
Recent Risk Alert from the SEC’s Division of Examinations

On July 21, 2021, the SEC’s Division of Examinations released a Risk Alert addressing their observations from examinations of investment advisers managing wrap fee programs. The SEC focused on this topic due to the growing amount of retail client assets participating in such programs.

Based on the Risk Alert, the SEC was specifically looking at the conflicts of interest for advisers and the risks to investors participating in such programs. Based on its examination of 100 advisers, the Risk Alert focuses on the following deficiencies noted with advisers serving as portfolio managers, sub-advisers, or sponsors of wrap programs:

The most frequently cited deficiencies were related to: (1) compliance and oversight, including policies and procedures regarding the tracking and monitoring of the wrap fee programs; and (2) disclosures, including disclosures regarding conflicts, fees, and expenses. In some instances, the staff questioned the appropriateness of recommendations of wrap fee programs for clients, particularly when the clients had no or low trading volume in their accounts.

Here is what the SEC highlighted as deficiencies:

  • Advisers did not monitor the trading activity in clients’ accounts or their monitoring activities were ineffective. (Any trading-away? Any undisclosed fees? Infrequent trading?)
  • Advisers did not have a reasonable basis to believe that the wrap fee programs were in the clients’ best interests. (SEC expects initial and on-going analysis of this.)
  • Inconsistent disclosures regarding the same topic in various documents. For example: The staff identified inconsistencies across advisers’ Part 2A of Form ADV (the firm brochure), sponsors’ Part 2A Appendix 1 of Form ADV (the wrap fee program brochure), advisory agreements, and other account documents and agreements for wrap fee clients.
  • Conflicts of interest which were not disclosed: For example, the advisers recommending wrap fee programs to their clients did not disclose that accounts with low trading volumes, high cash balances, or significant fixed income weightings may be able to receive similar services at a lower cost outside of a wrap fee program.
  • Compliance programs were weak and could be improved: the staff cited advisers that did not adopt policies and procedures to address the initial and on-going best interest reviews when recommending wrap fee programs. Risk inventories did not address managing client portfolios within wrap programs. (RISK MATRIX)

Does your firm manage client assets in one of these wrap fee programs, either as the sponsor, adviser, or sub-adviser? If so, then here is what the SEC wants advisers participating in wrap fee programs to do:

  • Conduct reviews of wrap fee programs – both initially and periodically thereafter – to assess whether the programs recommended to clients are in the best interests of clients, using information obtained directly from clients (e.g., through interviews, discussions, IPS and/or questionnaires).
  • Communicate with clients to educate them on the programs available, such as wrap and non-wrap platforms. This should include the assessments of the fees, expenses, and other costs involved.
  • Provide clients with disclosures regarding the advisers’ conflicts of interest related to transactions executed within the wrap fee programs.
  • Make sure you address the topic of wrap fee programs in your risk matrix.

For those advisers managing or involved in these types of programs, now is the time to perform a thorough review of your policies, procedures and ADV disclosure.

For more information or to speak with a regulatory expert, please email info@cssregtech.com.

Hacking Tesla, Tractors, and the Hotel Elevator: Ten Observations from the DEF CON hacker conference in Las Vegas

Fresh off the plane from attending the DEF CON 29 hacker conference held at Paris and Bally’s hotels in Las Vegas, Nevada, I am back with a fresh perspective on just how vulnerable we all are when it comes to cyber risk. And it’s even worse than we realize. 

I braved the 115-degree heat and entered the den of the hackers, and I have put together a list of the top ten things I observed about our collective preparedness as it relates to land, sea, and air, and what risks are on the horizon.

Enjoy! 

