SEC Risk Alert – Frequent Fee and Expense Deficiencies in Adviser Exams

April 12, 2018:  The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert to highlight recurrent deficiencies observed in their recent examinations of investment advisers’ policies and procedures governing client fee and expense assessments. The deficiencies were identified by OCIE while conducting more than 1,500 investment adviser examinations over the past two years.  This Risk Alert emphasizes the importance of advisers’ provision of clear and thorough disclosures in Form ADV and client investment advisory agreements.  The Risk Alert further underscores prior Commission guidance relating to adviser obligations to develop, implement, and test effective risk-based compliance policies to minimize the risk of misrepresentation in client communications and the risk of misappropriation in the management of client assets.

Most Frequent Compliance Issues – Advisory Fees and Expenses 

The following issues were deemed to be significant and prevalent in nature, although they do not constitute all fee and expense-related findings detected by OCIE.

SEC Announces Share Class Selection Disclosure Initiative

February 12, 2018: Investment advisers recommending mutual fund shares to advisory clients may have a disclosure problem. And yes, the U.S. Securities and Exchange Commission (“SEC”) is here to help address the problem. Yesterday the Commission announced its new self-reporting initiative, the Share Class Selection Disclosure Initiative (“SCSD Initiative”), to provide relief to advisers that have engaged in improper mutual fund recommendations on behalf of their clients. This initiative, forgiveness if you will, relates to certain mutual fund share class selections made by advisers relative to the formulation and execution of investment advice. If the offending firm promptly fesses up to the Division of Enforcement and promptly returns any non-compliant fees to harmed clients, the Division will agree not to recommend financial penalties against such advisers for violating federal securities laws.

SEC Issues 2018 Examination Priorities

February 7, 2018:  We wish our clients and colleagues a very prosperous new year and, this being the kickoff of 2018, we are all once again bestowed with the SEC National Exam Program Examination Priorities for the coming year!  We believe this informal guidance, announced February 7, 2018, can be helpful to Chief Compliance Officers as they recalibrate their compliance programs to adjust for business model evolutions or to realign their own compliance priorities following the 2017 annual review.

The following is a synopsis of the 2018 SEC examination priorities, abridged to present content pertaining primarily to investment advisers. The strategy and principles content has been extracted directly from the release to provide appropriate context to the Commission’s strategic and tactical execution of their mission.

Labor Department Officially Delays Start of Fiduciary Rule

December 4, 2017:  Last week, the Department of Labor (“DOL”) officially announced an 18-month extension for the start of key provisions of the Fiduciary Rule. DOL announced that the special Transition Period for the Fiduciary Rule’s Best Interest Contract Exemption (“BICE”) and the Principal Transactions Exemption, and the applicability of certain amendments to Prohibited Transaction Exemption 84-24 (PTEs), will move from January 1, 2018 to July 1, 2019. The extension gives DOL time to consider public comments, review the Fiduciary Rule and related exemptions, and coordinate with the U.S. Securities and Exchange Commission and other securities and insurance regulators. The delay underscores the DOL’s objectives of protecting retirement investors and avoiding unnecessary restrictions imposed upon retirement investors by financial service firms scrambling to fully implement the rule.

The DOL action leaves in place the Fiduciary Rule, effective June 9, 2017, including the revised definitions of fiduciary and investment advice that apply to ERISA plans and IRAs. The DOL’s action continues to recognize various exemptions permitted under the rule. Financial services organizations may rely on the BICE and the Principal Transactions Exemption if they satisfy the Impartial Conduct Standards. The impartial conduct standards, also referred to as the best-interest standard, which took effect on June 9, require fiduciary advisers to adhere to a best-interest standard when making investment recommendations, charge no more than reasonable compensation for their services, and refrain from making misleading statements.

2017 SEC Enforcement Division Playbook

November 27, 2017:  The U.S. Securities and Exchange Commission (“SEC”) was established by an Act of Congress to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation. Compliance with the Investment Advisers Act, the Investment Company Act, and other federal securities statutes is highly dependent upon the adviser’s capacity to fully appreciate where the SEC is headed when they contemplate a deficiency letter, enforcement action, or referral to the Department of Justice.  For investment advisers, all aspects of the SEC mission statement have a direct correlation to the adviser’s business model, i.e., the non-compliant registered investment adviser presents an ongoing threat to undermine the Commission’s execution of its mission statement and therefore attracts significant resources and scrutiny from the regulator.

Fiscal year 2017 was by all accounts a successful year for the SEC’s Division of Enforcement. The Commission brought 754 actions and obtained judgments and orders totaling more than $3.7 billion in disgorgement and penalties. Significantly, it also returned a record $1.07 billion to harmed investors, suspended trading in the securities of 309 companies, and barred or suspended more than 625 individuals.

