Private Fund Compliance Forum 2019

I spent Wednesday and will spend Thursday at Private Equity International’s 10th annual Private Fund Compliance Forum. I’ve attended this event at least a half-dozen times and enjoy coming back.

The organizers asked that most of the sessions be off-record. I had detailed notes that I published on Wednesday, but took them down. Instead, I’ll share a few general observations.

It sounds like exams of private equity funds are down. Many regional offices are allocating exam resources to other registrants. New registrants are often getting a hello and welcome to registration message from their regional office. The Private Funds Unit is still active and examining fund managers. It sounds like the focus is on managers who have not yet been examined. The regional offices do act on tips and complaints about fund managers.

When you end up with an SEC exam, make sure you focus on the document request and try to scope it. Scoping is hard, but can save the fund manager and the SEC examiners a great deal of time. Reach out to the SEC to make sure you understand what they are looking for. The document request list often looks like a wide-ranging shotgun blast. Examiners are not looking for huge stacks of documents from smaller firms.

The SEC is stalling registrants from the EU. The concern is that GDPR will prevent the SEC from getting the information they need as part of the reporting and examination process.

There is a great deal of discussion around cybersecurity. None of the attendees indicated that they had been subject to any of the cybersecurity sweep exams. Those sweeps are now in their third iteration. See: New SEC Cyber Enforcement Initiative. If you report a breach, you have increased your chances of a cybersecurity exam from the SEC.

It’s not just SEC examiners who are focused on cybersecurity. Expect investors to also conduct a fair amount of diligence on cyber.

CCOs need to stay laser focused on fees and expenses when that money comes back to the fund manager or an affiliate of the manager. If the fund documents state that a service will be provided at market rate, make sure you are conducting periodic surveys of the market rates. If the fund manager is being reimbursed for an employee’s time spent on a portfolio company, make sure you know what part of the employee’s compensation can be included in the rate. If the fund documents say salary, that means you can’t include the cost of benefits.

There was much more knowledge shared from panelists and even more shared among attendees. Plan on coming next year.

Failed Algorithms

Isaac Asimov’s Three Laws of Robotics, designed to prevent robots from harming humans:

  • A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  • A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
  • A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

How does this work when the robot is a financial adviser? The Securities and Exchange Commission brought cases against two robo-advisers.

Wealthfront Advisers is an online robo-adviser that provides software-based portfolio management, including a tax-loss harvesting program for clients’ taxable accounts. The SEC alleged that Wealthfront falsely represented to its clients that the robot would monitor their accounts to avoid transactions that might trigger a wash sale. The SEC alleged that Wealthfront failed to conduct such monitoring. That made Wealthfront’s representations misleading.

In a separate case, the SEC alleged that Hedgeable Inc., a robo-adviser, misleadingly compared its results to performances of other robo-advisers. According to the SEC, Hedgeable calculated its returns based on a small subset of client accounts. Further it miscalculated its competitors’ trading returns by using approximations based on information on the competitors’ websites.

While the headlines sound groundbreaking because they involved robo-advisers, the two robo-adviser actions were human misconduct, not malfunctioning algorithms. Those algorithms were fairly basic.

Samathur Li Kin-kan is suing a robo-adviser for not being as sophisticated as promised. Tyndaris Investments’ K1 supercomputer was supposed to comb through online sources like real-time news and social media to gauge investor sentiment and make predictions on U.S. stock futures. It would then send instructions to a broker to execute trades, adjusting its strategy over time based on what it had learned.

Li is suing Tyndaris for about $23 million for exaggerating what the supercomputer could do. It managed to lose $20 million in one day. The loss was due to a failed stop-loss order. Li’s lawyers argue that the order wouldn’t have been triggered if K1 was as sophisticated as Tyndaris led him to believe.

For now, it’s the humans being blamed for robots’ shortcomings.



OFAC Issues a Framework for Compliance Commitments

The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has published A Framework for OFAC Compliance Commitments. OFAC wants to provide organizations its perspective on the essential components of a sanctions compliance program.

“As the United States continues to enhance our sanctions programs, ensuring that the private sector implements strong and effective compliance programs that protect the U.S. financial system from abuse is a key part of our strategy.”

Sigal P. Mandelker, Under Secretary for Terrorism and Financial Intelligence.

The United States has increasingly used its financial system to penalize countries it dislikes as well as drug kingpins and terrorists. The dollar has been the standard for international business. That may change if the US continues to weaponize the dollar against countries it disfavors.

