OCIE focused on was advisers relatively new to managing mutual funds, and I expect this influenced its overall results.  This risk alert highlighted deficiencies in meeting some basic compliance requirements, including:

  • failing to follow or enforce policies and procedures;
  • failing to perform an annual review, or conducting an annual review that did not address the adequacy of policies and procedures;
  • making inadequate disclosures to investors; and
  • failing to implement, follow or enforce the code of ethics.

OCIE also addressed money market and target-date funds.  Overall, the funds examined appeared to be in “substantial compliance” with their governing rule, with lapses in maintaining required documentation, inadequate disclosures, and incomplete or missing policies and procedures.

Recommendation 1

Advisers to mutual funds should read this alert carefully and consider whether their compliance programs adequately address the issues cited.  A great place to start is to review the final release for Compliance Programs of Investment Companies and Investment Advisers.

Recommendation 2

Advisers new to mutual fund compliance should reach out for help.  The rules governing mutual fund compliance are complicated and technical.  Consider joining industry groups (like the Investment Company Institute or National Society of Compliance Professionals), attending conferences, or hiring professional help, like compliance consultants and law firms.  Sign up for free newsletters from law firms and compliance consultants to help you keep up to date on current regulatory issues.

10.     Consider policies and procedures for UTMA/UGMA accounts. 

Although this may not currently be on the radar screen for most firms, FINRA has been cracking down on firms that continued to let parents, as custodians of UGMA and UTMA accounts (Uniform Transfer to Minors Act and Uniform Gifts to Minors Act), manage these accounts after the beneficiaries (the children) reached the age of majority.

When an account is opened for a minor under the Uniform Gift to Minors Act or Uniform Transfers to Minors Act, the assets are an irrevocable gift to the minor. The funds must be handed over to the child at the age of maturity, typically from 18 to 21. The custodian of the UGMA or UTMA account, presumably the parent or another relative, is a fiduciary for those assets.  As a fiduciary, the custodian is required to invest the funds following the prudent man rule, and can only use the funds in the best interest of the minor.

Investment advisers, as fiduciaries, should also be paying attention.  Once a child reaches the age of majority, the custodian no longer has the right to manage or access those funds.  The SEC could start sanctioning investment advisers for a breach of fiduciary duty for allowing the custodian to continue managing the account after the account beneficiary reaches the age of majority.

Recommendation

Advisers should have processes in place to track when UGMA and UTMA account beneficiaries reach the age of majority and ensure that responsibility for the account is transferred.

In closing, I hope that this overview helps advisers focus their compliance efforts for 2020.  If you need help, please contact Hardin Compliance Consulting at 1.724.935.6770, or visit our website at www.hardincompliance.com.

Recommended Resources

California Consumer Privacy Act

Compliance

Cybersecurity

Failure to Supervise

Mutual Fund Advisors

Privacy and Data Security:  State Law

Protecting Seniors and Vulnerable Investors

UTMA/UGMA Accounts

____________________________________________________________________________________

Partner with Hardin Compliance

Have a compliance question or want an independent review of your compliance program?  Hardin Compliance can help!  Call us today at 1.724.935.6770, or visit our website at www.hardincompliance.com for more information.

____________________________________________________________________________________

Hardin Compliance Consulting provides links to other publicly-available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance.  The information in this e-newsletter is for general guidance only.  It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.