Highlights

For a summary of all items addressed in this Update (including those highlighted below), please refer to the Table of Contents below.

SEC Lays Out Road Map for CCO Skill Set. The SEC recently discussed the developing role of chief compliance officers and emphasized key areas in which chief compliance officers should develop a clear understanding in order to increase their effectiveness.

SEC Keynote Address: “Five Years On: Regulation of Private Fund Advisers After Dodd-Frank.” The Chairperson of the SEC recently gave a keynote speech following the fifth anniversary of the adoption of the Dodd-Frank Act, addressing the current landscape of regulation and oversight facing the private fund industry and highlighting firm-specific and industry-wide risks affecting private funds and their advisers.

OCIE Reports Observations from Outsourced CCO Initiative. Following examinations of investment advisers using outsourced chief compliance officers, the SEC observed that in order to be effective, outsourced chief compliance officers generally require frequent and personal communications, strong relationships with the registrants, sufficient access to documents, and in-depth knowledge of the registrant’s business, operations and regulatory requirements.

SEC Considering Mandatory Third-Party Compliance Reviews. The SEC recently indicated that it was considering the use of mandatory third-party reviews for registered investment advisers in an effort to better monitor the compliance practices of such registrants.

Investment Adviser Sanctioned for Failing to Adopt Proper Cybersecurity Policies and Procedures. The SEC announced it agreed to settle enforcement proceedings brought against an investment adviser in connection with a cybersecurity breach that compromised personally identifiable information of the firm’s clients that had been stored on its third-party hosted web server.


TABLE OF CONTENTS

Regulatory Developments

SEC Lays Out Road Map for CCO Skill Set. The SEC recently discussed the developing role of chief compliance officers and emphasized key areas in which chief compliance officers should develop a clear understanding in order to increase their effectiveness.

SEC Keynote Address: “Five Years On: Regulation of Private Fund Advisers After Dodd-Frank.” The Chairperson of the SEC recently gave a speech following the fifth anniversary of the adoption of the Dodd-Frank Act, addressing the current landscape of regulation and oversight facing the private fund industry and highlighting firm-specific and industry-wide risks affecting private funds and their advisers.

OCIE Reports Observations from Outsourced CCO Initiative. Following examinations of investment advisers using outsourced chief compliance officers, the SEC observed that in order to be effective, outsourced chief compliance officers generally require frequent and personal communications, strong relationships with the registrants, sufficient access to documents, and in-depth knowledge of the registrant’s business, operations and regulatory requirements.

SEC Considering Mandatory Third-Party Compliance Reviews. The SEC recently indicated that it was considering the use of mandatory third-party reviews for registered investment advisers in an effort to better monitor the compliance practices of such registrants.

Firms Struggle with Third-Party Vendor Cybersecurity Compliance. In light of OCIE’s 2015 Cybersecurity Initiative, the SEC noted it may begin examining registered investment advisers’ practices and controls relating to vendor management and highlighted the struggles advisers and third-party vendors are facing with respect to cybersecurity practices.

FERC Proposes Regulations for Disclosure of “Connected Entities” of Market Participants. The Federal Energy Regulatory Commission recently proposed to amend its regulations to require additional disclosures from market participants regarding their “connected entities,” which include entities having contractual relationships with such market participants.

Enforcement Actions

Investment Adviser Sanctioned for Failing to Adopt Proper Cybersecurity Policies and Procedures. The SEC announced it agreed to settle enforcement proceedings brought against an investment adviser in connection with a cybersecurity breach that compromised personally identifiable information of the firm’s clients that had been stored on its third-party hosted web server.

SEC Fines Investment Adviser for Custody Rule Violations. The SEC recently settled a case with an investment adviser, its two owners and its former CCO for $1 million for repeated violations of the Custody Rule.

Commissioners Gallagher and Piwowar Dissent on “Backtest” Requirements. Two SEC Commissioners released a dissent, criticizing a majority opinion with respect to its position against the use of assumed inflation rates, rather than actual historical rates, for back-testing.

Investment Adviser Pays $20 million to Settle SEC Enforcement Action Alleging Non-Disclosure and Breach of Fiduciary Duty. The SEC settled enforcement proceedings brought against Guggenheim Partners Investment Management based on failure to disclose certain conflicts of interest and failure to enforce its code of ethics.


