OCIE Highlights Frequent Topics for Compliance Deficiencies for Investment Advisers
On Feb. 7, 2017, the Securities and Exchange Commission’s (SEC’s) Office of Compliance Inspections and Examinations (“OCIE”) published a risk alert outlining the five most frequent compliance topics identified in deficiency letters sent to SEC-registered investment advisers.
The information is intended to assist advisers as they prepare for their compliance reviews. Therefore, advisers should review their compliance programs and related policies and procedures with particular focus on the topics noted in the alert and make improvements as necessary.
Specifically, OCIE identified deficiencies or weaknesses in the following five areas:
Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”), also known as the “Compliance Rule.”
Required regulatory filings.
Rule 206(4)-2 under the Advisers Act, known as the “Custody Rule.”
Rule 204A-1 under the Advisers Act, or the “Code of Ethics Rule.”
Rule 204-2 under the Advisers Act, known as the “Books and Records Rule.”
Compliance Rule
The Compliance Rule requires an adviser to meet several regulatory conditions in connection with its business of rendering investment advice to clients. These include:
Adopting and implementing written policies and procedures reasonably designed to prevent the adviser’s violation of the Advisers Act and related SEC rules.
Reviewing, no less frequently than annually, the adequacy of the policies and procedures and the effectiveness of their implementation.
Designating a chief compliance officer (“CCO”), who is responsible for administering these compliance policies and procedures.
OCIE staff provided some possible instances of deficiencies or weaknesses with respect to the Compliance Rule. For example, a deficiency could arise as a result of a compliance manual that is not reasonably tailored to the adviser’s specific business practices, including sections intended to address individualized practices such as particular investment strategies, types of clients, trading practices, valuation procedures and advisory fees. As a result, advisers should be aware that “off the shelf” compliance manuals may not be adequately tailored to address their individual business practices.
Regulatory Filings
This compliance topic relates to the accurate completion and timely filing of certain regulatory submissions advisers must provide to the SEC. The alert mentioned various filing requirements, such as advisers’ annual Form ADV update, Form PF and Form D filings. In this regard, OCIE indicated that it has identified deficiencies or weaknesses that included inaccurate disclosures in Form ADV filings, untimely Form ADV amendments, and incorrect or untimely Form PF and Form D filings.
Custody Rule
The Custody Rule applies to advisers with custody of client cash or securities, and the rule includes several requirements designed to protect client assets from unlawful activities or financial problems of the adviser. Specifically, an adviser is considered to have custody if it or its related persons directly or indirectly hold client funds or securities, or have any authority to obtain possession of them, such as an adviser serving as the general partner, managing member or other comparable position of a pooled investment vehicle.
OCIE noted the following deficiencies or weaknesses with respect to the Custody Rule: advisers who did not recognize that they may have custody due to online access to client accounts; advisers who obtained surprise examinations that failed to meet the rule’s requirements due to the failure to provide the accountants with a complete list of accounts over which the adviser had custody or otherwise failed to meet the rule’s requirements (e.g., the surprise examinations may not have been conducted on a “surprise” basis); and advisers that did not recognize they may have custody as a result of certain authority over client accounts (e.g., advisers that were granted powers of attorney over a client’s account authorizing them to withdraw client cash and securities have custody of that account’s assets).
Code of Ethics Rule
The Code of Ethics Rule requires an investment adviser to adopt and maintain a code of ethics, which must meet several requirements, including establishing a standard of business conduct that the adviser requires of all its supervised persons; requiring an adviser’s “access persons” to periodically report their personal securities transactions and holdings to the adviser’s CCO or other designated persons; and requiring access persons to obtain the adviser’s preapproval before investing in an IPO or private placement.
Deficiencies or weaknesses with respect to the Code of Ethics Rule identified by OCIE included not identifying all of an adviser’s access persons, omitting required information in the code of ethics, untimely submission of transactions and holdings by access persons, and a failure of the adviser’s Form ADV to describe the code of ethics and indicate that the adviser’s code of ethics is available to clients upon request.
Books and Records Rule
Finally, the Books and Records Rule requires advisers to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records as required by the SEC.
Deficiencies or weaknesses noted with respect to the Books and Records Rule included:
The failure to maintain all required records.
Books and records that are inaccurate or not updated.
Inconsistent recordkeeping practices (e.g., some advisers maintained contradictory information in separate sets of records).
NYDFS Cybersecurity Rules for Financial Services Firms Come Into Effect
Financial services companies in New York state are now subject to enhanced cybersecurity regulations.
The New York Department of Financial Services (NYDFS) announced that, effective March 1, covered entities including banks, insurance companies and other financial services institutions must comply with the first-in-the-nation regulations. Created in response to a series of high-profile hacking incidents and the increased role of technology in the industry, the regulations are designed to protect both the stability of the state’s financial services industry and customers’ private data.
