Regulatory Changes Impacting RICs and Service Providers
A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and more frequent reporting of portfolio holdings. The SEC has stated that obtaining such information will assist the Commission with overseeing and monitoring RICs and formulating policy.
During Ascendant’s recent conference, “Compliance Disruptors: Seismic Shifts of the Regulatory Landscape,” Mark Perlow of Dechert, Ronan Brennan of MoneyMate Group, Kevin Gleason of Voya Investment Management and Peter Guarino of Ascendant Compliance Management discussed regulatory changes impacting RICs and service providers.
Mr. Perlow noted that the genesis of the Modernization rulemaking, which occurred shortly before the Presidential election, was to address the purported systemic risk associated with the financial services industry. However, in the ensuing year the focus on systemically important entities has shifted away from the original intent.
Currently, the industry is focusing on compliance with the Liquidity Risk Management Program, which is designed to assess a RIC’s ability to meet redemption requests without significant dilution of remaining investors’ interests in the fund. Fund complexes with greater than $1 billon in AUM are required to comply by December 1, 2018 and the compliance date for complexes with less than $1 billion is June 1, 2019. The panel noted that the Liquidity rule poses a challenge to the industry because it combines a complicated data management exercise with real-time judgement and decision making. The industry trade organizations have sought regulatory guidance from the SEC regarding provisions of the rule that are not clear or are raising questions. Trade organizations have also recommended that the SEC delay the compliance date to give fund complexes additional time to develop appropriate reporting systems and to address the data breaches the SEC recently reported.
One of the biggest questions that the industry faces regarding compliance with the liquidity rule is “who is going to pay”? Compliance with the rule requires not only additional reporting but also administrative resources. The Liquidity rule is not just a compliance rule; it touches all aspects of a fund’s governance and administration. Compliance with the rule will take a village. Thus, fund boards are asking management to recommend a solution and then the board will consider the proposal. Issues around fees include:
- Will a sponsor have to pay the associated fees if the fund or fund complex reaches its fee caps?
- Fund management position is that the expense should be borne by the fund.
Another issue the industry is tackling is the use of vended solutions to meet the Liquidity rule requirements. Questions regarding how a vendor will know what the classifications of data should be or the strength of an algorithm are being considered. The industry is also asking how frequently a fund will need to review its classifications and whether there are different requirements for different types of investment instruments. The panelists all suggested that there is currently a lack of confidence in the data that will form the basis of a fund’s reporting.
In closing, the panel cautioned that, despite the state of flux surrounding the Liquidity rule, funds and fund complexes need to move forward with preparing to comply with the rule.
Regulation Can Be Scary…But Is a RegTech Solution a Trick or Treat?
AAAAGH!
That’s the frightened response we expect asset management company executives to make when they are hit by yet another set of rules – and within the industry, it is universally accepted that increased regulation is here to stay.
Unfortunately, the compliance department is often perceived by others within the firm as a burning hole for profits. Pressurized timelines and tight deadlines often lead to makeshift internal builds and the stopgap hiring of third-party vendors, often without thinking of the bigger picture or a holistic approach. When another regulation is announced, the process to find a quick and easy solution begins again.
Hence RegTech solutions can be viewed as a trick – not agile enough to cope with or solve emerging rules at a fast and cost-effective pace. As a result, it is becoming increasingly difficult for compliance departments to get firm-wide buy in as processes become unnecessarily complicated and costly, and departmental silos emerge.
However, we believe it is imperative for firms to view their RegTech investment as a treat for the entire company, and not just a compliance issue. For example, as the N-PORT deadline of June 2018 approaches it is easy to view the data requirements from a narrow N-PORT-needs-only lens. Instead, a broader perspective sets the firm up to use the data to serve clients better, win market share, boost regulatory standing and, when all combined, increase profits. Having a clean store of data ready to fill and populate any form and task is no doubt, a treat for any marketing or distribution executive, RFP team lead, as well as a compliance officer.
We know this from 20 years of established data management expertise; that experience makes Accudelta the one-stop shop for all future regulatory reporting, data management and distribution needs.
Why not take a closer look at the entire suite of CSS regulatory solutions – if you dare?
Post by Kate Horgan
Publicly Available Information Heightens Need for Cybersecurity Vigilance
For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present an attack surface that can be exploited.
