Introduction

Despite an anticipated de-regulatory push, there are significant new regulatory concerns for investment advisers to address in connection with their annual review of their compliance manuals.

Developments

  • Changes to Form ADV. The Securities and Exchange Commission (SEC) amended Part 1A of Form ADV effective as of October 1, 2017, to (i) codify the SEC staff's (the "Staff") guidance permitting "relying advisers" to use the filings of related "filing advisers" to become registered with the SEC; (ii) require additional reporting regarding separately managed accounts; and (iii) require additional information regarding the adviser, including use of social media and outsourced chief compliance officers.1 All investment advisers filing a Form ADV as an amendment to a current filing or report will be required to use the new form after the effective date. Most of the new information will be required to be included in the new form in connection with the annual amendments relating to the 2017 fiscal year (due April 2, 2018, for most advisers) and for subsequent years. If an investment adviser files an unanticipated "other-than-annual" amendment to its Form ADV prior to its first annual amendment using the revised form, it may use zeros as placeholders and note in the "miscellaneous" section of Part 1A of Form ADV that they are placeholders.2

As part of the adoption of the new form, the Staff provided guidance regarding what a "separately managed account" (SMA) is and what a "private fund" is for purposes of the amended Form ADV. Per the SEC guidance, a "fund of one" is generally not a private fund. However, funds that have one investor because either (i) only one investor remains after others have redeemed or (ii) the fund is open to subscriptions from other investors, but only one person has invested, are still deemed to be private funds.3 Managers to entities that have single investors and are currently reported on Item 7B of Form ADV should consider either opening the funds of one up to other investors or moving them off of Item 7B and reporting them as SMAs.

  • ERISA. On June 9, 2017, after years of proposals, comments and revisions, the Department of Labor's (DOL) new fiduciary rule became partially effective. The DOL's stated purpose in promulgating the rule was to expand the circumstances under which advisers to employee benefit plans subject to ERISA and individual retirement accounts (IRAs) could be considered ERISA "fiduciaries" to such plans and accounts. Of note, the fiduciary rule contains a general carve-out for plans and accounts represented by independent financial experts.

On April 7, 2017, the DOL introduced a transition period, which is currently set to expire on January 1, 2018, during which fund managers and other financial institutions may satisfy a streamlined set of conditions known as the "impartial conduct standards" to comply with the rule, rather than having to comply with all of the conditions of the rule and its related exemptions. The "impartial conduct standards" generally require that fund managers and financial institutions give prudent advice that is in the best interests of retirement investors, charge no more than reasonable compensation therefor and not make misleading statements.

On August 31, 2017, the DOL published a proposed rule that would extend by 18 months the transition period for the fiduciary rule from January 1, 2018 to July 1, 2019. In the interim, many managers and other financial institutions are obtaining representations from their plan clients regarding the availability of the financial expert carve-out. This has led the same managers and institutions to seriously consider ceasing to do business with IRAs.

In addition, some managers and other financial institutions are reviewing their communications with existing and potential clients with the aim of avoiding communications that could be viewed as investment recommendations under the new rule.

  • Books and Records Rule and Electronic Messaging. Effective October 1, 2017, the SEC also amended its books and records rule to require registered investment advisers to retain the following irrespective of the number of recipients: (i) all supporting material for performance claims in any communications and (ii) any written communications with performance claims.4

In addition, the Staff conducted a sweep in 2017 relating to the use of electronic messaging in which the Staff inquired into the monitoring, security, and recordkeeping practices and policies with respect to electronic messaging. Registered investment advisers and exempt reporting advisers should revise their recordkeeping policies and procedures to retain all performance claims and electronic messages that could constitute records.

  • Cybersecurity. The SEC and other regulators continue to focus on cybersecurity risks, policies and protections. In August, the Staff published its observations from examinations of registered investment advisers, broker-dealers and investment companies regarding their governance and risk assessment (including penetration testing), access rights and controls, data loss prevention (including the use of tools for detecting access), vendor management (including periodic reassessments), training and incident response planning (including for cyber-related business continuity, denial of service and intrusion).5 While the Staff observed that cybersecurity preparedness had improved since it previously evaluated cybersecurity practices, it still noted that many policies and procedures were vague and were not tailored to the particular business. The Staff also criticized policies that required frequent reviews of customer protection measures or supplemental security measures that were performed only annually or less frequently and policies that conflicted with other portions of the compliance manual. As with the Staff's alert earlier in 2017 relating to the WannaCry ransomware,6 the Staff reminded registrants to continually monitor for availability of software patches, the absence of which could leave their systems vulnerable.

In addition, the Staff provided guidance regarding policies and procedures that it observed at firms with "robust controls," including:

  • maintenance of an inventory of data, information and vendors
  • detailed cybersecurity-related instructions, including information regarding evaluation of penetration tests and effectiveness of security solutions, security monitoring and system auditing, access rights (such as tracking access) and reporting guidelines
  • maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies and beta testing thereof
  • established and enforced controls to access data and systems, including acceptable use of firm's equipment and networks, enforced restrictions and controls for mobile devices, such as passwords and software that encrypts communications, logs of activity from third-party vendors and immediate termination of rights of terminated employees
  • mandatory employee training.

The Staff noted that policies are more effective when they are vetted and approved by senior management.

Footnotes

1 See the following for a comparison: https://www.sec.gov/rules/final/2016/ia-4509-form-adv-summary-of-changes.pdf.

2 See guidance at https://www.sec.gov/divisions/investment/imannouncements/im-info-2017-06.pdf.

3 See the ADV FAQ at http://www.sec.gov/divisions/investment/iard/iardfaq.shtml.

4 For further discussion see https://www.sec.gov/rules/final/2016/ia-4509.pdf.

5 For the full results, see https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.

6 For further discussion, see https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.
