Coming to America – California Adopts GDPR-Like Privacy Regulation

After a number of firms struggled last year to get their marketing and information systems into compliance with the EU’s General Data Protection Regulation (GDPR), advisers to U.S. clients will soon be facing similar requirements on the home front. On the heels of the Cambridge Analytica scandal, California enacted the California Consumer Privacy Act of 2018, which becomes effective in less than a year. If the GDPR challenge is any indication, firms are advised to start preparing now to bring their systems and processes up to speed to address California’s GDPR-like requirements.

Starting on January 1, 2020, consumers in California (defined as natural person residents of California) will have additional privacy rights including, among others:

  • The right to ask a business what personal information the business collects and why
  • The right to ask with whom the business shares or sells such personal information, and to opt out of such sharing or sale (with a prohibition on the business from discriminating against the consumer for exercising this right – subject to certain exceptions such as if there is a price difference related to the value of the data)
  • The right to request that the business delete the individual’s personal information from its records (although this is subject to an exception for businesses that are required to maintain the consumer’s personal information for other legal obligations, for example, recordkeeping requirements under the Advisers Act for SEC-registered advisers).

In addition, the definition of “personal information” is given broad scope under the law.

If your firm collects or maintains personal information about California consumers, we suggest reviewing the law’s requirements and starting preparations to meet its obligations, such as by:

  • Making at least two methods available to consumers for submitting information disclosure requests. One of the methods must be a toll-free telephone number, and if the business maintains a website, another method must be via a website address.
  • Including on the business website a link titled “Do Not Sell My Personal Information,” which links to a page where the consumer can opt out of such sale. Businesses can satisfy this requirement by maintaining a separate website for California consumers and including the link there and not on the general website.
  • Being prepared to produce requested information in response to a consumer’s request, and to deliver that information within 45 days of receipt of such request (a one-time extension of another 45 days is permitted if reasonably necessary and notice to the consumer of the extension is provided).

The California Consumer Privacy Act of 2018 applies to any business that collects personal information of California consumers and does business in California, and meets at least one of the following criteria:

  • Annual gross revenues in excess of $25 million (adjusted January of every odd-numbered year in relation to any increase in the Consumer Price Index)
  • Alone or in combination, annually buys, receives (for commercial purposes), sells, or shares the personal information of 50,000 or more consumers, households, or devices, or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information.

An Overview of MMFR – Article 37 Reporting Requirements

The European Union’s Money Market Funds Regulation (MMFR) applies to any Money Market Fund (MMF) that is authorized as a collective investment scheme under either the Undertakings for the Collective Investment in Transferable Securities Directive (UCITS) or the Alternative Investment Fund Managers Directive (AIFMD). Managers subject to UCITS or AIFMD will continue to be regulated by either directive; however, they will also have to comply with additional reporting requirements under the MMFR for their MMFs.

Article 37 of the MMFR requires managers to report certain information for each MMF that they manage to the relevant National Competent Authority (NCA). This information should be reported on at least a quarterly basis, or for funds with AUM of less than €100 million on at least an annual basis.

The MMFR reporting template can be broken down into six blocks of fields, with each requiring disclosures related to a particular topic. Some of the key points of information required under each block are as follows:

Block 1 – MMF characteristics

Information such as the name, domicile, inception date, base currency, and share classes of the MMF.

Block 2 – Portfolio indicators

Details about the fund’s portfolio liquidity profile, cumulative returns, and performance of the most representative share class.

Block 3 – Stress tests

Results of stress tests and a proposed action plan if stress tests reveal any vulnerability of the MMF.

Block 4 – Information on the assets held in the MMF portfolio

The characteristics of each asset, such as name, country, issuer category (e.g., Sovereign (EU/non-EU), Credit institution, Non-financial corporations), and whether the outcome of the internal credit quality assessment procedure is favorable or unfavorable.

The type of asset, including details of the counterparty in the case of derivatives, repurchase agreements, or reverse repurchase agreements.

Block 5 – Information on the liabilities

Information on the liabilities of the MMF, including the country where the investor is established, the investor category, and subscription and redemption activity.

