
Can We Say That Now? Predictions on Marketing and Advertising Amendments

Can we say that now? That’s what attendees at the recent CSS Compliance Conference in Scottsdale, Arizona wanted to find out as they attended a session on the application of marketing and advertising rules to the retail and private fund space. Michael Caccese, Chairman of the Management Committee and Practice Area Leader, Financial Services, K&L Gates LLP was joined by K&L Partner Michael McGrath in a panel moderated by Matt Calabro, Director of Institutional Wealth Services at Compliance Solutions Strategies.

The panel, ranked No. 1 among advertising and marketing panels at the event by a statistically insignificant sample size of this author, discussed what is and is not deemed an advertisement under the Advertising Rules adopted under Advisers Act Rule 206(4)-1, recapped key no-action letter guidance, and detailed many examples of ways to craft disclosure language to comply with the rule’s prohibitions on testimonials, past specific recommendations, and false or misleading statements. Case studies, rankings, and uses of social media were also discussed. Mr. Caccese and Mr. McGrath delivered a session that was truly “best in class” and a top performer, and expressed their predictions for expected changes by the SEC in the next few months to the advertising rules.

Their predictions: a departure from black and white prohibitions in favor of a principles-based approach, and a bifurcation of the advertising rules as applied to the retail and institutional space.

Although it remains to be seen whether the panel’s stellar performance at the conference in predictions is an indication of future results, attendees were treated to the proven expertise of the panelists, and their willingness to share their industry insights and perspectives was much appreciated. And that is something we will gladly disclose.


Interested in attending our next conference? Our spring 2020 event is set for the Ritz-Carlton Sarasota in sunny Florida. Register now using the discount code CSS2020 for $600 savings!

Recent Privacy Law Changes for Advisers a Focus of Cyber Discussion in Scottsdale

Regulators and legislators certainly have been busy in 2019, leaving little breathing room for financial firms. More data privacy laws are on the horizon, particularly at the state level, with some very real implications for SEC-registered investment advisers. That was the key message from the “Regulatory Update on Privacy Regulations and Cybersecurity” panel during the recent CSS Fall 2019 Conference in Scottsdale, Arizona. Lending their expertise on the panel were Joseph Borg, Director of the Alabama Securities Commission and former President of the North American Securities Administrators Association (NASAA); Andrew Hartnett, Deputy Administrator of the Iowa Insurance Division; Cynthia Larose, Partner, CIPP/US and CIPP/EU, and Chair of the Privacy and Cybersecurity Practice at Mintz Levin; and Andras Teleki, Chief Legal Officer for M3Sixty Administration, LLC.

With three cybersecurity risk alerts issued by the SEC within the past year, attendees at the conference were aware that the regulatory focus on cyber has not abated. The panel discussed the implications of recent data privacy regulations at the state level, including the recently amended California Consumer Privacy Act (CCPA) scheduled to take effect in January 2020, New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and other legislation. The regulatory changes include an expansion of the definition of personal information subject to data breach reporting and the inclusion of access alone, even without data acquisition, as sufficient to constitute a data breach. Suspicious activity reporting (SARs) thresholds for reporting phishing and ransomware to FinCEN were also discussed.

Since the state regulators work closely behind the scenes with their federal counterparts, and since federally registered advisers must still abide by applicable state data privacy regulations, the implications are tremendous. Firms that escaped the scope of the General Data Protection Regulation (GDPR) last year are now facing regulations in the U.S. that closely mirror the protections under GDPR. The importance of reasonable vendor due diligence was discussed, and the panel provided a list of eight steps firms can take to revise their information security policies and procedures to align with guidance from the recent SEC risk alerts and examination focus. A sampling of those steps includes:

  • Incident response plans should take state breach disclosure laws into account
  • Data Loss Prevention – policy changes should address encryption, monitoring, use of cloud-based apps and electronic communication platforms
  • System Hardening – policy changes should mandate default passwords be changed, patches be tested and deployed promptly

If you haven’t looked at your cyber policies in the last year, Ms. Larose cautioned attendees that there have been a lot of changes in the last year worth addressing in your policies, so “it’s time to dust them off.”


  • If you’re part of a private equity firm that needs cyber help, consider joining our free breakfast roundtable in New York on October 24. For more information or to register, click here.

Running Toward the RegTech Revolution

I like to get to conferences early when I can. It lets me absorb the local environment, which often informs my perspective in new ways. Beautiful Scottsdale, Arizona, the site of the CSS Fall Compliance Conference recently held on September 23-25, was no exception.

Just stay with me for a bit (I promise to talk about regtech stuff soon). Upon arrival at the expansive venue, the Hyatt Regency Hotel & Spa at Gainey Ranch, I didn’t even need to leave its confines to get a first taste of Arizona. A back corner of the lobby level offered an exhibit on the history and culture of Hopi Indians, one of whom struck me in particular.