Regulatory Developments

SEC Lays Out Road Map for CCO Skill Set

During a recent speech before chief compliance officers of investment advisers and broker-dealers, Andrew Donohue, Chief of Staff at the U.S. Securities and Exchange Commission (the “SEC”), observed that chief compliance officers (“CCOs”) are confronted with a complex environment that is constantly changing and firms that are innovating and introducing new products and services. Mr. Donohue noted the importance of CCOs staying on top of these developments and changes to meet the evolving requirements of the financial industry. 

In his speech, Mr. Donohue emphasized nine key areas of which CCOs should develop a clear understanding and knowledge base in order to increase their effectiveness, including (1) the various laws and regulations applicable to a firm, (2) the firm, its structure and internal operations, (3) how the firm identifies, reviews, and resolves conflicts of interest that may exist, (4) the clients and customers of the firm and what services and products are being provided to them, (5) the compliance and technology resources utilized by the firm and their implications in developing a compliance program, (6) the policies and procedures of the firm and specifically, how they are monitored and applied, (7) the markets and industries in which the firm operates, the investment products and strategies of the firm and any concerns that they may raise, (8) the culture of the firm and (9) what additional information and knowledge is required to maintain an effective compliance program.

Mr. Donohue also highlighted several ways the SEC is working to assist CCOs in supporting their compliance functions and provide them with guidance to preemptively address potential risks within a firm. Such directives include the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) meeting and engaging with senior management of investment advisers to emphasize the importance of setting a “culture of compliance” within a firm and allowing such persons to speak with OCIE staff more informally, outside of the context of an examination or enforcement action. Other SEC support initiatives include the active publishing of materials (including risk alerts and annual examination priorities) to provide concrete guidance to CCOs with respect to those topics the SEC views as important compliance risks and potential pitfalls, and the conducting of seminars and industry-focused outreach events to discuss key risks within the industry, including observed deficiencies, as well as potential areas of improvement.

The full text of Mr. Donohue’s speech is available here.

SEC Chairperson Delivers Keynote Address: “Five Years On: Regulation of Private Fund Advisers after Dodd-Frank”

In October, Mary Jo White, Chairperson of the SEC, gave the keynote speech at the Managed Funds Association conference in New York. Following the fifth anniversary of adoption of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), Chairperson White addressed the current landscape of regulation and oversight facing the private funds industry in the wake of the financial crisis and the implementation of various Dodd-Frank Act reforms.

Chairperson White emphasized that the fundamental mission of the Dodd-Frank Act is to “protect investors, maintain market integrity, and promote capital formation.” In light of this goal, she described many benefits the Dodd-Frank Act’s comprehensive regulatory regime and reporting requirements provide, including firm transparency (which helps the SEC obtain a more fulsome picture about private funds, their business, operations and relationships), and the ability of the SEC to monitor trends within the broader asset management industry. The data provided by private fund advisers also allows the SEC to have a better understanding of the risk profiles of the asset management industry and the larger financial system as a whole. In her speech, Chairperson White detailed two broad areas of risk affecting private fund advisers: risks impacting the broader asset management industry and financial system and potential risks specific to individual firms. 

Specific risks that impact the asset management industry include:

  • Risks Arising from Services and Activities. Chairperson White explained that potential risks can cast a wide net across the asset management industry, arising from providing services to the funds, investors and activities of a wide range of financial market participants. She noted that the SEC was working diligently to propose a series of measures to ensure the regulatory program applicable to private fund advisers would address the challenges and risks posed by an evolving and growing marketplace.
  • Operational Risks. Chairperson White described risks that can arise from non-existent, weak, or inadequate processes and systems at a private fund adviser (including those related to third-party service providers). Specifically, she highlighted cybersecurity risks, market stress and transitional risk. With respect to risks arising in connection with the transition of client accounts, Chairperson White announced that the SEC was preparing recommendations to aid advisers in navigating the challenges that arise when an investment adviser had to transition the advisory services of its clients. The recommendations will be aimed at assisting advisers in their assessment of, and planning for, the impact of these transitions, such as transferring management or liquidating a fund, on the investors. She noted that presently, the industry lacks clarity on the risks that might arise when a private fund fails and the forthcoming guidance would help advisers evaluate and plan for a contingency situation in the event it was unable to serve its clients.
  • Changes in Broader Regulatory Framework. Chairperson White discussed the broader regulatory framework and systemic risks that indirectly affected private fund advisers, including the Volcker Rule and clearing agency risks.