Block 6 – Information on Low Volatility Net Asset Value (LVNAV) MMF

Detailed information about the required disclosures for a LVNAV MMF is set out in Article 37(3) of the MMFR.

Current status of the MMFR

On 13 November 2018, the European Securities and Markets Authority (ESMA) published a Consultation Paper (CP) on draft guidelines concerning the reporting requirements for MMF managers set out under Article 37 of the MMFR, providing further guidance on how to complete the MMFR reporting template. The CP confirmed that managers would need to send their first quarterly reports required under Article 37 to NCAs in Q1 of 2020. In addition, there will be no requirement to retroactively provide historical data for any period prior to the reporting start date. Respondents interested in commenting on the CP must provide their comments to ESMA by 14 February 2019.

SEC Reopened After 35-Day Government Shutdown

SEC Chairman Jay Clayton announced on Saturday, January 26 that with an agreement reached to end the government shutdown, the “Commission has resumed normal staffing levels and is returning to normal operations.”

In total, about 94% of the commission’s approximately 4,400 employees had been furloughed during the 35-day shutdown, according to its operations plan.

In a statement, Chairman Clayton said that the leaders of the SEC’s Divisions and Offices, working with other Staff, will determine how best to transition to the SEC’s normal activities. Certain of the Divisions and Offices will publish their own statement pertaining to their transition plans. Statements regarding transition plans will be available at www.sec.gov.

FINRA Rolls Out New Central Registration Depository Functionality; Annual Verification Deadline Nears

FINRA first introduced enhancements to the Central Registration Depository (“CRD”) on October 1, 2018, which were rolled out in support of FINRA’s restructured qualification examination program as well as the adoption of consolidated FINRA registration rules.

The new enhancements were also intended to help member firms more easily satisfy their reporting and compliance obligations. Since the initial rollout, FINRA has continued to improve and enhance the new CRD system, with a new feature set to be released on January 26, 2019.

Broker-dealer users will now be able to query and view their firm’s associated individuals to review all individual activities, branch deficiency activities as well as firm registration activities. Users will be able to set up and manage their own personalized reports. In addition, the Quick Links feature allows the individual User to personalize their CRD homepage, providing access to the system functions they use most frequently. To check out what’s new and to stay abreast of upcoming enhancements, click here.

Annual Contact Info Verification Deadline

Each year, broker-dealer firms are required to complete an annual verification of their contact information through the FINRA Contact System (“FCS”). This information must be reviewed and confirmed within the first 17 business days of each calendar year. The deadline to complete the FCS is January 25, 2019. If you have not already done so, please be sure to log into the FINRA Gateway and complete your verification.

Report on Operation of AIFMD Highlights Existing Issues

On 10 January 2019, the European Commission (EC) published a report on the operation of the Alternative Investment Fund Managers Directive (AIFMD). The report confirms that AIFMD has significantly contributed to creating a single market for alternative investment funds by establishing a harmonized regulatory and supervisory framework. However, it also identifies various topics that will require further review, including the inconsistent application of rules by National Competent Authorities (NCAs) and issues around reporting, which include the Annex IV requirement. Below are some of the report’s main findings concerning the reporting requirements for firms subject to AIFMD.

Reporting to NCAs

The report highlights that:

  • Reporting obligations differ among NCAs due to differences in rule interpretations or additional requirements
    • These differences in interpretation and filing procedures further exacerbated the costs of reporting
  • Market participants thought that the amount of data required for reporting is disproportionately high
  • The redundancy and duplication of reported data (within AIFMD reports or other regulatory reporting) was also considered a major issue

AIFMD and other EU Legislation

The key topics mentioned about the impact of AIFMD reporting in relation to other regulatory reporting requirements are:

  • A lack of consistency and coherence (use of different reporting details, channels, data repositories and IT standards, problems of collection, issues for regulators in defining systemic risk, implication of ISO 20022, gold-plating and additional requirements by some EU Member States)
  • The need for stronger integration in technological terms (problem of different data standards and formats)
  • Higher costs (compliance costs, distribution costs, running costs, increase in reporting volume and obligations)
  • Duplication (overlap with EMIR, MiFID II, SFTR, the PRIIP KID; along with the need to rationalize and reduce the information requested)