SEC Issues Additional Guidance – Form ADV Updates

August 17, 2017:  Earlier this week, the Division of Investment Management of the U.S. Securities and Exchange Commission (“SEC”) issued IM Information Update 2017-06, directed to investment advisers filing Form ADV updates.  As widely reported, in August 2016, the Commission adopted amendments to Form ADV with a compliance date of October 1, 2017.[1] As of that date, any adviser filing an initial Form ADV or an amendment to an existing Form ADV will be required to provide responses to the form revisions adopted in the rulemaking.

SEC Risk Alert – Observations from Cybersecurity Examinations: OCIE Cybersecurity 2 Initiative

August 7, 2017:  The U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) has released results of its Cybersecurity 2 Initiative. In this Initiative, National Examination Program Staff examined 75 firms, including broker-dealers, investment advisers, and investment companies (“funds”) registered with the SEC to assess industry practices and legal and compliance issues associated with cybersecurity preparedness. The OCIE Cybersecurity 2 Initiative examinations involved more validation and testing of procedures and controls attendant to cybersecurity preparedness than was previously performed in OCIE’s 2014 Cybersecurity 1 Initiative.

SEC Division of Investment Management Issues New Form ADV FAQs

June 26, 2017:  As reported last year, on August 25, 2016, the U.S. Securities and Exchange Commission (“SEC”) adopted a series of rule amendments that will impact all federally-registered investment advisory firms. Specifically, the SEC is requiring additional Form ADV disclosures for registered investment adviser (“RIA”) firms related to separately managed accounts, social media accounts, types of clients, branch offices, and the use of an outsourced Chief Compliance Officer (“CCO”). The effective date of the new requirements is October 1, 2017. Therefore, any SEC-registered RIA filing an amendment beginning in October 2017, will be required to provide additional information on Form ADV Part 1.

SEC National Exam Program Risk Alert Cybersecurity: Ransomware Alert

May 17, 2017:  The SEC just issued a Risk Alert (Cybersecurity: Ransomware Alert) to investment advisers and broker-dealers informing them that hackers are targeting companies with a new and aggressive ransomware. On May 12, 2017, this attack, referred to as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across over one hundred countries. The WannaCry ransomware infects computers with malicious software that encrypts users’ files and demands payment of a ransom to restore access to the locked files.

Initial reports indicate that the hackers who perpetrated the attack are gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows Server Message Block version 1 vulnerability.[1] Most significantly, some networks have been affected through phishing emails and malicious websites.

To protect against the WannaCry threat, investment advisers are urged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team[2] and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems have been installed properly and on time.  The Microsoft patches to prevent the infection have been available since March for supported operating systems.  In addition, within 24 hours of the attack, Microsoft had provided the necessary security patch for non-supported Windows XP.  This highlights the need to keep operating systems current and to have a disciplined and managed patching strategy.

This latest Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis. SEC staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.

On the broader topic of cybersecurity, OCIE’s National Examination Program staff recently examined 75 SEC registered broker-dealers, investment advisers, and investment companies to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.  The SEC observed a wide range of information security practices, procedures, and controls across the industry, varying greatly based on registrant operations, lines of business, risk profiles, and enterprise size.

The following observations gleaned from this sweep certainly informed this week’s SEC guidance relative to mitigating the cybersecurity risk posed by WannaCry ransomware, especially with respect to small and mid-sized registrants:

  • Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.  However, ten percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The Commission has provided guidance and information that firms must consider when addressing cybersecurity risks and response – https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.  While not a functional regulator for advisers, FINRA has also provided guidance which is especially useful for smaller enterprises with commensurately smaller cyber risk profiles – http://www.finra.org/industry/cybersecurity.

For the past two years, Horrigan Resources has partnered with an IT specialist to offer cybersecurity risk assessments to our clients. Although each firm presents unique risks and challenges, the overarching themes relative to risk mitigation have been rapid response to red flags and swift handling of ‘low hanging fruit’. Risk mitigation may entail material capital expenditure over time; however, the key is to know and triage risk, recognize that cyber risk management is ongoing and continuous, and be proactive.

Not unlike compliance, attaining a secure IT environment is a journey without a destination. Continuous and prudent attention to business risk, awareness of the threat environment, and ongoing employee training and awareness are great starting points to reduce cyber risk. Follow this link for the Risk Alert: https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf.

May 19, 2017

prepared by Horrigan Resources, Ltd.

www.horriganresources.com

(724) 934-0129

Not customized advice. Not legal advice.

[1] See, U.S. Department of Homeland Security/ U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“U.S. Cert Alert TA-132A”).

[2] https://www.us-cert.gov/ncas/alerts/TA17-132A