February 12, 2018: Investment advisers recommending mutual fund shares to advisory clients may have a disclosure problem. And yes, the U.S. Securities and Exchange Commission (“SEC”) is here to help address the problem. Yesterday the Commission announced its new self-reporting initiative, the Share Class Selection Disclosure Initiative (“SCSD Initiative”), to provide relief to advisers that have engaged in improper mutual fund recommendations on behalf of their clients. This initiative, forgiveness if you will, relates to certain mutual fund share class selections made by advisers relative to the formulation and execution of investment advice. If the offending firm promptly fesses up to the Division of Enforcement and promptly returns any non-compliant fees to harmed clients, the Division will agree not to recommend financial penalties against such advisers for violating federal securities laws. Read More
February 7, 2018: We wish our clients and colleagues a very prosperous new year and, this being the kickoff of 2018, we are all once again bestowed with the SEC National Exam Program Examination Priorities for the coming year! We believe this informal guidance, announced February 7, 2018, can be helpful to Chief Compliance Officers as they recalibrate their compliance programs to adjust for business model evolutions or to realign their own compliance priorities following the 2017 annual review.
The following is a synopsis of the 2018 SEC examination priorities, abridged to present content pertaining primarily to investment advisers. The strategy and principles content has been extracted directly from the release to provide appropriate context to the Commission’s strategic and tactical execution of their mission. Read More
November 27, 2017: The U.S. Securities and Exchange Commission (“SEC”) was established by an Act of Congress to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. Compliance with the Investment Advisers Act, the Investment Company Act, and other federal securities statutes is highly dependent upon the adviser’s capacity to fully appreciate where the SEC is headed when they contemplate a deficiency letter, enforcement action, or referral to the Department of Justice. For investment advisers, all aspects of the SEC mission statement have a direct correlation to the adviser’s business model, i.e., the non-compliant registered investment adviser presents an ongoing threat to undermine the Commission’s execution of its mission statement and therefore attracts significant resources and scrutiny from the regulator.
Fiscal year 2017 was by all accounts a successful year for the SEC’s Division of Enforcement. The Commission brought 754 actions and obtained judgments and orders totaling more than $3.7 billion in disgorgement and penalties. Significantly, it also returned a record $1.07 billion to harmed investors, suspended trading in the securities of 309 companies, and barred or suspended more than 625 individuals. Read More
September 14, 2017: The SEC Advertising Rule 206(4)-1 governing investment advisers is perhaps the most challenging aspect of the investment adviser regulatory regime. The fact that it is a component of the anti-fraud provisions of the Investment Advisers Act makes it only more so. Read More
August 17, 2017: Earlier this week, the Division of Investment Management of the U.S. Securities and Exchange Commission (“SEC”) issued IM Information Update 2017-06, directed to investment advisers filing Form ADV updates. As widely reported, in August 2016, the Commission adopted amendments to Form ADV with a compliance date of October 1, 2017. As of that date, any adviser filing an initial Form ADV or an amendment to an existing Form ADV will be required to provide responses to the form revisions adopted in the rulemaking. Read More
August 7, 2017: The U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) has released results of its Cybersecurity 2 Initiative. In this Initiative, National Examination Program Staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The OCIE Cybersecurity 2 Initiative examinations involved more validation and testing of procedures and controls attendant to cybersecurity preparedness than was previously performed in OCIE’s 2014 Cybersecurity 1 Initiative. Read More
June 26, 2017: As reported last year, on August 25, 2016, the U.S. Securities and Exchange Commission (“SEC”) adopted a series of rule amendments that will impact all federally-registered investment advisory firms. Specifically, the SEC is requiring additional Form ADV disclosures for registered investment adviser (“RIA”) firms related to separately managed accounts, social media accounts, types of clients, branch offices, and the use of an outsourced Chief Compliance Officer (“CCO”). The effective date of the new requirements is October 1, 2017. Therefore, any SEC-registered RIA filing an amendment beginning in October 2017, will be required to provide additional information on Form ADV Part 1. Read More
May 17, 2017: The SEC just issued a Risk Alert (Cybersecurity: Ransomware Alert) to investment advisers and broker dealers informing them of the targeting of companies by hackers propagating a new and aggressive ransomware. On May 12, 2017, this attack, referred to as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across over one hundred countries. The WannaCry ransomware infects computers with a malicious software that encrypts computer users’ files and demands payment of ransom to restore access to the locked files.
