Countdown to CCPA: Are You Ready to Comply with New Data Privacy Requirements?
With less than one month before the California Consumer Privacy Act (CCPA) is effective, companies are preparing to update their cybersecurity programs. Many must address the regulation’s new data privacy requirements, which have caught some financial institutions off guard. Modeled to some extent after the European Union’s General Data Protection Regulation (GDPR), the CCPA provides new privacy rights to California consumers, including:
- The right to know what categories and items of their personal information are collected, used, shared, or sold;
- The right to delete that personal information;
- The right to opt out of the sale of their personal information; and
- The right to non-discrimination for price and services when invoking such rights.
The CCPA applies to companies who do business in California and who either:
- Have gross annual revenues in excess of $25 million (in total, not limited to California);
- Buy, receive, or sell the personal information of at least 50,000 consumers, households, or devices annually; or
- Derive at least 50% of annual revenue from the sale of personal information of California consumers.
As such, a number of financial institutions are finding themselves subject to the CCPA’s requirements, which include providing specific privacy notice disclosure to California consumers that expands upon typical privacy notice provisions (including disclosure about the additional rights of California consumers under the CCPA). Also included in the requirements are development of policies and procedures for handling consumer requests to exercise data privacy rights under the CCPA, along with mapping an inventory of where personal information of consumers is stored in order to facilitate responding to deletion requests.
The CCPA does include a number of exemptions, such as for data subject to HIPAA and the Gramm-Leach-Bliley Act (GLBA), as implemented under Regulation S-P for SEC registrants. A consumer’s right to request deletion of personal information can be denied if such information is required by law to be kept by the SEC registrant. However, many investment advisers collect and store personal information that is outside the scope of the GLBA, including, for example, data about their own employees and data about individual contacts at their third-party service providers. The CCPA provides a one-year extension, until January 1, 2021, for some of the requirements applicable to employee data and business-to-business data collected as part of due diligence. And advisers to private funds who have not had Regulation S-P on their radars may find themselves with additional requirements with respect to the personal data they collect about individual investors in the funds they advise. Firms that collect cookies via their websites may quickly find that they, too, are within the scope of the CCPA, as cookies are included in the definition of “personal information” under the CCPA.
The CCPA is effective January 1, 2020, and enforcement of the CCPA is expected to occur by the earlier of July 1, 2020 or six months following publication of the law’s implementing regulations by the California Attorney General. Penalties for noncompliance can be steep, as each consumer can request damages of up to $750 if a company does not cure violations within 30 days, on top of the up to $7,500 in fines per data record for intentional violations.
And California’s first-in-the-nation comprehensive data privacy law is likely the first of many, as other states are expected to follow suit.
For assistance in conducting a cybersecurity risk assessment, data mapping, and updating your cybersecurity procedures to align with the California Consumer Privacy Act, please contact us to find out how our Shield cybersecurity services can help.
ESMA Updates AIFMD Q&A on Reporting to National Competent Authorities
The European Securities and Markets Authority (ESMA) has updated its Questions and Answers on the Alternative Investment Fund Managers Directive (AIFMD).
One new Q&A has been added with regard to reporting to National Competent Authorities. ESMA has provided clarification on reporting on liquidity stress tests for closed-ended unleveraged Alternative Investment Funds (AIFs). These AIFs are exempt from the requirement to implement liquidity risk management systems, yet the reporting field is required. The new Q&A instructs AIFMs to indicate that the question is “Not Applicable” and to report the fact that the AIF is a closed-ended unleveraged AIF. However, if the AIFM does conduct liquidity stress tests for the AIF, the results must be reported in the field.
The update can be found at Section III, Question 83.
CSS Named to RegTech 100 List of World’s Most Innovative RegTech Companies
NEW YORK – Compliance Solutions Strategies (CSS) is proud to announce its inclusion in the RegTech 100 for 2020, a list recognizing the world’s most innovative RegTech companies compiled by RegTech Analyst, a specialist research firm.
“We are honored to be selected as one of the most innovative companies within such a competitive and evolving industry,” CSS President John Lee said. “This distinction validates CSS’s continued commitment to empowering its clients with best-in-class technology solutions for managing complex global regulatory requirements while achieving targeted levels of operational efficiency and risk reduction.”
CSS was selected largely based on its unique positioning within the market as a company whose breadth of solution capabilities helps mitigate vendor risk by allowing clients to address a range of regulatory compliance requirements.
Key CSS RegTech solutions include:
- Signal – An automated monitoring and reporting solution that compares portfolio holdings to relevant thresholds, provides alerts when action is required, and generates disclosure notifications for filing with regulators.
