13F and 13D – Changes on the Horizon?
Chair Gensler has been beating a drum signaling that changes to the U.S. transparency regimes are likely.
In prepared remarks for City of London Week (published June 23, 2021), Gensler indicated that he had asked SEC staff to propose updates to beneficial ownership reporting, including possibly shortening the reporting deadlines. Currently, under Section 13D, beneficial owners of more than five percent of a public company’s equity securities who have control intent have 10 days to report their ownership.
In addition, Gensler indicated that increased transparency was warranted around short selling and derivatives (e.g. security-based swaps that provide exposure to a company without traditional equity ownership).
These remarks are in line with Gensler’s May 2021 testimony to the House Financial Services Committee (HSFC) in the GameStop-related hearings, in which he indicated his support for expansion of Form 13F to include disclosure of derivatives – specifically mentioning the lack of current reporting on securities-based swaps.
In the same hearings, Gensler noted that Dodd-Frank had charged the Commission with updating 13F reporting to require monthly reporting of aggregate information in the short-selling market. This mandate – now 12 years old – is one of only three mandatory rulemaking provisions on which the SEC has yet to act. (67 have already been adopted; eight others are in the proposal stage; three remain.)
Congress is marching in the same direction.
Gensler’s recent remarks are very much in line with draft bills Congress released for discussion in May in connection with the GameStop related hearings. For example, the Capital Markets Engagement and Transparency Act of 2021 proposed modifying Section 13(f) to redefine the scope of the rule to cover both shorts and derivatives, and also to increase the frequency of reporting — it would require monthly reporting within 5 business days after the end of each month. Current Form 13F is due within 45 days after the end of each quarter.
Cyberattacks Continue to Wreak Havoc – What Can Compliance Teams Do?
It’s déjà vu all over again for cybersecurity professionals around the world, many of whom are now scrambling to recover from the latest cyberattack involving Kaseya software. The Russian affiliation of hackers known as the REvil Group, the same hackers attributed to the recent ransomware attack against JBS, is allegedly behind this latest ransomware as well. In what has become an unfortunate sign of things to come, ransomware is now increasingly of the “exfiltrate and extort” variety. Rather than simply encrypt a company’s data and hold it hostage for a ransom payment, hackers have found it profitable to also exfiltrate massive amounts of corporate data and demand a hefty ransom to either give the data back or decrypt it.
In this latest cyberattack, the REvil Group is alleged to have perpetuated an attack against vulnerabilities in a product of cybersecurity software company Kaseya, based in Miami, Florida. Kaseya is a well-known software company which provides, among other tools, VSA RMM, a “remote monitoring and management” that enables companies to remotely monitor networks and push out patches and other updates. The software is used by approximately 37,0000 companies in many industries and sectors around the world, the majority of whom are managed service providers (MSPs) handling information security for an even greater number of their own business customers. The legacy on premises version of Kaseya VSA is the product specifically accessed by the hackers, which fortunately appears to have limited the impact to those firms who still had an on premises configuration of it. Although many firms had migrated to Kaseya’s cloud-based solution, this cyber incident highlights the importance of keeping software patched, remaining vigilant of identified vulnerabilities through regular vulnerability testing and monitoring, and properly retiring old systems no longer needed or used by a firm.
Kaseya was allegedly informed of seven vulnerabilities as recently as April 2021, and had been working to patch them. Unfortunately, they didn’t finish the patching before the hackers struck. Time is clearly of the essence when new vulnerabilities are discovered and hackers race to exploit them before IT teams can close the security holes. In the Kaseya cyberattack, hackers exploited a credential leak among other vulnerabilities.
In some sense, what we are seeing with these latest hacking attempts is more of the same supply chain attacks that began to make headlines back in 2013. The difference now is that hackers are going after software applications used by MSPs and by many companies of all shapes and sizes to manage their information security. By compromising updates to security software itself, which is then pushed out to thousands of unsuspecting machines around the world, hackers are able to get a lot of mileage (and do damage to a lot of companies around the world) from a single hack. The sophistication and complexity of the attack method suggests a growing cybersecurity problem around the world: that regardless of using established industry vendors, organizations are only as strong as their current weakest link. It has become challenging for small companies to defend against attacks perpetuated by nation state actors, especially when those cyberattacks are targeting the same software that these companies rely upon to try to stay secure in the first place.
These recent attacks have highlighted how interconnected the global security ecosystem really is. CSS is not using the impacted Kaseya product, and we will continue to monitor the situation. If you are interested in speaking with one of our cybersecurity experts about testing your network and applications and monitoring for credentials of your staff on the dark web, please contact cybersecurity@cssregtech.com.
Pete Driscoll to Leave the SEC Examinations Division; Dan Kahl to be Acting Director
The SEC announced that Peter Driscoll, the Director of the Division of Examinations, will leave the SEC on August 14, 2021. Pete Driscoll has a long and distinguished career at the SEC, being the recipient of the Mission Award and the Distinguished Service Award, the Agency’s highest honor.
