Code of Ethics: SEC Focus Shifts Radar to Retail Firms
Each investment adviser’s Code of Ethics and other compliance policies set forth the standards of business conduct to which supervised persons must adhere. The challenge can often be monitoring compliance with the policies and assisting supervised persons with understanding their responsibilities. CCOs should put themselves in the SEC’s position – review your Code of Ethics (“Code”) as if you are doing so for the first time. Read recent deficiencies from the sec.gov website and the various “Risk Alert” publications published by the SEC.
The SEC continues to see many deficiencies in fiduciary responsibilities with respect to new retirees, unsophisticated investors, and rollover IRAs, Korrine Kohm and John Gentile said during the recent conference held by CSS business unit Ascendant Compliance Management in Charleston, South Carolina. Wrap advisory programs are another focus as they are highly marketed to retail investors while bundling investment management and brokerage fees into a single fee. The fee may be as high as 2 1/2% based on the value of the account; buyer beware.
A few of the items to focus on with your Code would be:
- Access Persons vs. Supervised Persons – To summarize: “Supervised Persons” include any employees, partners, officers, directors (or other persons occupying a similar status or performing similar functions) as well as any other persons that provide advice on the investment adviser’s behalf and are subject to the investment adviser’s supervision and control; “Access Persons” are any of the investment adviser’s supervised persons who have access to non-public information regarding any investment advisory client’s purchase or sale of securities, or nonpublic information regarding the portfolio holdings of any reportable fund, or any person who is involved in making securities recommendations to investment advisory clients, or who has access to such recommendations that are nonpublic. If providing investment advice is an investment adviser’s primary business, all of its directors, officers and partners are presumed to be access persons. Large organizations can more easily differentiate between Supervised Persons and Access Persons, as various divisions of employees can be physically separated by walls, floors, and separate buildings. Smaller firms may not have this luxury. The CCO needs to distinguish which employees fall into either group. Smaller firms generally code all employees as Access Persons; just be sure to document your reasoning behind your decision.
- Code Aligned with Regulations – The SEC wants to see that the CCO and firm are regularly reviewing the firm’s Code. Keeping abreast of regulatory changes is critical, and reflecting those changes in your Code is what the regulators want to see.
- Late Reporting – Annual and quarterly attestations of the Code are a requirement, and those attestations are due on specific dates after each quarter and year-end. As consultants, Ascendant has seen many instances in which employees seem to think that reporting a day or two late is no big deal. What they don’t understand is that even one day late is a violation and the SEC will usually write this up as a deficiency against the firm.
- Inaccurate Disclosures – A firm’s ADV Part 2A describes your Code. Ensure that when you update your Code, you also update the language in the Part 2A.
The rule requiring firms to have a Code is now 14 years old and basically remains the same. Of course, new requirements have been added in that time. Even with new requirements, some of the original Code rules remain “hot topics.” This is due to the fact that even after 14 years, the SEC continues to see violations of the original rules. These include:
- Reporting of 529s, 401Ks and Other Accounts — reporting securities acquired through a gift or inheritance
- Outside Business Activities — Reporting any employees’ LLCs, corporations or other entities for U4 and ADV Part 2B purposes. States are diligently reviewing the U4s and comparing to state records. Hammer in the reporting obligations of outside business activities, as doing so will mitigate risk to the employee, the client and the firm.
- Technology and Vendor Maintenance of Books and Records – Are you using a vendor? If so, are you properly maintaining your books and records? Don’t forget to document your initial and ongoing vendor due diligence.
- Political Contributions – 2017 saw SEC Enforcement action against 10 firms violating pay-to-play rules. Political contributions that triggered sanctions were relatively small, many around $500. Some Advisers voluntarily disclosed contributions and sought relief from the SEC.
- Managed accounts – Is your managed account annual attestation language adequate to meet the exemption from personal securities rules?
- Bitcoins — reportable or not reportable? Bitcoins, like equities, are traded throughout the day; do firms really want their employees trading all day?
The main takeaway from this session was to ensure that, as CCO, you have the responsibility to review and update your Code at least annually. Have the conversation before it happens, make sure company policies and reward systems drive the desired behavior, and watch for potential conflicts in contracts, business arrangements, real estate deals, compensation plans, or general guidance.
