
Changing Times: How Compliance Officers Should Address Regulatory Changes

If there is one certainty about regulatory compliance, it is that nothing is static (isn’t that one of the things we love most about our profession?). The regulatory framework in which investment advisers, broker-dealers, investment companies and private funds operate changes continuously. Such changes include new or revised statutes and rules, or can come in the form of regulatory guidance, interpretations and frequently asked questions. Regardless of the form the change takes, compliance officers need to consider the implications for their compliance program and their firm’s business.

So where do you start? Here are some helpful hints:

  • Impact to Your Business – To assess the ramifications of a rule or other regulatory change to your firm, you first need to understand what the change is. The obvious way to understand the scope of a rule or interpretation is to read the release published by the agency. However, some new rule releases can be hundreds of pages long. Another approach is to participate in webinars offered by trade associations, law firms and compliance consultants. Participation is usually free and often provides reference materials that summarize the rulemaking. Also keep in mind that during and after a rulemaking, an agency may issue subsequent guidance that you will want to review and understand.
  • Socialize the Change Within Your Firm – Regulatory changes do not only impact a firm’s compliance program. Consider the other business units or service providers with which you need to socialize the rule or guidance, and include them in the conversation (i.e., who are the stakeholders?). There may be direct and/or indirect impacts across your organization, and, as applicable, these colleagues could play a valuable role in operationalizing any new policies. Of course, be sure to advise members of your management team about the rulemaking or guidance and the actions you are taking to investigate its applicability to your organization.
  • Develop a Game Plan – Engage in “backwards planning.” Working backwards from the effective date of a rulemaking and the compliance date, develop a timeline of actionable tasks that need to occur, and identify who should be involved in the review and development of new policies and procedures. Don’t forget to include your IT team, as utilizing systems and technology can provide cost-effective solutions and process efficiencies. A comprehensive assessment of your firm’s ability to address and respond to the change is essential to identifying needs and resources.
  • Identify What Controls Will Need to Change – As a component of “backwards planning,” consider what aspects of the compliance program and business will need to be changed. Most likely, the following will be affected:
    • Policies and procedures
    • Regulatory disclosures
    • System and technology updates
    • Training materials

In some cases, the firm may also need to hire additional compliance staff, or even new personnel in the business. Consider the new advertising rule – if your firm intends to adopt a more aggressive approach to its use of social media, that could mean adding staff to both compliance and marketing.

  • Who Needs to Know About Policy and Procedure Changes – Once your firm’s policies and procedures have been approved, the revisions need to be communicated to various stakeholders inside and possibly outside your organization. Parties with a need-to-know can include: staff, clients, boards, oversight committees and/or third-party service providers. Another consideration is messaging. What form will the communications and messaging take? Who will be responsible for communicating the changes to each group of stakeholders? Be sure your project planning includes appropriate time to develop and deliver this messaging and any other training that may be necessary.

“The secret of change is to focus all of your energy not on fighting the old, but on building the new.”

-Socrates

DOL on the Prowl for Cybersecurity; Goes Further than SEC and NIST

A large cyberattack on U.S. infrastructure – this time a ransomware attack that shut down the Colonial Pipeline – has left us with a sharp reminder that cybersecurity threats are constant and real, and that we must remain vigilant. Financial services is one of the 16 critical infrastructure sectors defined by NIST, and the threats to financial firms continue to grow. Just weeks earlier, the U.S. Department of Labor stepped up its expectations of firms when it comes to cybersecurity. On April 14, 2021, the DOL released a set of three separate cybersecurity risk alerts in which it described expectations and requirements that fiduciaries should be following.