A scary development in cybersecurity is that specialized skill is no longer required to hack into firms; indeed, “how-to” videos found on YouTube can be easily followed to create a breach. The point of a penetration test is to try to find vulnerabilities on your network before the bad guys do.
If you have been hacked or breached, there are certain sites on the web, such as Pastebin, where hackers post your information.
Criminal hackers search for any information that will make their jobs easier, and often search publicly available web tools for any vulnerable network devices, Cyber 51 LLC’s Martin Voelk and Ascendant’s Adam DiPaolo recently told attendees at Ascendant’s “Compliance Disruptors: Seismic Shifts of the Regulatory Landscape” conference.
Shodan.io is a vulnerability search engine that allows anyone to see internet-connected devices. “Google dorking” is another way to search for specific documents like confidential documents relating to a certain company that may have been posted online, intentionally or inadvertently.
Once you identify what’s on the network, such as type of firewall and version number, then you can search vulnerability databases for vulnerabilities relating to that device and version.
Reporting of threats should be made using the Common Vulnerability Scoring System (CVSS). Scores are calculated based on various metrics and measure from a 0 to 10 range, with 10 being the most severe. It is a great way for senior management to easily understand high, medium, and low risks.
You can have 999 non-critical vulnerabilities but if you find one critical vulnerability, that alone makes your overall risk profile critical.
Firms should engage in scanning as well as internal and external pen testing, with the testing process described in a report. Scanning is a passive enumeration of vulnerabilities and usually involves software tools that are designed to test for exposure to known vulnerabilities. A penetration test is more active in that it attempts to exploit those vulnerabilities. Using a combination of all these tests in an effort to identify vulnerabilities and their severity levels remain a key part of a vigilant cybersecurity program.
Best Practice Tips for the Use of Expert Networks in Investment Research
In general, an expert network platform facilitates the exchange of information between “experts” and investment professionals. Unfortunately, certain industry participants have misused expert networks, and in many insider trading cases, the analysts sought to cultivate relationships with experts outside of a structured platform.
At the recent Ascendant Compliance Management Conference “Compliance Disruptors: Seismic Shifts of the Regulatory Landscape” held in Napa, California, we discussed best practices for leveraging expert networks, political intelligence agencies, and direct paid consultants in the investment research process.
The following were the key takeaways provided by panelists Laurence Herman of Gerson Lehman Group, Jonathan Streeter of Dechert LLP, and Samantha Addonizio of Ascendant:
- Develop compliance policies, procedures and controls that:
1) are separate from those provided by the platform;
2) are tailored to the specific risks of the information source; and
3) address how the Firm intends to monitor the activities of the experts on the platform or direct paid consultants.
- Do not speak to experts that are current employees of a public company. Use the six-month rule!
- Government employees should be subjected to the same compliance controls as “experts.” Government information can be just as sensitive and the SEC is currently focused on political intelligence agencies.
- When speaking to direct paid consultants, verify and document the source of the information being exchanged. Require the consultant to sign an acknowledgement of compliance.
- Monitor your analysts’ social networks (both online and offline). Do they have connections to officers at public companies on LinkedIn, Facebook, or Twitter? Is the portfolio invested in any of those companies?
- If speaking to former officers at public companies, research whether they have ever had issues with Regulation FD.
- Require employees to obtain pre-approval to schedule a call. Maintain a log of when calls occurred, and what individual securities and/or sectors were discussed.
- Ask analysts to prepare notes of each consultation to provide to compliance for review!
Ascendant’s Jackie Hallihan Honored at NSCP 30th Anniversary Celebration
On October 16, hundreds gathered at the Omni Shoreham Hotel in Washington D.C. to celebrate the 30th anniversary of the National Society of Compliance Professionals (NSCP), which was founded in 1987 by Ascendant Partner Jackie Hallihan.
NSCP is a non-profit organization dedicated to providing resources and support to compliance professionals in the financial services industry throughout the U.S. and Canada. Since its inception, NSCP has grown to overs 2000 members and offers a platform for information exchange, continuing education and networking opportunities for its members both virtually and in-person through regular roundtables, meetings and conferences.
Ascendant partner Jackie Hallihan
Jackie’s road to the compliance industry and establishing NSCP began in a role she took for a broker-dealer in the early 1980s. She recounted how she noticed the firm was receiving a number of letters from state regulators that everyone else seemed to ignore.
“I took it upon myself to read them and understand them,” she recalled. “Through that experience, I understood what an enormous need there was for resources for compliance professionals.”