Lewis Tewanima, who liked to run long distances in the Hopi tradition (really long, as in 50 miles), grew up in Second Mesa on Arizona’s Hopi Reservation, and like many others was sent to boarding school in Pennsylvania (pursuant to a deeply controversial government “assimilation” policy, which you should Google if you aren’t familiar with it). There, he became a teammate of legend Jim Thorpe and student of legendary coach Pop Warner, proceeded to win numerous races and claim a silver medal in the 1912 Olympics – thus carving out his own legendary status – and returned home a hero, spending the rest of his life farming on the Reservation. So for me, as the days went by, and after seeing Taliesin West, hiking among the red rocks in Sedona, attempting (and failing at) line-dancing, and finally learning how to pronounce “Saguaro” cactus, the story of Lewis Tewanima stuck the most.

Strange as it may seem, he came to mind during one of the many interesting panel discussions at the conference: “RegTech Revolution,” featuring Andras Teleki, Chief Legal Officer at the mutual fund administrator M3Sixty Administration, and E.J. Yerzak, Director of Cyber IT Services for CSS. They looked at how technology has enriched our ability to meet regulatory compliance challenges.

Technology is by now seen as a necessity for firms (in critical aspects such as an internet service provider, website, e-mail communication, mobile access, and data backup), as well as going further as an enabler (providing word processing flexibility, file sharing and collaboration, client portals, live meetings and communication, and dynamic sales data). And yet – here’s where that irrepressible runner from Second Mesa comes in – Andras and E.J. described how a firm’s ability to successfully harness all that technology and data still depends on the talent and diligence of individuals.

Andras pointed out that an “inertia mindset” can prevent individuals at a firm from facing a challenge in the first place. Even when presented with the possibility of achieving excellence in the long run, people are often reluctant to try because they see it as difficult and burdensome.

Once the hurdle of addressing the problem has been overcome, it is up to individuals to select the right solution. Some applications are more robust than others, as Andras described with the example of “retail” vs. “commercial” versions of software that may otherwise appear equivalent. Moreover, any solution’s apparent advantages may in fact disappear under the scrutiny of a rigorous cost-benefit analysis, which of course depends on assessments made at the individual level. Finally, E.J. cited any technology’s potential exposure to security concerns, which may not have existed under a firm’s manual processes, and which must be examined by the individuals best positioned to do so.

Once a firm has chosen and implemented its technology solution, it will be the firm’s individuals, and not the solution itself, who maintain the solution’s continued effectiveness. This is why, as E.J. noted, “key man” risk is so important. (To address this, he said, every step taken in a successful automation should be documented, so that “key man” risk is minimized.) Andras added that properly testing automation is important, and relies on the expertise of individuals. He used the example of a solution for a firm’s accounting department, which should be tested not just by the firm’s technology personnel but by the firm’s individual accountants who ultimately will depend on it the most. Andras also addressed the tremendous sets of data available to firms. These are vulnerable to problems with data accuracy, which of course means that a firm’s various complex processes relying on that data will suffer as well. He noted that this especially is the case when underlying client data is messy or inaccurate, a problem which often requires the expertise and close attention of individual specialists to resolve.

E.J. and Andras also broached other aspects of our “RegTech Revolution” currently under way, making the hour-long session a fairly wide-ranging discussion. But by the end of it, one clear lesson they had imparted to the firms in attendance might go as follows: Automate to the best of your capacity but do it the right way, and don’t underestimate the value of a Lewis Tewanima in your corner.



Virginia Investment Adviser Rules Amended – September 16, 2019 Compliance Date

Last week we discussed the changes to the Massachusetts IA Disclosure Rule. That is not the only state legislature that has been busy. On August 21, 2019, the Virginia State Corporation Commission adopted revisions to Chapters 20, 30, 45, and 80 of Title 21 of the Virginia Administrative Code. The amendments impact Virginia state registered advisers and include:

  1. The requirement to establish, implement, update and enforce written physical security and cybersecurity policies and procedures;
  2. The requirement to deliver upon engagement by a client, and on an annual basis thereafter, to each client a privacy policy. The privacy policy shall be promptly updated and delivered to each client if any of the information in the policy becomes inaccurate;
  3. Prohibition of any mandatory arbitration provision in an advisory contract;
  4. Notification to the Division of Securities and Retail Franchising, State Corporation Commission and the client of an unauthorized access to records that may expose a client’s identity or investments to a third party within three business days of the discovery of the unauthorized access; and
  5. Authorization to delay or refuse to place an order or to disburse funds that may involve or result in the financial exploitation of an individual pursuant to 63.2-1606 L of the Code of Virginia.

For complete details on what should be included in the physical security and cybersecurity policies and procedures, please refer to Rule 21VAC5-80-260 (Information security and privacy). The adopted amendments to Chapters 20, 30, 45, and 80 of Title 21 were enforceable as of September 16, 2019.


If you need further guidance on this rule change, or any compliance assistance with state registration, explore our compliance management services and contact us.