- Ascendant Compliance Manager – An enterprise platform for managing an organization’s complete compliance program, meeting regulatory requirements, facilitating workflow and communication, building and maintaining a document library, assessing and mitigating risk, and completing post-trade compliance testing and reporting.
- TradeChannel – A multi-regulatory transaction reporting platform that seamlessly integrates with the client’s core trade data systems and provides ongoing flexibility to comply with the changing requirements of ESMA, TRs, ARMs and NCAs.
To compile the list, the RegTech 100 advisory board and analyst team examine a collection of over 1,000 solution providers shaping the future of the compliance, risk management and cybersecurity industries on a range of factors, including the impact on the problem being solved; growth, in terms of capital raised, revenue, customer traction; innovation of the technology solution offered; potential cost savings, efficiency improvement, impact on the value chain and/or revenue enhancements generated for clients; and how important it is for a financial institution to know about the company.
About CSS
CSS is a global ‘RegTech’ platform – driven by data and backed by service – providing a comprehensive set of software solutions supported by a highly targeted managed service capability. CSS solutions and services are aligned to the multiple regulatory compliance requirements of global funds reporting, global transaction reporting and global threshold management. The company currently serves over 600 software clients in the financial services vertical comprising hedge funds, traditional asset managers and fund administrators, including Tier-1 buy-side and sell-side institutions. CSS is uniquely positioned within the market in terms of its size and the breadth of its regulatory compliance offerings. These factors vest the company with the capital and product range to support the broadest possible spectrum of regulatory requirements, while retaining the agility to work in partnership with individual clients to develop and support a comprehensive and longstanding program of regulatory compliance on a global scale. The company maintains a global footprint across both the United States and Europe with customer-facing offices in New York, London, Dublin, Amsterdam and Stockholm. For more information, please visit www.compliancesolutionsstrategies.com or follow CSS on LinkedIn.
SEC Proposes Modernizing Advertising and Cash Solicitation Rules for Investment Advisers
In a much-anticipated move, the Securities and Exchange Commission (the “Commission” or the “SEC”) recently voted to propose amendments to modernize rules that prohibit certain investment adviser advertisements and payments to solicitors under the Investment Advisers Act of 1940 (the “Advisers Act” or the “Act”). The proposal also contemplates amendments to Form ADV to require additional disclosures regarding advisers’ advertising practices and conforming amendments to the Advisers Act books and records rule.
AMENDMENTS TO RULE 206(4)-1
The proposed amendments to the advertising rule recognize how advances in technology have altered how advisers interact with investors and prospective investors, and changes in the expectations and demographics of consumers, the types of services offered by advisers, as well as the availability of information. The Commission notes that, “The breadth of the current (advertising) rule’s prohibitions, as well as the lack of explicit prescriptions related to the presentation of performance in the rule, can present compliance challenges and potentially have a chilling effect on advisers’ ability to provide useful information in communications that are considered advertisements.(i)” The proposed rule takes a more principles-based approach, incorporating both general prohibitions along with certain tailored restrictions and requirements, to better align with the evolution of the industry.
Proposed Amendments to Transaction Cost Calculations under PRIIPs
The European Supervisory Authorities (ESAs) recently issued a consultation paper that includes two draft proposals for changes to transaction cost calculation requirements outlined in Annex VI points 7-23, among other proposed amendments to the PRIIPs KID. The first proposal seeks to reduce the impact of negative implicit costs on net transaction cost disclosures, in addition to providing guidance for transactions executed on an OTC basis, costs associated with non-financial assets, and costs associated with low turnover asset classes. The second proposal also seeks to reduce the impact of negative implicit costs but includes a provision to replace the arrival price methodology with a more principles-based approach to select a suitable benchmark.
The primary concern raised by market participants is that negative implicit costs, or orders where the average execution price experiences a net improvement versus the prevailing arrival price (see Figure 1), are not well understood by retail investors. The ESAs intend to resolve this problem by requiring PRIIPs manufacturers to disclose a minimum of explicit transaction costs where aggregate implicit transaction costs are negative. This amendment is consistent in both draft proposals submitted in the consultation paper. This in effect prohibits the disclosure of zero or negative transaction costs in the PRIIPs KID, which the ESAs believe to be “confusing or at least not intuitive.”