Chairperson White also addressed firm-specific risks, noting that those were the kind of risks that could harm investors more directly and in a more impactful manner. Chairperson White suggested that private fund advisers could face renewed scrutiny from the SEC with regard to their fiduciary duties owed to investors, specifically citing instances in which advisers cherry-picked investments in performance disclosure, improperly used data for marketing purposes, and failed to disclose the hiring of related parties. While Chairperson White did not confirm that these issues had been escalated to enforcement actions, her comments raise the possibility of future actions. Chairperson White elaborated further on the necessity of proper disclosure of conflicts, noting that disclosure has become a strong investor safeguard. To emphasize this point, she detailed several examples of SEC concern where advisers failed to adequately disclose conflicts with respect to allocation of investment opportunities and allocation of fees and expenses. 

Finally, Chairperson White expressed the SEC’s concerns with the fee and expense practices of private equity funds, including with respect to allocation and collection of accelerated monitoring fees without adequate disclosure. Her remarks emphasized the general need to provide investors with the essential information regarding the adviser and its funds to ensure their investment decisions are well-informed. 

Chairperson White concluded by noting that strong compliance cultures and programs established by private fund advisers were vital to foster a robust and successful financial system, and in the upcoming five years, she believes the SEC will continue “to build a strong regulatory framework that protects investors while preserving the vibrant diversity of private funds.”

The full text of Chairperson White’s keynote address is available here.

OCIE Reports Observations from Outsourced CCO Initiative 

In order to address the growing trend of outsourcing the role of CCOs to third parties, OCIE staff conducted nearly 20 examinations to identify and raise awareness of compliance issues relating to use of such outsourced roles. Summarizing its findings in a recent Risk Alert, OCIE observed that in order to be effective, outsourced CCOs generally required regular and in-person communication, strong relationships with registrants, sufficient access to registrants’ documents, and knowledge of the registrants’ business and regulatory requirements. More specifically, OCIE identified the following as critical factors affecting outsourced CCO performance:

  • Communications: Outsourced CCOs with frequent, ongoing and personal interaction with adviser and fund employees (as opposed to impersonal and infrequent interaction, via electronic communication or pre-defined checklists) developed a better understanding of the registrants’ businesses, operations and risks.
  • Resources: Outsourced CCOs who served numerous unaffiliated firms often lacked sufficient resources to perform fulsome compliance duties for the registrants, particularly where the firms serviced were varied in operations, industry and structure, leading to more significant compliance-related issues.
  • Empowerment: Outsourced CCOs having the authority to obtain the records they deemed necessary for conducting annual reviews were able to better fulfill their roles than CCOs who had to rely on the firm to preselect the records for their review. More specifically, where firm employees had discretion to determine which documents were provided to the outsourced CCOs, the accuracy and completeness of these registrants’ annual reviews appeared to have been compromised.
  • Standardized checklists: Outsourced CCOs that utilized generic standardized checklists did not appear to fully capture the compliance risks applicable to the registrant. Outsourced CCOs sometimes lacked sufficient knowledge about the registrant to identify and resolve incorrect or inconsistent responses to standardized questionnaires.
  • Policies, procedures, and disclosures: In some situations, the SEC observed outsourced CCOs utilizing compliance manual templates that were not properly tailored to registrants’ businesses and practices, causing compliance deficiencies and/or inconsistencies and resulting in policies and procedures not being followed by firm employees. Furthermore, where an outsourced CCO was not proficient in a registrant’s business and operations, it was unable to identify or resolve such discrepancies.
  • Annual Reviews: Outsourced CCOs responsible for conducting and documenting registrants’ annual reviews, which included testing for compliance with existing policies and procedures, often failed to maintain adequate documentation evidencing the testing. Additionally, when an outsourced CCO had limited authority at a firm, the CCO’s ability to implement changes in disclosure regarding pertinent areas affecting the firm was affected.

Based on its observations, the OCIE staff recommended that registered investment advisers with outsourced CCOs review their business practices in light of the risks it observed to determine whether these practices comport with their responsibilities and confirm that an outsourced CCO is able to establish, implement, monitor and review an effective and robust compliance program.

SEC Considering Mandatory Third-Party Compliance Reviews

The SEC’s Division of Investment Management Director, David Grim, indicated in a recent speech that the SEC may begin requiring third-party reviews for all registered investment advisers, noting that the SEC is considering these mandatory reviews in an effort to better monitor the compliance practices of investment advisers. Within the SEC, the Division of Investment Management is collaborating with OCIE in considering this program, which is intended to address criticism regarding the small number of adviser examinations OCIE conducts annually. In his remarks, Director Grim explained that, “[t]he review would not replace examinations conducted by OCIE, but would supplement them in order to improve compliance by registered investment advisers.” 