Ascendant’s Melanie Mendoza Authors Due Diligence Journal Article
Ascendant Senior Consultant Melanie Mendoza has over 30 years of investment compliance industry experience, focused on investment advisers, registered investment companies and private investment funds. That experience came to great use when Wolters Kluwer asked her to cover the top topic of due diligence for Practical Compliance & Risk Management For the Securities Industry, a journal written by the securities industry’s leading experts.
Her article, published in the March/April 2018 edition, covers both pre- and post-hire due diligence of advisers and sub-advisers, and details the key resources necessary for strong assessment.
Evolution of Fiduciary Rules Begins to Take Shape in SEC
On April 18, 2018, the SEC voted to propose several new rules and reforms related to fiduciary standards. The package intends to raise and clarify standards of conduct for broker-dealers and investment advisers, and to provide clarity regarding fees, conflicts and other material matters. It also aims to ensure that the standards can be understood by retail investors, are implementable by industry professionals, and will be enforceable by the regulators.
First, Proposed Regulation Best Interest would require broker-dealers to act in the best interest of their retail customers; a broker-dealer would not be allowed to put its own financial interests ahead of the interests of a retail customer when making recommendations. While some of the Commission members felt the naming of this regulation could confuse retail investors, overall, they felt it was a step in the right direction.
The Commission also generally supported the implementation of Form CRS (Customer Relationship Summary), a disclosure document of no longer than four pages that serves to describe principal services offered, legal standards of conduct that apply, fees customers will pay, and material conflicts. Form CRS is geared toward providing retail investors with easy-to-understand information that would supplement more detailed disclosures.
The proposal will also include labeling rules pertaining to the use of the terms “advisor” and “adviser.” Certain broker-dealers would be restricted from using the terms as part of their name or titles with retail investors. The staff discussed how the advisor/adviser terminology has been confusing or misleading for many retail investors, and in its proposal, indicated that restricting use would provide clarity as to who is providing the advice.
Next Steps
The SEC is opening the proposals to public and industry comment for 90 days to ensure the initiatives are clear, implementable, and enforceable. Several of the Commission members felt more work needs to be done to reduce ambiguity and add further clarity, but generally they were in support of the spirit of the 1,000-page proposal and in receiving public comments to improve upon it. The SEC developed a two-page tear sheet meant to summarize the hefty proposal so that retail investors can engage in the discussions and the Commission can consider the implications of the proposals on the public. The Chairman further recommended that the next steps should focus on Form CRS, the Relationship Summary document, which will be a daunting task in and of itself.
The full proposal and related materials are available here. Ascendant recommends you discuss the proposals with your compliance consultant and encourages your comments.
2018’s Chief Compliance Officer
A key message we picked up at a recent conference was how the role of the Chief Compliance Officer (CCO) has changed dramatically in progressive buy-side firms.
Think about how historically the role of the Chief Financial Officer (CFO) was belittled and marginalized with throwaway descriptions of bean-counters. Not too long ago, similar descriptions of the CCO as a chief box-ticker were thrown around with abandon. The office of the CCO was simply seen as a necessary evil in response to the onslaught of regulation faced by firms; an office whose only function was to produce audit tick sheets and ensure the correct ticks ended up in the right boxes.
Today the CFO is seen as a strategic partner that adds value across all aspects of the business and rightfully has a chair at the senior executive table. Similarly, we are seeing an evolution of the CCO position within firms that have a strategic regulatory response in their DNA.
Key points I picked out of the panel discussions were:
- The CCO should act as, and be seen as, a strategic partner to the business
- The CCO should be a member of the senior executive team in their own right, and not an adjunct to the GC/CFO
- The CCO should focus on growing the breadth of skills and capability in their organization to respond to the needs of the new demands on compliance
The CCO in the CCO 2.0 office establishes the tramlines in a clear and unambiguous manner, allowing the firm to operate fearlessly in pursuit of the returns demanded by investors. They seek to engage the business agenda in a clear and unambiguous manner. They are facilitators that shine a light on the righteous path rather than erecting barricades on the paths of regulatory darkness.
Barricades are not necessary when the correct road is well sign posted!