Vendor Oversight

The first DOL guidance update states that “plan sponsors should use service providers that follow strong cybersecurity practices,” and provides Tips for Hiring Service Providers which sets forth factors that plan sponsors and fiduciaries should consider in making that determination. The DOL guidance recommends conducting due diligence of service providers’ cybersecurity standards, policies and procedures, testing, occurrence of incidents and breaches, contractual terms for protection of information, and whether the provider maintains cyberinsurance. These are all consistent with what the SEC recommends, and with prior CSS recommendations regarding effective vendor oversight. The DOL goes a step further to state that plan fiduciaries should attempt to add language to service contracts that mandate an independent security audit of the provider. Interpreting the DOL guidance, CSS recommends that plan fiduciaries document their vendor oversight with due diligence questionnaires and regularly refresh those responses.

A Well-Documented Information Security Program

The second DOL guidance update details Cybersecurity Program Best Practices for ERISA plan recordkeepers and other service providers. The guidance distills to a collection of best practices on having a well-documented information security program that covers governance, access controls, encryption, the software development lifecycle (SDLC), business continuity planning (BCP), and incident response, as well as annual cyber risk assessments, regular independent security testing, and periodic security awareness training. The DOL guidance for a well-documented cybersecurity program follows the NIST Cybersecurity Framework supported by the SEC, which organizes cyber controls into five functions: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover. The DOL adds disclosure and restoration as categories; however, NIST and the SEC tend to cover both of these under the Respond and Recover functions.

The DOL states that cybersecurity policies should cover the following (which align with SEC expectations and which CSS covers when assisting firms in creating information security policies and procedures):

  1. Data governance and classification
  2. Access controls and identity management
  3. Business continuity and disaster recovery
  4. Configuration management
  5. Asset management
  6. Risk assessment
  7. Data disposal
  8. Incident response
  9. Systems operations
  10. Vulnerability and patch management
  11. System, application and network security and monitoring
  12. Systems and application development and performance
  13. Physical security and environmental controls
  14. Data privacy
  15. Vendor and third party service provider management
  16. Consistent use of multi-factor authentication
  17. Cybersecurity awareness training, which is given to all personnel annually
  18. Encryption to protect all sensitive information transmitted and at rest

Staying Safe Online

The third DOL guidance update details Online Security Tips meant to educate plan participants in keeping their retirement accounts secure. These tips include regularly monitoring online accounts, using strong passwords with multifactor authentication, avoiding public wireless networks when feasible, watching out for phishing attacks, and maintaining current antivirus protection and updated software patches. Here, the DOL goes further than current NIST guidance by recommending passwords be at least 14 characters long rather than the 8 characters recommended by NIST.

As additional regulators take a closer look at financial organizations’ cybersecurity posture, it is imperative that firms periodically evaluate the effectiveness of their information security controls. A firm’s fiduciary duty to clients clearly includes an obligation to reasonably safeguard information entrusted to the firm by those clients. For information about how CSS’s cybersecurity experts can help you assess, protect, and monitor your information security program, please contact us at cybersecurity@cssregtech.com.

The New Marketing Rule – Develop Your Plan

The new Marketing Rule (Rule 206(4)-1 under the Investment Advisers Act of 1940) is effective on May 4, 2021, starting an 18-month transition period. All advisers must be in compliance with the Rule by November 4, 2022. While that sounds like a lot of time, we encourage CCOs to start thinking about a plan because “time flies in compliance.”

Here are some of our tips for a smooth implementation:

  • Review and determine what changes to your firm’s policies and procedures are required. There are many new definitions and requirements resulting from this Rule, so give yourself plenty of time to address them in your compliance manual.
  • Inventory your materials. Take stock of what you currently circulate which is deemed marketing and determine what revisions may be necessary as a result of the new Rule. Work closely to educate your Marketing department on the new facets of the Rule.
  • Social media. Determine what your firm’s position is going to be on social media. Beyond whether the firm will participate in social media, understand the concepts of adoption and entanglement and how that might impact the marketing you will do. Also, make the decision on whether you will permit supervised persons to utilize their social media platforms for business/marketing purposes and develop the necessary policies surrounding their use.
  • Solicitation arrangements. These need to be reviewed and repapered. The Marketing Rule pulls cash and non-cash solicitation arrangements under the endorsements/testimonials portion of the Rule, so changes will be required to your existing solicitation relationships. Since you will potentially need to work with outside counsel to draft new agreements, get that process in the works early on.
  • Performance reporting. If you include performance data in your materials, look at how to meet the new requirements around gross and net performance, the time period presentation and relevant accounts.
  • Recordkeeping. Be sure that you can substantiate any claims made in your materials and that your supporting documents are contemporaneous and easily accessible. In addition to performance calculations, we recommend supporting any claim in your materials (e.g., level of experience of a portfolio manager).

