Aesop, the SEC, and the $2.5 Million Regulation S-ID Lesson
By Victoria Olson, CRCP, Senior Consultant
Compliance Services
Reading enforcement actions against investment advisers serves two purposes for me: (1) I get a chance to pat myself on the back and rejoice that it wasn’t my firm, and (2) I learn about what went wrong (allegedly), and then I take a look at my compliance program to make sure I’m not doing the same thing. This is a practice I picked up as a kid reading Aesop’s Fables — if you can learn the lesson from reading, you don’t have to suffer the same fate in real life! To that end, I’m here to tell you that it seems like it’s time for all of us to take a good look at our Identity Theft Prevention Programs (the “Programs”).
The common thread of recent Regulation S-ID violations
On July 27, the SEC announced three settlements totaling over $2.5 million relating to violations of Regulation S-ID.¹ The charges against three firms reveal a common thread: policies and procedures that were not reasonably tailored to the firms’ businesses, and a lack of effective supervision of the Programs.
- The first order² notes that the policies the firm adopted included the verbatim red flags provided in Appendix A to Regulation S-ID, but did not describe how the firm specifically was supposed to identify such red flags or respond to them when detected.
In addition, the Order states that the firm did not make subsequent updates to its Program based on its own experiences with identity theft. On top of that, the firm did not effectively oversee its service providers’ Programs.
- The second firm initially adopted identity theft prevention policies in 2008, and the SEC Order³ states that the firm did not make material changes to its Program even when Reg S-ID became effective in 2013 and through the relevant period (January 2017-October 2019). The Order notes numerous deficiencies, including a lack of reviews to identify covered accounts, red flags not tailored to the business, a lack of procedures to identify or respond to red flags, and a lack of procedures to update the Program. The SEC also took issue with a lack of oversight of the Program by the board of directors, noting deficiencies in the information provided to the board, and specifically that board minutes did not reflect any discussion of compliance with Reg S-ID.
- The third firm was apparently in a similar state. The Order⁴ against it notes there had been no material changes to the Program since it was initially adopted in 2013 and throughout the relevant period, and that the procedures were not reasonably tailored to the firm’s business. In particular, the firm’s Program only identified those red flags that were provided as non-comprehensive examples in Supplement A to Appendix A of Regulation S-ID, some of which were inconsistent with the firm’s online account opening practices.
The Program also failed to establish reasonable procedures to respond to red flags when detected, or to periodically review and update the Program based on the firm’s experiences. Finally, the SEC identified inadequate administrative procedures, citing shortcomings in reports to the firm’s board of directors and a lack of oversight of service providers’ Programs.
What does this mean to me and you?
FIRST:
- Review where risks of identity theft may exist in your business
- Document types of accounts and note the methods by which clients can access their accounts
- Evaluate the risks presented by, or alleviated by, each of these methods
- Evaluate the firm’s experiences with identity theft occurrences and attempts
- Examine identity theft risks your service providers may pose
- Document the entire process
NEXT:
- Are there any gaps in your policies and procedures, or opportunities to strengthen the existing program?
- Do you have specific, customized procedures?
- Does your list of red flags reflect risks and circumstances that relate to your business?
- Do you need to add any new red flags?
- Document that the review occurred, the date of the review, and any changes
PRO TIPS:
- Don’t go it alone
- Ask the folks who are involved in doing the work (e.g., meeting with clients, opening and servicing accounts) for their input
- Finally, make sure to update the principals responsible for Program oversight, now and on a regular basis
Turning knowledge into regulatory resiliency
In The Lion, the Ass & the Fox, Aesop teaches us the importance of learning from the misfortunes of others, not to mention that a lion’s opinion of fairness may differ from your own. So, while the exact regulatory violations we read about from time to time will vary, you can pretty much be assured that the SEC won’t be satisfied if the extent of tailoring policies and procedures is limited to dropping in the firm’s name or leaving them to gather dust. Learn the lessons from others and be wary that you may need to please a lion.
Contact us at CSS, A Confluence Company, to learn more about how we can help evaluate your program and strengthen your procedures and processes.
¹ Each of the orders indicates that the firm has undertaken substantial remedial efforts, and the settlements were reached in consideration of such undertakings.
² Securities Exchange Act of 1934 Release No. 95367 and Investment Advisers Act Release No. 6073 (July 27, 2022).
³ Securities Exchange Act of 1934 Release No. 95368 and Investment Advisers Act Release No. 6074 (July 27, 2022).
⁴ Securities Exchange Act of 1934 Release No. 95369 (July 27, 2022).
ESG Regulations Take Hold in Europe With Other Regions Set to Follow
The EU’s comprehensive sustainable finance action plan aims to mandate that companies integrate sustainability risks into their investment management and disclosure processes, including their impact on the market environment.
Its goals are to:
- Provide greater transparency on ESG investment products
- Use a taxonomy to set a common definition of sustainable activity
- Set market standards for financial products including green bonds, benchmarks and eco labels
Companies are regulated under the Non-Financial Reporting Directive (NFRD) and soon the Corporate Sustainability Reporting Directive (CSRD), while financial products will be regulated under the Sustainable Finance Disclosure Regulation (SFDR).

As displayed above, the EU is imposing an aggressive timeline for compliance over the next several years, including major milestones that are imminent. A key challenge is the discrepancy in the timing of disclosure requirements: financial firms are being required to report ESG information which relies on data from corporates — who themselves are not required to disclose that data until later dates.
