Articles Tagged with SEC Risk Alert

Published on:

SEC Risk Alert regarding safety of customer records and cloud vendor diligence.

As part of its cybersecurity sweep, the SEC has examined risks related to the storage of customer records and information by investment advisers on cloud-based storage platforms and issued a Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features.” The sweep focused on vendor due diligence and oversight and registered advisers’ monitoring of data and customer information safety. Among other information, OCIE sought vendor contracts (including service level agreements); vendor reviews; risk assessments of cloud service providers, including data encryption, data loss prevention, books & records exposure, and identity and access management; and policies and procedures and their alignment to technology standards.

The Risk Alert identified as the main compliance issues related to cloud-based storage (i) Misconfigured network storage solutions (inadequately configured security settings to protect against unauthorized access; lack of policies and procedures addressing the security configuration);  (ii) Inadequate oversight of vendor-provided network storage solutions (lack of, or inadequate, policies, procedures, contractual provisions that security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards); and (iii) Insufficient data classification policies and procedures (firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data).

The Risk Alert encourages investment advisers to review their practices, policies, and procedures with respect to the electronic storage of customer information, to consider any necessary improvements, and to actively oversee vendors. The SEC included helpful recommendations for cyber/cloud risk management, including the implementation of policies and procedures designed to support the initial installation, ongoing maintenance, and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.

Please contact your counsel at Pillsbury’s Investment Funds Group if you need help with reviewing and enhancing your cloud storage and related policies.

Published on:

The Office of Compliance Inspections and Examinations (OCIE) of the SEC issued a Risk Alert yesterday providing a list of the most frequently identified compliance issues relating to the Advertising Rule (Rule 206(4)-1) under the Investment Advisers Act of 1940.  These compliance issues were identified as part of the OCIE examination of investment advisers:  misleading performance results, misleading one-on-one presentations, misleading claim of compliance with voluntary performance standards, “cherry-picked” profitable stock selections, misleading selection of recommendations and insufficient/inaccurate compliance policies and procedures.

Compliance with the Advertising Rule has long been, and remains, a favorite focus of the SEC.  In an age of fundraising challenges, investment advisers must balance the pressing need of appealing to prospective clients with adherence to precise regulatory standards.  Each marketing piece should go through rigorous internal review and sign-off procedures and, as necessary, outside counsel evaluation.  Investment advisers are urged to pay special attention to any form of performance or track record marketing.

Click here for the full Risk Alert. Contact your Pillsbury attorney for additional assistance.

Published on:

(This article was published in the first February 2016 issue of “The Review of Securities and Commodities Regulation” and is reprinted here with permission.)

The last half of 2015 has been characterized by a lot of debate and press attention on the role of the Chief Compliance Officer (“CCO”) at investment advisers. It has attracted attention within the highest levels at the SEC as reflected in a series of public statements and speeches, including the public disagreement of two Commissioners on whether or not there is a new trend targeting CCOs. While this debate has been unusual, it has led to a healthy and productive discussion about the CCO’s role. Below, we will discuss in turn: (a) recent statements over the past six months by SEC leaders about CCOs and whether or not there is a new trend targeting them, (b) what qualities are essential to an effective CCO and whether or not the job should be outsourced, and (c) how an effective compliance leader can prevent and detect any problems and be truly effective in preparing the firm for SEC examinations.

Published on:

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) previously announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness.  In connection with that statement of examination priority, OCIE recently issued a Risk Alert to provide additional information concerning its initiative to assess cybersecurity preparedness in the securities industry.

As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following:

  • the entity’s cybersecurity governance,
  • identification and assessment of cybersecurity risks,
  • protection of networks and information,
  • risks associated with remote customer access and funds transfer requests,
  • risks associated with vendors and other third parties,
  • detection of unauthorized activity, and
  • experiences with certain cybersecurity threats.

OCIE has provided a sample form of request for information and documents that investment advisers and broker dealers can expect to receive prior to this type of examination.

Although the SEC has stated that it believes the sample document request (see Appendix) should help to empower compliance professionals with questions and tools they can use to assess their firms’ level of preparedness, registrants should also expect the SEC to use the sample document as a basis for finding deficiencies, to the extent the guidance is not followed.

Published on:

Written by: Jay B. Gould and Jessica M. Brown

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations released a “Risk Alert” on January 28, 2014, which focuses on the due diligence investment advisers perform in alternative investments[1] and managers for their clients. After observing an increasing trend in advisers recommending alternative investments to their clients, the SEC examined a group of SEC-registered investment advisers, who collectively manage more than $2 trillion. The purpose of the examination and the Risk Alert is to review how the advisers perform due diligence, utilize investment teams to review fund structures and complex investment strategies, and identify, control and disclose conflicts of interest.

