
Adapting your RIA Compliance Program for Crypto

The following blog post was written by Jackie Hallihan, Executive Director of Compliance Services, and Matt Calabro, Director Institutional Services, Compliance Solutions Strategies (CSS).[1]

Cryptocurrency investing represents a new and rapidly changing frontier for many registered investment advisers (RIAs). With over 80% of financial advisors having recently been asked by clients about cryptocurrencies,[3] many Chief Compliance Officers may be asking themselves where to start with this new asset class.

As professionals who have worked in the compliance resources industry for over three decades, our approach to crypto is simple: RIAs should apply the same compliance rigor to cryptocurrency as they do to every other investment, product offering or business line.

Taking this approach requires that compliance has a seat at the table from the very start, helping the firm holistically evaluate the impact of cryptocurrency investing on the firm’s business and client needs, compliance program, and regulatory requirements. While the full extent of the jurisdiction of the Securities and Exchange Commission (SEC) with respect to cryptocurrencies is uncertain, the SEC and its staff are clearly focused on the asset class. SEC staff have already provided guidance to RIAs seeking to invest in cryptocurrencies and have emphasized the need for RIAs to carefully evaluate the safety of cryptocurrency assets, satisfy their fiduciary duty, and implement controls tailored to the risks of cryptocurrencies. We trust that the path forward for RIAs investing in cryptocurrency involves adhering to the principles of fiduciary duty, including the duty of loyalty and duty of care, paired with long-established regulatory and compliance frameworks. 

When implementing a cryptocurrency offering, an RIA needs to consider the impacts across its business and ensure that it dedicates the necessary resources to addressing any changes. Among the many compliance tasks that an RIA will need to undertake in order to offer cryptocurrency investing, the following six stand out:  

6 Action Items When Bringing Cryptocurrency Investing to Your Clients:

  1. Analyze whether and how cryptocurrency fits into your business and client needs, including which cryptocurrencies will be offered, client objectives and suitability, the extent of the advisory services you will provide, and the compliance implications for each.
  2. Select service providers and conduct due diligence; in selecting a platform, consider the provider’s capabilities, reporting, integrations, and user experience; when selecting a custodian, consider best execution capabilities, safety and security, books and records, valuation practices, qualified custodian status and more.
  3. Update disclosures for Form ADV Part 1, Part 2A, and Form CRS, as well as client, risk and marketing disclosures.
  4. Amend your Policies and Procedures to incorporate cryptocurrency risks and controls, which may involve updating existing policies or introducing entirely new policies to cover Cryptocurrency and Digital Assets.
  5. Stay current on regulatory and compliance developments, including speeches by the SEC staff, Risk Alerts, and any proposed rulemaking.
  6. Continue evolving your program to regularly evaluate your cryptocurrency offerings, monitor service providers, revise policies and procedures and conduct regular staff training.

We believe there is a clear path forward for RIAs looking to incorporate cryptocurrency within their business. Chief Compliance Officers need to be an integral part of the process, from product development to ensuring that the RIA continues to meet its fiduciary duty, by ensuring the firm applies the same compliance rigor to cryptocurrency as it does to other initiatives.

We look forward to working with compliance teams to develop strong compliance programs to meet growing market demands in the evolving, rapidly-changing digital asset world—a world where eligible clients can have appropriate access to a carefully thought out, structured cryptocurrency strategy.

[1] Jackie Hallihan was a founding partner of a CSS predecessor firm, Ascendant Compliance Management. She was also the founder of National Regulatory Services (NRS), which started the compliance resource business, and was a co-founder of the National Society of Compliance Professionals (NSCP). Prior to joining CSS, Matt Calabro served in a variety of compliance and operations roles for investment managers, including as CCO to investment advisers, registered mutual funds and UCITS funds. Since joining CSS, he has also served as the outsourced CCO to investment advisers and registered mutual funds.

[2] Flourish Crypto is a cryptocurrency investment account through which investors can trade cryptocurrencies and maintain custody of cryptocurrencies and U.S. dollars. Custody of Flourish Crypto accounts, including all assets in the accounts, and cryptocurrency trading services are provided by Paxos Trust Company, LLC (Paxos). Website and other technology services and support for Flourish Crypto accounts are provided by Flourish Digital Assets LLC. Compliance Solutions Strategies was engaged by Flourish Digital Assets to prepare RIA compliance materials for the convenience of RIAs. These materials were prepared by CSS and not Flourish Digital Assets LLC or Paxos, and will be provided to eligible RIAs by CSS.

[3] The Bitwise/ETF Trends 2021 Benchmark Survey of Financial Advisor Attitudes Toward Cryptoassets


Custody Rule Vigilance

In a recent settlement order, the SEC reminded the investment advisory community that the SEC remains vigilant in enforcing the Custody Rule, Rule 206(4)-2 of the Investment Advisers Act of 1940. The SEC also again telegraphed that it will institute enforcement proceedings even when there has been no client harm, in fact, even when it appears that clients financially benefitted.

Although the facts provided are minimal, the Order states that the adviser had separately managed account clients, whose securities were appropriately custodied at a Qualified Custodian. However, things went askew when the adviser’s president/majority owner implemented an opportunity for some clients without proper custodial controls. The Order states that a client owned and controlled company was seeking additional capital; the adviser’s president/majority owner suggested to this client that some of the adviser’s other high net worth clients could lend funds to that client’s company if at a favorable interest rate. The president/majority owner went to several of the advisory clients, and, following agreement, promissory notes were issued (paying rates of 9 or 10%).

The notes were held outside of the clients’ advisory accounts, although it appears that possibly there were some lines of credit to fund the notes, secured by some of the advisory accounts held at the Qualified Custodian. At the direction of the president/majority owner, the adviser placed copies of the notes in each client’s online ‘drop box’ associated with the advisory accounts. However, the clients’ account statements from the Qualified Custodian did not reflect the investments. The adviser’s chief compliance officer and chief investment officer were not aware of the notes, and thus they did not have the ability to monitor or evaluate the investments as required by the adviser’s written policies and procedures.

Based on these facts, the SEC found that the adviser had custody of the notes. The Order states that the adviser violated the Custody Rule because the adviser “failed to comply with the custody rule requirements, including ensuring that a qualified custodian maintained the client assets.”

Neither the adviser nor its president/majority owner received any compensation in connection with the promissory notes. Within the year of the notes’ issuance (2019), the company repaid, early and in full, all of the advisory clients. The Order clearly states “no [advisory] client lost money in the promissory note investments.”

Understanding and fulfilling the requirements of the Custody Rule can be more cumbersome than one may initially think. The Rule does not directly address many scenarios, so each adviser must regularly assess its conduct to determine, first, whether there is custody under the Custody Rule—which is much more than physical possession—and, second, if there is custody, whether the many Custody Rule requirements are being met. To the SEC, “misuse of client assets” has a wider meaning than financially harming clients, just as ‘custody’ has a wider meaning than ‘possession.’ We have heard that the SEC may soon be revising the Custody Rule to provide clarity to the advisory community, but, until then, please remain vigilant in meeting the Custody Rule requirements.

Additionally, there is a sub-story to this case. The adviser was not registered with the Commission at the time of the conduct, although it “was required to be registered then” due to the amount of assets under management. This statement alone is a reminder that correctly calculating regulatory assets under management (“RAUM”) is critical, and that enforcement is not avoided by not registering where the Commission has jurisdiction.

As we approach this year end, this case serves as a timely prompt. Now is a good time to review all forms of authority over client assets and implementation of all provisions of the Custody Rule. Additionally, and in coordination with the mandatory Form ADV Annual Updating Amendment (for those advisers with a December 31 fiscal year end), now is the time to review how one calculates the RAUM, the accuracy of the RAUM calculation, and the impact of RAUM to jurisdiction and Form ADV disclosures.  

For more information or to speak with a regulatory expert, please email info@cssregtech.com.


SEC Staff Statement on Form CRS Disclosures

The SEC’s December 17, 2021 Staff Statement Regarding Form CRS Disclosures essentially tells the industry that there are mistakes everywhere. The SEC cites failures to follow format requirements, to provide required information, and to limit information to what is required by the instructions. In other words, many firms did not follow the instructions carefully enough, or did not understand what the SEC was trying to do. 

The SEC “observed relationship summaries that omitted required information, modified prescribed language, or failed to follow the prescribed order or formatting requirements because firms appeared to rely on the proposed instructions to Form CRS (or portions thereof), rather than the adopted final instructions to Form CRS.” You may recall that the SEC published sample templates at the time of the proposed rule publication, but did not subsequently update those templates. Numerous Form CRS disclosure documents have been out there based on the proposed rule.  That’s how confused some firms were.

In the new Statement, the SEC seemingly runs through all of the instructions to point out errors everywhere. “Some firms referred to themselves as ‘fiduciaries’ or stated that they are subject to a ‘fiduciary duty’ when describing the applicable standard of conduct instead of using the prescribed language in Item 3 of the form”, wrote the SEC Staff, as an example of what the SEC called “Shortcomings.”

We may all also recall when the New York Times published its observations that firms did not have correct answers to disciplinary questions, after which the SEC issued a Joint Statement Regarding the New FAQs on Form CRS (Oct. 8, 2020) highlighting the failure of many firms to report required disclosures.

If you need a Form CRS, Form ADV, Form PF, or Form 13H reviewed and/or filed, contact our Compliance Services Team at info@cssregtech.com.


2021 RegTech in Retrospect

The RegTech space on the buy-side of the investment management industry has taken a little longer to mature than many expected, but 2021 witnessed an acceleration of maturity and the emergence of several firms with scale and a breadth of offering that provides more opportunity for strategic engagement.

A few years ago, RegTech on the buy-side was an industry that many saw as immature and populated by smaller, niche, single-solution firms that carved out a “best-in-class” approach to a narrow problem set. In the last five years, the industry has witnessed the entrance of private equity firms seeking to build RegTech offerings with scale and a platform appeal that addresses many inter-related problem spaces. Our industry is awake to the issues created by engaging multiple smaller boutiques and the duplicative integrations, operational inefficiencies, and balance sheet risks these bring to the table. The second round of private equity in-flow to the space is well and truly underway, with the roll-ups of five years ago being rolled up again in this second wave of investment – one example being the acquisition of Compliance Solutions Strategies by Confluence Technologies.

The recognition that the strategic approach applies as far upstream as possible, with a comprehensive approach to the centralization, normalization and preparation of data for multiple (re-)use in compliance management and regulatory reporting use cases, is in many cases driving the emergence of the scalable larger players. Successful RegTech firms recognize the strategic importance of data as the keystone in their product outlook – the core foundational element of product strategy that stands up their value propositions and solution stack for the long haul.

Another key area for successful RegTech firms in 2021 was a clear recognition that RegTechs hold their people and the knowledge of their people in the same stead they hold their technology. The ability to monitor the regulatory landscape and adjust the product strategy accordingly, while keeping their client base constantly updated and in touch with the change dynamic, is a critical engagement criterion when investment firms are assessing their options.

Looking forward, we see the 2021 trending topics amplifying and becoming stronger. The focus on cybersecurity will only become more intense in 2022 as the industry unravels its exposure to the Log4J zero-day exploit. Meanwhile, the continued presence of the pandemic in our daily lives has become the new normal and is forcing firms and regulators to address key supply chain and outsourcing oversight. Regulators are also taking a longer-term view on work-from-home and the oversight and risk mitigations they expect firms to deploy when their workforce is in large part remote from the core office locations.

The mainstreaming of digital assets and cryptocurrency is not going away, and there is an emerging RegTech segment addressing the front-to-back-office value chain. We expect to see this solidify in 2022 as the regulatory community starts to draw crypto formally under their umbrella.

Finally, we cannot look back at 2021, nor look-forward to 2022 without a close look at ESG – while the European Union leads the vanguard with its sustainable finance package encompassing SFDR, The EU (Green)Taxonomy and CSRD, we see the UK very close behind with SDR (Sustainability Disclosure Requirements) and adoption of TCFD (Task Force on Climate-related Financial Disclosures) in the pension space, while the regulatory program of Chair Gensler at the SEC is clearly focusing on ESG as a core topic.

Some specific rule and regulatory changes to be alive to next year include Rule 18F-4 in the US as it applies to the use of derivatives by mutual funds; the roll-in period to go-live on 1 January 2023 of PRIIPs 2.0 and the ending of the grandfathering period for UCITS; and the Level 2 application of SFDR and the Taxonomy.

For more information or to speak with a regulatory expert, please email info@cssregtech.com.


Hackers Return to the Field with a Proven Playbook

What’s worked

Back in April 2021, when the SolarWinds hack was publicly disclosed, much of the world discovered just how vulnerable it is to a major cyberattack against common systems and applications. Instead of targeting individual organizations, hackers realized that they could do a lot of damage in a relatively short amount of time simply by targeting software used by a lot of companies. Reports filed with the SEC indicate that SolarWinds had over 33,000 customer organizations that were using its Orion software. Hackers managed to break into SolarWinds systems and maliciously alter the Orion code. When SolarWinds subsequently pushed out a software update to its customers, it didn’t realize that the update included the malicious code added by the hackers. SolarWinds, a major cybersecurity vendor, was unknowingly used as a conduit for the hackers to introduce malware onto company systems all over the world.

The playbook

Much like an NFL football team that keeps running the same play if it keeps working, hackers are re-using their playbook because it worked so well before. This time, the software being targeted is a piece of code used by software development teams all over the world in their applications. The software is called log4j and is made available as an open source tool by the Apache Software Foundation. Just as its name implies, log4j is Java software (i.e. “log for Java”) that logs actions within an application, typically for debugging and troubleshooting purposes. The log4j code is so useful, in fact, that it has been downloaded millions of times from Apache and has become one of the most widely used pieces of code in business applications all over the world. And just like with the SolarWinds hack, the widespread use of the log4j software code on corporate networks makes it a particularly attractive target for hackers. Exploiting a zero-day vulnerability in log4j (computer-speak for a brand new, never before published vulnerability for which no fix was available yet), hackers demonstrated an ability to remotely execute code on target machines running the software. The ability to remotely execute code means that hackers could do almost anything they want on computers with log4j, including installing malicious programs to steal data, encrypting files with ransomware, and installing software to mine for cryptocurrency.

Companies are racing to inspect their software and systems to determine the extent of any impacts. Others are reaching out to their critical vendors as part of ongoing due diligence to inquire about any potential impacts.

Hackers are clearly finding creative new ways to identify and target the least common denominator – tools and software used by a large portion of the world – to move swiftly and exploit a large number of computers in a short amount of time.

In the age of zero-day vulnerabilities, even regular patching practices likely can’t do much to help us prevent these types of cyberattacks initiated by nation-state actors. By its very definition, a zero-day issue has no patch available when the vulnerability is first being exploited.

What can we do?

What we can do is improve reaction times. We can promptly patch systems as soon as word gets out about a new threat such as the log4j vulnerability. We can continue to exercise reasonable due diligence over our third-party vendors, and continue to invest in strong cybersecurity controls, testing, and security awareness training to maintain an otherwise strong set of defenses against the known threats that are out there.
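The "inspect your software and systems" step above starts with knowing which applications bundle log4j at all, and a copy nested inside a .war is easy to miss. The Python scan below is an added illustration, not code from CSS or the original post: it walks a directory tree, opens jar/war/ear archives including archives nested inside them, reads the version that a Maven-built log4j-core records in its own pom.properties, and reports any copy below a floor you pass in. The 2.17.0 default floor and the sample archives are constructed assumptions; confirm the right minimum against Apache's current advisory.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Where a Maven-built log4j-core jar records its own version.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-beta9' is ignored."""
    return tuple(int(n) for n in text.split("-")[0].split("."))

def find_log4j_core(zf, label):
    """Yield (location, version) for each bundled log4j-core, descending into
    archives nested inside this one (e.g. WEB-INF/lib/*.jar inside a war)."""
    names = zf.namelist()
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
        for line in props.splitlines():
            if line.startswith("version="):
                yield label, line.split("=", 1)[1].strip()
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real zip; skip it rather than abort the scan
            yield from find_log4j_core(inner, f"{label}!{name}")

def scan_tree(root, minimum="2.17.0"):
    """Return [(location, version)] for each log4j-core under `root` older than
    `minimum`; the 2.17.0 default is an assumed floor, confirm it with Apache."""
    floor = parse_version(minimum)
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in ARCHIVE_SUFFIXES:
            continue
        try:
            zf = zipfile.ZipFile(path)
        except zipfile.BadZipFile:
            continue
        with zf:
            for location, version in find_log4j_core(zf, str(path)):
                if parse_version(version) < floor:
                    findings.append((location, version))
    return findings

def build_sample_tree(root):
    """Constructed sample: a war nesting an old log4j-core jar, plus an unrelated jar."""
    root = Path(root)
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(LOG4J_CORE_POM, "artifactId=log4j-core\nversion=2.14.1\n")
    with zipfile.ZipFile(root / "app.war", "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(root / "other.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root

def demo():
    """Build the constructed sample in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))
```

Point scan_tree at a real application directory to get the same (location, version) list for your own deployments; a shaded or renamed copy of log4j-core that omits pom.properties will not be caught by this check and needs a class-level inventory.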

For more information or to speak with a regulatory expert, please email info@cssregtech.com.


New ESMA Q&A on PRIIPs KID

A new Q&A on the PRIIPs KID has just been released from ESMA. View it here. Some key updates include:

  • Clarification on the monitoring of changes in the moderate performance and the scenarios that will trigger a KID update
  • Clarification of how to categorize an AIF investing in linear return profile securities with variable levels of leverage
  • Clarification of treatment of funds with pricing frequencies not specifically called out in the RTS
  • Clarification of how stress scenario should be calculated for a fund that is Category 1 according to Point 4.(c)
  • Clarifications for non-fund type products and cost updates
  • Clarification of how total cost should be shown on the KID