Blog Masonry Full Width

Author: Matt Calabro, Co-Executive Director, Compliance Services, Confluence 

This blog was originally published at Markets Media on October 7, 2022.

Sustainable investing disclosures in the U.S. are currently governed by general fraud prohibitions in advertising and not by formally defined rules, apart from interpretive guidance issued by the SEC in 2010 about certain material impacts caused by climate change. In the absence of ESG regulations, investment managers have latitude to define relevant ESG factors when marketing their strategies. Such lack of standards can lead to “greenwashing “- or making claims that a strategy is more sustainable than it is.

But the end of that era may be coming soon. Earlier this year, the U.S. Securities and Exchange Commission (SEC) proposed a new rule requiring listed corporations to disclose climate-related risks affecting the corporation and information about greenhouse gas emissions. The SEC also proposed disclosure requirements for registered funds and investment managers making ESG claims. Final rules are still pending and would include adoption periods.

U.S. businesses and investment managers have seen increasingly more stringent climate transition and sustainability disclosures adopted in Europe over the past several years. Europe’s Sustainable Finance Disclosure Regulation (SFDR) requires the financial sector to include ESG information in annual reports and prospectuses. If adopted, the U.S. rules would bring the muscle of U.S. businesses towards the advancement and global convergence of technical standards.

There are some key challenges for an investment manager in implementing an ESG strategy. It is critical that portfolio managers and traders are aligned with operations, compliance, and marketing teams. SEC actions against U.S. investment managers to date have centered on firms that have not lived up to their claims. Simply put, an investment manager needs to “walk the talk” and be able to show their work. Challenges also exist in obtaining quality ESG data. Public companies are not required to make many ESG-related disclosures, creating inconsistent data, even within a particular industry. While several firms generate ESG ratings on public companies, there is no standardized approach. Different ratings firms weigh factors differently, potentially resulting in different outcomes and impacting an asset manager’s ability to gain valuable insights. Asset managers must often go to multiple vendors to cover all data gaps, which becomes a logistical and integration headache that consumes time and money.

Investment managers considering offering ESG strategies need to establish an effective ESG framework and implement a tailored solution. Here are three critical points to remember:

1. Understand the regulations: It’s imperative to stay on top of existing and emerging ESG regulations in the U.S. and worldwide. Investment objectives with ESG strategies need to be clearly defined and investment managers must develop a process to follow their policies and procedures. They must ask what ESG risks and opportunities need to be disclosed? Is the ESG framework designed to minimize exposure to future litigation and regulatory risk? Is there a process for documenting the work that is done? When looking at current ESG regulations and those that could follow, firms can consider forming an ESG committee that reviews procedures and stays on top of the latest ESG regulations.
2. Invest in data best practices: The inconsistency of ESG data and the lack of harmonization and comparability of data from different vendors, combined with bias around how ratings are determined, are ongoing challenges for investment managers. The U.K. and E.U. have proposed regulations to create more consistent and transparent data. The U.S. may adopt similar measures in the future. Firms need to conduct a comprehensive inventory of their internal data and develop an ESG data framework to capture and track relevant data. This approach establishes best practices for ESG reporting, provides ESG leaders with relevant reporting data and trends, and sets the organization up for future requirements to disclose ESG data. 
3. Determine the budget: It is critical to dedicate sufficient resources to offering an ESG strategy. The cost of the solution will depend on the size of the firm and complexity of the strategy. While it may not be practical for every firm, larger firms could benefit from building a dedicated ESG unit focusing on ESG-specific factors. Getting the funding you need can be a long process, so remember to start securing it early.

Recent actions by the SEC signal its commitment to standardizing disclosures and ensuring that investment managers’ ESG claims reflect actual practices. While there are several challenges in implementing an ESG strategy, the investment managers who dedicate sufficient resources to the effort will be able to deliver effective solutions.

