Eventually, We Have to Go Back – BCP Post-Mortem
We don’t know when, but at some point we will have to put on shoes, get a haircut and return to the office. As compliance professionals, we are trained to look ahead and should be planning our action steps for when we return.
Gather Firm Records and Other Property. You should have a good sense of any records removed from the office, as well as any new records generated by your employees while working remotely. Obviously, this is a bigger challenge if your firm is traditionally paper-intensive. Further, determine if there are any electronic records that have been created and stored on an employee’s personal computer or email account. We suggest a review of your records retention policy to identify required records and their location throughout the cycle.
With respect to other property, such as computers, monitors and other hardware, determine whether such items were inventoried prior to being deployed and ensure that they are checked back in. Consider an attestation for employees to certify that all firm records and property have been returned.
Conduct a Post-Mortem Review of the BCP. Firms of all sizes quickly implemented a work from home model with little time to plan. Even if your business continuity plan contemplated a pandemic response, it’s never been deployed like it is now. Gather representation from across the organization and assess what worked, what didn’t and what changes should be made to the BCP. Some things to consider:
From this review, identify and prioritize your action items. Finally, consider engaging a third party to update your BCP or provide an independent post-mortem review.
Review Policies and Procedures. Chances are you bent a policy or modified a procedure or two while the team was working remotely. Review your policies and procedures to identify those exceptions and make sure that they are properly documented, as well as any effort to mitigate the impact of the exception. It’s also likely that you found a better way of doing some things that you may want to keep doing, or that ongoing social distancing requirements will continue to impact your business. To the extent that you modify your policies and procedures going forward, make sure you memorialize those changes and note their effective date.
Let CSS’s team of compliance and regulatory experts assist in developing and updating business continuity and cybersecurity plans. Email us at: info@cssregtech.com for an assessment and retrospective on your firm’s current BCP plan.
Coming of Age – The SEC Proposes Modernized Fund Valuation Practices
It has been 50 years since the SEC last addressed valuation practices for funds registered under the Investment Company Act of 1940, as amended (“ICA”). The SEC’s newly proposed rule[1] seeks to address the evolution of fund investment practices during that time. In particular, the proposed rule (Rule 2a-5) provides for the good faith determination of the fair value of a fund’s investments and grants boards the ability to assign good faith fair value determinations to the fund’s investment adviser, subject to board oversight and other conditions.
The ICA currently requires funds to value their investments using “readily available” market quotations of the securities. If a market quotation is not “readily available,” funds can use the fair value of a security as determined in good faith by the board. The proposed rule requires establishing criteria for determining when market quotations are no longer reliable and, hence, not readily available.
As proposed, in order to determine fair value in good faith certain functions must be performed. The functions include:
- Adopting and implementing written policies and procedures pertaining to fair value determinations and associated recordkeeping;
- Assessing and managing identified valuation risks, including conflicts of interest;
- Choosing, applying and testing fair value methodologies; and
- Approving, monitoring and assessing pricing services used by a fund.
Proposed Rule 2a-5 would also provide a board an alternative to making its own good faith fair value determinations. The proposal would permit a board to delegate the determinations to the fund’s investment adviser subject to the following conditions:
- The adviser being overseen by the board;
- Periodic reporting (i.e. at least quarterly) of the adequacy and effectiveness of the adviser’s process, including an assessment of valuation risks;
- Prompt reporting to the board on matters that could materially affect the fair value of the fund;
- Clearly defined and segregated roles and responsibilities of the adviser’s personnel; and
- Additional recordkeeping by the adviser.
The comment period for the proposal ends on July 21, 2020. For more information on how CSS can help you stay ahead of regulatory change, please email us at: info@cssregtech.com and one of our regulatory experts will be in touch!
[1] https://www.sec.gov/rules/proposed/2020/ic-33845.pdf
ESMA Proposes Major Changes to EMIR
On March 27, ESMA published a consultation on changes to the technical standards of trade reporting under the EMIR Refit legislation.