OFAC has decided to coin the initialism “SCP” for Sanctions Compliance Program. An SCP has five essential components:

1. Management Commitment

  • Senior management has reviewed and approved the SCP
  • Senior management has delegated sufficient authority and provided direct reporting lines
  • Senior management has given adequate resources to the SCP
  • Senior management promotes a culture of compliance
  • Senior management recognizes the seriousness of deficiencies and violations

2. Risk Assessment

  • Organization has conducted an OFAC risk assessment
  • Organization has a methodology to identify and address the risks it identifies

3. Internal Controls

  • Written policies and procedures
  • Internal controls based on risk assessment
  • Enforces policies and procedures
  • Adequate record-keeping
  • Corrects discovered weaknesses
  • Communicates policies and procedures to relevant staff
  • Personnel appointed to integrate policies and procedures into corporate operations.

4. Testing and Auditing

  • Testing and auditing is accountable to senior management
  • Testing and auditing are appropriately sophisticated
  • Takes corrective actions after a negative result.

5. Training

  • OFAC Training provides adequate information
  • Training scope is appropriate
  • Training frequency is appropriate based on risk profile
  • Updates training after a negative result
  • Training provides easily accessible resources.

The Framework includes a short appendix that offers some analysis of some of the causes of sanctions violations that OFAC identified during its investigative process.


Pilfering? a Private Equity Fund

The Securities and Exchange Commission has made the industry very aware that it will look closely at the way private-equity firms handle fund expenses. The latest firm to get caught by the SEC for taking money from investors is Corinthian Capital.

Corinthian agreed to the order, but it contains the usual carve-out that Corinthian neither admits nor denies the findings in the order. Things may have actually happened differently, but I’m accepting what’s in there as a warning for what the SEC does not like.

The first problem was related to improperly using a fee offset according to the fund documents. The order does a poor job of explaining the operation of this particular offset. It seems like Corinthian affiliated limited partners are able to not fund part of their capital commitments. The fund documents are silent on whether the offset can be applied retroactively. Corinthian applied it retroactively. Worse, the firm miscalculated the offset.

Compounding the miscalculation problem, Corinthian withdrew more than it was entitled to in fees from the fund to pay down the manager’s line of credit. Once that line was crossed, Corinthian transferred other cash from the fund to pay management expenses.

The second problem was charging the fund for organizational expenses that were not permitted by the fund documents. One problem is that the management company charged the fund for expected formation expenses. The SEC pointed out that this was improper because those expenses had not actually been incurred.

In addition, Corinthian misclassified some expenses as organizational expenses and ended up charging costs to the fund partners that should not have been charged to them. One item specifically referenced is a placement agent fee.

“Corinthian also lacked policies and procedures with respect to charging CEF 2 for organizational expenses. Informal practices, dating from a former CFO, were put in place that gave great discretion to estimate and classify organizational expenses. While the CFO tracked and the investment committee determined the amount charged to CEF 2 for organizational expenses as referenced in Paragraph 12, no process was implemented to determine the accuracy of such estimates or whether expenses were properly classified.”

The third problem was that Corinthian’s auditor noticed these problems. The auditor chose to withdraw from the engagement and withdraw its opinion from the prior year’s financial statements. That left Corinthian not timely delivering audited financial statements and therefore in violation of the Custody Rule.


Compliance Bricks and Mortar for May 10

These are some of the compliance-related stories that recently caught my attention.


Who to Sue When a Robot Loses Your Fortune
By Thomas Beardsworth and Nishant Kumar
Bloomberg Business

The timeline leading up to the legal battle was drawn from filings to the commercial court in London where the trial is scheduled to begin next April. It all started over lunch at a Dubai restaurant on March 19, 2017. It was the first time 45-year-old Li, met Costa, the 49-year-old Italian who’s often known by peers in the industry as “Captain Magic.” During their meal, Costa described a robot hedge fund his company London-based Tyndaris Investments would soon offer to manage money entirely using AI, or artificial intelligence.

https://www.bloomberg.com/news/articles/2019-05-06/who-to-sue-when-a-robot-loses-your-fortune

U.S. v. Connolly: “Outsourcing” a Government Investigation — And How to Avoid It
by David B. Massey, James Q. Walker, Lee S. Richards III, Shari A. Brandt, Audrey L. Ingram, Daniel C. Zinman, Arthur Greenspan, and Rachel S. Mechanic
NYU Law’s Compliance & Enforcement