_{Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing, legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.}

Author: Compliance Solutions Strategies

The SEC’s new Marketing Rule that came into effect last year expanded the definition of advertising. It allows for marketing via new channels and enhances existing disclosure requirements. It will have significant compliance impacts on advertising and cash solicitations for investment advisers registered with the SEC.

Replacing both the old advertising and solicitation rules, the new SEC Marketing Rule is accompanied by a detailed, 430-page release and requires advisers to adopt the entire rule all at once by November 4, 2022. Yet, many firms are unprepared to meet the deadline which is only weeks away. During a recent webinar, we asked attendees to rate how prepared they are to meet the deadline. Only 18% said they are “ready to go”, while 64% are implementing a solution now and expect to be ready by the deadline. The remaining 18% were not sure they will make the deadline – or are hoping for an extension.

The SEC’s new Marketing Rule is not just a codification of existing rules; it introduces new performance language, processes and considerations that have never been considered before. Here are six keyways to simplify your firm’s compliance with the new Marketing Rule for a smooth transition.

1. Implement advertisement changes
   Do not wait until the November 4 deadline to make sure advertisements are updated to meet the new rules. Make changes to advertisements along with September 30th marketing decks. This way, you will be already complying with the rule while avoiding confusion about which deck version to use and when.
2.  Follow your policies and procedures
   Your staff should be up to speed on the rules and how to implement them. Policies and procedures also make great training tools for new hires, or anyone transitioning into a new department. Have the appropriate resources and support in place, such as internal and external counsel and compliance consultants, to help wherever assistance is needed.
3. Get specific with disclosures
   In your pitch book, consider what references get placed in the body of the deck versus footnoted at the end to make sure disclosures are “clear and prominent” and that the information is relevant and understandable to the intended audience. Think about explicitly showing the reader what disclosure is for what content, and title and number them clearly. 
4. Become GIPS^® (Global Investment Performance Standards) Standards compliant
   The new Marketing Rule includes 26 references to the GIPS Standards and encourages firms to follow many of the same requirements. In short, GIPS compliance can get you the most bang for your compliance in two keyways.
   First, completing the heavy lifting of composite creation makes complying with the marketing rule easier. Although the new Marketing Rule does not require composites, a composite will be needed to compare, justify and substantiate your use of a model account, or provide that composite or related performance. And second, most of your competitors likely are GIPS compliant and can check that box on RFPs. In fact, 72% of our recent webinar attendees said they were already GIPS compliant and 12% said they were “absolutely” taking extra steps to become compliant.
5. Keep good records
   As a best practice, firms should keep track of the following details and have an audit trail built around the entire process:
   
   • Any participation in ratings or rankings to show your due diligence
   • Standard content drafts and final approved versions
   • Substantiated performance calculations and material facts
   • Back-up support for claims made in advertising
   • Your team’s experience and track record
   • The status of individuals providing endorsements and testimonials, compensation (if any), and conflicts of interest
     
     Also, make sure these records are stored centrally and easy to access when needed.
6. Automate and streamline the process
   Many advisers choose to do all their performance work in Excel, which can be rife with accuracy, efficiency, and audit problems. In our recent webinar, 59% of attendees said they are using a combination of in-house and external solutions, and 15% are using an external solution.
   Having a system capable of managing composites can help you get into compliance with the rule faster, maintain that compliance going forward, and accommodate future changes. Look for a solution that:
   • Incorporates net returns based on the actual fees, but also accommodates any model fee to different audiences.
   • Calculates performance and statistics based on multiple fund/account level returns or different fee schedules for multiple time periods.
   • Provides a reporting tool with the flexibility to add additional measures and statistics for additional time periods without intervention from the vendor.
   • Has the ability to calculate numerous statistics, which may become a future requirement.
7. Building a compliance foundation
   While many of the new rule provisions are not completely new to the industry, many of them refine past definitions and rules, and center around requirements to avoid untrue, unsubstantiated, or misleading statements, and to have fair and balanced presentation material.
   Although more clarification, staff interpretation and learnings will likely come to light in the next year or so, now is the time to get your compliance house in order. Make the best use of technology tools, counsel, and compliance experts to ensure you are ready to comply with the changes driven by the marketing rule – and any future ones down the road.