Updates to the Massachusetts Investment Adviser Disclosure Rule  

The states continue to be busy with new rule-making! On June 14, 2019 the Massachusetts Securities Division (the ‘Division’) adopted amendments to 950 Massachusetts Code of Regulations 12.205(8). The amendments, applicable to Massachusetts registered advisers, include two elements, but the key one that we’ll focus on here is the requirement for Massachusetts registered investment advisers to provide current and prospective clients with a fee table for their offered advisory services.

Summary of Disclosure Requirements

An investment adviser must provide each current or prospective client with the following disclosures at least 48 hours before entering into a contract or, if the investment adviser provides disclosures to the client at the time of entering into the contract, the investment adviser must give the client the option to cancel the contract within five business days:

  1. A disclosure statement, which may be a copy of Form ADV, Part 2 or another written document containing the equivalent information. Alternatively, a document that is not Form ADV, Part 2 must be filed with the Division before its first use;
  2. A standalone Table of Fees for services in a Division-approved format that is prepared in accordance with specific instructions;
  3. Any additional information required to be disclosed under the Investment Advisers Act of 1940; and
  4. A notice that any disciplinary history for the investment adviser and employed/associated investment adviser representatives can be obtained from the Division.*

An investment adviser must annually, without charge, deliver (or offer in writing to deliver) the above disclosures to respective advisory clients upon their written request. Any disclosures that an advisory client requests in writing must be sent to the client within seven days of the adviser’s receiving the client’s request.

*This disclosure is to be included within Item 9 of the Form ADV Part 2A.

The Massachusetts Securities Act’s disclosure obligations are considered met if the investment adviser complies with the above four-part requirement.

The adopted amendments to 950 CMR 12.205(8) will be enforced as of January 1, 2020.

Required Table of Fees

The required Table of Fees must be available and easily accessible on any website the investment adviser maintains for the adviser’s clients and/or for the public.

The Table of Fees must be a one-page, stand-alone document based on information that is already in each investment adviser’s Form ADV Part 2A. The Table of Fees must be prepared on the Securities Division-approved form and in accordance with the guidance and instructions for preparing the required fee disclosure.

Updates and delivery of the Table of Fees must be done consistently with the existing requirements to Form ADV. The purpose of the Table of Fees is to increase transparency of advisory fees and costs, aid comprehension of advisory fees and costs, and enable investors to make more informed decisions when choosing their investment advisers. The Table of Fees achieves this goal by clarifying the information about fees and services from the investment adviser’s brochure into a simple, easily understandable format to enable a side-by-side comparison of investment advisers and promote more informed questions and conversations about services and fees.

The Table of Fees must be annually updated as of the date the investment adviser is required to file any annual Form ADV amendments.

Need more guidance? The Massachusetts Securities Division will be conducting an in-person training session to assist investment advisory firms with their preparation of the document. The training session will be held on October 29, 2019 at the Best Western Hotel in Marlborough, MA, and information is available here. A copy of the presentation will be available to those who cannot attend the in-person training. CSS, through its Ascendant compliance services division, can also help. Check out our services and contact us.

Improving Mutual Funds’ Principal Risks Disclosure

The Securities and Exchange Commission (SEC) has for years stressed that registrants’ disclosure in regulatory filings needs to be written in “plain English.” The SEC’s Disclosure Review and Accounting Office recently reiterated the plain English directive in “ADI 2019 – 08 – Improving Principal Risks Disclosure.” The guidance focuses specifically on making disclosure of principal risks in a registered fund’s prospectus understandable for investors. The SEC views principal risks as those risks that are reasonably likely to adversely affect a fund’s net asset value, yield and total return.

The SEC’s guidance suggests the following approaches to principal risk disclosure to assist with providing clarity for investors:

  • Ordering risk by importance
  • Tailoring risk disclosures
  • Affirmatively stating that a particular fund is not appropriate for certain investors
  • Providing additional, more detailed information about a principal risk elsewhere in a prospectus
  • Disclosing non-principal risks in the Statement of Additional Information rather than the prospectus
  • Periodically reviewing risk disclosures, including the order in which they are listed, and evaluating their adequacy

With respect to ordering risks by importance, the guidance is simple: put the most significant risk first. The SEC understands that listing risks in this manner is a subjective determination and has stated that it would generally not comment on the order. The SEC’s view is that listing risks in any other manner could help obscure them.

Additionally, risks need to be tailored to the fund’s or fund family’s investment strategy, investment vehicles and the impact of market conditions, among other things. This is a lot like drafting policies and procedures. The disclosure cannot be off-the-shelf or one-size-fits-all. Think about unique qualities or factors pertaining to a fund and describe the associated risks.

Implementing this guidance can be incorporated into a fund’s existing procedures for reviewing and revising prospectuses and other disclosure documents. In other words, maintain the same process while keeping this guidance top of mind, and revise the disclosure as necessary. Also discuss the SEC’s expectations with other members of a fund’s review team so that other perspectives and input can be included.


If you need help with addressing your risk disclosures or other mutual fund compliance issues, explore our services and then contact us.