How Can a Small Advisory Practice Economically Be as Cyber-Secure as Possible?
Cybersecurity is a risk that applies to firms both large and small without discrimination. Even very small advisory firms, which I’ll define as having one to five staff for purposes of this discussion, have a wealth of information worth safeguarding.
Cybercrime is often a crime of opportunity. Hackers are metaphorically going door to door (computer to computer) jiggling doorknobs to see which company is unlocked and a ripe target. At CSS, we are frequently asked by small practices about what steps they can take to improve their cybersecurity. My advice is to focus on the quick wins and the most cost-effective solutions. The goal isn’t to build Fort Knox, but to be a little more secure than the next company to take the target off your back. And it’s important to keep in mind that small firms are in fact a target. Many small firms believe they are not on a hacker’s radar, but hackers know that small firms are more likely to have weaker defenses.
Cost-effective solutions include:
- Keeping your software and operating system patched, so that vulnerabilities can’t be exploited
- Being aware of social engineering and phishing risks, and refreshing your ability to detect them through regular training, so that you think twice before clicking that link or opening that attachment you weren’t expecting, and so that you call a client to verbally verify the wire instructions they emailed you before wiring money out
- Using encryption whenever feasible to send and store data. BitLocker encryption at rest comes by default now on Windows 10 machines, for example, so if you have it and it’s enabled, your laptop is encrypted. Using secure file-sharing portals is generally more secure than sending clients confidential files via unencrypted email, because if an email account is compromised, the data isn’t just sitting there in the mailbox.
- Finally, enabling two-factor or multi-factor authentication wherever possible
If you can tackle the above four bullets, you can greatly reduce your cyber risk without spending a lot. Once you have those items in place, it’s reasonable to consider next steps. The SEC and state regulators do expect even small firms to have cybersecurity policies and procedures, so that’s an area in which many firms turn to us for assistance when they’re ready.
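As an added example (not part of the original post), here is a PowerShell self-check for two of the four items above on a Windows 10 machine: whether the OS drive is actually BitLocker-protected, and how old the newest installed update is. The function name and the 30-day patch threshold are my own choices; the phishing-awareness and MFA items cannot be verified by a local script.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on Windows 10 Pro/Enterprise (the BitLocker module ships with those editions).

function Get-SmallFirmSecurityCheck {
    param(
        # Flag the machine if its newest installed update is older than this (assumed threshold)
        [int]$MaxPatchAgeDays = 30
    )

    $osDrive = $env:SystemDrive   # normally "C:"

    # --- Encryption at rest: is the OS volume really protected? ---
    # A volume can be FullyEncrypted while protection is suspended (ProtectionStatus Off),
    # in which case the clear key is on disk and the data is readable. Require both.
    $bl = Get-BitLockerVolume -MountPoint $osDrive -ErrorAction SilentlyContinue
    if ($null -eq $bl) {
        $encrypted      = $false
        $encryptionNote = "BitLocker not available on this edition or volume"
    } else {
        $encrypted      = ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On')
        $encryptionNote = "VolumeStatus=$($bl.VolumeStatus); ProtectionStatus=$($bl.ProtectionStatus)"
    }

    # --- Patching: how stale is the newest installed update? ---
    $newest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($null -eq $newest) {
        $newestId     = 'none found'
        $patchAgeDays = $null
        $patched      = $false
    } else {
        $newestId     = $newest.HotFixID
        $patchAgeDays = (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
        $patched      = ($patchAgeDays -le $MaxPatchAgeDays)
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OsDriveEncrypted = $encrypted
        EncryptionDetail = $encryptionNote
        NewestUpdate     = $newestId
        PatchAgeDays     = $patchAgeDays
        PatchedRecently  = $patched
    }
}

# Example run: whichever of the two booleans is $false is the first thing to fix.
Get-SmallFirmSecurityCheck -MaxPatchAgeDays 30 | Format-List
```

Get-HotFix only lists updates recorded by Windows Update, so a machine patched by other means may show an older date than it really has; treat the result as a prompt to check, not as proof.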
I think the important thing to keep in mind is that some of the cyber best practices above can be implemented for free or for little to no cost. The practical approach is to get those cost-effective solutions in place first, and then as budget allows, try to tackle some of the other aspects. Hackers won’t take it easy on you just because you have a smaller firm. But for a large percentage of cyberattacks (other than highly sophisticated nation-state attacks, which even large firms have trouble defending against) you don’t need to be faster than the bear, just faster than the other guy running from the bear.
For more cybersecurity help, here are some helpful resources:
- Webinar – Getting Practical with Cyber, Part I: Testing & Validating Your Risk Controls
- Webinar – Getting Practical with Cyber, Part II – In the Driver’s Seat: Your Critical Role in Cyber Resiliency
- CSS Cybersecurity Solution – Shield
Ask us how we can help tailor a package to meet your needs. Fill out our form here and receive our free checklist for evaluating policies for cyber insurance coverage.
Will We See Liquidity Risk Management Programs in Europe Soon?
In an article posted by Ignites Europe, the Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg declared that it has “stepped up its supervisory focus on the liquidity aspects that are related to the recent developments” of Neil Woodford’s flagship fund and H2O Asset Management, an affiliate of Natixis Asset Management.
In the U.S., we have just seen the SEC’s Reporting Modernization program go live. This ushered in a new Rule 22e-4, which requires all ’40 Act funds to set up a formalized and documented Liquidity Risk Management Program (LRMP). The initial Rule 22e-4 on establishment of a written LRMP was quite onerous with respect to classifying each holding into specific “liquidity buckets,” including quarterly public disclosures via Form N-PORT. This rule was watered down prior to going live, and while the public disclosure is no longer required, it has been replaced with a requirement to discuss briefly the operation and effectiveness of a fund’s LRMP in the fund’s report to shareholders. The formalization of the LRMP, the profiling of individual positions and redemption stress testing are all part of the rule. The SEC estimates the rule will cost firms about $1.4 billion in one-time costs and $240 million annually after that as financial firms implement LRMPs to mitigate redemption risk.
As with many regulations in the US, ESMA has been keeping a close eye on the progress of Rule 22e-4 and has run its own consultation paper (CP) process.
In ESMA’s draft principles they propose stress tests that are:
- Tailored towards the individual fund
- Reflect the most applicable risks to a fund
- Sufficiently extreme or unfavorable (yet plausible)
- Sufficiently model a manager’s actions in times of stressed market conditions
- Embedded into the fund’s overall risk management framework
The SEC and ESMA initiatives have their roots in the IOSCO consultations:
- CIS Liquidity Risk Management Recommendations
- Open-ended Fund Liquidity and Risk Management – Good Practices and Issues for Consideration
We can see that there is now a broad focus across the ESMA NCAs on liquidity profiling and redemption stress testing of collective investments. As the vast majority of UCITS and US ’40 Act funds offer daily liquidity, it is of utmost importance that we understand, by profiling the portfolio holdings, how long each position would take to wind down in an orderly fashion. We can also see (even pre-Woodford) that questions on liquidity/redemption stress testing arise more frequently in audit.
Fund directors are (since Woodford) acutely aware of how exposed they would be were they not to maintain oversight of the liquidity risk diligently. For many open-ended funds, extracting portfolio-level liquidity data and identifying the necessary information needed for reporting can present an array of operational challenges.
CSS’s compliance consulting group Ascendant has extensive experience in LRMPs. If you need assistance addressing this evolving concern, contact us at info@compliancesolutionsstrategies.com or 860-435-2255.
How an LPA’s Definition of Organizational Expenses Can Connect to a Custody Rule Violation
For private fund advisers, fee and expense reviews are a cornerstone to a sound compliance program. The SEC repeatedly reinforces this axiom, and a recent SEC Settlement Order highlights how the lack of such reviews and the misclassification of expenses can lead to a Custody Rule violation.
In this case, according to the Settlement Order, the Limited Partnership Agreement (“LPA”) expressly excluded placement agent fees from “organizational expenses.” Unfortunately, the private fund adviser charged its client—the Fund—for placement agent fees under the rubric of organizational expenses. Additionally, the CFO transferred funds from the Fund to the adviser in advance of the actual incurrence of organizational expenses. The amounts transferred were estimated future charges, based on amounts incurred in the prior year’s audited financial statements. Mixed into the fee and expense quagmire were “deemed contributions” and offsets to management fees that were not properly applied, as well as a loan based on capital that should not have existed. Nothing in the LPA allowed the Fund to loan money to the adviser, even when funds were believed to be owed to the adviser.
The CFO tracked expenses and reported them to the CEO and the investment committee; the investment committee then determined the amounts to charge the Fund and investors. But, according to the SEC, the CEO did not adequately supervise the CFO and money transfers, and the private fund adviser did not implement a process to determine the accuracy of expense classifications or the accuracy of expenses estimated and charged. Reading the Order, it appears the SEC thought the CEO should have “obtained more detail to understand the specific nature of the transactions [the CFO] executed” and should have substantively reviewed bank statements and reconciliations.
So, what happened? Ultimately, the auditor—engaged to fulfill the Custody Rule’s annual audit provision—identified the misclassification of expenses and improper money transfers between the adviser and its Fund and withdrew from its engagement. The adviser hired a new auditor and remediated—with interest. Nonetheless, the adviser by then had failed to timely distribute to the investors the audited financial statements prepared in accordance with generally accepted accounting principles (within 120 days of the end of its fiscal year). So, the SEC found that the adviser violated the Custody Rule and issued civil monetary penalties against the adviser, the CFO, and the CEO.
Here, the Custody Rule violation was low-hanging fruit for the SEC, but it shows the domino effect of fee and expense missteps. Do not let expense misclassifications and fee miscalculations damage an otherwise sound compliance program and reputation. We are often asked how detailed fee and expense reviews should be. Start with a few basic questions and develop the comprehensive reviews from there. For example, have you recently gone back to the fund documents to determine if existing expense classifications and charges are expressly allowed? Have you documented that analysis? As the CCO, or management, do you know how expenses are actually paid? Does your fund reimburse the adviser for expenses actually incurred, or does the fund pay for estimated expenses? For sure, the SEC will examine expense classification, expense payments, and offsets to management fees, so implement the fee and expense review processes now, before the SEC examiners do. If you do not have the personnel to review your processes, or even if you do, consider a third-party risk assessment of fees and expenses by CSS’ professional consulting group Ascendant.
Early Impressions on Regulation Best Interest, Form CRS
One week after the SEC adopted Regulation Best Interest and Form CRS, at a Cincinnati roundtable hosted by Fort Washington Investment Advisors, Inc., Private Funds & Regulatory Compliance Manager Andre Rickman ran through early impressions of the new rules and their accompanying Interpretive Releases with a very interested group.
CSS Regulatory Compliance Expert Greg Hotaling opened discussion about the challenges of shareholder disclosure compliance and position limit monitoring, describing data management, the tracking of rules across the globe, and the creation of the necessary filing documents for each jurisdiction. Once a firm overcomes the challenge of organizing data, the next challenge is tracking each country’s rule set and then finally transforming the application of the data through the rule set into fileable reports, he told the group.
Participants also noted the need for a resource to track registration requirements in foreign jurisdictions.
The group returned to a discussion of Regulation BI and Form CRS led by CSS Executive Director Keith Marks, who stated a belief that rule makers have closed the gap between the standards of care applicable to broker-dealers and investment advisers. “To accomplish this, investment advisers must summarize information they currently provide to clients into another document in which broker-dealers will provide comparable summaries,” he said.
Regulation BI requires broker-dealers to adhere to a best interest standard of not placing their interests ahead of customer interests when providing advice to retail investors.
Broker-dealers will be required to adopt a four-step plan of disclosure, reasonable care, mitigation or elimination of conflicts of interest, and written policies and procedures to achieve compliance. The end result is more compliance, particularly for broker-dealers.
Form CRS, or Form ADV Part 3, will be the document that IAs and BDs will now have in common. To keep the documents similar for meaningful comparison, each document will have the same headings and be limited to two pages. Dual registrants may publish four pages. The deadline is June 30, 2020, and not before May 1, 2020. There are standard Form ADV client delivery requirements for providing the document to clients after being filed on the IAPD. When delivering Form CRS in paper, it must be the document on the top of the pile, according to one instruction.
The SEC published a supporting Interpretive Release titled “Commission Interpretation Regarding the Solely Incidental Prong of the Broker-Dealer Exclusion from Definition of Investment Adviser,” which included a list of limited types of discretion that are to be considered advice incidental to the primary business of effecting securities transactions – and therefore not subject to IA registration. Unlimited discretion is advisory, concluded the SEC.
The SEC also published “Commission Interpretation Regarding the Standard of Conduct for Investment Advisers.” This gave the SEC the opportunity to provide its clarity around the use of the word “may” in disclosures.
SEC Chair Jay Clayton seemed earnest when he opened the SEC’s June 5 meeting with the sentiment that this may not be perfect, but it protects broker-dealers while letting more information try to determine the market.
If you need more help on Form CRS, visit our Ultimate Guide to Form CRS page, with information about the regulation, as well as our solution.
Creativity vs. Compliance: When Marketing Just Doesn’t Seem to Get It
We’ve all been there before…you get a request to review marketing materials, and there’s urgency to it. Great! You’ve successfully trained the firm to make sure things are run by you first. The problem is it’s 4:15pm and they need to get it out by the end of the day. You open up the document, see some unsupported performance numbers, maybe a testimonial or two, and some language that’s so flowery that even a botanist would blush. The author is really excited about the piece, which pretty much guarantees (and we all know how much we hate that word) it’s not compliant. What’s a CCO to do?
Well first, take a deep breath. Then work through the document by prioritizing your comments. What’s a no-go? What’s just a preference? How do your findings compare to recent SEC Risk Alerts or Exam Priorities? Take the entirety of your comments back to the author and use them as bargaining chips. “I really don’t care for the way this is worded, but I can live with it. But the claim that our models will outperform the benchmark by at least 15% for the foreseeable future? That’s gotta go.”
Notice the wording used above; there are no “you” statements and the use of “our.” Positioning yourself on the same side of the table (you do, by the way, work for the same firm) helps take out some of the traditional “you vs. me” or “us vs. them” conflict that tends to pop up when Marketing and Compliance get together.
I’d argue, however, that you should do as much as you can beforehand to prevent this from happening. Here are some steps to help prevent this fire drill:
Establish a Defined Review Process
We all know that marketing materials need to be reviewed by Compliance prior to distribution, so why not put some parameters around that? Whether it’s through e-mail, a workflow through your CRM, or even reviews of physical pieces of paper, make sure everyone knows what needs to happen. An important part of this is timing as well. We all want to have as quick a turnaround as possible, but establish minimums to say you need X amount of time to do a proper review. X in this case is likely more than 20 minutes.
Make Friends with Marketing
While Compliance and Marketing at times can get along like the Starks and Lannisters in Game of Thrones (RIP to the Lannister legacy), I’d argue that Marketing can and should be one of your closest allies. Go to lunch together! Stop by when you don’t need anything to just see how they’re doing. Make sure they’re up to speed on not only regulatory hot-button items, but also on the basics. What counts as testimonials? When is performance allowed and when is it not? Where do disclosures go? Most compliance issues can be worked out before they even cross a CCO’s desk with an educated and friendly Marketing group.
Make your ‘Nos’ Matter
No one likes to hear no all the time, yet sometimes Compliance can be viewed as the “No Department.” In your daily reviews, make sure that you very rarely just flat-out say no to something. Try to explain why there’s an issue, and then suggest alternatives. Even if they don’t particularly like or even use your suggestion, at least you’re making an effort. Then, when you do have to say “no” to something, that should jump out as important…as different from other items you’ve identified.
But at the end of the day, you’re only one man or woman, fighting the good Compliance fight. If Senior Management makes the decision to overrule you, at least try to soften the wording some. Be willing to compromise, and try to come up with reasons why the material actually is compliant. The regulatory world surrounding marketing is often murky and up for interpretation, so there are usually two sides to an argument. Even if your side doesn’t win out, try to come up with some sort of thought process should it come up in an examination. And remember, Starks, Lannisters, Dothraki and Unsullied all fought together against the Night King. If Jon Snow and Jaime Lannister can fight together side by side, Compliance and Marketing can, too.
SEC Adopts Regulation Best Interest, Form CRS; Also Issues Interpretive Releases on IA Fiduciary Duty and Solely Incidental Exception
By a 3-1 vote, on June 5, 2019, the SEC acted to provide a new regulatory framework to help retail, or main street, investors understand the distinctions between broker-dealers and investment advisers, particularly the standards of conduct owed by each. Opening remarks by SEC Chair Jay Clayton noted that as markets have developed over the last century, this issue has grown in importance with more than 44 million US households having retail investment accounts.
Clayton cited that the obligations of financial professionals to those they serve have been the ongoing concern of the SEC since its inception. Today, he remarked, “we elevate, enhance and clarify these obligations in a comprehensive manner.” Chair Clayton further noted that past delays in acting have only led others to develop strident opposition.
Despite these “head winds,” Clayton stated that the SEC made it here through a “mix of law, duty, courage, conviction and commitment.” He expressed his support to Commission staff for working on two objectives: (1) bringing required standards of conduct and mandated disclosures in line with reasonable expectations and (2) preserving the availability of customer choice and levels of service that match different needs.
The adoption of Best Interest Standards for broker-dealers likely creates the most significant industry re-tooling. Regulation Best Interest enhances the broker-dealer standard of care, requiring broker-dealers to act in the best interest of retail customers. This draws from key fiduciary principles and cannot be satisfied by disclosure alone. Indeed, the rule will require disclosures, a care obligation to place customer interests first, an obligation to mitigate conflicts of interest, and compliance policies and procedures to manage the implementation of the standard of care.
Form CRS will have broad application across broker-dealers and investment advisers, providing sunlight on required standards of conduct, fees and services, plus any disciplinary history. Clayton again noted that while critics express concerns, he believes Form CRS will be a positive step forward as part of this new framework.
In discussing the Interpretive Releases, SEC staff noted its goal of providing greater information to assist with the new framework, specifically answering that nothing within it should be considered to water down the fiduciary duty.
As the SEC makes public the written text of the Final Rules and Interpretive Releases, CSS will have more information on how to implement the new requirements.
What’s Next?
The rules and forms will be effective 60 days from publication in the Federal Register and the interpretations will be effective upon publication in the Federal Register.
By June 30, 2020, registered broker-dealers must begin complying with Regulation Best Interest, and broker-dealers and investment advisers registered with the Commission will be required to prepare, deliver to retail investors, and file a relationship summary.
If you need more help on Form CRS, visit our Ultimate Guide to Form CRS page, with information about the regulation, as well as our solution.