While this proposal has been raised before by the SEC, it appears to be gaining momentum. However, many questions remain as to how it would be implemented, including which organization(s) would be responsible for such reviews and what costs would be involved in establishing such a program.

Following Mr. Grim’s speech, former SEC investment management head Norm Champ wrote an op-ed in the Wall Street Journal criticizing the proposal, noting that it imposed a costly burden on registered investment advisers without internally investigating the SEC’s inefficiencies in conducting examinations. In his article, Mr. Champ further noted that the SEC’s plan fails to address the inefficient management within the SEC, and overlooks the SEC’s recent difficulty in collaborating on compliance matters with credit rating firms and proxy advisor firms.

The full text of Mr. Grim’s remarks is available here.

Firms Struggle with Third-Party Vendor Cybersecurity Compliance

In response to OCIE’s 2015 Cybersecurity Examination Initiative (as discussed in more detail here) and recent SEC remarks noting it may examine a firm’s practices and controls related to vendor management, investment advisers have been working to address issues arising in connection with third-party vendors, including cybersecurity concerns over shared data.

Many clients are exploring ways to regulate information provided to them by vendors via standardized reports, such as the Service Organization Controls 2 audit or the standard information gathering questionnaire, to provide a baseline of data for vendor oversight. While such reports can help alleviate the burden on vendors of overwhelming data requests, they still tend to be long and complex to fill out, and these reporting tools are also sometimes insufficient to satisfy client demands.

Ultimately, investment advisers and vendors are in agreement that these standards and requirements need to be discussed more thoroughly during the vendor contracting process—an area where few investment advisers have historically focused, but one where vendors are already seeing increased involvement.

FERC Proposes Regulations for Disclosure of “Connected Entities” of Market Participants

The Federal Energy Regulatory Commission (“FERC”) recently proposed to amend its regulations to require additional disclosures from market participants in regional transmission organizations (“RTOs”) and independent system operators (“ISOs”). While the proposal does not broaden the definition of those “market participants” required to make a filing with the FERC, it would replace existing disclosure requirements regarding “affiliates” of market participants with a unified concept, “Connected Entities,” which would include entities having a contractual relationship with such market participants, including asset managers. Market participants would be required to describe the nature of their relationship to such Connected Entities as well as the major provisions of contracts between them, such as start and end dates, a brief description, and renewal provisions. To the extent such information is not already public, it would not be publicly available in this filing.

Many industry groups believe these new requirements are burdensome and inappropriate as related to the disclosure of information about a market participant’s “Connected Entities” and have submitted comment letters to the FERC in this regard.

A copy of the proposed rule is available here.  

Enforcement Actions

Investment Adviser Sanctioned for Failing to Adopt Proper Cybersecurity Policies and Procedures

On September 22, 2015, the SEC announced that it had agreed to settle enforcement proceedings brought against an investment adviser, R.T. Jones Capital Equities Management, in connection with a cybersecurity breach that compromised the personally identifiable information (“PII”) of the firm’s clients. According to the SEC settlement order, the adviser stored PII on its third-party hosted web server, which was attacked in July 2013 by an unknown cyber-intruder. The intruder gained access and copy rights to the data on the server, compromising the PII of more than 100,000 individuals, including thousands of the adviser’s clients. 

After the breach was discovered, the adviser hired cybersecurity consultants and the origin of the attack was traced to China. The adviser provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider. As of the date of the settlement, the firm had not received any indications that clients suffered financial harm as a result of the data security breach.

In the settlement order, the SEC noted that the adviser provided advice to retirement plan participants through a managed account option administered by a retirement plan administrator and offered by various retirement plan sponsors. The managed account program included several strategies through model portfolios maintained by the adviser. After consulting with a participant, the adviser would recommend a model portfolio. If the participant agreed with the recommendation, the adviser provided trade instructions to the retirement plan administrator, which then effected the transactions. The adviser did not control or maintain client accounts or client account information. During the relevant period, in order to verify eligibility to enroll in the managed account program, the adviser required prospective clients to log on to its website using their name, date of birth and social security number. This information was then compared against the PII of eligible plan participants that was provided by the plan sponsors, and stored, without modification or encryption, on the adviser’s third-party hosted web server. According to the SEC, the plan sponsors provided the adviser with information about all of their plan participants, not just the participants that were interested in the managed account program. Although the adviser had fewer than 8,000 plan participants as clients, its web server contained the PII of over 100,000 individuals.