This recognition led her to found her own company in 1984, National Regulatory Services, which started the compliance resource industry and where she would serve as President for two decades, and then to found NSCP in 1987 with the assistance of her colleague, Joan Hinchman. Jackie sought to create “a forum for compliance professionals to exchange information, develop a community and find a shared voice.” In 2006, Jackie would go on to co-found Ascendant Compliance Management with other prominent industry leaders.
“Jackie’s founding of NSCP was truly ahead of its time,” notes Ascendant CEO, Jon Higgins. “This was in 1987 – so, before the Compliance Program Rule, before the Code of Ethics Rule, before the Custody Rule. She saw the need and through grit and determination, laid the foundation for an entire industry. I’m proud to have partnered with her to co-found Ascendant Compliance Management.”
Earlier in the conference, Jackie served as a panelist on the Women in Compliance Roundtable, alongside fellow Ascendant Partner Korrine Kohm, Chief Compliance Officer of Landmark Partners, Annie Lazarus and Vice President of Compliance at Prudential, Tracey Abbott. When the panel was asked what advice they would give a young woman today, Jackie’s entrepreneurial spirit shone through in her answer: “Never be afraid to fail,” she responded.
Congratulations to the National Society of Compliance Professionals on 30 successful years, and thank you to Jackie Hallihan for her many contributions to the compliance profession.
For more information regarding NSCP membership, please visit their website.
Ascendant Compliance Conference Takeaways: 10 Tools of Behavioral Ethics
Hope and fear play a major role in behavior ethics. Behavior ethics is teaching us that we are teaching ethics all wrong. We cannot rationally try to persuade people to act ethically.
People see themselves as ethical, but often don’t see the ethics of the situation. Behavior ethics gives us tools to help people make a more ethical decision.
Set the moral compass in the ethical direction.
Does hope and fear filter into the topic of behavioral ethics? Well, that was the underlying theme that started off Ascendant’s Fall conference: Compliance Disruptors: Seismic Shifts of the Regulatory Landscape. The pre-conference session started out with an incredible presentation on incorporating behavioral ethics into your everyday culture of compliance. Keynote speaker John Walsh, a longtime advocate of behavioral ethics, provided the top 10 tools of behavioral ethics for compliance professionals to consider.
John Walsh’s 10 tools of behavioral ethics:
- Do not be afraid to draw bright lines
Ethical fading is a slippery slope. Everyone is able and even willing to cheat so long as they feel good about themselves. Ethical fading usually begins with small unethical behavior breaches, but when it starts to feel bad, then people will stop the behavior. Draw a bright line of honest! Don’t tolerate the behavior. - Use ethical framing to your advantage
Framing tells us that we are more likely to make an ethical decision if we are aware that there is an ethical aspect to the situation. Bring ethics into the decision. - Brainstorm about possible outcomes, because myopia is a very common problem
Humans tend to fixate on one outcome, so bring the awareness to other outcomes. In the complex world we live in, anything is possible. Ask questions about other options, and present other outcomes for consideration. - Say it out loud – “Everyone else is not doing it!”
Be the voice of reason within your organization. - Beware of the dynamic of distancing
Distancing allows people to process situations unethically because they distance themselves from the situation. Don’t distance yourself from the situation. It’s not someone else’s fault; ethics is everyone’s responsibility. - Be careful about how you burst someone’s behavior bubble
When you speak up, understand that others may not always believe you because they don’t think anything unethical will happen. - Be careful with after-the-fact penalties; they don’t work
Fines and penalties after the fact just don’t work. Create remedial actions to modify the behavior. The last step is termination. - Be honest with yourself about your real-world expectations
The reason we sometimes fail to do the right thing is because when we are in the moment, there are often other motives at play. If you are sitting there silent, you will not do well as a compliance professional. Compliance needs to be the voice of reason, and a loud voice at that. - Be open to real-world motivations
Compliance training often lacks effectiveness because of the many variables in play. Consider people, personalities, circumstances, etc. - Stay true to yourself!
We have to recognize that we are also subject to ethical fading because we are human.
The reality is that Compliance professionals need to build their arsenal to make training more effective. Additionally, Compliance professions need to train their employees to view all situations as ethical situations and not just business situations – because in reality, almost every business decision affecting investment advisers is an ethical consideration! Set the moral compass in the ethical direction.