Next Steps

Currently, there are no formal proposed changes to the existing requirements under AIFMD due to the report’s findings. The EC is required by the AIFMD to undertake a review of the Directive, and the EC’s published report represents the first step in this process. The EC will continue its review of the AIFMD and will issue a report to the European Parliament and the Council in 2020. Firms subject to the Directive should review the report and monitor for additional information to come from the EC’s AIFMD review process.


The CSS reporting platform includes solutions for AIFMD, such as Consensus, which helps simplify regulatory reporting through a streamlined design backed by our regulatory expertise. For more information, click here or contact us.

SEC’s Latest Risk Alert Focuses on Electronic Communications

The SEC’s most recent risk alert, “Observations from Investment Adviser Examinations Relating to Electronic Messaging,” issued on December 14, 2019, focuses on the use and maintenance of electronic communications for business purposes. The purpose of the alert is to remind advisers of their obligations related to personal use of electronic messaging and the requirements for business-related electronic messages. Below are some best practices that can be used to help ensure your firm has reasonable controls in place for the use of electronic communications. We encourage all firms to review the full alert.

Policies and Procedures
  • Only permit electronic communications for business purposes if the messages can be supervised and retained in compliance with the books and records requirements of the Advisers Act.
  • Specifically prohibit the use of apps or other technology that gives employees the ability to communicate anonymously, automatically destroys messages or prohibits third-party backup and reviews.
  • If an employee receives an electronic message in a form that is prohibited by the firm for business purposes, require that the employee move the message to another electronic system where the firm can supervise and retain the communication in compliance with the Books and Records Rule. Include specific instructions on how employees can move such messages.
  • If a firm permits the use of personally owned mobile devices for business purposes, adopt and implement policies and procedures that address the use of electronic communications by employees, including social media, instant messaging, texting, personal email, personal websites and information security.
  • If a firm permits personnel to use social media, personal email accounts or personal websites for business purposes, address how the firm monitors, reviews and retains such communications.
  • Inform employees that violations of the firm’s electronic communications policy may result in discipline or dismissal.

Employee Training
  • Include training on electronic communications policies and procedures in the firm’s initial and annual employee compliance training. Make sure to address specific restrictions and limitations placed on messaging and apps, along with consequences for violating the firm’s procedures.
  • Upon commencement of employment and annually thereafter, have all employees attest to:
    • Completion of all required training on electronic messaging
    • Compliance with the firm’s policies and procedures
    • Continued commitment to comply with the firm’s policies
  • Periodically remind employees of the dos and don’ts of electronic messaging.
  • Include electronic messaging in the firm’s annual risk assessment. Consider new forms of communications requested by clients or service providers when assessing the firm’s risk.

Supervisory Reviews
  • If social media, personal email or personal websites are permitted to be used for business purposes, make sure communications and changes to communications are monitored and archived. Messages should be monitored for key words and phrases.
  • Regularly review whether employees are utilizing social media in accordance with the firm’s policies.
  • Set up automated internet alerts when the firm’s name or an employee’s name appears on a website to help detect unauthorized use of electronic media (e.g., Google alerts).
  • Make sure employees know how they can confidentially report violations of the firm’s electronic communications policy.

Control over Devices
  • Require that staff get approval from IT or Compliance for email access on personal devices.
  • If a device will be used for business communications, load security software on the device to better protect it from hacking or malware. Software should automatically push out security patches, monitor for prohibited apps and be able to wipe the device if it is lost or stolen.
  • Limit access to the firm’s email server or other business applications through virtual private networks or other security apps to segregate remote activity.

As technology continues to evolve and provide more ways to communicate with clients, the regulators will continue to scrutinize how firms are using and maintaining electronic messages. Stay ahead of the game by continuing to evaluate your firm’s risks, practices and controls regarding electronic communications and make improvements to your compliance program as needed.