On May 2, in a widely-watched case, the U.S. District Court for the Southern District of New York found that the government “outsourced” a criminal LIBOR investigation to Deutsche Bank and its outside counsel, and thereby violated defendant Gavin Black’s Fifth Amendment rights when outside counsel interviewed the defendant under threat of termination from his employment.  United States v. Connolly, 16 Cr. 370 (CM), Memorandum Decision and Order Denying Defendant Gavin Black’s Motion for Kastigar Relief, ECF Document 432, slip op. at 19, 29 (May 2, 2019).  But because the DOJ did not use the defendant’s compelled statements at trial and the investigation was not otherwise tainted, the Court found no Kastigar violation and held that, even if there was, any error was harmless.  Connolly, slip op. at 40-41, 43-44.  


https://wp.nyu.edu/compliance_enforcement/2019/05/07/u-s-v-connolly-outsourcing-a-government-investigation-and-how-to-avoid-it/

CBS Beefs Up Ethics & Compliance
By Matt Kelly
Radical Compliance

Most notably, CBS will place “human resources production partners” on set at all of its programs, so actors and other staff will have someone they can approach with any complaints. That seems directly related to Michael Weatherly, star of CBS’ hit show Bull. He was accused in December of harassing co-star Eliza Dushku, and then squeezing her off the show in 2016 when Dushku complained about his behavior to CBS executives.

CBS also said it has hired a new chief ethics and compliance officer, Hazel Mayers. Mayers started the job in March, after working since 2015 as general counsel at Simon & Schuster — but Mayers also previously worked at CBS for 12 years before that, as assistant general counsel and chief compliance officer.

http://www.radicalcompliance.com/2019/05/07/cbs-beefs-ethics-compliance/

The Ruthless, Secretive, and Sometimes Seedy World of Hedge Fund Private Investigators
by Michelle Celarier
Institutional Investor

Work for activist hedge funds is a particularly revealing task, according to Barakett. “I’m never surprised by what we find,” he says, mentioning a public company executive who had a “wife and kids in one city, and another wife and kids in another city in another — nonadjacent — state.” Another married CEO of a public company “had his gay lover on the payroll and was also living in a condo owned by the company,” Barakett says.

https://www.institutionalinvestor.com/article/b1f6yg8n93jyfh/The-Ruthless-Secretive-and-Sometimes-Seedy-World-of-Hedge-Fund-Private-Investigators

What characteristics do the World’s Most Ethical Companies have in common?
By Aarti Maharaj
The FCPA Blog

Some of the findings include:

  • Diversity at the highest levels: Among the 128 companies from Ethisphere’s 2019 awards list, women hold 28.1 percent of the director positions (a four percent increase over last year). That compares with 21.1 percent overall on the large cap index.
  • Disseminating information about disciplinary actions: Amazingly, one out of every ten employees surveyed by Ethisphere indicated that they either disagree or strongly disagree that the rules and associated disciplinary actions for unethical behavior or misconduct are the same for every employee. That said, nearly one-third (32 percent) of honorees do communicate publicly about how such concerns were reported, the types of concerns reported, and the substantiation rates of corresponding investigations. This figure represents a noticeable increase over 2018, when less than a quarter of 2018 honorees communicated such information publicly.
  • Supporting middle management: An employee’s immediate manager is the most commonly used resource for not only asking questions but also reporting observed instances of misconduct, so supporting middle management with tools to ease the intake and tracking process is important to the World’s Most Ethical Companies. The majority (84 percent) of 2019 honorees use a tracking tool or case management system that tracks all reports and related investigations, regardless of how the report was originally made.

http://www.fcpablog.com/blog/2019/4/24/what-characteristics-do-the-worlds-most-ethical-companies-ha.html

We Select Best-in-Class… of those that pay us

Deutsche Bank marketed a robust, independent due diligence process to identify, evaluate, and select best-in-class asset managers, but failed to disclose that it only recommended hedge funds that shared their management fees with the bank.

DB disclosed that it might receive revenue sharing and actually disclosed the amount it received in the subscription agreement. DB can recommend only its own products to its clients, as long as there is good disclosure.

However, the SEC felt that DB did not have good disclosure. The marketing for the fund failed to disclose that it was only recommending funds that agreed to pay a kickback to DB. 

The SEC has been focusing on these “retrocessions.”  What is interesting about this case is that the bank was not a registered adviser or broker-dealer. The bank was charged with violating the Securities Act’s anti-fraud provisions (17(a)(2)).

This is not the first time this has happened. JP Morgan paid a $267 million settlement to the SEC in 2016. The bank was investigated for steering high-net-worth clients toward its own proprietary investment funds that could cost more rather than those managed by other institutions.


DOJ’s New Evaluation of Corporate Compliance Programs

The Justice Department released a refreshed set of guidelines on how prosecutors should evaluate corporate compliance programs.

The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describe factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. One of these factors is “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Guidelines are meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective.