Meanwhile in the UK, climate-related disclosure requirements have been drafted for the financial sector and corporates, and their dates of implementation follow close on the heels of EU requirements. Contents of disclosures are based on the recommendations of the Task Force on Climate-related Financial Disclosures (TCFD), which have emerged globally as the prevailing approach outside of the EU.
The U.S. has also issued climate-related disclosure requirements for both financial firms and issuers. Based on global frameworks such as the TCFD recommendations and the GHG Protocol, the SEC-authored rules are scheduled to be implemented in stages beginning in 2023, and require specific climate-related data to be provided in registration statements, periodic reports, fund prospectuses and other filings.
All these regulations are positive developments designed to enhance and stabilize climate-related disclosures while generating more data to assist all parties with assessing companies’ performance and to drive regulatory reporting.

The Hong Kong Exchanges and Clearing Limited Publishes its Conclusion on Recent Position Limit Consultation
The Hong Kong Exchanges and Clearing Limited (HKEX) published yesterday (28.07.2022) conclusions to its consultation on the revision of its position limit regime. More specifically, the HKEX decided that:
- two additional tiers (i.e., 200,000 and 250,000 contracts) will be introduced to the existing 3-tier Single Stock Options (SSO) position limit model (i.e., 50,000, 100,000, 150,000 contracts);
- the existing 5,000 contracts per expiry month Single Stock Futures (SSF) position limit model will be revised to a 5-tier model with net position limits (i.e., 5,000, 10,000, 15,000, 20,000, and 25,000 contracts). A single contract month limit equal to two times the net position limit for all contract months combined will also be imposed; and
- the additional position limits that apply to flagship-minis contracts will be removed.
The effective date of the position limits’ amendments will be announced in due course.
Five PRIIPs Reporting Challenges Asset Managers Need to Know
Time is running out to comply with the European Union’s (EU) new Packaged Retail and Insurance-based Investment Products (PRIIPs) reporting requirements, and adjust to new formats and content for preparing key investor documents (KIDs) by January 1, 2023.
On top of this, the regulation will extend to all Undertakings for Collective Investment in Transferrable Securities (UCITS) products that have an exemption in place until December 31, 2022. Meanwhile, many other regulatory initiatives are underway, particularly focused on ESG.
Asset managers, banking institutions, insurance companies, and other firms must adopt a streamlined and efficient approach to their data, calculations, and processes to meet the PRIIPs and other evolving regulatory requirements.
FIVE MAIN CHALLENGES TO BE AWARE OF WHEN PREPARING DATA, SYSTEMS, AND PROCESSES FOR PRIIPS:
1. Missing Data
You will need 10 years of historical NAV data, either actual fund history, where available, or representative proxy/index data. Products with a recommended holding period of more than five years will require an even longer history. You will also need a record of all portfolio transaction costs since January 1, 2018, based on arrival and trade value, and you will need to fill any data gaps.
2. Constrained Resources
Your compliance, legal and operations teams may be stretched thin as the PRIIPs deadline runs parallel with the EU Taxonomy and Sustainable Finance Disclosure Regulation (SFDR) and other regulations.
3. Separate UK KIIDs/KIDs
You will need to produce two stand-alone documents for UCITS products: an English UCITS-like KIID for UK investors and a PRIIPs KID for EU investors. Instances that require a PRIIPs KID in the UK will have a different version of the document for Europe with the removal of performance scenarios and a different methodology for transaction costs.
4. EPT Template and Data Connectivity
You may also need to create different versions of the European PRIIPs template (EPT): a UK version for UK-based insurance providers and an EU version for EU-based providers. The EU EPT, per the latest FinDatEx guidance, should align at all times to the PRIIPs KID data and figures only updated when the PRIIPs KID is updated – a significant change for many asset manager processes today.
5. Different Regulation Interpretations
Debates continue around the European PRIIPs Template, FCA calculations and the transaction cost floor, among others. Confusion around different interpretations of the regulatory language within the KID may hold up progress and cause missteps.
SEVEN MUST-HAVE PRIIPS CAPABILITIES
The right PRIIPs solution should help you streamline the entire process – from pre-production of KIDs to compliance monitoring, including the calculation of ex-ante costs, summary risk indicators and performance scenarios. It should improve operational efficiency, maintain data integrity, and reduce risk and total cost of ownership.
Whether you build/modify, buy or outsource, here are the seven main attributes you should look for:
- End-to-end capabilities
- Control and flexibility
- Simplified document approval
- A managed service option
- Regulatory and industry expertise
- Full transparency
- Multi-jurisdictional capabilities
GET STARTED NOW
Time is running out fast. Your firm should be talking to providers now to start onboarding plans in September, complete onboarding by November, and be fully tested and ready to go by early December.
If you are puzzled by the different PRIIPs interpretations, concerned about your current reporting capabilities, or are unsure of how your teams will handle the additional workload, we can help you sort it out. Talk with us today.
LEARN MORE
Read our full article, “Preparing for PRIIPs KID: Key Considerations,” for a deeper dive on:
- The main challenges of meeting the PRIIPs reporting requirement
- Best practices for ensuring you have a solid framework in place
- The full checklist of must-have PRIIPs solution features