While the Risk Alert focuses on the narrow market segment of advisers who recommend to their clients discretionary investments in alternative investments managed by outside advisers/managers, the recommendations and due diligence practices can serve as practical guidance for all investment advisers and fund managers.

Observations

The SEC notes four primary trends in the due diligence that advisers perform on alternative investments and their managers:

  1. Position-level transparency and client risk mitigation
  2. Use of third parties to supplement and validate information provided by managers
  3. Quantitative analyses and risk measures on the investment and managers
  4. Enhancing and expanding due diligence teams and policies

Warning Indicators

The SEC notes a number of red flags that advisers find with respect to managers that warrant additional due diligence. These warning signs include:

  • managers who refuse transparency requests;
  • performance returns that conflict with factors known to be associated with the manager’s strategy;
  • unclear investment and research process;
  • lack of a sufficient control environment and separation of duties between the business and investment units;
  • portfolio holdings that conflict with a purported strategy;
  • insufficiently knowledgeable personnel to carry out the strategy intended to be implemented;
  • changes in manager investment style;
  • investments that are overly complex or opaque;
  • lack of third-party administrator;
  • inexperienced auditor;
  • repeated changes in service providers;
  • unfavorable background check results;
  • discovery of undisclosed conflicts of interest;
  • insufficient compliance or operational programs; and
  • lack of sufficient fair valuation process.

Advisers should review whether their due diligence process identifies these warning indicators and whether there are additional warning indicators they should consider to meet their fiduciary obligations. 

Adviser Compliance Practices

The SEC identifies the areas in which it found material deficiencies or control weaknesses at the investment advisers examined. Based on the deficiencies the SEC identifies, advisers who recommend alternative investments should ensure that:

  • the due diligence policies and procedures for alternative investments/managers are reviewed annually;
  • disclosures made to clients do not deviate from actual practices, are consistent with fiduciary principles and describe any notable exceptions to the adviser’s typical due diligence process;
  • marketing materials are not misleading or unsubstantiated regarding the scope and depth of the due diligence process;
  • due diligence processes are written policies that contain sufficient detail and require adequate documentation; and
  • if responsibilities are delegated to third-party service providers, those service providers’ adherence to their agreements is reviewed periodically.

Conclusion

The SEC reminds advisers that they are fiduciaries and must act in the best interest of their clients. In order to meet their fiduciary obligations when selecting alternative investments for clients, an adviser must evaluate whether such investment meets the client’s investment objectives and is consistent with the strategies and principles of investment presented to the adviser by the manager.

While the Risk Alert focuses on a narrow market segment of advisers, the recommendations and due diligence practices have a broader application. Any SEC-registered adviser, exempt reporting adviser or state-registered adviser can review their own operational due diligence policies and procedures to see if they can be bolstered by incorporating any of the recommendations contained in the Risk Alert. Further, managers of alternative investments should consider whether any of their practices or policies are included in the list of warning indicators and make the changes necessary to smoothly pass an adviser’s due diligence process.


[1] Included in the SEC’s definition of “alternative investments” are hedge funds, private equity funds, venture capital funds, real estate funds, funds of private funds, and other private funds.

Published on:

Written by: Jay B. Gould and Jessica Brown

In response to the devastating effect of Hurricane Sandy, which temporarily crippled U.S. equity and options markets in October 2012, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on business continuity and disaster recovery planning for investment advisers. In the aftermath of Hurricane Sandy, the SEC reviewed the business continuity and disaster recovery plans of approximately 40 advisers who were affected by the storm “to assess their preparedness for and reaction to the storm.”

On August 16, 2013, a joint advisory was issued by OCIE, the CFTC’s Division of Swap Dealer and Intermediary Oversight, and the Financial Industry Regulatory Authority on business continuity and disaster recovery planning for a wide array of firms. The Risk Alert focuses exclusively on investment advisers and encourages advisers to review their business continuity plans in light of OCIE’s findings.

The Risk Alert highlights the notable practices and weaknesses identified in the business continuity and disaster recovery plans and suggests improvements advisers could make to their plans in the following areas:

  • Preparation for widespread disruption
  • Planning for alternative locations
  • Preparedness of key vendors
  • Telecommunications services and technology
  • Communication plans
  • Reviewing and testing