The California Consumer Privacy Act (CCPA), a broad statute which imposes new data privacy obligations on certain companies that do business in California, will become effective on January 1, 2020. Fund managers and other investment advisers (“Advisers”) and certain of their affiliates that are currently subject to data privacy laws pursuant to the Gramm-Leach-Bliley Act (GLBA) or the UK General Data Protection Regulation (GDPR) may have additional obligations to consider and prepare for as the CCPA compliance deadline approaches.
While acknowledging the challenges in applying the securities laws to digital assets, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA), in a joint statement on July 8, 2019, reaffirm that those rules equally apply to digital assets, and promise they will continue to engage the industry in finding solutions.
Read the full public statement HERE.
SEC Risk Alert regarding safety of customer records and cloud vendor diligence.
As part of its cybersecurity sweep, the SEC has examined risks related to the storage of customer records and information by investment advisers on cloud-based storage platforms and issued a Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features.” The sweep focused on vendor due diligence and oversight and on registered advisers’ monitoring of data and customer information safety. Among other information, OCIE sought vendor contracts (including service level agreements); vendor reviews; risk assessments of cloud service providers, including data encryption, data loss prevention, books & records exposure, and identity and access management; and policies and procedures and their alignment with technology standards.
The Risk Alert identified the following as the main compliance issues related to cloud-based storage: (i) Misconfigured network storage solutions (inadequately configured security settings to protect against unauthorized access; lack of policies and procedures addressing the security configuration); (ii) Inadequate oversight of vendor-provided network storage solutions (lack of, or inadequate, policies, procedures, or contractual provisions ensuring that security settings on vendor-provided network storage solutions were configured in accordance with the firm’s standards); and (iii) Insufficient data classification policies and procedures (firms’ policies and procedures did not identify the different types of data stored electronically by the firm and the appropriate controls for each type of data).
The Risk Alert encourages investment advisers to review their practices, policies, and procedures with respect to the electronic storage of customer information, to consider any necessary improvements, and to actively oversee vendors. The SEC included helpful recommendations for cyber/cloud risk management, including the implementation of policies and procedures designed to support the initial installation, ongoing maintenance, and regular review of the network storage solution; guidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly; and vendor management policies and procedures that include, among other things, regular implementation of software patches and hardware updates followed by reviews to ensure that those patches and updates did not unintentionally change, weaken, or otherwise modify the security configuration.
Please contact your counsel at Pillsbury’s Investment Funds Group if you need help with reviewing and enhancing your cloud storage and related policies.
This is a reminder about the upcoming annual compliance deadlines that may or may not apply to you.
Please click HERE to open a summary chart of the filing deadlines.
Please feel free to contact us if you have questions or need assistance with any of these filings.
Pillsbury IFIM Group
In a press release issued by the Securities and Exchange Commission on December 20, 2018, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its 2019 Examination Priorities.
This year’s examination priorities, although not exhaustive, are divided into 6 categories:
- Compliance and risk at registrants responsible for critical market infrastructure;
- Matters of importance to retail investors, including seniors and those saving for retirement;
- FINRA and MSRB;
- Digital assets;
- Cybersecurity; and
- Anti-money laundering programs.
Read the OCIE 2019 Examination Priorities in full HERE.
This is a reminder that the 2019 IARD account renewal obligation for investment advisers (including exempt reporting advisers) starts this November. An investment adviser must ensure that its IARD account is adequately funded to cover payment of all applicable registration renewal fees and notice filing fees.
Key Dates in the Renewal Process:
November 12, 2018 – Preliminary Renewal Statements which list advisers’ renewal fee amount are available for printing through the IARD system.
December 17, 2018 – Deadline for full payment of Preliminary Renewal Statements. In order for the payment to be posted to its IARD Renewal account by the December 17 deadline, an investment adviser should submit its preliminary renewal fee to FINRA through the IARD system by December 14, 2018.
December 28, 2018 – January 1, 2019 – IARD system shutdown. The system is generally unavailable during this period.
January 2, 2019 – Final Renewal Statements are available for printing. Any additional fees that were not included in the Preliminary Renewal Statements will show in the Final Renewal Statements.
January 21, 2019 – Deadline for full payment of Final Renewal Statements.