  1. Hackers are a very diverse group who seem to share one thing in common: using creative problem-solving to find vulnerabilities in systems. There were undoubtedly cybercriminals in attendance at the conference – one of the reasons that the FBI, NSA, and CIA have been known to show up, particularly if a black hat hacker (the bad ones who break into things for criminal reasons) will be on stage delivering a rousing demo of how they successfully took down a company. Yet for every black hat hacker, there are untold numbers of genuinely good white hat hackers, security researchers, and tech geeks who simply love a good challenge and love to talk ones and zeroes.
  2. Due to the aforementioned presence of cybercriminals, I wisely chose to stay off the hotel Wi-Fi and the cellular network. Public networks are insecure even under normal circumstances. Put a bunch of hackers in a room and watch how quickly rogue or fake wireless access points start appearing to mimic the real hotel wireless network to trick users into connecting. Cellular networks can also be spoofed by setting up fake base stations with stronger signals than the nearest legitimate cell tower, enabling unauthorized access even to encrypted calls. Sound unrealistic? This technique was actually demonstrated back in 2010.
  3. The elevators in the hotel had display screens which were usually used to showcase ads for restaurants, concerts, and events. During the hacker conference, the elevator displays simply read “Disk read error” and various other technical messages and computer code. Do you want to be in an elevator when it gets hacked?
  4. You can be whoever you want at a hacker conference. Some attendees are well known by (and only known by) their online handles. Jeff Moss, who founded the DEF CON conference twenty-nine years ago, goes by the handle Dark Tangent.
  5. The Land: Even farm equipment can be hacked. At DEF CON 29, a security researcher with the handle “Sick Codes” demonstrated vulnerabilities in John Deere systems used to monitor industrial farm equipment. The speaker’s group reported being successful in getting the private key for John Deere’s Single Sign On system and in gaining full access. As even farm equipment increasingly relies upon technology, the risk is very real that tractors in the field can be taken over remotely and excessive chemicals released into fields undetected.
  6. The Air: Satellites and space vehicles can be hacked. At past DEF CON conferences, hackers have successfully taken over real satellites and used them to take photos.
  7. The Sea: In our current COVID-19 environment of supply chain troubles, our reliance upon cross-border shipments became evident. Hacking shipping containers with ransomware or even temporarily redirecting their coordinates for a mere few minutes can have drastic consequences on global supply chains.
  8. The Internet of Things (IoT) is still just as insecure as ever. There are arguments for and against creating a legislative “right to repair” that would enable consumers to try to fix their own devices rather than having to bring them to a dedicated Apple Store or other specific manufacturer. There are some very interesting policy decisions at play when balancing the needs of consumers with the security risks that arise if companies are forced to disclose sensitive technical details about how their devices operate. In July 2021, President Biden issued an Executive Order on the right to repair.
  9. Just about anything can be hacked, as various demos at the DEF CON conference revealed. Medical devices, IoT devices, and even cars are all targets for hackers. One talk at DEF CON demonstrated a compromise of the Tesla Model X keyless entry system. Do you want to be riding in a self-driving vehicle at the moment someone remotely takes over control of the car?
  10. Last but not least, the only thing which seems to be hotter than Vegas nowadays is the world of cryptocurrency and blockchain, and both were on full display at DEF CON 29, with wonderful discussions of the interplay between security and privacy as the regulatory landscape continues to take shape. CSS provides compliance support to investment advisers who are active in the cryptocurrency and blockchain space, and I found it particularly exciting to tour the Blockchain Village at the conference. I expect that we will be seeing much more focus on blockchain technologies on the horizon, as well as a complex regulatory landscape to help our clients navigate in the years to come.

The cyber threats out there are unfortunately all too real, but they are not insurmountable. With the right approach and partners in place, the peak of cyber preparedness is something we should all continue to climb towards.  

I, for one, will be taking the stairs. 

For more information on CSS’s Cybersecurity Services and Solutions, email us at cybersecurity@cssregtech.com 

Show Me the Money

How are you getting paid? That is the question that the SEC is focused on in recent regulatory examinations of investment advisers. In two recent document request letters, the focus on advisory fees and account reconciliation has never been more prominent. But that should not be a surprise to advisers since the SEC includes this topic in their 2021 examination priorities.