For those of us involved in compliance for highly regulated companies in finance, I take the guidance with a word of caution. Regulators are the first line of compliance program creation. If you screw up badly, they pull in the agency’s lawyers. It’s only when you end up in the super serious list, like criminal charges, that you end up with the Department of Justice where these Guidelines are operative.

So what has changed in the Guidelines document?

It’s bigger. The original guidance was only four pages. The new guidance blossoms up to 19 pages.

It’s written for non-compliance people. The previous guidelines were written more like a checklist for those with a compliance background. I heard the new guidelines were released in a training session for DOJ attorneys. I guess it will be the front-line prosecutors using these guidelines to help in their decision-making process.

I need to take a deeper dive into the guidelines. More to come.


Compliance Bricks and Mortar for May 3

I’m in Chicago today at the SCCE Regional Compliance & Ethics Conference. I’m speaking in the morning on compliance and corporate governance.

If you’re also attending, grab me for a cup of coffee.

Meanwhile, here are some of the compliance-related stories that recently caught my attention.


Whistleblower Challenges SEC Over Delay on Award Decision
by Kristin Broughton
Risk & Compliance Journal in WSJ.com

Between 2014 and 2017, the SEC took an average of more than two years to decide if a whistleblower deserved a reward, according to an analysis by The Wall Street Journal. That is more than twice as long as in 2012 and 2013, the early years of the whistleblower program.
The decision-making process has taken longer as the agency has sorted through a flood of requests for awards and tips on potential corporate wrongdoing. The SEC last year received 5,282 whistleblower tips, an increase of 18% from a year earlier, and nearly twice the number received in 2012, the first full year after the program took effect, according to an SEC report to Congress.

https://www.wsj.com/articles/whistleblower-challenges-sec-over-delay-on-award-decision-11556668694

New Compliance Evaluation Guidelines
By Matt Kelly
Radical Compliance

In fact, that was my biggest impression when comparing the 2017 and 2019 guidelines; that the new guidelines are more comprehensive, so they can be used by people less familiar with corporate compliance. Whether that’s comforting news for corporate compliance officers sitting across the negotiating table, or exasperating news, I’m not sure.

Recall that when the Justice Department first developed their evaluation guidelines in 2016 and 2017, the department had a compliance counsel: Hui Chen. She was a seasoned veteran in corporate compliance, and the thinking at the time was that Chen (or subsequent compliance counsels) would help prosecutors evaluate the compliance programs of companies under investigation.

Benczkowski eliminated that compliance counsel role.

http://www.radicalcompliance.com/2019/04/30/new-compliance-evaluation-guidelines/

Insider Trading and Disclosure: The Case of Cyberattacks
By Eli Amir, Shai Levi and Tsafrir Livne
The CLS Blue Sky Blog

When a cyberattack with material negative consequences occurs, security regulations require companies to disclose information on the event to the public, as in other incidents with material negative effects. Executives can opportunistically sell shares (or avoid buying shares or granting stock options) before disclosing information on cyberattacks to the public. However, they are unlikely to trade on private information that the firm intends to disclose. Disclosure of the negative information will expose and label preceding sales as insider trading, and executives will not sell shares if they wish to avoid the legal ramifications of insider trading. In some cases, however, firms withhold information and do not disclose the cyberattack to investors; and if the firm chooses to withhold information on the cyberattack, insiders’ sales of shares are less likely to be identified as insider trading.

We predict that the likelihood of insider trading is higher for firms that withhold the information than for firms that voluntarily disclose it. 

http://clsbluesky.law.columbia.edu/2019/04/25/insider-trading-and-disclosure-the-case-of-cyberattacks/

Teaching Compliance Part I of III
by Veronica Root Martinez
NYU Law’s Compliance & Enforcement

I decided to tackle teaching the course in a manner that I hoped would allow students to think through the different roles they might play within compliance efforts, followed by a few classes dedicated to specific compliance areas in an attempt to allow students to better understand how their role might look in practice.  To do so, I draw on enforcement, compliance, behavioural ethics, and professional responsibility materials.  Each class session has one dedicated case study to help students understand the concept being presented.

https://wp.nyu.edu/compliance_enforcement/2019/04/16/teaching-compliance-part-i-of-iii/

New SEC/Musk settlement spells out which Tesla tweets require preapproval
by Anne Sherry, J.D.
Jim Hamilton’s World of Securities Regulation

Musk’s response to the contempt proceedings argued that the “500k” tweet could not reasonably be considered material. Settlement 2.0 attempts to clear up any ambiguity by substituting a more specific list of topics for 1.0’s materiality standard. Pointedly, the list includes “potential or proposed mergers, acquisitions, dispositions, tender offers, or joint ventures” and “production numbers or sales or delivery numbers” that are new or deviate from previously published guidance.

https://jimhamiltonblog.blogspot.com/2019/04/new-secmusk-settlement-spells-out-which.html

Regulation S-P – Privacy Notices and Safeguard Policies

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.

Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.

The most frequent deficiencies and weaknesses:

  • Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
  • Lack of policies and procedures as required by Regulation S-P.
  • Lack of safeguards of customer data on personal devices
  • Sending unencrypted email communication with personally identifiable information (PII)
  • Lack of data privacy training
  • Sending PII to networks outside of the registrant’s network
  • Failure to follow privacy policies regarding outside vendors
  • Failure to maintain a PII inventory
  • Insufficient incident response plans
  • Storage of PII in insecure physical locations
  • Making customer login information available to more employees than permitted under the firm’s policies and procedures
  • Failure to remove login rights from departed employees


Howey Test – Framework for “Investment Contract” Analysis of Digital Assets

To show the markets that the Securities and Exchange Commission is not just about slapping around wrong-doers, but also trying to help people navigate the securities laws, the SEC’s FinHub published a framework for analyzing whether a digital asset is a security.

The framework is not intended to be an exhaustive overview of the law; rather, it is a tool to help market participants assess whether the federal securities laws apply to the offer, sale, or resale of a particular digital asset.

Did anyone find it strange that the “framework” document had no statement of the author or publisher? There is not even an SEC symbol.

That should be a warning that you can’t rely on it. It’s not official guidance. It’s not a no-action letter.

It is a comprehensive look at the Howey test in the lens of cryptocurrency. The Supreme Court’s decision in SEC v. W.J. Howey Co. found that an “investment contract” exists when there is the investment of money in a common enterprise with a reasonable expectation of profits to be derived from the efforts of others.  If it’s an “investment contract,” it’s a security and subject to securities laws.

The framework quickly jumps over the first two prongs of the Howey test: the “investment of money” and “a common enterprise.” That’s true in most of the “What is a Security?” cases.

The framework focuses on the “expectation of profits from the effort of others” prong of the Howey test. The Framework splits that into two parts.

Generally, if you make an investment you expect to make a profit. Otherwise it’s just a purchase for use. I bought a cup of coffee this morning. I had no expectation of profit. I had an expectation of getting coffee. I bought it with a stored value card from Starbucks. It’s not an investment. Those could have been Starbucks coins.

You can see an obvious problem with ICOs that talk about how much the coins are going to increase in value. That injects an expectation of profit. The framework lays out a long list of characteristics that make it likely the SEC will see that there is an expectation of profits.

“Lambo, Lambo, Lambo” was not specifically on the list. They took a more demure “able to earn a return on their purchase.”

The framework inquiry into whether a digital coin purchaser is relying on the “efforts of others” focuses on two key issues:

  • Does the purchaser reasonably expect to rely on the efforts of an active participant in running the underlying platform?
  • Are those efforts “the undeniably significant ones, those essential managerial efforts which affect the failure or success of the enterprise,” as opposed to efforts that are more ministerial in nature?

If there is a key person responsible for the development of the platform and making the decisions, that makes it look like an investment.

To put this framework into play the SEC also announced a no-action letter for the Turnkey Jet token sale (TKJ) and found that it would not recommend enforcement because it was not a securities offering.

In reaching this position, we particularly note that:

1. TKJ will not use any funds from Token sales to develop the TKJ Platform, Network, or App, and each of these will be fully developed and operational at the time any Tokens are sold;
 
2. the Tokens will be immediately usable for their intended functionality (purchasing air charter services) at the time they are sold;
 
3. TKJ will restrict transfers of Tokens to TKJ Wallets only, and not to wallets external to the Platform;
 
4. TKJ will sell Tokens at a price of one USD per Token throughout the life of the Program, and each Token will represent a TKJ obligation to supply air charter services at a value of one USD per Token;
 
5. If TKJ offers to repurchase Tokens, it will only do so at a discount to the face value of the Tokens (one USD per Token) that the holder seeks to resell to TKJ, unless a court within the United States orders TKJ to liquidate the Tokens; and
 
6. The Token is marketed in a manner that emphasizes the functionality of the Token, and not the potential for the increase in the market value of the Token.

The Turnkey Jet token is a stored value card saved on the blockchain instead of a central account. That’s closer to buying a cup of coffee than it is to investing.

Of course, the framework is just the SEC’s view on a securities law question under federal law. There are also state law analyses that need to be done.