_{Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing, legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.}

Author: E.J. Yerzak, Director, Cyber IT Services, CSS, a Confluence company

The dust has barely settled on the U.S. Securities and Exchange Commission’s proposed cybersecurity risk management rules for investment advisers and investment companies. That hasn’t stopped financial industry experts and compliance practitioners from expressing concern about the rules and whether they will actually help mitigate the growing number of cyber threats facing financial firms.

On September 20, 2022, Confluence hosted a live discussion, “Unpacking the SEC Cybersecurity Rules and Impacts,” with a group of esteemed practitioners who shared their views on the proposed rules. Moderated by Confluence’s Director of Cyber IT Services, E.J. Yerzak, the discussion featured a power panel of collective industry knowledge featuring Laura Grossman (Associate General Counsel of the Investment Adviser Association), Desiree Moore

(Partner at K&L Gates and founding member and co-lead of K&L’s Digital Crisis Planning and Response group), and Adan Araujo (Chief Compliance Officer of Jasper Ridge Partners and former Senior Counsel at the SEC’s Division of Enforcement). 

Confluence was pleased to welcome the panel for an insightful and lively discussion on the potential impacts of the proposed cyber rules. Leading things off, Grossman conveyed the IAA’s stance on the proposed regulation by walking through various points expressed in the IAA’s comment letter submitted to the SEC. While the IAA generally supported the rationale behind the rulemaking – that is, to improve cybersecurity among registrants and protect investors – Grossman noted that the forty-eight-hour incident reporting timeframe appeared quite burdensome, particularly for smaller advisers.

Araujo echoed that concern, explaining that when a firm is in the midst of responding to an incident, its energy and attention are devoted to the immediate crisis at hand. Having to divert some of those resources to file a report with the SEC before a complete picture is known about the incident can be challenging to many firms. It seemed questionable whether the SEC has the present capabilities to do anything useful with the incident reporting to possibly alert other firms to similar attack vectors, although the panel conceded that some information sharing would be beneficial.

Is the SEC’s cyber rule proposal too little too late, or does it come at a critical time for the financial industry? Moore shared her perspectives that the interplay of various state and federal breach reporting requirements, as well as the fact that multiple agencies are exerting their jurisdiction over cyber with sometimes competing sets of requirements, can be a challenging maze to navigate without the help of outside experts. Moore reminded the audience of the importance of preserving claims of privilege for communications surrounding incident response. Grossman added that it is equally important to conduct cybersecurity risk assessments to avoid an incident in the first place hopefully.

On the other hand, the panel acknowledged that the SEC felt it had good reasons to propose its cyber rules. It seems that the agency was not satisfied with the collective state of cyber preparation across the industry, as numerous risk alerts over the last several years continue to find significant weaknesses in cyber controls among registrants. The SEC seems to have recognized that notwithstanding existing rules such as Regulation S-P and S-ID that touch on cyber, perhaps the principles-based approach was leaving too much room for interpretation. In fact, even this week, the SEC brought another enforcement action for alleged failures by a dual registrant to securely sanitize media containing client personal information before disposing of numerous hard drives and equipment. 

The good news? The SEC’s cyber rule is still awaiting final action by the agency. It remains to be seen whether the rule will be adopted entirely as proposed or what tweaks may find their way into the final version. And as Araujo pointed out, firms should address cyber risk because it makes business sense to do so. He’s absolutely right. A cyber breach is bad for business. Cyber risk is business risk. And financial firms are well-advised to get their cyber act together well in advance of an incident. If you wait until an incident happens to start assessing your cyber preparedness, Araujo cautioned, “it’s too late.”

_{Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing, legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business}