Within the Exam Priorities, the SEC stated, “The Division will continue to focus on risks associated with fees and expenses, complex products, best execution, and undisclosed or inadequately disclosed, compensation arrangements. Recent market volatility and industry pressures have impacted fees and other revenues collected by firms. These conditions may cause increased financial stress on firms and their personnel, which may, in turn, lead to increased instances of fraudulent conduct.” So frankly, the SEC wants to ensure advisers are not inflating fees to cover losses from 2020!  

So, what exactly is the SEC interested in? Based on our review of recent document request letters, it appears they are zeroing in on the calculation of fees, reconciliation of quarter-end balances, and householding of accounts for fee-billing purposes, just for starters.

In the SEC Exam Priorities Letter, the SEC said attention would be paid to the following: “… concerns may arise when an RIA does not aggregate certain accounts for purposes of calculating fee discounts in accordance with its disclosures. In reviewing fees and expenses, the staff will review for: (1) advisory fee calculation errors, including, but not limited to, failure to exclude certain holdings from management fee calculations; (2) inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and (3) failures to refund prepaid fees for terminated accounts.”

Here is just a sample of the questions investment advisers are being asked to substantiate:

  • Indicate if fees are subject to householding and how households are determined.
  • Provide all compliance and operational policies and procedures, including desktop procedures related to fee billing.
  • Any written interim or annual compliance reviews, internal control analyses, and forensic or transactional tests performed in relation to client fee billing. Include any significant findings, both positive and negative, and any information about corrective or remedial actions taken regarding these findings.
  • Adviser’s general ledger, subsidiary ledgers, and journals related to client fee billing for the Examination Period, including fee offsets and refund of prepaid fees.

Now is the time to focus your compliance testing on the topic of advisory fee billing, especially for retail clients. Ask yourself these questions to get started:

  • Do you have a policy on the billing of cash?
  • Does the firm have a policy on billing on clients’ legacy or unpriced assets?
  • Who handles billing and what supervisory review is performed by an independent party?
  • If you bill in advance, how are you handling the cash flows throughout the quarter? Is your billing system set up to adjust fees based on significant cash flows into and out of the accounts throughout the quarter, or do you have to adjust manually? If manual, how are you ensuring the calculations are accurate?

If you do not perform quarterly or periodic testing of your fee bill calculations, now would be a great time. Forensic testing can include sampling client accounts to determine if their fees are aligned with the stated fee schedule detailed in the advisory agreement, breakpoints, and householding policies. Review the language within your Form ADV Part 2A and Investment Management Agreements to ensure there is consistency between them. Document all your results, especially if you determine there were discrepancies in your practices. Finally, determine whether your compliance policies accurately reflect your firm’s practices and are reasonably designed to mitigate errors.

Our next “For CCOs, By CCOs” webinar series will cover regulatory exams on September 16. For more information or to speak with a regulatory expert, please email info@cssregtech.com.

SEC Cracks Down on Form CRS

The SEC twice reminded 27 RIAs and BDs to meet Form CRS requirements before starting enforcement actions. The firms have all now been fined for failing to file and deliver Form CRS last year. Fines ranged from $10,000 to $97,523, and all come with new required disciplinary disclosures for each of the firms. The firms now all need a “Yes” answer to the disciplinary question. Read the latest.

FCA Publishes UK PRIIPs Consultation Paper

On July 20, 2021, the FCA published Consultation Paper CP21/23 to collate industry viewpoints on proposed amendments to the PRIIPs regulation as it applies in the UK – the FCA are doing this as they “want to address the lack of clarity on the PRIIPs scope and address concerns with performance scenarios, summary risk indicators and elements of the transaction costs methodology.” The proposal sets out options with respect to replacement of the existing Annex IV (Performance Scenarios), such as replacement with a narrative description of performance, a 10Y past performance analysis, and a proposal to enable a firm to up-rate its SRI if it feels the SRI is understating risk. The CP also doubles down on the FCA’s continued support for the slippage calculation approach to transaction costs, but it does outline tweaks to the transaction cost methodologies as specified in the current legislation “to address issues arising from transaction cost reporting in specific contexts.” The comment form for the CP can be found here.