Generally, the regulations require firms to perform periodic risk assessments to assist them as they devise and implement a cybersecurity program particular to their business. Covered entities must also evaluate the security of any third-party service providers to ensure they maintain similar standards. The regulations include a host of other oversight and reporting requirements. A more detailed summary of the requirements can be found in this previous Funds Talk article.
NYDFS had been devising the regulations since 2014, and a previous version was initially due to come into effect on Jan. 1, 2017. However, after the industry expressed concerns regarding some of the requirements, NYDFS delayed implementation and issued a revised set of regulations on Dec. 28, 2016. Given New York’s central role in the U.S. market, the regulations are expected to establish best practices within the financial services industry and may inform other state and federal regulators as they draft their own rules.
Cybersecurity Takes Center Stage Among SEC’s Regulatory Activities
After initially focusing on assessing financial firms’ cybersecurity preparedness in order to identify weaknesses and guide them toward best practices, the Securities and Exchange Commission (SEC) has begun to shift its attention toward compliance and enforcement.
Cybersecurity was listed among the regulator’s examination priorities in both 2016 and 2017, with the SEC noting an intent to “advance” efforts to test and assess “firms’ implementation of [cybersecurity] procedures and controls.” The regulator’s sweep of covered entities in 2013-14 found 88% of the broker-dealers and 74% of investment advisers examined had already experienced a cyberattack. In May 2016, then-SEC chair Mary Jo White identified cybersecurity as the largest single threat facing the financial system and warned that some major exchanges, dark pools and clearinghouses did not have adequate cyber policies or procedures to manage the level or nature of risk they face.
As a result, fund managers and investment firms must know their obligations and ensure they are in compliance with the SEC’s expectations. This should include establishing and regularly reviewing cybersecurity risk management controls, disclosure policies and practices, and employee training, which the SEC has addressed in previous guidance.
In addition, several SEC regulations govern firms’ cybersecurity responsibilities. For example, Regulation S-P requires registered broker-dealers, investment companies and investment advisers to “adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” The regulation requires that these policies and procedures be reasonably designed to:
Ensure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Regulation Systems Compliance and Integrity (Regulation SCI) covers entities such as self-regulatory organizations including stock and options exchanges, registered clearing agencies, FINRA and the MSRB, alternative trading systems trading NMS and non-NMS stocks exceeding specified volume thresholds, disseminators of consolidated market data, and certain other exempt clearing agencies. The regulation is designed to strengthen the U.S. securities market technology infrastructure in order to:
Reduce the occurrence of systems issues;
Improve resiliency when systems problems do occur; and
Enhance the SEC’s oversight and enforcement of securities market technology infrastructure.
Rule 13n-6 of the Securities Exchange Act requires every security-based swap data repository to establish, maintain and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, integrity, resiliency, availability and security. Similarly, Exchange Act Rule 15c3-5 – also known as the Market Access Rule – requires a broker or dealer with market access, or one that provides a customer with access to an exchange or alternative trading system, to “establish, document and maintain a system of risk management controls and supervisory procedures” reasonably designed to manage the financial, regulatory and other risks of this business activity.
These regulations demonstrate the common theme in the SEC’s approach to cybersecurity: an emphasis on protecting systems and infrastructure, and on preventing hacking attacks, privacy breaches and other cyber events, through the creation and regular updating of adequate policies and procedures.
Since initiating its first cyber-related action against an investment adviser that failed to meet these requirements and exposed the information of 100,000 brokerage clients through a cyberattack, the SEC has increased its focus from only examining for cybersecurity shortcomings to bringing enforcement actions for noncompliance. In April 2016, the regulator’s Enforcement Division announced it had already initiated several enforcement actions against firms that allegedly failed to protect client data pursuant to the Regulation S-P privacy rule – and warned there would be more to follow.
With the SEC’s recently enhanced attention to covered entities’ cybersecurity practices, fund managers and other investment firms should be doing the same to ensure their compliance with the regulator’s cyber-related guidance and regulations. When it comes to addressing cyber threats, the SEC has emphasized the importance it places on prevention efforts. In the event of a cybersecurity breach, proper response and disclosure remain essential to maintain compliance.
U.S., EU Enter Into Covered Agreement on Insurance; Congress Reacts
On Jan. 13 – in the waning days of the Obama administration – the U.S. Department of the Treasury and the Office of the U.S. Trade Representative (USTR) released the terms of the long-awaited covered agreement between the U.S. and the European Union (the “Covered Agreement”) on prudential insurance matters. A congressional hearing held on February 16 exposed concerns in connection with the Covered Agreement around process, federalism and the direction of U.S. insurance regulation.
Once effective, the Covered Agreement will have a significant impact on international insurance groups doing business between the two regions. For instance, it has been estimated that $40 billion of collateral, currently posted by European reinsurers in the U.S. pursuant to state laws, could be released once the Covered Agreement is fully implemented.
Generally, the Covered Agreement imposes reciprocity, as between a U.S. state on the one hand and any EU jurisdiction on the other, in three areas of insurance regulation: reinsurance, group supervision and exchange of information between regulators’ jurisdictions.
