
Ascendant’s Adam DiPaolo Discusses Hypothetical & Model Performance Marketing Pitfalls

Adam DiPaolo


A Jan. 12 article in HFMCompliance titled “Best practice for hedge funds using hypothetical and model performance” outlines best practices for hedge fund managers when using hypothetical performance or model data in marketing efforts, and how managers relying on such data can avoid enforcement actions. Adam DiPaolo, Senior Consultant in Ascendant’s Private Funds group, is quoted in the piece.

Mr. DiPaolo advises managers to make sure disclosures are adequate and prominently displayed in order to avoid pitfalls and regulatory scrutiny.

“Regulators look at model or hypothetical performance as misleading until the manager can cure it, which is to say that the manager included appropriate disclosures and explanations about how the performance figures were generated,” Mr. DiPaolo said.

Mr. DiPaolo also cautions managers against burying disclosures.

“You don’t want to get cheeky and include something small at the end of your materials,” he said. “Disclosures can’t be too difficult for people to see and understand or they will not be meaningful.”

The article can be read here.

SEC’s Exam Priorities Offer Insight Into National Exam Program

On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued their 2018 Examination Priorities (see Ascendant’s summary here). In addition to defining their examination priorities for the year, the OCIE staff offered some insight into the National Exam Program. Specifically, they defined the following five principles in executing their exam priorities:

  • Risk-based – OCIE realizes that the size of the securities industry prevents them from conducting regular, comprehensive examinations of every firm. The staff considers risk in setting priorities, selecting firms to examine and determining the scope of exams.
  • Data-driven – OCIE acknowledges that they utilize data in setting priorities and evaluating risk. Over the past several years, the SEC has added quantitative capabilities for analyzing trade blotters and market data.
  • Transparency – OCIE believes that publicly sharing information about the exam program enables firms to achieve compliance with the securities laws, thus helping investors. In fiscal year 2017, OCIE published six Risk Alerts, which identified issues for registrants to consider.
  • Highest and Best Use of Resources – OCIE recognizes that their resources are limited, and attempts to leverage their talent, technology and data analysis in an effort to maximize the benefit to investors.
  • Embrace Innovation and Technology – Technology in the financial markets often leads to innovation in ways that benefit investors, such as improving access or driving down cost. OCIE works to keep pace with advancing technological innovations and recognizes the threats posed by cybersecurity attacks.

Look familiar? In many ways, these principles are the hallmarks of an effective compliance organization. As OCIE has focused on increasing transparency, advisers and broker-dealers will be well served to pay attention to OCIE’s guidance and make sure that their compliance programs are up to par.

OCIE’s full priorities paper can be found here.


If you need help with your compliance program, Ascendant has technological and consulting solutions to fit every business and budget. Contact us today via email or at 860-435-2255.

SEC Updates: ICO Gatekeeper Standards, SEC/CFTC Swap Rules

SEC Chairman Jay Clayton had some stern advice for market professionals, especially gatekeepers, who he said need to act responsibly and hold themselves to high standards.

Speaking via videoconference during Securities Regulation Institute’s recent annual conference, he said, “To be blunt, from what I have seen recently, particularly in the initial coin offering (“ICO”) space, they can do better.”

Clayton has instructed the SEC staff to be on high alert for approaches to ICOs that may be contrary to the spirit of our securities laws and the professional obligations of the U.S. securities bar. As an example, he noted, “…there are ICOs where the lawyers involved appear to be, on the one hand, assisting promoters in structuring offerings of products that have many of the key features of a securities offering, but call it an “ICO,” which sounds pretty close to an ‘IPO.’ On the other hand, those lawyers claim the products are not securities, and the promoters proceed without compliance with the securities laws, which deprives investors of the substantive and procedural investor protection requirements of our securities laws.”

He commented that these lawyers appear to provide equivocal “it depends” advice, rather than counseling their clients that the product they are promoting likely is a security.


During the same speech, Clayton addressed the rules pertaining to security-based swaps still remaining under the Dodd-Frank Act. Clayton said that the SEC is seeking to harmonize its ultimate security-based swap rules with the CFTC, to increase effectiveness as well as reduce complexity and costs. On this front, Clayton was pleased to report that deliberate and constructive engagement with the CFTC is well underway.

2018 SEC Exam Priorities: What You Need to Know

On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its Examination Priorities for 2018. This is the sixth year that OCIE staff has issued their priorities, which provide transparency into their thinking and guidance for advisers reviewing their compliance programs. The priorities are organized around five themes: protecting retail investors, critical market infrastructure, self-regulatory organizations, cybersecurity and anti-money laundering. These priorities are consistent with those expressed in prior years. It’s also worth noting that OCIE’s scope of oversight covers investment advisers, investment companies and broker-dealers and many of the themes overlap between those types of organizations.