Mr. Driscoll was well known for his leadership and transparent style, frequently speaking at industry events. Pete was the keynote featured speaker at CSS’ s “Fireside Chat with Pete Driscoll” in December 2020. Joining him was Stephanie Monaco, Partner at Mayer Brown, and Jim Anderson, Partner at Willkie Farr & Gallagher, along with expert compliance panelists in the industry discussion panel.
Daniel Kahl will be the Acting Director of the Division of Examinations upon Mr. Driscoll’s departure. Dan has been Deputy Director since 2018, and the Division’s Chief Counsel since 2016. Previously, Dan led the Office of Investment Adviser Regulation in the Division of Investment Management.
Compliance Solutions Strategies Expands aosphere Collaboration
Launches Integration of Market Data Services to Investment Monitoring Platform
NEW YORK, July 14, 2021 – Compliance Solutions Strategies (“CSS”), a leading RegTech platform providing technology-driven solutions which enable financial services firms to meet mandatory regulatory compliance requirements, today announced an expanded collaboration with aosphere LLP, an affiliate of Allen & Overy LLP, with the full integration of a range of Market Data Services offered by aosphere into the CSS Investment Monitoring platform.
To comply fully with obligations for shareholding disclosure, investment managers need access to accurate and timely market data covering diverse areas such as company takeovers, issuer-initiated thresholds (typically found in a company’s articles of association) and data relating to temporary short-selling bans.
The inclusion of Market Data Services for Shareholding Disclosure strengthens CSS’s position as a world-class RegTech solutions provider to institutional asset managers and hedge funds, with an automated investment monitoring platform that uniquely pairs unmatched in-house regulatory expertise with the most comprehensive set of industry legal and related market data offered by aosphere.
“Our strategic collaboration with aosphere builds upon the intellectual capital of our own team of legal and regulatory experts and significantly enhances our global Investment Monitoring platform,” said Doug Morgan, Chief Executive Officer of CSS. “Leveraging aosphere’s unique capabilities, as we’re doing with the integration of Market Data Services, will continue to help CSS accelerate the delivery of new product features in the years to come.”
“The Market Data services we offer provide a robust solution for clients seeking to comply with complex regulatory reporting rules. Sourcing accurate, cost effective data on a consistent basis is a significant client challenge and we are pleased to work with CSS to offer this service to their clients. We know how important it is for clients to be able to operationalise legal and regulatory content in platforms such as the CSS Investment Monitoring platform and we hope the ability to utilise this Market Data will be a welcome development for CSS clients,” said Clare Godson, Executive Director at aosphere.
About CSS:
CSS is a trusted global RegTech partner that uniquely brings together innovative technology-driven solutions to support financial services firms in navigating a clear and strategic path through the complex and fragmented global regulatory space. Our solutions and services help firms meet regulatory deadlines while optimizing compliance data, operations and technology. CSS covers a full range of global compliance disciplines spanning fund reporting, transaction reporting, investment monitoring, compliance management, compliance services and managed services with a complementary, centralized approach to the strategic management of regulatory data called RBOR (Regulatory Book of Record). The company currently serves over 600 software clients in the financial services vertical comprising of hedge funds, traditional asset managers and fund administrators, including Tier 1 buy-side and sell-side institutions. CSS maintains a global footprint across both North America and Europe with customer-facing offices in New York, London, Dublin, Amsterdam and Stockholm. For more information on CSS, please visit: www.cssregtech.com.
About aosphere LLP:
aosphere LLP, an affiliate of leading international legal practice Allen & Overy LLP, has a client base which includes an impressive list of more than 500 of the world’s leading investment banks, asset managers and funds. aosphere has expertise in key areas such as shareholding disclosure (including short selling), cross-border marketing restrictions, data privacy and derivatives to provide subscription products which help their clients to reduce legal, regulatory and operational risk. www.aosphere.com
EMIR REFIT Update from ESMA
Today, ESMA released a consultation paper on EMIR REFIT Reporting Guidelines. The consultation paper includes draft guidelines on topics relating to reportability, field-by-field reporting rules, TR reconciliation and TR data access under EMIR REFIT.
The consultation paper also covers EMIR REFIT draft XML schema for reporting, clarifying interdependencies between data fields and how the rules apply to reporting scenarios in scope. The closing date for responses is 30 September 2021.
This update consultation gives the industry much welcome clarity on how ESMA aims to implement the new EMIR reporting rules and guidelines, and provides firms with a detailed framework for further preparation ahead of the regulation go live.
The consultation paper, the draft validation rules and draft XML schema for reporting can be found here.
AIFMD Filings Update for The Netherlands
AIFMD filings to The Netherlands are to be submitted through the AFM Portal as per July 1, 2021, replacing the DNB DLR portal. More information can be found here. To our knowledge, third country managers are still not requested to submit.