Reinsurance
Under the Covered Agreement, both U.S. and EU jurisdictions would rescind regulations requiring reinsurers to post collateral as a condition to allowing such a reinsurer that has its head office or is domiciled in the territory of the other party (a “Home Party Assuming Reinsurer”) to enter into, or take balance sheet credit for, a reinsurance agreement with a ceding insurer that has its head office or is domiciled in the foreign territory (a “Host Party Ceding Insurer”), where such requirement would treat the Home Party Assuming Reinsurer less favorably than counterparts that have their head office or are domiciled in the same jurisdiction as a Host Party Ceding Insurer.
Additionally, the Covered Agreement prevents a party from imposing a condition that the Home Party Assuming Reinsurer have a local presence in the host jurisdiction, where such requirement would result in such less favorable treatment.
In order to qualify for this treatment under the Covered Agreement, the assuming reinsurer must meet several criteria, including maintaining, on an ongoing basis, at least €226 million (for EU reinsurers) or $250 million (for U.S. reinsurers) of own funds or capital and surplus; maintaining a solvency ratio of 100% SCR under Solvency II or an RBC of 300% Authorized Control Level, as applicable in the territory in which the assuming reinsurer has its head office or is domiciled; and agreeing to provide prompt, written notice and explanation to the regulator in the territory of the ceding insurer if any regulatory action is taken against it for serious noncompliance with applicable law, or if it falls below such minimum own funds or capital and surplus, as applicable, or the solvency or capital ratio, as applicable. Various other requirements set forth in the Covered Agreement are outlined in greater detail here.
Prudential Group Supervision
The Covered Agreement stipulates that a “home party” (the jurisdiction of a group’s worldwide parent entity) insurance or reinsurance group is subject only to worldwide prudential insurance group supervision by its “home” supervisory authorities, and is not subject to group supervision at the parent level by any other “host” jurisdiction where it operates. However, the host supervisor may exercise group supervision at the level of the “parent undertaking in its territory.”
The Covered Agreement outlines specified exceptions in which a host supervisor may exercise some level of group supervision. A notable exception relates to Own Risk and Solvency Assessments (ORSA) required in the various jurisdictions of both the U.S. and the EU. The exception applies:
Where a worldwide risk management system, as evidenced by the submission of a worldwide group ORSA, is applicable to a home party insurance or reinsurance group, and the home regulator that requires the ORSA provides a summary of the worldwide group ORSA to the host supervisory authorities, if they are members of the group’s supervisory college, as well as to the supervisory authorities of significant subsidiaries or branches of that group in the host party, at the request of those supervisory authorities.
Where no such worldwide group ORSA is applicable to a home party group, and the relevant U.S. state or EU member state regulator provides equivalent documentation.
This summary must include a description of the insurance or reinsurance group’s risk management framework, an assessment of the group’s risk exposure, and a group assessment of risk capital and a prospective solvency assessment. If the summary of the worldwide group ORSA exposes any serious threat to policyholder protection or financial stability in the host jurisdiction, the host regulator may impose “preventive, corrective or otherwise responsive measures” after consulting with the relevant home regulator.
The Covered Agreement also clarifies that the group supervision limitations and restrictions are not intended to limit or restrict the ability of EU or U.S. regulators to exercise authority over entities that own or control credit or depository institutions, or have banking operations, in either jurisdiction.
Exchange of Information
Finally, the Covered Agreement includes a nonbinding model memorandum of understanding (MOU) for supervisory authorities in the U.S. and EU, pursuant to which such parties should exchange information. The MOU includes best practices for the time, manner and content of information requests and responses, including standards for the confidential treatment of the information. The Covered Agreement explicitly states that the MOU does not address requirements that may apply to the exchange of personal data by supervisory authorities.
The Covered Agreement “enters into force” seven days after the parties notify each other that they have completed their internal requirements. In the U.S., under Dodd-Frank, these internal requirements consist mainly of the submission of the Covered Agreement to specified congressional committees (which occurred on January 13, 2017) and the expiration of a 90-day period thereafter. The Covered Agreement begins to “apply” on the later of such date of “entry into force” and the date that is 60 months from the date the Covered Agreement was signed. However, the Covered Agreement also contemplates that the parties will “provisionally apply” certain terms of the Agreement even prior to entry into force or formal application.
The Housing and Insurance Subcommittee of the House Financial Services Committee held a hearing on February 16 addressing the Covered Agreement. Witnesses included representatives from both the insurance industry and the regulatory community. Testimony concerning the merits of the Covered Agreement was split, even within the groups of industry representatives and regulatory witnesses, and much of the questioning from the subcommittee members was skeptical, particularly concerning the timing of the Covered Agreement’s release (a week prior to the new incoming administration), the impact of the Covered Agreement on the pre-eminence of the state-based regulatory system and the role of congressional involvement. This suggests a potentially uncertain road to effectiveness in the U.S., although, barring any superseding action, Congress is subject to the 90-day time limit imposed by Dodd-Frank, which expires April 13.