Under Rule 30(a) of Regulation S-P, every investment adviser is required to adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. According to the settlement order, the adviser failed to adopt written policies and procedures reasonably designed to safeguard its clients’ PII, as required by Rule 30(a). The SEC noted that the adviser’s policies and procedures were not “reasonably designed” in that they did not include provisions for conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. 

While none of the adviser’s clients were shown to have suffered any harm, the adviser agreed to pay a civil monetary penalty of $75,000 as part of the settlement.

SEC Fines Investment Adviser for Custody Rule Violations

The SEC recently settled a case with Sands Brothers Asset Management LLC, an investment advisory firm (“Sands Brothers Asset Management”), as well as its two owners and its former CCO, for $1 million for repeatedly failing to provide investors with audited financial statements of the funds in a timely manner consistent with Rule 206(4)-2 under the Investment Advisers Act of 1940, as amended (the “Custody Rule”). 

In 2010, Sands Brothers and its co-owners were the subjects of an enforcement action for violations of the custody rule and agreed to settle the charges by paying a $60,000 penalty. In its recent release, the SEC noted that the co-owners “missed their opportunity to right a previous wrong and instead merely repeated their custody rule violations….”, resulting in more severe consequences.

In addition to the fine, the two owners will be suspended for a year from raising new funds, and they must have a compliance monitor for at least three years. Additionally, the former CCO agreed to pay a fine and will be suspended for one year from acting as a CCO or practicing as an attorney before the SEC. 

A copy of the SEC Press Release is available here. A copy of the SEC order against Sands Brothers Asset Management and its co-owners is available here, and a copy of the SEC order against the CCO is available here.

Commissioners Gallagher and Piwowar Dissent on “Backtest” Requirements

Following the release of SEC Opinion In the Matter of Raymond J. Lucia Companies, Inc. and Raymond J. Lucia, Sr., Securities Exchange Act Release No. 75837 (Sept. 3, 2015), SEC Commissioners Gallagher and Piwowar released a forceful dissent, criticizing the majority for needless “rulemaking by opinion” with respect to its position against the use of assumed inflation rates, rather than actual historical rates, for backtests.

The case centered on a slideshow presentation used by the respondents to advertise a particular investment advisory approach. To illustrate the relative advantage of their approach—termed “Buckets of Money”—during a market decline, respondents made use of a backtest based on an actual 1973 bear market scenario. Despite using actual historical returns in this scenario, respondents used an assumed inflation rate of 3%, which was consistent with the assumed rate used for other scenarios. The majority took issue with this assumed inflation rate, finding the use of an historical backtest without the corresponding actual historical inflation rates to be fraudulent.

In contrast, the dissent stated that “[i]t is appropriate to use a consistent, assumed inflation rate when comparing the results among portfolios.” Commissioners Gallagher and Piwowar focused their reasoning on disclosure, finding that the test for fraud is objective and therefore based on the perspective of a reasonable investor. By that logic, clear disclosure of inflation rate assumptions used in backtests should be all that is required.

A copy of the SEC’s majority opinion is available here and the dissent is available here.

Investment Adviser Pays $20 Million to Settle SEC Enforcement Action Alleging Non-Disclosure and Breach of Fiduciary Duty 

On August 10, 2015, the SEC settled enforcement proceedings brought against Guggenheim Partners Investment Management, LLC (“GPIM”), an investment adviser primarily to institutional clients, high net worth individuals and private funds, based on a breach of fiduciary duty and violations of the Advisers Act. The SEC order stated that the SEC determined that GPIM breached its fiduciary duty by not disclosing that a GPIM senior executive received a $50 million loan from a client that allowed the executive to participate personally in a deal led by GPIM’s corporate parent. As a result of the loan, the SEC found that GPIM had a potential conflict of interest whereby GPIM might place the lending client’s interests over the interests of other clients. The SEC noted that GPIM did not disclose the loan when GPIM placed certain of its other clients in two transactions on different terms from the client who made the loan. The allegations included a number of additional violations of provisions of the Advisers Act, including the adviser’s failure to enforce its code of ethics with respect to recording the loan. In settlement of these alleged violations, GPIM agreed to pay a civil monetary penalty of $20 million.
