Coping With Regulatory Change – Office of Investor Advocate


I’m attending a conference sponsored by IA Watch: Coping with Regulatory Change. These are my brief notes.


Rick Fleming, Director of the Office of Investor Advocate at the Securities and Exchange Commission, started with a keynote. His office and position were created by Dodd-Frank. He currently has a staff of ten people. (One of the inherent conflicts at the Securities and Exchange Commission is between investor protection and capital formation.) He created the position of Ombudsman for complaints against the SEC itself. Most of the staff is focused on policy issues, including those of the SROs. He hired an economist to focus on the benefits to investors, not just the cost to the industry, in the cost-benefit analysis of proposed regulatory actions.

He reports to Congress twice a year. The statutory mandate prevents the Commissioners from imposing their views on that report.

If the Office is not happy with an action, it can make a formal recommendation and the SEC must respond according to the statute.

Top Priorities for this year:

  • High frequency trading
  • More effective disclosures to investors
  • Variable annuity disclosures
  • Accounting and auditing issues
  • Millennial investors – how are they different?
  • Fiduciary Duty

He thinks there needs to be more exams of investment advisory firms. He recommended an additional fee to pay for more frequent exams. (He came from a state regulator.) However, he is not a fan of SROs and the FINRA model of self-exam. Review of investment advisers is a legitimate government action. He prefers more funding for SEC exams. He does advocate for third party verification of assets. His current idea is the use of consultants for review.

He thinks the SEC will come out with a Fiduciary Duty rule at some point this year, applying a higher duty to brokers who advertise themselves as something other than a broker. His biggest concern is that Dodd-Frank limits the duty when a proprietary product is being sold. That is where he has seen the most problems.

What To Expect From The SEC In The Year Ahead

These are my notes, live from the forum. (Please pardon the rougher nature.)
Private fund Compliance forum

Speaker:
Marc Wyatt , Deputy Director -Office of Compliance Inspections and Examination, US Securities and Exchange Commission

(Of course, his comments are his own and don’t represent the viewpoints of the Commission or the rest of the staff.) This is also only his 16th day in this position.

The “presence exam initiative” was a response to the flood of new registrants coming from Dodd-Frank. The SEC wants to push the results back to the firms.

Capital formation is important. The private equity industry has grown 25% and capital raised has increased by 40% over the last few years. The size of funds currently being marketed is down 14%.

He interprets this to mean that the SEC’s oversight is not impeding capital formation.

OCIE’s private fund unit wants to conduct targeted risk-based exams to ensure compliance. The unit spreads the results throughout OCIE to keep examiners aware of risks and what to look for. The unit is also running training sessions for the large population of examiners.

Based on last year’s speech by Bowden, investors are focused on fees.

Disclosure on Form ADV does not work if the disclosure is not made until after the investor comes into the fund. Get consent if you are imposing a new fee or expense.

The SEC is happy to see a split between the general counsel and chief compliance officer roles.

There is still room for improvement.

By far the most common deficiencies noted by our examiners in private equity relate to expenses and expense allocation. Many managers still seem to take the position that if investors have not yet discovered and objected to their expense allocation methodology, then it must be legitimate and consistent with their fiduciary duty.

Co-investment allocation is an area of concern. All investors must understand where they stand.

In addition to the SEC’s focus on traditional private equity, the National Examination Program began utilizing our Private Funds Unit to systematically look at private equity real estate advisers. There was an observation that real estate managers, especially those executing opportunistic and value-add strategies, tended to be much more vertically integrated than traditional private equity managers.

They found that some ancillary services are not disclosed. More often they found that the manager would charge these additional fees based on the understanding that the fees would be at or below a market rate. Unfortunately, the SEC found that the manager was not able to substantiate claims that such fees are “at market or lower.” The SEC saw that some managers collect no data to justify their fees at all. Other times, the data is collected informally through calls to other industry participants and is not documented.

I hope that private equity real estate managers who have promised to provide their investors with “rates at or below market rate” review their benchmarking practices to ensure they can support their claims.

We can expect additional enforcement recommendations involving undisclosed and misallocated fees and expenses as well as conflicts of interest.

The speech was published during the session. Here it is: Private Equity: A Look Back and a Glimpse Ahead.

Post-speech questions and comments:

OCIE wants to be risk-based, data-driven, and transparent. They don’t want to be a “gotcha” regulator.

How do you get the examiners out of the office faster? Give them accurate and consistent responses quickly. Don’t cross-talk. Make sure you understand the question and understand the definition/terminology. If you data-dump that will slow down the process. If you give the examiners 700 documents, they will have 700 documents to read and that takes time.

Exempt reporting registrants? The SEC will show up if there is a TCR or a sweep.

He looks at CCOs as colleagues to help spread compliance. CCO liability situations came from egregious behavior (Blackstone aside).

Ensuring Compliance in Your Marketing and Advertising Procedures

These are my notes, live from the forum. (Please pardon the rougher nature.)


Speakers:
Julia D. Corelli, Partner, Pepper Hamilton
Ross A. Oliver, Senior Counsel & Chief Compliance Officer, Crestview Partners
Gwen Reinke, Chief Compliance Officer, Vista Equity Partners

You need to think of marketing as a broader area than advertising.

Deal press releases and portfolio company press releases may describe the firm. Make sure it meets the standards. Your website is marketing.

How do you monitor compliance with your policy? Set up the Google search. Look at employee LinkedIn accounts.

You should on-board new employees to make sure they understand the dos and don’ts, followed by annual training.

Are private funds using general solicitation under 506(c)? The proposed rules have raised many unknowns about the downside to using it. Many are skeptical that true general advertising would be a good way to reach potential investors. Some funds are using it to avoid the common foot-faults (like speaking at a conference).

The SEC has increased its review of marketing materials as part of its examinations. One focus is the inclusion of GP or other non-fee-paying LPs in the performance data.

Prospective investors want to see case studies. The regulatory concern is that it could be considered cherry-picking. Best practice is to include a list of all investments with performance results.

When it comes to net returns, there was a split in the audience poll. Half calculate as if everyone paid the highest fee; the other half exclude non-fee or reduced-fee investors from the calculation. Regardless of the choice, you need to disclose it.

When it comes to books and records, remember you need to keep the performance backup materials for at least five years after last used.

Cybersecurity and Risk Management

These are my notes, live from the forum. (Please pardon the rougher nature of this report.)


Speakers:
Terry E. Everett, CFO & COO, Rockland Capital
Garth Nichols, Senior Manager- Financial Services, EY
Christopher Anderson, CCO & General Counsel, KPS Capital Partners LP

The first step is to figure out what you want to protect. For private equity and real estate funds the information may be all over the place. It’s not just a client account database.

It’s not just about digital access, but also physical access. Figure out if people can get into your offices and, if they do get in, what they can get easy access to. Walk around and see if people have passwords stuck to their monitors.

Assess where risks may be coming from. Protect the higher risks.

Look to third parties that you share sensitive information with. Look at their program to make sure it’s up to your standard and not a vulnerability.

Your employees are likely your weakest link. Phishing and spearphishing are common attacks. Accidents happen: employees lose laptops and phones that may offer access to your systems.

You should be able to show that you have been thoughtful, have a plan in place to review, and have a plan in place to deal with a breach.

The SEC Exam: What We’ve Learned from Recent Exams

These are my notes, live from the forum. (Please pardon the rougher nature.)

Speakers:
Jason Brown, Partner, Ropes & Gray
James Gaven, Senior Counsel and Chief Compliance Officer, Welsh, Carson, Anderson & Stowe
Byron Pavano, COO & Fund Counsel, Audax Group
Abrielle Rosenthal, Managing Director, Chief Compliance Officer, TowerBrook Capital Partners LP

The new registrant presence exam initiative is over. What’s next?

The exams are much more focused than when the presence exam started. Requests across regional offices are looking more similar. SEC personnel are getting more knowledgeable. Enforcement actions are coming.

Work hard to get documents in by the deadline or before the deadline to the SEC examiners. Speed makes you look good.

Don’t underestimate the importance of the process. Make sure you know who is going to do what. Decide who to notify. Plan on how to leverage outside counsel and consultants to help with the process.

Focus on how to use attorney-client privilege for disclosure. It does change the tenor of the exam process.

How to stay ready for an exam:

Mock audits. Maybe it’s better to have a deeper dive on specific issues than a full audit.

Grab an example of a request list and make sure you can get all of the documents.

Have a day one pack ready at all times, with an introductory presentation.

The SEC will be focused on fees and expenses. Make sure you have that information put together. Examiners are focused on the allocation of expenses between the funds and the management company. Keep an eye on broken deal expenses. Focus on employee/consultant/operating partner expenses. The SEC will be looking at a general ledger and deep-diving.

Are examiners giving credit to ADV and LPAC disclosures? It seems to be a mixed bag. You definitely can’t amend the LPA through the ADV. It won’t save you if there is an actual issue. Don’t say “may” if you are actually doing the act and always doing it.

Accelerated monitoring fees are continuing to be a hot button. It’s moving from a deficiency to an enforcement action.

You need to be accurate and fulsome in your responses. You also need to make sure you understand the question. The SEC questions tend to be one-size-fits-all. You don’t need to answer more than what is asked.

Consultant versus employee and charging to the portfolio companies. If the person is exclusive, then the SEC is going to take the default position that the person is an employee, regardless of how the firm treats the person.

Valuation is continuing to be a focus area for the SEC when examining private funds, private equity and real estate in particular. The SEC will want to see what caused changes in valuation. The focus is on good process. The SEC has hired valuation experts. The examiners are challenging underlying assumptions. Of course, examiners are looking for documentation.

Allocation of opportunities has been a point of focus. Examiners are looking at allocations among funds and allocations among co-investors. The key is to disclose what you are going to do and to make sure you follow that disclosure. It’s okay to cherry-pick as long as that is what was disclosed.

In at least one exam, there was a side letter in which the investor expressed an interest in co-investment opportunities. The examiners determined that the provision required the manager to notify the investor when there was a co-investment, even if that opportunity was not offered to that investor.

The Custody Rule is still a tough fit for private equity firms. They are looking for thoughtful consideration of the rule.

Compliance Today: What’s Impacting the Compliance Community

These are my notes, live from the forum. (Please pardon the rougher nature.)

Moderator:
Rob Kotecki, Reporter, Private Funds Management

Speakers :
Roman A. Bejger, Esq., General Counsel & Chief Compliance Officer, Providence Equity
Danielle Ryea, Senior Manager, EY
David Smolen, General Counsel & Chief Compliance Officer, GI Partners

The Blackrock enforcement action was levied against the firm and the CCO for a conflict of interest issue involving an investment and one of its portfolio managers. The portfolio manager had disclosed the conflict to the CCO. The charge was that the CCO failed to report a “material compliance matter” to the board of directors. The CCO was personally liable and had to pay a fine of $60,000.

On the other hand, a CCO can be a whistleblower and get the financial windfall of the bounty. (Assuming the company fails to fix the problem.)

If the firm retaliates, the SEC can pass along part of the award for the retaliation.

How does an internal procedure for reporting problems compete with large whistleblower payments?

Life of a whistleblower is difficult. Few see the big financial reward and if they do, it takes a long time to get to the point of an award being granted. It’s more like winning the lottery, with long odds.

You CAN’T contractually prevent employees from being whistleblowers or talking to regulators. See the KBR case: SEC Action for Stifling Whistleblowers in Confidentiality Agreements.

Take a look at the Shelton case. The administrative order required the firm to split the general counsel and chief compliance officer roles:

“For a period of five (5) years from the entry of this Order, [Shelton Financial Group] shall employ a Chief Compliance Officer whose sole responsibility will be serving in that position.”

The burden of compliance is only continuing to grow.

Are the SEC rules getting in the way of private equity compliance? The SEC rules mandate that you pre-clear trades and monitor employee trading, but the big issue is monitoring fees and expenses charged to portfolio companies. (UPDATE: Pre-clearance is not required by SEC rules.)

How have things changed since Bowden’s sunshine speech? Some have changed the Form ADV. Some have increased testing. Some have changed their policies. The LPA can’t be changed, so fees and expenses need to be in compliance with the agreement.

Cybersecurity- How does a compliance officer get his or her hands around this without a technology background? It is a tough gap to bridge. The SEC at least wants you to be thoughtful. (At least we think so.)

Private Fund Compliance Forum 2015

I’m spending a few days in New York attending PEI’s Private Fund Compliance Forum. Last year, the SEC’s Drew Bowden dropped his illegal expenses bombshell. I wonder what his acting replacement, Marc Wyatt, will do as follow up later today.


I plan to live-blog my notes during the conference. We’ll see how the power and internet access function in the conference’s rooms.

Speakers confirmed for 2015 include:

  • Doug Cornelius
  • Anthony S. Dell
  • April E. Evans
  • David A. Smolen
  • Marc Wyatt

Professional Ethics at the NRS Compliance Conference


These are my notes from the NRS Fall Compliance Conference.

Dorothy (Dot) C. Kelly, Director, Training & Outreach for the Professional Conduct Program, CFA Institute
Wendy L. Pirie, Director, Curriculum Projects, CFA Institute
Robert Stirling, Senior Consultant, Investment Adviser Services, NRS

According to the 2013 Edelman Trust Barometer, the Financial Services industry is the least trusted industry globally. Only 46% trust the financial services industry to do the right thing.

THE GOAL OF ETHICS EDUCATION
• To recognize that ethical issues are a normal and predictable part of life.
• To build upon a culture of compliance and develop a culture of ethical decision-making.
• To discuss approaches for dealing with ethical issues.

Economist Intelligence Unit Report: A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services
Key Findings:
• 91% of financial executives support the notion that aspiring to a globally recognized set of ethical standards would make the financial services industry more resilient.
• 53% of financial services executives say strictly adhering to ethical standards inhibits career progression at their firm.

LAW versus ETHICS

Law: a clearly defined set of enforceable rules that applies to everyone. It represents a minimum level of expected conduct that everyone must observe. (CAN YOU?)

Ethics: addresses situations not covered by the law (relations with competitors, interpersonal relations at work) and also contributes to the creation of laws. (SHOULD YOU?)

FUNDAMENTAL ETHICAL PRINCIPLES

– Place client interests first
– Maintain independence and objectivity
– Avoid/manage conflicts of interest
– Make full and fair disclosure
– Preserve confidentiality
– Deal fairly
– Reasonable care & prudent judgment
– Maintain integrity of profession
– Promote integrity of capital markets

A FRAMEWORK FOR ETHICAL DECISION-MAKING

Identify the Issue(s):

  • Duties/Obligations
  • Conflicts of Interest
  • Relevant Facts
  • Ethical Principles

Consider:

  • Situational Influences – External & Internal
  • Alternative Actions
  • Additional Guidance

Then Act and Reflect.

WARNING PHRASES:

– Everybody else does it, so it must be okay.
– That is the way they do it at Firm X.
– If we do not do it, someone else will.
– This is the way it has always been done.
– It doesn’t really hurt anyone.
– It’s not a big deal.
– It’s not my responsibility.
– I want to be a team player; I want to be loyal.


Risk Management Panel at the NRS Compliance Conference


These are my notes from the NRS Fall Compliance Conference.

Robert B. Hirth, Chairman, Committee of Sponsoring Organizations of the Treadway Commission
Fred Shane, Chief Risk Officer, Commonwealth Financial Network

Should CCOs be Taking on the Additional Role of a Chief Risk Officer?

It Depends, of Course
• Compliance requirements, degree of regulation, risk
• Objectives
• Complexity
• Size
• Ability to source talent
• Peer companies
• Regulatory constraints
• NO single right answer, NO one size fits all

The SEC is starting to use concepts of risk measurement in its inspection program.

SEC’s “Core Initial Information Examiners Request of Investment Advisers” includes the following:

  • “On-going Risk Identification and Assessment Inventory of compliance risks that forms the basis for policies and procedures and notations regarding changes made to the inventory.
  • Documents mapping the inventory of risks to written policies and procedures.
  • Written guidance provided to employees regarding compliance risk assessment process and procedures to mitigate and manage compliance risks.”

The SEC has published an “Investment Adviser Scenario Analysis/Risk Matrix” on its web site: http://www.sec.gov/info/cco/cco_matrixguide.pdf

The SEC has also published a “Risk Inventory Guide” on its web site: http://www.sec.gov/info/cco/red_flag_legend_2007.pdf. The Guide lists twelve categories of risks for an investment adviser. According to the SEC,

“[a]s a CCO responsible for your firm’s compliance, you should determine what risks are present and how they might affect your firm and its operations, assess whether the controls in place to manage or mitigate these risks are adequate, and make or recommend modifications to the compliance policies and procedures as necessary.”

Risk management is a bigger scope than compliance.

Risk Reporting and Tracking

Use a Risk Management Database

  • Impact Risk
  • Likelihood Risk
  • Vulnerability Risk
  • Priority Risk
  • Velocity – how fast does it happen?
  • Persistent – How long is the impact?
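An added example (my own code, not the panel’s or the SEC’s) showing what the SEC’s request for “documents mapping the inventory of risks to written policies and procedures” and the panel’s risk database attributes look like as data: each risk carries the six attributes named above, is linked to policy ids, and two checks report risks with no valid written policy and rank the inventory by priority. The 1–5 scales, the scoring formula, and the sample risks and policies are assumptions I constructed for illustration.

```python
"""Risk inventory mapped to written policies (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    impact: int         # 1 (minor) .. 5 (severe)        - assumed scale
    likelihood: int     # 1 (rare) .. 5 (frequent)       - assumed scale
    vulnerability: int  # 1 (well controlled) .. 5 (no control in place)
    velocity: int       # 1 (slow onset) .. 5 (immediate)
    persistence: int    # 1 (short-lived) .. 5 (long-lasting impact)
    policies: list = field(default_factory=list)  # ids of written policies addressing it

    def priority(self) -> int:
        """Assumed formula: core exposure, nudged by how fast and how long harm lands."""
        return (self.impact * self.likelihood * self.vulnerability
                + self.velocity + self.persistence)


# Constructed policy register: id -> title of the written policy/procedure.
POLICIES = {
    "P-01": "Fee and expense allocation policy",
    "P-02": "Code of ethics / personal trading",
    "P-03": "Information security policy",
}

# Constructed inventory; the last two illustrate the gaps an examiner would ask about.
INVENTORY = [
    Risk("Misallocated fund expenses", 5, 4, 3, 2, 4, ["P-01"]),
    Risk("Employee personal trading conflicts", 3, 3, 2, 3, 2, ["P-02"]),
    Risk("Departed employee retains remote access", 4, 3, 5, 5, 3, []),       # no policy mapped
    Risk("Vendor data loss", 4, 2, 4, 3, 4, ["P-09"]),                        # dangling policy id
]


def unmapped_risks(inventory, policies):
    """Names of risks not covered by at least one policy that actually exists."""
    return [r.name for r in inventory
            if not any(pid in policies for pid in r.policies)]


def ranked(inventory):
    """(name, priority) pairs, highest priority first."""
    return [(r.name, r.priority())
            for r in sorted(inventory, key=lambda r: r.priority(), reverse=True)]


if __name__ == "__main__":
    for name, score in ranked(INVENTORY):
        print(f"{score:3d}  {name}")
    print("No valid written policy:", unmapped_risks(INVENTORY, POLICIES))
```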

Internal controls – GO beyond the brute force automated systems and think of them as control activities. Meetings can be a control.

The COSO update articulates the principles of effective internal control:

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Information Technology and Cybersecurity


These are my notes from the NRS Fall Compliance Conference.

Ted Kobus, Baker Hostetler
Karen M. Aavik, First Niagara Financial Group
Tammy Eisenberg, CLS Bank International

In 2012 the average cost of a data breach was $5.4 million (IBM 2014 Cost of Data Breach Study).

More breaches happen from lost laptops and media than from third-party hackers. Malicious employees may steal information. Ill-informed employees may leave systems open inadvertently. Also keep an eye on employees’ departures. Make sure you shut down the departing employee’s remote access.

Malware is hard to stop; it takes a concerted effort. Phishing and spear-phishing are more common. The attacker tries to get you to voluntarily open a breach by giving them your account information and password.

Vendors cause a substantial portion of breaches. They may not be as careful as you. At the end of contract, you need to make sure you get the data back and they delete the information.

Data Breach Decisions

  • Is it a breach?
  • Who are the key internal personnel that should be involved in the response?
  • Do you involve law enforcement?
  • Do you hire a forensics company?
  • Do you retain outside counsel?
  • Do you involve regulatory agencies?
  • Is crisis management necessary?
  • Do you offer credit monitoring?
  • Do you get relief from a “law enforcement” delay?

One silver lining. You will be better prepared for the next breach.

What do regulators expect?

  • Transparency
  • Prompt and thorough investigation
  • Corrective action
  • Appropriate and prompt notification to regulators and customers

Best practices

  • Prepare and practice a response plan
  • Respond quickly
  • Bring in the right team
    • Preserve evidence
    • Contain & remediate
    • Let the forensics drive the decision-making
    • Law enforcement
    • Document analysis
    • Involve the C-suite
    • Plan for likely reaction of customers, employees, & key stakeholders
    • Mitigate harm

FTC Recommended Internal Safeguards

Over 50% of data breaches originate from inside the company.
Train and retrain all employees to:
(1) Limit access to customer information to employees who have a business reason to view;
(2) Secure deal jackets and information;
(3) Lock rooms and file cabinets;
(4) Use strong passwords on computers (and don’t share);
(5) Remove access for terminated employees;
(6) Securely dispose of customer information;
(7) Think about what data is provided to a vendor;
(8) Protect customer information.
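The two points about departed employees above (shut down remote access when someone leaves, and the FTC’s “remove access for terminated employees”) are the kind of thing a compliance officer can verify with a periodic reconciliation rather than trust to memory. The following is an added example of my own, not from the conference or any vendor: it compares a constructed HR roster against a constructed remote-access export and flags accounts still enabled after a termination date, logins after that date, and accounts with no HR record at all. Field names are assumptions; map them to your own HR and VPN or identity-provider exports.

```python
"""Orphaned remote-access reconciliation (constructed sample data)."""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_ROSTER = {
    "e100": None,
    "e101": date(2015, 3, 31),
    "e102": date(2015, 4, 15),
    "e103": None,
}

# Constructed remote-access export (VPN / identity provider), one row per account.
REMOTE_ACCESS = [
    {"user": "e100", "enabled": True,  "last_login": "2015-05-01T08:12:00"},
    {"user": "e101", "enabled": True,  "last_login": "2015-04-02T22:47:00"},  # left 3/31; still on, used after
    {"user": "e102", "enabled": False, "last_login": "2015-04-14T17:05:00"},  # disabled correctly
    {"user": "e103", "enabled": True,  "last_login": None},
    {"user": "svc-backup", "enabled": True, "last_login": "2015-05-01T01:00:00"},  # unknown to HR
]


@dataclass
class Finding:
    user: str
    issue: str  # "still_enabled" | "login_after_termination" | "no_hr_record"


def find_orphaned_access(roster, accounts, as_of: date):
    """Return findings for every account whose owner left on or before as_of."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            # Service or contractor accounts need an owner too; otherwise nobody
            # will ever trigger the "remove access" step for them.
            findings.append(Finding(user, "no_hr_record"))
            continue
        term = roster[user]
        if term is None or term > as_of:
            continue  # still employed as of the check date
        if acct["enabled"]:
            findings.append(Finding(user, "still_enabled"))
        last = acct["last_login"]
        if last and datetime.fromisoformat(last).date() > term:
            # Access was actually used after departure: treat as an incident, not a cleanup.
            findings.append(Finding(user, "login_after_termination"))
    return findings


if __name__ == "__main__":
    for f in find_orphaned_access(HR_ROSTER, REMOTE_ACCESS, date(2015, 5, 1)):
        print(f"{f.issue:25s} {f.user}")
```

Run it on a schedule against fresh exports; a non-empty list of `login_after_termination` findings is the case to escalate to the breach-response plan described above.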

Identity Theft Red Flag Rules

The key is to see if you have a “covered account” or are a “financial institution.”

Policies/procedures must be based on a periodic identification of client accounts and a risk assessment of potential identity theft, including:
– account opening processes;
– account access processes; and
– previous experiences with identity theft.

The procedures must include the following four elements:
– identifying red flags;
– detecting red flags;
– responding to red flags; and
– periodically updating the program.