Figure 1 Example of negative transaction costs. (Image Source: Bloomberg Markets)
The arrival price methodology captures the difference between the net realized execution price and the prevailing mid-point of the bid-ask spread at the arrival time. The arrival time is captured when the order is submitted to an executing broker, or in the event of direct market-access, the time the order is submitted to the venue. Market participants have also criticized arrival price benchmarking for recording market movements that are independent of the transaction as costs to the investor.
An example of this is provided below in Figure 2, where a trader executes trades using a volume participation algorithm to reduce market impact and still underperforms the arrival price based on the intraday volatility of the security being traded. Under current rules, PRIIPs manufacturers are required to use the arrival price, but the second draft proposal replaces it with a principles-based approach. If adopted, implicit costs will continue to be measured by comparing the average execution price to a benchmark; however, the PRIIPs manufacturer will now have the discretion to identify a suitable reference rate taking into consideration the size and urgency of the order and the liquidity and volatility of the security.
Figure 2 Positive price momentum resulting in high implicit trading costs. (Image Source: Bloomberg Markets)
It is evident that the ESAs believe that implicit costs are integral to their transaction cost transparency initiative, so I wouldn’t expect an amendment to remove them altogether from cost calculations. However, I would keep an eye on responses to the consultation paper as they are made available sometime in the first half of 2020.
Introducing the Regulatory Book of Record (RBOR)
I recently had the opportunity to sit down with our Chief Product Officer Ronan Brennan to discuss regulatory data management in front of an intimate and engaged audience of CSS conference attendees in Scottsdale, Arizona. The group ranged from small fund managers to large institutional asset managers, so it was difficult to boil down the topic into a one-size-fits-all approach, especially one as technical as this. As a follow-up to our discussion, I wanted to re-examine the concepts of strategic and tactical implementations and introduce a new one – the regulatory book of record (RBOR).
There are two approaches for sourcing regulatory data. The first is to build a single source of regulatory data or a regulatory book of record (RBOR). The second approach builds a gateway into multiple data sources – including the accounting or investment book of record (ABOR or IBOR), order/execution management system (OEMS) and reference databases. We can also refer to these approaches as either strategic or tactical.
Figure 1 Data flows from disparate systems to compile the regulatory book of record (RBOR). Source: CSS RegTech
Today’s global regulatory environment demands that data generated during the trade lifecycle (including historical positions) be accessible downstream to facilitate transaction reporting with regulators, exchanges and MTFs; periodic form filings such as Form PF, CPO-PQR and Annex IV; and support trade desk oversight functions such as position limit monitoring and substantial shareholder reporting. The expanded scope of filings and the increase in the frequency with which data must be produced have forced firms to re-evaluate their systems infrastructure. With near real-time data now in vogue with compliance teams, many operations teams are going back to the drawing board.
If you recall, the IBOR movement began under similar circumstances. Portfolio managers and traders needed real-time portfolio-centric views of positions and cash balances to better manage client accounts and maintain portfolio compliance. The RBOR movement is being driven by similar needs, and there are obvious long-term operational efficiencies in taking a strategic approach – such as the ability to absorb changes, mitigate vendor risk, and reduce the long-term costs of maintenance.
Figure 2 Pros and cons of strategic and tactical regulatory data management.
The RBOR methodology is often included as one of the books of record in the multiple books of record (or MBOR) approach. The goal of the MBOR framework is to create multiple books of record such that the front, middle and back office have more comprehensive access to specific data sets required to carry out their job functions.
Due to the high upfront costs and impact on critical systems, smaller firms commonly take a more tactical approach by building gateways directly into the source systems (for example, the ABOR) and enriching the data with external data. The ABOR runs a batch process that occurs at the close of business each day and recognizes trades as part of the fund and NAV one business day after the trade is executed. Reconciling positions on a trade date plus one (T+1) basis is often acceptable for periodic filings, but it can become problematic for monitoring portfolio compliance and reporting thresholds in real-time.
There are some benefits to taking a tactical approach as well. Most notably, if real-time data is required to facilitate a compliance function, it is often best to go directly to the OEMS to reduce latency. Real-time positional data is going to be difficult in the absence of an IBOR, so the combination of an ABOR and a near real-time transactional feed can help firms facilitate real-time position limits monitoring or trade surveillance, for example.
For smaller firms unable to make the transition from the static ABOR to the dynamic IBOR framework, and even for larger firms struggling with the complexity of design and implementation, it is worth considering how developing an RBOR can provide better data governance for compliance teams now tasked with a myriad of data-driven filings and disclosures.
CSS boasts an entire suite of solutions for regulatory data management as well as other regulatory requirements. Have a look, and contact us for more information.