This case reads like a compliance what-not-to-do handbook. Conflict of interest? Check. Undisclosed payola? Check. Reducing client returns? Check. Failing to implement procedures or testing? Check. Dual-hat, conflicted CCO? Check. Ignoring OCIE deficiencies? Check. The adviser has already withdrawn to state registration. We expect a bleak litigation future for these alleged wrongdoers.
New FAQs for Regulation Best Interest and Form CRS provide guidance on how to handle accredited investors, what is a “recommendation”, how to define “retail investor”, and how to address affiliate services. RIAs and BDs must apply Regulation BI and send Form CRS to accredited investors because the definition of retail investor does not exclude high-net-worth natural persons and accredited investors, according to the SEC’s Trading and Markets staff. A retail client does not include a professional legal representative (e.g., an RIA or BD) of a retail client but would include non-professional legal representatives (e.g., trustees, executors, attorneys-in-fact). The FAQs also address several affiliate relationships, generally allowing the use of a single Form CRS so long as you can fit all the required disclosure in 4 pages. Certain investor education – general information about retirement planning, minimum distributions – would not be considered a recommendation. An RIA that provides services solely to another RIA would not have to deliver a Form CRS to its client’s retail clients.
Because the Form CRS is new and the “best interest” standard has no common law history (like the fiduciary standard), the SEC has its work cut out to define what’s required. Compli-pros must keep watch for future FAQs as the staff has already published three sets of FAQs since November.
The Chief Compliance Officer must be “competent and knowledgeable” in the Advisers Act, according to the compliance rule’s adopting release. An unqualified CCO in and of itself violates the compliance rule and can result in significant firm and personal liability. Every firm should retain a third-party CCO firm or hire a qualified regulatory professional. Appointing whoever drew the short straw at the management meeting won’t cut it with the SEC.
A family office was censured and fined for failing to implement procedures to prevent the misuse of material nonpublic information. The firm’s business model involved buying small-cap stocks and conducting research through contact with insiders and investment bankers. Because it frequently obtained material nonpublic information, the firm’s policies required the Chief Compliance Officer to maintain a restricted list of companies in which neither the firm nor its covered persons could invest. The SEC asserts that the CCO did not maintain or timely update a restricted list, relying instead on ad hoc communications and changes to the order management system. The SEC also faults the firm for relying solely on the CCO, because nobody communicated restrictions when he was out of the office or failed to communicate them. Additionally, the SEC faults the firm because it relied on insiders reporting potential restricted securities rather than implementing a monitoring system. The firm’s owner, founder and managing member owned 60% of the firm’s assets under management.
Compliance is a series of procedures and processes, not a person. Just because your policies designate a person responsible doesn’t mean you have satisfied your compliance obligation to implement reasonable policies. It is also notable that the SEC fined this firm for weak policies even though it did not allege that the firm or its principal actually engaged in insider trading.
Avoiding required registration will not go unnoticed for long. Eventually, the state securities regulators or the feds will find you. Your risk goes up exponentially if an aggrieved client has lost money or a competitor raises eyebrows.
Today, we offer our “Friday List,” an occasional feature summarizing a topic significant to investment management professionals interested in regulatory issues. Our Friday Lists are an expanded “Our Take” on a particular subject, offering our unique (and sometimes controversial) perspective on an industry topic.
We made it down to Hollywood, Florida this week for Inside ETFs, the annual self-congratulatory industry confab of everything ETFs. We saw issuers big and small, service providers, advisers, and technologists. There were also some pretty cool special guests like Barney Frank and Derek Jeter. We took in a lot of information over three days of sessions and networking. For those who couldn’t make it (or for those who may have, ahem, missed a few of the sessions), we offer the ten most interesting things we learned at the conference.
10 Interesting Things We Learned at Inside ETFs
Zero fees: Competition helps firms with scale but investors should consider hidden costs.
Service matters: Many investors/RIAs are willing to pay more for service.
Quality: Low expenses get you in the game, but performance may ultimately keep you there.
Active and non-transparent: Active ETFs are not new, but non-transparent ETFs are changing the industry.
ESG: ESG is a screen applied to almost any equity strategy rather than a strategy unto itself.
Model portfolios: Model portfolios are better tools that RIAs can use; they don’t replace the RIA.
Niche marketing: Smaller firms have to define a niche to attract clients. A niche is a small enough cohort to differentiate but large enough to sustain growth.
Fixed income: With uncertain economic conditions, fixed income ETFs are likely to become a more significant part of the industry.
Mission investing: Interest group-focused products such as the LGBTQ fund will target investors looking to use their money for more than just yield.
Our daughters will rule the world: Julian Guthrie’s Alpha Girls provides a “see it so you can be it” template for high-performing women in male-dominated industries.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has published a report of cybersecurity best practices. The report advises registrants to assess their cybersecurity practices in seven key areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response, vendor management, and training. Citing industry best practices, OCIE advises firms to conduct risk assessments; adopt, implement and test policies and procedures; restrict access; inventory the location of data; conduct vulnerability scanning; implement patches; encrypt networks; create an incident response plan; and supervise vendors. OCIE recommends following guidance from the Cybersecurity and Infrastructure Security Agency as well as the National Institute of Standards and Technology. OCIE identifies cybersecurity as “a key risk for security market participants” and a “key priority” for exams.
Cybersecurity transcends merely hiring a random IT firm to conduct a penetration test. OCIE requires a firm-wide governance and compliance infrastructure. Our firm, in conjunction with Align Cybersecurity, includes a cybersecurity assessment and remediation plan in our compliance outsourcing service.
Don’t allow your portfolio managers to play regulatory Jenga. Very often, former private fund managers have a hard time abiding by the strictures imposed by the Advisers Act and the Investment Company Act. Firms should impose heightened supervision and training to ensure that hedge fund PMs understand the limitations.
When selling investment products, you cannot merely disclose the good facts. In this case, the respondent may not (or may) have known the investments were Ponzi schemes, but he did have enough facts to suspect and should have warned potential investors.