Initial reports indicate that the hackers that perpetrated the attack are gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows Server Message Block version 1 vulnerability. Most significantly, some networks have been affected through phishing emails and malicious websites.
To protect against the WannaCry threat, investment advisers are urged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed. The Microsoft patches to prevent the infection have been available since March for supported operating systems. In addition, within 24 hours of the attack, Microsoft had provided the necessary security patch for non-supported Windows XP. This highlights the need to keep current operating systems and have a disciplined and managed patching strategy.
This latest Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis. SEC staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.
On the broader topic of cybersecurity, OCIE’s National Examination Program staff recently examined 75 SEC registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness. The SEC observed a wide range of information security practices, procedures, and controls across the industry, varying greatly based on registrant operations, lines of business, risk profiles, and enterprise size.
The following observations gleaned from this sweep certainly informed this week’s SEC guidance relative to mitigating the cyber security risk posed by WannaCry ransomware, especially with respect to small and mid-sized registrants:
- Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
- Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
- System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.
The Commission has provided guidance and information that firms must consider when addressing cybersecurity risks and response – https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf . While not a functional regulator for advisers, FINRA has also provided guidance which is especially useful for smaller enterprises with commensurately smaller cyber risk profiles – http://www.finra.org/industry/cybersecurity.
For the past two years, Horrigan Resources has partnered with an IT specialist to offer cybersecurity risk assessments to our clients. Although each firm presents unique risks and challenges, the overarching themes relative to risk mitigation have been rapid response to red flags, and swift handling of ‘low hanging fruit’. Risk mitigation may entail material capital expenditure over time however the key is to know and triage risk, recognize that cyber risk management is ongoing and continuous, and be proactive.
Not unlike compliance, attaining a secure IT environment is a journey without a destination. Continuous and prudent attention to business risk, awareness of the threat environment, and ongoing employee training and awareness are great starting points to reduce cyber risk. Follow this link for the Risk Alert: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.
May 19, 2017
prepared by Horrigan Resources, Ltd.
Not customized advice. Not legal advice.
 See, U.S. Department of Homeland Security/ U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“U.S. Cert Alert TA-132A”).
April 9, 2017: The U.S. Securities and Exchange Commission (“SEC”) recently announced that ten investment advisory firms agreed to pay penalties in the tens of thousands of dollars to settle charges that they violated Rule 206(4)-5 (the “Pay-to-Play Rule”) under the Investment Advisers Act of 1940. The SEC charged the firms with receiving compensation for investment advisory services that they provided for managing public pension fund assets within two years of the firms’ covered associates having made prohibited campaign contributions.
In the aftermath of the California and New York pension scandals, the Pay-to-Play rule made it illegal for employees of regulated firms to make contributions to elected officials to influence the awarding of contracts to manage public pension plan assets and other government investment accounts. The presumption is that such practices result in higher fees for inferior advisory services because the advisory contracts are not negotiated at arm’s length.
The rule itself is fairly direct … investment advisers registered, or required to register, with the SEC, or which are “exempt reporting advisers” to private funds or venture capital funds, may not receive compensation for providing investment advice to government entities for two years after the adviser or its covered associates make direct or indirect contributions to officials of such governments who are responsible for hiring investment advisers.
A “covered associate” of an investment adviser is defined in Rule 206(4)-5(f)(2) as: (i) any general partner, managing member or executive officer, or other individual with a similar status or function; (ii) any employee who solicits a government entity for the investment adviser and any person who supervises, directly or indirectly, such employee; and (iii) any political action committee controlled by the investment adviser or by any of its covered associates. The rule also prohibits covered investment advisers or their covered associates from providing or agreeing to provide, directly or indirectly, payment to any person to solicit a government entity for investment advisory services on behalf of an adviser, unless that person is a regulated person as defined by Rule 206(4)-5(a)(2)(i)(A).