Highlights include:
- ESMA proposes a complete overhaul of EMIR with full alignment to SFTR in terms of validations and data formats and alignment with MiFIR in terms of how to handle reference data (specifically UPI).
- ESMA recommends a new way of handling lifecycle events, using two fields instead of one (Action Type + Event Type) which will add even more complexity.
- The number of reportable fields is expected to go from 129 to 203. This means that, for firms to be compliant, data governance and control of the reference data will be even more important going forward.
The consultation outlines substantial changes to multiple aspects of EMIR reporting. While some changes were expected, this consultation proposes sizable changes, with a proposed increase from 129 to 203 reportable fields. Many of the amended data requirements are derived from a global initiative finalized by FSB in a Critical Data Element guidance.
Most parts of the current EMIR outline are affected with changes to fields such as price, payment, basket and the addition of margin-related fields. ESMA also suggests supplements to the coming UPI identifier, new validations of LEI codes, usage of OTF, MTF and SI MICs, which will add to the reference data burden firms have today.
With the aim to give regulators better understanding of the risks in the derivatives market, ESMA also suggests an overhaul of action types and events that firms have to report, including new fields such as Prior UTI and Post Trade Reduction ID.
Apart from changes in the data to be reported, ESMA also recommends the usage of ISO 20022 for reporting to Trade Repositories.
The overall reasoning behind most changes is to improve the quality of reported data. This will, according to ESMA, be achieved by removing ambiguous fields, adding clarity to how fields should be reported and making participants report derivatives trading in a more granular way.
From a regulator’s point of view, these proposed amendments might achieve the desired outcome, but there are still questions that need to be answered. For example, a new waterfall model for UTI generation is proposed to bring clarification, and that will probably get you some distance. However, the issues surrounding UTI are not only connected to the generation of UTI, but also to sharing. So even with a new waterfall model the issues will still remain.
Although these are just proposed changes, they are an indication of ESMA’s intentions with EMIR. It is certain that changes will come, and they will add to the already present complexity and burden for firms reporting transactions under EMIR, MiFIR and SFTR. The alignment and overlap between existing regulations allows for reuse of reference data across various regulations and with attributes, rather than just transactions. The consolidation of reporting solutions may seem more and more attractive.
The deadline for response is June 19, 2020, and the final report is due to be delivered by the end of this year. With an additional 18 months of implementation, the changes are expected to go live in late 2022.
For more information on CSS’s Global Transaction Reporting platform, EMIR, MiFIR or SFTR, please email: SFTR@cssregtech.com.
New SEC Risk Alerts
The SEC today issued Risk Alerts identifying areas related to Form CRS and Regulation BI on which examiners will focus during upcoming exams. The SEC indicated in today’s Form CRS Risk Alert that RIAs need to meet content, delivery and record keeping requirements. The SEC referred RIAs to the Form CRS Adopting Release and Small Entity Compliance Guide for more information. The SEC’s Regulation BI Risk Alert reviewed the four component obligations: a Disclosure Obligation, a Care Obligation, a Conflict of Interest Obligation, and a Compliance Obligation.
The press release announcing the risk alerts quoted Pete Driscoll, Director of OCIE, stating that during initial examinations, “our focus will be on firms continuing good faith and reasonable efforts, including taking into account firm-specific effects from disruptions caused by COVID-19.” The press release also emphasized the importance of these regulations and the urgency to implement. “Regulation Best Interest and Form CRS are key components of a broader package of rules and interpretations, adopted contemporaneously on June 5, 2019, to enhance the quality and transparency of retail investors’ relationships with broker-dealers and investment advisers. The compliance date for Regulation Best Interest and Form CRS is June 30, 2020.”
Check out the Form CRS Automator for RIAs and BDs, and contact us regarding Regulation BI implementation services. CSS’s Form CRS Automator makes filing Form CRS fast and efficient and gives you confidence that you have it right. Our Regulation BI checklists will help make sure you are on the right track for your examination. For those not yet started, we can help you establish the necessary policies and disclosures. Email our compliance experts at formcrs@cssregtech.com.
