The Mid-Year Regulatory Update: Crisis, Volatility and More Regulation

Originating as a regional initiative to uncover abuses of so-called “alternative data” used to inform models and investment decisions, EXAMS recently expanded the focus on this compliance risk to make it a national priority. The regulators’ primary focus is to determine whether RIAs have reasonably designed, implemented, tested and documented policies and procedures to address the risk posed using non-traditional or alternative data, including the risk that such data may contain, or can be combined with other data sets to contain, material non-public information or personally identifiable information. With the rapid deployment of artificial intelligence tools (AI), such as ChatGPT and BardAI, into all aspects of business, regulators are increasingly interested in understanding the risks posed by such new tools to the extent they are deployed by RIAs—particularly if used for investment research, modeling or decision-making. The regulators have already made it clear that alternative data providers/vendors who allegedly misrepresent the way their data is compiled and aggregated, or who breach confidentiality obligations, would be subject to anti-fraud violations and hefty penalties. The SEC has demonstrated its willingness to charge RIAs who allegedly do not have reasonably designed MNPI controls or policies and procedures in place, even if the registrant is not alleged to have actually engaged in insider trading activity.

Mitigation Steps:

When it comes to alternative data, the RIA’s CCO should:

• Ensure that the firm has identified and mapped all areas where AI and alternative data is being used in the firm’s advisory business
• Conduct and document initial and periodic diligence to determine whether the data provider is legally obtaining and providing data that is compliant with regulatory obligations and contractual agreements
• Ensure compliance policies and procedures are tailored, implemented consistently and periodically tested, as well as calibrated to detect and respond to red flags.
• Have oversight over models that are fed by AI and alternative data

Fully enacted on November 4, 2022, the SEC examination and enforcement staff has identified compliance with the Marketing Rule as an area that poses significant regulatory risk, even though the rule itself and the corresponding guidance provided by the SEC arguably suffers from a lack of clarity and specificity in certain areas. By now, RIAs should have designed and implemented policies and procedures to address the applicable areas of the rule and trained supervised persons on how to adhere to the requirements. Basic “blocking and tackling” policies that address what is an “advertisement;” how to deal with materials that are redistributed by the RIA (but originated with a third-party); how to deal with extracted and hypothetical, targeted or projected performance, endorsements and testimonials; the documentation of marketing claims; and overall compliance with the anti-fraud and fair and balanced presentation requirements should be in place. Informal feedback provided by SEC examination officials for examinations to date seem to indicate that RIAs have at least adjusted their policies and procedures to account for the rule’s requirements, though deficiencies may be likely for alleged failure to adhere to those policies and procedures.

Certain registrants, especially private fund advisers, have encountered a significant pain point regarding the requirement to present net performance. It is clear that the SEC’s examination staff expects registrants to display net performance clearly and prominently at the deal or transaction level—including for client investments that have not yet been monetized or realized—leading some to criticize the rule for asking advisers to create and present ”fake net” calculations.

Mitigation Steps:

For investor communications that are deemed to be “advertisements” under the rule, advisers must ensure:

• They present net and gross performance “side-by-side” or with equal prominence, along with other conditions including material accuracy and documentary support
• Net performance is calculated over the same time period and using the same methodology as gross performance
• Assumptions and hypotheticals used in calculations are fully and fairly disclosed
• Reliance on permitted exclusions under the Interactive Analysis Tool provisions do not contain undisclosed hypotheticals and assumptions
• Disclosures regarding calculation methodology, assumptions and time periods should be robust and consistently applied across all marketing materials, due diligence questionnaire responses, firm websites, data rooms, third-party marketers and other forums where the adviser could be marketing to actual or prospective investors
• ADV disclosure forms are updated in accordance with the requirements

Registered Investment Companies (RICs) and their boards will need to ensure compliance with Rule 2a-5 of the Investment Company Act of 1940, which focuses on new requirements for fair value estimates. Among other areas, examination of RIAs generally will focus on conflicts of interest, calculation and allocation of fees and expenses, the impact of valuation practices at private equity funds and compliance with the new derivatives rule.