The Rule requires that you implement the entire rule at once, and there are amendments to Form ADV that must be made at the implementation date. When picking an implementation date, think about whether it is easier for you to select the first day of a quarter or some other landmark date that will be clear in your records.

Finally, as we move through the transition period, keep up with the latest developments and information. The SEC maintains a webpage of frequently asked questions, so check it regularly. Also, look for materials and information from industry experts, like your favorite compliance services firm.

The size of the challenge will vary based on the amount and type of marketing activities your firm conducts and the state of your current policies and procedures around those activities. Starting that analysis now will ensure that you address the requirements and meet the deadline. As the old saying goes, “plan your work, work your plan.”

For more information on automating marketing reviews or to ensure compliance with the Marketing Rule, email: info@cssregtech.com.

EU Relaxes its MiFID II Position Limit Regime

ESMA has recently suggested to national regulators across the EU that they de-prioritize enforcement of MiFID II position limits on commodity derivatives, other than those related to agricultural products or “significant” products (defined as products with net open interest of at least 300,000 lots over a one-year period). So if you’re an investment manager, or other type of position holder in commodity derivatives listed on EU markets, be aware that you may not face any regulatory or exchange-based consequences when exceeding many of the established MiFID II position limits.

We can’t yet fully tell which national regulators or exchanges will indeed refrain from enforcing these position limits, because many of them haven’t published a response to ESMA’s call for relief. And it’s worth keeping in mind that because ESMA cannot change EU law (which it acknowledges in its statement), its suggestion to regulators is not a requirement they must follow. But one notable regulator recently weighing in is BaFin, the competent authority in Germany for position limit purposes. BaFin has stated that it will follow ESMA’s suggestion, and therefore relax its enforcement of “MiFID II” position limits on commodity derivatives listed on German exchanges, other than those related to agricultural products or products with open interest of at least 300,000 lots. The German exchange EEX reflects this approach, publishing an updated (and now reduced) list of products that remain subject to “MiFID II” position limit enforcement: just one electric power contract, and a handful of low-volume futures for milk, butter and whey powder.

ESMA’s statement stems from the EU’s “MiFID II Quick Fix” Directive published in February. Technically an amendment to MiFID II (and to other EU Directives to a lesser degree), the Quick Fix Directive aims to support struggling EU commodity derivative markets during a time of economic uncertainty arising from the COVID pandemic. While its provisions reduce the scope of products subject to “MiFID II” position limits (among other changes), they do not become effective until 28 February 2022. Acknowledging this delay in needed regulatory relief, ESMA essentially has decided to suggest to domestic regulators that they immediately supervise their markets as if the Quick Fix were in effect now (i.e., immediately reducing the scope of products for which “MiFID II” position limits should be enforced).

For more information on position limits or our Investment Monitoring solution, please visit this page or email our regulatory guidance experts at: info@cssregtech.com.

SEC Reminds Advisers About ESG Practices

In recent years, investor awareness regarding environmental, social and governance issues (“ESG”) has grown and investors increasingly look for investments that advance their personal goals. As a result, the number of investment options claiming to consider ESG factors has also grown. There is a range of approaches with respect to the influence of ESG factors on an investment decision.