Cyber Threat – Why the Best Defenders are Often the Worst Responders
The firms with the best and most pro-active cyber defenses are often the worst responders if their defenses are actually breached. Why so? Because a breach is new to them and they are immediately thrown off-kilter by the attack, unless, of course, they have rigorous and frequent table-top exercises to prepare for such situations.
So it’s ironic that the firms that respond best are probably those that had an attack in the last year – the imprint of the lessons learned is burnt hard into their response psyche.
At a recent conference I attended, we heard that the No. 1 lesson that arose in the post-mortem/lessons-learned meeting after a cyber-attack was to call outside counsel (OC) as soon as a breach was suspected. So why call your OC? And why call them first?
- If cyber breaches are new and rare to you, knowing exactly what to do and when may not come naturally. Your external counsel, on the other hand, is working with many of your peers, and they will have an immediate playbook that they bring to the table regarding how to respond.
- Your General Counsel and CCO have natural conflicts that are difficult to steer around in periods of stress; it is precisely times like this that you need the calm, clear and unambiguous view of your OC and their plain-talking view on what needs to be done.
- The OC can handle quite a few things that will free you up to do the essential and immediate work of understanding what happened, the full scope of the breach and the impact on clients. For example, the OC can immediately engage your insurance agents.
- If appropriate, the OC can inform applicable law enforcement and state authorities. This is a critical benefit, as your communications with the OC are privileged. This allows you to disclose in full all of your fears, which in turn allows the OC to make the correct and appropriate disclosures to the proper authorities within the statutory timelines mandated by the scope and geography of the breach.
- Your OC should also be able to recommend an excellent cyber-event forensic analysis firm to fully understand what happened and the full breadth of the attack.
So how does one prepare for the correct response to an attack, without actually experiencing one for real? Simple – you engage in regular table-top exercises and implement short/no-notice war games to prepare the broader team for the exact scenario you hope will never happen. Ideally, you will engage your OC in these exercises and work with them to develop a cyber war chest with call sheets and an immediate-actions plan for handling an event. Theory is great, but practice and experience beat it every day of the week!
Finally, after each table-top/war game exercise, ensure you hold a lessons-learned debrief session and a post-mortem on the exercise to identify weaknesses in the response and preparation.
You need good and proactive defenses – such as CSS Shield – but you also need to plan and be prepared for the worst-case scenario of a breach to ensure that your team is ready and not caught in the headlights like a startled rabbit.
Compliance Office 2.0 – The Roles They Are a Changing…
If we go back to the original compliance office, it was staffed with folks from the office of the General Counsel – it had a very strong, if not exclusive, legal slant. In some firms the Chief Compliance Officer (CCO) was actually a position within the office of the GC, with augmentation of resources from the Chief Financial Officer (CFO) office to provide accounting expertise.
In the modern “Compliance Office 2.0” (or CCO 2.0 as I like to call it), we have witnessed a sea change in the resource make-up. Without doubt there’s still a heavy concentration toward the traditional legal and accounting mix, for we will always need folks that are comfortable wading through boxes and reams of paperwork to establish understanding of the rules and regulation onslaught.
At the same time, though, it is now (thankfully) not a big surprise to see some of the following resources:
- Data scientists and detectives – to make sense of the mountains of data that CCO 2.0 needs to assimilate and understand. These resources can be almost prescient in their ability to identify and act on any high-risk signals.
- Six Sigma black belts – to establish rock-solid policies, standards, processes and procedures. The firm wants to operate fearlessly “within the tramlines” – these guys make sure those lines are visible.
- IT, cyber and Infosec specialists – these teams are needed to ensure the business is operating on a solid foundation and not exposed to cyber risk, and that PPI data is being handled with the integrity and sensitivity required.
- Front-office domain expertise with trading experience – we need these people to help us find where to set those tramlines mentioned above. Trading activity makes up a large swath of the compliance spectrum, and it behooves the CCO 2.0 to have appropriate resources to set policy correctly.
- Program management specialists – the old adage of “fail to prepare, prepare to fail” comes to mind. To be prepared, you need a resource that can manage an ongoing program of activity and identify good technology that provides a solid framework for roll-out of the compliance program (like our Ascendant Compliance Manager solution).
In summary, while there’s no doubting the value of lawyers and accountants, the compliance function is much better serviced by a variety of expertise. Roll on, CCO 2.0.