The largest portion of the document, and that of most interest to advisers, was devoted to the protection of retail investors, including seniors and those saving for retirement. SEC Chairman Jay Clayton has emphasized the Commission’s commitment to protecting everyday investors, and the exam priorities reflect this mission. Several priorities were identified, including:

  • Disclosure of the costs of investing. Examiners will review the disclosure of fees charged and other compensation the financial professional may receive; conflicts of interest that may provide incentives for certain products or services; and whether fees and expenses are calculated and charged as disclosed. OCIE will focus on firms with conditions that may present increased risks that investors will pay inadequately disclosed fees, expenses or other charges, such as incentives related to higher fee mutual fund share classes or accounts that have changed from commission-based to asset-based fees.
  • Electronic Investment Advice. OCIE will continue to examine firms that offer advice through automated platforms, including “robo-advisers.” Examinations will focus on compliance programs, including oversight of computer program algorithms that generate recommendations, as well as marketing materials, conflict of interest disclosure and data protection.
  • Wrap Fee Programs. Examiners will review whether the recommendation to invest in a wrap fee program is reasonable, if conflicts of interest are disclosed and whether advisers are receiving best execution and disclosing costs associated with trading through another broker-dealer.
  • Senior Investors and Retirement Accounts. Examinations will continue to focus on investment recommendations, sales of variable insurance products and the use of target date funds. In addition, examiners will review how broker-dealers oversee interactions with senior investors, including the ability of firms to identify exploitation of seniors.
  • Mutual Funds and Exchange Traded Funds (ETFs). As a new initiative this year, OCIE intends to conduct examinations focusing on mutual funds that have experienced poor performance or liquidity of subscriptions and redemptions relative to their peer groups, are managed by advisers with little experience managing registered investment companies or that hold securities that are potentially difficult to value during times of market stress. Examiners will also focus on ETFs that have little secondary market trading volume and face the risk of being de-listed from an exchange, and funds and ETFs that track custom indexes for conflicts with the index provider.
  • Fixed Income Order Execution. Examinations will assess whether broker-dealers have implemented best execution policies and procedures.
  • Cryptocurrency, Initial Coin Offerings (ICOs), Secondary Market Trading and Blockchain. The cryptocurrency and ICO markets have grown rapidly and present risks for retail investors. Where such products are securities, examiners will focus on controls to protect assets from theft or misappropriation and whether investors receive disclosure about the risks associated with these investments. In light of recent guidance and media attention on this subject, we are not surprised by OCIE’s focus.
  • Never-Before-Examined Advisers. OCIE will continue to identify and examine firms that have never been examined.

Among the other themes, the priorities most relevant to investment advisers and broker-dealers are cybersecurity and anti-money laundering, specifically:

  • Cybersecurity. Examiners will continue to prioritize cybersecurity controls in exams, focusing on governance, risk assessments, access controls, data loss prevention, vendor management, training and incident response.
  • Anti-Money Laundering (AML). As broker-dealers and investment companies are subject to AML rules, examinations of those entities will review the adequacy of AML programs, including customer due diligence, SAR filings, and robust and timely independent tests of programs.

In view of the SEC’s examination priorities, now is a good time to focus on any identified priorities that affect your firm’s business model and to consider revisiting your firm’s annual review content and written policies and procedures (“WSPs”) to ensure that the applicable SEC priorities are being addressed. For example, as part of this process, review the relevant WSP sections for any material gaps and then test to ensure that the policies are being adhered to.


For more help with your compliance program, contact Ascendant at 860-435-2255.

The Problem with Buying Off-the-Shelf: It May Not Fit!

The Fort Worth, Texas, Regional Office (“FWRO”) of the SEC recently named the failure to sufficiently tailor off-the-shelf compliance programs as one of its most cited deficiencies during regulatory exams in 2017. According to the FWRO, such deficiencies were present in nearly half of all examinations conducted by them.

The news came during a first-of-its-kind call directly between the FWRO and over 2,000 industry members. The call consisted of a discussion of the exam program, investor risk highlights and a question-and-answer session. Although 11 deficiencies were mentioned during the exam priorities section, much of the call focused on the need to address individual-based risks through a well-designed compliance program.

The FWRO noted findings that many firms used “canned” compliance programs that were not tailored to the adviser’s business, and in some extreme cases the policies even included the names of other advisers. Those advisers that participated on the call were also reminded that the Compliance Rule requires issues from the previous year to be catalogued in an annual review and addressed in a timely manner. Finally, the FWRO stated that it was “no fan” of chief compliance officers with too many other roles.