The U.S. Securities and Exchange Commission’s (“SEC”) Division of Examinations (“DOE”) has observed a variety of practices followed by investment advisers, including instances in which advisers fail to clearly represent their actual investing behavior. As a result, on April 9, 2021, the DOE issued a Risk Alert[1] to highlight their observations from recent exams of investment advisers, registered investment companies and private funds offering ESG products and services (collectively, “Firms”).

Following the issuance of the Risk Alert, SEC Commissioner Hester Peirce issued a statement regarding the Risk Alert[2]. She stressed that the SEC’s role is not to second-guess investment decisions, but to understand whether a Firm acts consistently with its claims. She also stressed that the topics discussed within the Risk Alert are not necessarily unique to an ESG strategy compared to other strategies.

What to expect in an exam

The DOE will evaluate the accuracy of ESG-related disclosures as well as a Firm’s policies and procedures. Specifically, examinations will focus on: reviewing portfolio management processes to ensure that investment decisions and proxy voting decision-making are consistent with ESG disclosures and marketing; reviewing a Firm’s regulatory filings, marketing materials (including websites and RFP responses) and reports to sponsors of global ESG frameworks, such as the UN Principles for Responsible Investment (“UNPRI”); and examining the effectiveness of compliance programs, in particular written policies and procedures, their implementation, and compliance oversight and reviews.

Do this, not that

The Risk Alert also highlighted good and bad practices observed by the DOE staff during recent examinations.

Good practices observed:
  • Simple and precise disclosures regarding the Firm’s approach to ESG investing, which are aligned to actual practices
  • Clear disclosure regarding the level of reliance on unaffiliated advisers, such as mutual fund sponsors
  • Precise disclosure about the role of ESG factors, especially if such factors could be considered alongside other factors
  • Explaining how investments are evaluated using goals established by global ESG frameworks, such as UNPRI
  • Policies and procedures addressing ESG investing and covering relevant practices
  • Knowledgeable and engaged compliance staff who are integrated into ESG-related processes
  • Compliance staff actively reviewing disclosures, marketing and other reporting

Bad practices observed:
  • Portfolio management practices were inconsistent with disclosures
  • Inadequate controls to monitor ESG guidelines
  • Proxy voting inconsistent with ESG claims
  • Unsubstantiated or potentially misleading claims about the ESG approach
  • Inadequate controls to ensure disclosures and marketing are consistent with practice
  • Compliance program did not adequately address ESG issues
  • Compliance staff had limited knowledge of the investment process or marketing disclosures

Takeaway

As Commissioner Peirce said in her statement, there are no specific rules that apply to offering ESG-influenced investment strategies. The Advertising Rule and the anti-fraud provisions of the Investment Advisers Act of 1940 still apply. Marketing, disclosures and other communications should accurately reflect the Firm’s approach and not attempt to mislead their intended audience. Compliance personnel should understand the Firm’s business and be active participants in communications activities. In short, the old rules still apply, and Firms should ensure that their words match their actions.

To speak with one of our regulatory or ESG experts, email us at: info@cssregtech.com.


[1] “The Division of Examinations’ Review of ESG Investing”, https://www.sec.gov/files/esg-risk-alert.pdf, April 9, 2021.

[2] “Statement on the Staff ESG Risk Alert”, Hester M. Peirce, https://www.sec.gov/news/public-statement/peirce-statement-staff-esg-risk-alert, April 12, 2021.

Virginia Joins Growing List of Jurisdictions Regulating Data Privacy. What’s Next?

Jurisdictions are creating privacy laws that balance the competing interests of protecting consumer data and not unnecessarily impeding companies’ ability to do business with residents of the jurisdictions that have enacted these regulations. As the number of places regulating data privacy with a patchwork of laws continues to expand, companies will have to rethink their approach to assessing compliance. The first comprehensive data privacy regulation of its kind came into existence in Europe when the European Union implemented the General Data Protection Regulation, GDPR, in 2018 to protect data and privacy in the European Union and the European Economic Area.