There are three exceptions to the Pay-to-Play Rule wherein covered associates of a firm (not the firm itself) may contribute to current or prospective clients of the firm which are government entities without fear of violating the rule. They include the following:
¨ De minimis contributions: covered associates, who are natural persons, may contribute up to $350 per election to an official for whom that covered associate is entitled to vote, and a maximum contribution of $150 for any other official.
¨ New covered associates: provides an exception for certain covered associates who made a contribution more than six months prior to becoming a covered associate of the current adviser; this exception is not valid for associates that engage in distribution or solicitation activities with a government entity on behalf of the adviser, where in such case, the time-out period is two years.
¨ Returned contributions: an adviser will not be in violation of the rule if the contribution in question is returned to the contributor within the stipulated grace period. Reliance on this exception is subject to the following additional conditions:
¨ Advisers with more than 150 registered persons may rely on this exemption three times in a calendar year;
¨ Advisers with less than 150 registered persons may rely on this exemption twice a year;
¨ The exemption may only be used once for the same registered person;
¨ The excess contribution is discovered within four months of the initial conveyance to the political office holder/aspirant; and
¨ The contribution is returned to the donor within 60 days of its discovery.
The SEC findings affirmed that ten advisory firms violated the two-year timeout period wherein they accepted advisory fees from city or state pension funds after their covered associates made campaign contributions to candidates or elected officials. The ten firms were required to pay penalties ranging from $35,000 to $75,000 and forego compensation for two years from such government entities.
Several key factors make these settlements particularly noteworthy and instructive, namely:
- The contributions in question were small.
- Several of the advisers charged were only “exempt reporting advisers”.
- Several of the advisers charged had obtained returns of the prohibited contributions.
The amount of the contributions made in all cited cases was relatively small and in most cases only a few hundred dollars above the permissible limit. A few of the advisers contributed a total of $500, and in one instance a covered associate of the adviser made a contribution $50 over the de minimus limit. Of significant import … there appears to have been no specific indication that these contributions were made as part of a quid pro quo arrangement or attempt to induce an investment by a government entity.
Of the ten enforcement actions, the contributions in question were made to a state governor or candidate for governor in six instances, while in two cases, the contributions were made to the mayor of New York City. While these political office holders/aspirants fall within the rule’s technical definition of “elected official”, many CCOs find it surprising that the SEC chose to focus its enforcement efforts on donations to such offices to the extent that Pay-to-Play is intended to thwart political contributions to political players who truly influence the awarding of asset management contracts by public funds. Nevertheless, regardless of how tenuous the office holder/aspirant’s connection is to the asset management protocol for a given political jurisdiction, the SEC is making clear that advisers and their covered associates must toe the line as it relates to Pay-to-Play compliance.
These enforcement actions should compel CCOs and covered associates alike to review their Pay-to-Play policies and procedures to avoid penalties and sanctions.
NOT LEGAL ADVICE
Horrigan Resources, Ltd.
Wexford, Pennsylvania 724-934-0129 www.horriganresources.com
March 9, 2017: The law of unintended consequences has struck again … this time its target is the investment advisory community wherein advisers who eschew custody and indeed have written policies which prohibit custody, may in fact retain custody and therefore be noncompliant with U.S. Securities and Exchange Commission (“SEC”) Rule 206(4)-2 pursuant to the Investment Advisers Act of 1940, as amended (“Advisers Act”).
The occurrence of unintended custody is a process wherein the custodian and the client, without adviser participation or direct knowledge, execute a custodian agreement which conveys to the adviser access to client funds. Advisers prohibiting client custody under this scenario are now deemed to have client custody. If you are such an adviser, the SEC wants you to know that your firm has the obligation to fully comply with Custody Rule 206(4)-2. Read More