So, what does this mean for investment advisers? A couple of things, but most importantly the need to ensure your policies are customized based on your business, affiliations, conflicts of interest and protocols.

Make sure that your compliance program receives sufficient attention and is sufficiently tailored. A good first step could be using Ascendant’s Risk Matrix Tool, housed on the Ascendant Compliance Manager, to inventory the risks posed to your specific business model and determine if your policies adequately address those risks. You should also review your previous annual reviews to ensure that the issues identified in them have been remediated. From there, you should establish whether or not your policies and procedures are reasonably designed to effectively confront these risks.


For more information, or for a demo of Ascendant’s Risk Matrix Tool, please contact us at info@ascendantcompliance.com or call us at 860-435-2255.

U.S. Advisers Getting Serious About Fast-Approaching GDPR Deadline

For over a year, May 25, 2018 has been circled on the calendars of many chief compliance officers and chief technology officers at U.S.-based investment advisers and asset managers with a European presence or European investors. For others, the quickly approaching date may be coming as a surprise as they grapple with how to tackle yet another broad regulation with significant financial consequences.

We’re talking, of course, about the General Data Protection Regulation (GDPR), the EU’s sweeping data privacy regulation approved in April 2016 by the EU Parliament and set to take effect on May 25. GDPR is the EU’s effort to bolster the privacy protections available to EU residents to control how their personal data is gathered, processed, stored, and if they so desire, deleted, as well as to impose stricter reporting requirements relating to the breach of such information. The prior EU data privacy regulation, adopted in 1995, had become obsolete in the age of Facebook, Google, and the Internet in general.

While GDPR is not a financial regulation, it has the potential to profoundly impact the operations of financial firms, and asset managers in the U.S. should be cautious in casually dismissing GDPR as an EU-only rule with no domestic implications. The complexities of compliance with the regulation are driving efforts among advisers everywhere to understand who has access to what data, where personal data resides on their systems, and what the downstream data flows are to interconnected systems, vendors, and departments.

Firms should first assess whether GDPR is, or is likely to be, applicable to their business. The answer is likely to be “YES” if:

  • The firm has a presence in the EU, and collects or processes personal data about an EU resident in the context of its business activities (as opposed to personal, non-economic reasons), or
  • The firm, regardless of where it is located, processes personal data about an EU resident as part of the marketing of goods or services, or monitors such EU resident (which can include the use of cookies and similar tracking).

There are some exceptions to the above. For example, firms with fewer than 250 employees are not required to maintain certain transactional records under GDPR.

Personal data is defined broadly to include everything from an individual’s name and ID numbers to his or her IP address, Internet cookies, genetic information, ethnicity, sexual orientation, and even political opinions.

While GDPR compliance is going to be a significant undertaking, given that its various requirements are set forth in 91 different articles of legislation, there are a few key points to keep in mind for firms subject to GDPR:

  • “Data subjects” (i.e. the EU residents whose personal data we’re talking about) have a “right of portability” of their data to another service provider and a “right to be forgotten” or “right to erasure” (e.g. to have their data deleted, unless the data is required to be maintained for regulatory recordkeeping purposes).
  • Firms must establish reasonable safeguards to protect data of data subjects from compromise or loss. Such safeguards include the use of encryption and anonymization/pseudonymization of personal data. Anonymized data is data from which the data subject is not identifiable at all, whereas pseudonymized data is data from which the data subject is not identifiable without the use of additional information.
  • Firms must conduct Data Protection Impact Assessments (e.g. risk assessments).
  • Data breaches are required to be reported to Supervising Authorities (SAs) within 72 hours of becoming aware of the breach, including details of the breach and an estimate of how many records were impacted.
  • Firms must address disclosure requirements involving informed consent as to the reason data is collected and used.
  • Noncompliance with GDPR requirements carries a stiff penalty, which can be up to 4% of the firm’s global annual revenue.

The clock is ticking, with less than 120 days until the May deadline. Compliance with GDPR will require a combination of technology, systems, processes and people.


Ascendant can help evaluate your cybersecurity program and perform cybersecurity testing, and offers a secure cloud-based compliance software suite – Ascendant Compliance Manager – that can be used to manage GDPR across the entire enterprise, including:

  • Mapping and categorizing personal data across systems and applications;
  • Conducting third party due diligence;
  • Managing GDPR risks and controls; and
  • Distributing updated policies and training to employees.

For more information, or for a demo of ACM, please contact us at info@ascendantcompliance.com or call us at 860-435-2255.