Please contact us if you have questions.
This alert contains a summary of the primary annual and periodic compliance-related obligations that may apply to investment advisers registered with the Securities and Exchange Commission (the “SEC”) or with a particular state (“Investment Advisers”), and commodity pool operators (“CPOs”) and commodity trading advisors (“CTAs”) registered with the Commodity Futures Trading Commission (the “CFTC”) (collectively with Investment Advisers, “Managers”). Due to the length of this Alert, we have linked the topics to the Table of Contents and other subtitles for easy click-access.
This summary consists of the following segments: (i) List of Annual Compliance Deadlines; (ii) New Developments; (iii) 2018 National Exam Program Examination Priorities; (iv) Continuing Compliance Areas; and (v) Securities and Other Forms Filings.
Read this article and additional Pillsbury publications at Pillsbury Insights.
The Office of Compliance Inspections and Examinations (OCIE) of the SEC issued a Risk Alert yesterday providing a list of the most frequently identified compliance issues relating to the Advertising Rule (Rule 206(4)-1) under the Investment Advisers Act of 1940. These compliance issues were identified as part of OCIE’s examinations of investment advisers: misleading performance results, misleading one-on-one presentations, misleading claims of compliance with voluntary performance standards, “cherry-picked” profitable stock selections, misleading selection of recommendations, and insufficient or inaccurate compliance policies and procedures.
Compliance with the Advertising Rule has long been, and remains, a favorite focus of the SEC. In an age of fundraising challenges, investment advisers must balance the pressing need of appealing to prospective clients with adherence to precise regulatory standards. Each marketing piece should go through rigorous internal review and sign-off procedures and, as necessary, outside counsel evaluation. Investment advisers are urged to pay special attention to any form of performance or track record marketing.
Click here for the full Risk Alert. Contact your Pillsbury attorney for additional assistance.
On June 9, 2017, the Department of Labor (DOL) regulation updating the definition of “fiduciary” for purposes of ERISA became effective, along with a series of new and updated prohibited transaction exemptions. The DOL regulation expands the types of activities that can give rise to fiduciary status, and applies not only to plans subject to ERISA but also to self-directed IRAs. While the DOL is still reviewing whether changes should be made to the regulation to reduce the regulatory burden, and both the DOL and Congress are considering more drastic action such as full repeal, for the time being the regulation is in effect.
A broad reading of the definition of “fiduciary” under the new rule could cause investment fund managers to become fiduciaries to ERISA and IRA investors in their funds, and to prospective investors, regardless of whether a fund they manage is a “plan assets” fund. Fund managers may need to take action now, notifying benefit plan investors, obtaining representations and/or amending subscription applications.
Private investment funds that limit ERISA plan and IRA investments to below 25% of each class of equity interests (or that qualify as a Venture Capital Operating Company (VCOC) or a Real Estate Operating Company (REOC)) are still exempt from ERISA with respect to most of their activities—their investment transactions and compensation arrangements are exempt from ERISA’s fiduciary rules and from the prohibited transaction restrictions of ERISA and the Internal Revenue Code. However, under the new DOL regulation, certain types of marketing and outreach activities to new and current benefit plan investors could be viewed as “recommendations” to invest in (or continue investing in) a fund, and thus may become subject to the new fiduciary rules.
Not every marketing or outreach activity will give rise to fiduciary status, and an exemption is available for communications with financially sophisticated plan fiduciaries. Please contact us to discuss how you can qualify for an exemption from fiduciary status and/or take necessary other action with respect to IRA and ERISA investors.
For more detailed information about the DOL fiduciary rule, please read our Alert.
The new EU data protection framework, called the General Data Protection Regulation (GDPR), will take effect in May 2018. These new laws will significantly impact any companies doing business in Europe, even those without a physical EU presence (e.g., U.S. companies targeting Europe). If you have a website, use customer or staff data, or engage in almost any form of marketing, you will likely be caught. The new, very high fine levels for breaches and the need to be able to prove compliance mean companies, regardless of size, must take steps now to prepare.
If you would like to explore whether and how this law may impact you, please contact Pillsbury Partner Rafi Azim-Khan (Data Privacy Europe) or the investment management attorney you work with.