COVID-19 and Compliance – Mitigation Efforts Will Have Compliance Consequences the SEC Soon Will Examine
We understand that COVID-19 has brought many stresses, both personal and professional. To many private fund advisers, this may seem an appropriate time to allow “compliance” to take a “back-seat.” However, many business and management decisions your firm now may be contemplating or is already positioned to take likely will have compliance ramifications, now or in the near future. Rather than let compliance slip while your firm pivots in response to this global pandemic, compliance should continue to have a seat at the table within the management structure.
For example, did the CCO review investor communications disseminated in response to this situation? Were investor communications appropriately consistent, across vehicles and within each vehicle, or did they vary where they should not have? Is your firm contemplating a change in fund guidelines, a term extension, or other material change? Have management and compliance recently reviewed the fund documents to understand when LPAC consent is needed? What do your fund documents say about sustained illness and key person risk, if anything? We understand that CCOs at some firms are also founders, partners, voting members of the Investment Committee, and the like. But we remind those firms whose CCO is not also in these positions to bring the CCO and compliance department members to these discussions and the fund documentation analysis, so that the process can be sound and the mitigation efforts free of compliance shortfalls.
We all know that fees and expenses are a perennial hot topic for the SEC. So, is your firm considering a change in fees? Are you continuing to receive all forms of portfolio compensation? Are you considering a change to the offset percentage? Have you had issues or are you going to have issues with capital calls, or is your capital call process in need of tweaking? Are clawbacks being exercised, or will they be?
Another regular hot button issue is the use of leverage, loans, credit lines, subscription credit facilities, and the like. Does compliance understand the firm’s use of these and the potential consequences for disclosures, advertising, performance, valuations, and other firm or fund obligations?
These are just a few examples of COVID-19’s possible impact to your firm.
For the CCOs out there who are a step or two behind the executive decision-making at your firm, we suggest you ask to join the discussions that occur before decisions are implemented. For those of you working with legal counsel to understand available courses of action, support that work with additional consideration to compliance, because there will be compliance-related consequences to your legal rights of action. We know that OCIE will be examining what firms did well and what they did not do well. We want your firm to be one of the ones that did well. We are here to help. Email us at info@cssregtech.com.
Where Are Your Cybersecurity Blindspots with COVID-19?
Google Data Reveals 350% Surge In Phishing Websites During Coronavirus Pandemic
More financial firms have shifted to a remote workforce in the midst of the COVID-19 pandemic. While the availability of VPNs and cloud-based services has enabled firms to continue operating, the paradigm shift to an entire staff working from home has not come without increased cybersecurity risks.
Hackers have realized that there are more opportunities to compromise firm data and staff credentials when such a large group of workers is working from home. Add to that the increased fear and uncertainty around the pandemic, with employees constantly searching for the latest updates and information, and you have a recipe for cybersecurity breaches that could impact your firm’s data and your personal data.
CSS’s cybersecurity team has put together the following checklist to help determine if your employees’ data may be at risk:
- Is more than 50% of your workforce currently working from home?
- Is your mobile staff using their personal computers or devices to work?
- Do you list names and email addresses of executive management on your firm’s website?
- Do you include personal details in employee bios listed on your firm’s website?
- Do any of your staff members maintain a presence on LinkedIn?
- Do you permit employees to access confidential email on their mobile devices?
- Are you aware of any employees using the same password for multiple accounts?
- Was your most recent phishing test for staff conducted more than 3 months ago?
If you answered yes to three or more of these questions, your risk of account compromise is heightened. Let CSS help mitigate that risk to your firm and your staff.
We are pleased to offer Dark Web Monitoring as an additional service to our robust Cybersecurity offerings. With dark web monitoring, we proactively monitor the dark web for your firm’s compromised employee and client data, alerting you when such data appears in dark web forums and enabling you to take prompt action to change account passwords before other hackers buy and use the compromised credentials.
It can be easy to feel powerless in the current uncertain environment. Take back control of your firm’s risk. Contact us at cybersecurity@cssregtech.com to schedule a consultation with one of our cybersecurity experts and to learn more about dark web monitoring, cyber risk assessments and phishing testing.