The State of California followed suit by enacting the California Consumer Privacy Act, CCPA, which became effective in 2020 and was subsequently amended in the CPRA ballot initiative in November 2020. Virginia became the latest U.S. jurisdiction to join the data privacy bandwagon when the Governor of Virginia passed the “Virginia Consumer Data Protection Act”, VCDPA. Virginia’s Act won’t go into effect until 2023. However, companies need to consider whether these laws apply to them, and if so, what actions to take to remain compliant.

Who is Regulated?

For a company to consider if this law applies, it must understand who these laws intend to regulate.

The CCPA, as amended by the CPRA, intends to regulate any for-profit entity doing business in California that meets one of the following requirements:

  • Has annual gross revenue of over $25 million (calculated on total global revenue regardless of where the revenue is derived from);
  • Buys, receives, sells or shares the personal information of 50,000 or more consumers (a “consumer” is defined as a California resident), households or devices for commercial purposes each year; or
  • Derives 50% or more of its annual revenue from selling consumer personal information.

For financial institutions, the CCPA provides for an exception for personal information that is subject to the Gramm-Leach-Bliley Act, GLBA. The GLBA exception is not an entity-level exemption. It applies to a certain category of data, not to financial institutions as entities. This is in contrast to Nevada’s privacy regulation, which exempts an entire organization if it is subject to the GLBA.

The GDPR intends to regulate a much broader audience in its scope and territorial reach. The Act regulates any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers or businesses in the EU.

As for the new VCDPA, it regulates all entities “who conduct business in the commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth” and, during a calendar year, either:

  • Control or process personal data of at least 100,000 Virginia residents, or
  • Derive over 50% of gross revenue from the sale of personal data (though the statute is unclear as to whether the revenue threshold applies to Virginia residents only) and control or process personal data of at least 25,000 Virginia residents.

Unlike the CCPA, the VCDPA does not include a standalone revenue threshold for determining applicability separate from the above thresholds regarding contacts with Virginia. Therefore, even large businesses will not be subject to the VCDPA unless they fall within one of the two categories above, which focus on the number of Virginia residents affected by the business’s processing of personal data.

However, similar to the entity-level approach taken by Nevada, Virginia’s CDPA exempts entities already covered by the GLBA, among other exemptions.

What Happens if the Company Doesn’t Comply?

As for the potential risk of non-compliance with data privacy regulations, every law has different types of penalties.

The CCPA uses fines to enforce its provisions. The maximum penalty under the CCPA is $7,500 and is reserved for intentional violations only. Other violations lacking intent remain subject to the preset $2,500 maximum fine. A consumer may also bring a suit against the company.

The GDPR states that it evaluates each punishment on a case-by-case basis. That said, for especially severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million euros or up to 4% of global turnover of the preceding fiscal year, whichever is higher. The European Union publicizes a tracker of reported fines and penalties that data protection authorities within the EU have imposed so far.

Unlike the CCPA, the VCDPA does not include a private right of action for consumers. It allows the Attorney General to bring an action in the name of the Commonwealth, or on behalf of persons residing in the Commonwealth. As for the amount of liability, a controller or data processor who violates the VCDPA is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation, per section 59.1-580 of the Act.

Key Takeaways

Companies should continue to monitor data privacy laws since they change so rapidly. If you are concerned about being in violation, consider reaching out to an expert.

  • The VCDPA is similar to the CCPA in scope. Still, instead of exempting specific personal data from the law, it exempts the businesses themselves – including, notably, financial services companies that must comply with the GLBA.
  • The Virginia Attorney General will enforce the VCDPA. Unlike the CCPA, which provides for a private right of action for data security incidents, there is no private right of action in the VCDPA.

Guest blog post by E.J. Yerzak, CSS and Sofia Orrantia McPherson, Quinnipiac University School of Law

For more information on the VCDPA or to learn more about CSS’s Cybersecurity Services, email cybersecurity@cssregtech.com.