2015 has been a very interesting year for Compliance folks. Some of the topics receiving big play this past year included:
- The Department of Labor’s Fiduciary Rule;
- The SEC’s emphasis on cybersecurity;
- The Financial Crimes Enforcement Network’s (“FinCEN”) proposed AML Rule for Investment Advisers;
- CCO liability; and
- Third Party Compliance Reviews.
Where do we stand on each of these issues at the beginning of 2016?
The Fiduciary Rule was first proposed in 2010, withdrawn in 2011 due to the fierce opposition, then re-proposed in April of 2015, receiving over 2,500 comments. Although originally expected to be finalized before the end of 2015 and effective in early 2016, the latest projection I have seen indicates that the push will be to have the rule finalized by the end of 2016 and effective in the first few weeks of 2017.
The SEC is expected to be pushed to have its own version of a Fiduciary Rule by the end of 2016, which may cause Congress to require the agencies to reconcile both of these Rules. I am concerned about what that would look like!
The SEC talked about cybersecurity in 2011, made it an examination priority in January 2014, held an SEC Roundtable on Cybersecurity in March 2014, announced that OCIE would conduct examinations to identify cybersecurity risks in April 2014, gave us the results of those examinations in February 2015, and issued a Risk Alert in September 2015, with the continuation of focused cybersecurity examinations.
Also in September 2015, the SEC brought an action against an advisory firm for not adopting written policies and procedures that are reasonably designed to safeguard customer records and information. The proof that those policies and procedures were not reasonably designed lay in the third-party-hosted web server being breached. The firm was censured and assessed a $75,000 civil money penalty, although there was no indication that any client suffered any financial harm as a result of the breach.
This suggests that the SEC is indeed serious about cybersecurity and will continue to remind the industry of its responsibilities in this regard, even though there is no rule directly addressing cybersecurity. It appears that having a breach somehow indicates that your policies and procedures are inadequate, but FBI personnel have indicated that anyone can be hacked, including agencies of the federal government.
Is there the potential for a rule here?
In 2006, FinCEN’s Anti-Money Laundering Rules became effective for broker-dealers and other covered financial institutions. Fortunately, investment advisers were not included among the entities to which the Rules applied, but that changed in 2015. The proposed AML Rule is very similar to the AML Rule already adopted for broker-dealers and investment companies and will require investment advisers to have a program in place, six months from the effective date of the Rule, that requires the adviser to:
- establish and implement policies, procedures, and internal controls;
- provide for independent testing by qualified company personnel or a qualified outside party;
- designate a person responsible for implementing and monitoring the program; and
- provide ongoing training for appropriate personnel.
If an AML case has been brought against an investment adviser, I must have missed it. This looks like extra work and expense for very little gain, if any.
What can I say? CCO liability has been all over the place: the CCO had a target on his/her back; the CCO was the SEC’s eyes and ears in the firm; or the CCO would only be liable if directly involved in the violation or should have identified and stopped the violation.
We heard from Buddy Donohue, the SEC’s Chief of Staff, in a speech on October 14, 2015 at the NRS Annual Conference. According to Donohue, there are generally three scenarios in which staff recommended enforcement action against CCOs: when they had “(1) affirmatively participated in the misconduct; (2) helped mislead regulators; or (3) had clear responsibility to implement compliance programs and policies and wholly failed to carry out that responsibility.”
I interpret (3) to mean that the CCO either didn’t identify the misbehavior, or identified it but did not adequately address it. I have had this discussion with many compliance professionals over the years, and we have been unable to decide which is the greater failing, not finding it, or finding it and not fixing it.
This has been a concern of the SEC and the industry for several years, since, regardless of the resources allocated to the SEC’s examination program, it has not been able to keep up with the growth of the industry, but only able to examine approximately 10% of the registered investment advisers annually. Additionally, the examinations have become more complex with the addition of new rules. When I started as an examiner at the SEC in 1988, the exam request list was only one page (I think there were eleven items on it), and only one policy was required to be written: Insider Trading. We are a long way from that now, with request lists as long as 20 pages and required written compliance policies and procedures to address all of the firm’s risks.
At the SIFMA Conference on March 17, 2015, SEC Chair Mary Jo White indicated that, absent additional funding for the SEC, she would consider the possibility of outsourcing the examination of investment advisers to third parties. The SEC oversees about 25,000 market participants, including almost 12,000 advisers; 10,500 mutual funds and ETFs; nearly 4,500 broker-dealers; and about 450 transfer agents. It also oversees 18 national securities exchanges, 10 credit rating agencies, and 8 active registered clearing agencies, as well as the Public Company Accounting Oversight Board (PCAOB), Financial Industry Regulatory Authority (FINRA), Municipal Securities Rulemaking Board (MSRB), the Securities Investor Protection Corporation (SIPC), and the Financial Accounting Standards Board (FASB).
A recent Financial Advisor-IQ poll found that 62% of respondents said they were opposed to outsourcing exams because they don’t trust such third parties and don’t want to pay for outsourcing, but the poll also indicated there are some out there in favor of outsourced exams. If the SEC does outsource exams and the adviser is expected to pay for the exam, many folks think the adviser should be able to pick the third party and let a competitive market set the price.
- Would the SEC require every registered investment adviser to have a third party examination on some regular basis?
- Would the SEC publish a list with the names of firms considered competent to conduct examinations?
- How would the SEC or the adviser determine those third parties qualified to conduct the examination?
- Would the third party be required to send a copy of a report to the SEC’s local office?
Many more questions like these would need to be addressed before this plan could be implemented. Is the SEC including answers to the questions as they develop this program? Are they going out to the industry or some of those third party examiners to get comments, or will they publish a plan and ask for comments? Trust me, whatever they decide to do, there will be many waiting and willing to provide suggestions.
At the “SEC Speaks” conference in February, Chair White identified strengthening asset managers as one of the core initiatives for 2015.
The Staff’s goals for 2015 were to:
- modernize and enhance data reporting for both funds and investment advisers;
- require registered funds to have controls in place to more effectively identify and manage the risks related to the diverse composition of their portfolios, including liquidity management and the use of derivatives in mutual funds and ETFs; and
- focus on planning for the impact of market stress events, or when an adviser is no longer able to serve its clients.
I suggested that the industry response to these initiatives would tend to be negative, as many folks have indicated that the SEC’s estimates of time required for the production of information (that may not be maintained in the format that the SEC requires) are not accurate. There are also many who would like to see the SEC perform some cost/benefit analysis for the requirements of any new rules.
Since many of these are carry-overs from prior years, we can expect many of them to reappear in 2016, not to mention the fact that the SEC still has rules required by Dodd-Frank that have not been proposed. 2016 appears to be another busy year for compliance, but I think we have all been expecting it. I also have to say that many of these rules have nothing to do with managing money.