RIAs to private funds with specific risk characteristics will continue to receive a special focus. Such risk characteristics include: highly-leveraged private funds, private funds managed side-by-side with business development companies (BDCs), private equity funds that use affiliated companies and advisory personnel to provide services to their fund clients and underlying portfolio companies, private funds that hold certain hard-to-value investments (such as crypto assets and real estate-connected investments, with an emphasis on commercial real estate), private funds that invest in or sponsor Special Purpose Acquisition Companies (SPACs) and private funds involved in adviser-led restructurings (including stapled secondary transactions and continuation funds).

Mitigation Steps:

RICs and RIAs can best prepare for examinations by:

• Ensuring that they understand new rules (such as Rule 2a-5)
• Creating policies that address the risks noted above
• Undertaking procedures to verify compliance with established policies
• Obtaining independent valuation support, fairness opinions, mock reviews of fees, expenses and other compliance requirements

Often RICs and RIAs embark upon new investment strategies or modify existing processes without fully updating policies and procedures. With the complexity of investments and the interworking of agreements with investors, the need for rigor in valuing investments and ensuring compliance with rules and regulations is expanding. The objectivity brought by an experienced qualified independent third-party adviser can be invaluable in improving the robustness of complying with established rules and policies.

The SEC initially added ESG issues to its priority list in 2022. The focus then was on misleading or false disclosures and misinformation given to investors regarding ESG-related advisory services and investment products. In 2023, ESG investing continues to be an area of attention. Many RIAs and registered funds continue to offer and evaluate investments that employ ESG strategies. The SEC is focused on whether funds are conducting activities in accordance with what is disclosed to investors. The SEC will also focus on the appropriateness of ESG labels on products and whether recommendations of ESG products are made in the best interest of the investors.

The SEC has already announced two enforcement actions demonstrating the risks to RIAs for allegedly not adhering to Advisers Act rules governing ESG claims. In the first instance, an RIA was sanctioned for allegedly failing to perform ESG quality reviews that it represented or implied would be performed in connection with investments on behalf of mutual funds it managed. Secondly, the SEC sanctioned another RIA for allegedly failing to have written policies and procedures for ESG research and for failing to consistently follow such procedures when they existed. Each case involved monetary penalties and violations of either the anti-fraud provisions or the Compliance Program rules.

Mitigation Steps:

The SEC will expect RIAs to have a well thought out ESG program, which includes consistency across documentation and the ability to provide evidence of a process that consistently follows the ESG investment program. RIAs and funds that are offering ESG-related investment products or services should be sure to:

• Properly label their offerings in a manner that is consistent with the activity being conducted
• Have proper disclosures regarding the activity and investment process of ESG-related products
• Closely review and monitor advertising, marketing, ESG statements and other disclosures related to ESG factors
• Provide both a clear and reasonable nexus between their ESG statements and disclosures as well as the existence and effectiveness of their actual ESG-aligned policies, procedures, goals, targets and commitments 

RIAs should expect an increase in due diligence from existing and prospective investors, both initially and ongoing, to ensure that the firms are adhering to their ESG commitments and providing proper disclosure and reporting. Relatedly, firms that claim to incorporate ESG factors within their investment thesis and strategies—whether on an integrated, ESG-focused or impact basis—must be able to:

• Articulate, document and demonstrate the degree and manner in which each specific ESG factor has been incorporated into their investment policies and procedures
• Ensure statements made about ESG are proportional to the way ESG factors are incorporated into investments

Historically, the SEC’s annual examination priorities for broker-dealers and exchanges have focused on ensuring regulatory compliance generally and on fair and orderly securities markets. It is therefore no surprise that the SEC has once again prioritized broker-dealer and RIA compliance with Regulation Best Interest (Reg BI).

The SEC’s 2023 examination priorities, recent enforcement actions and other regulator comments project the SEC’s belief that compliance with Reg BI remains inadequate across the industry. Among the standards of conduct imposed by Reg BI, the SEC is seemingly more focused on those related to conflicts of interest and full and fair disclosures. Thus, broker-dealers should expect to see a high volume of investigative focus in these areas.

Reg BI makes clear that broker-dealers must establish, maintain and enforce written policies and procedures that are reasonably designed to identify and, at a minimum, disclose or eliminate conflicts of interest. In preparing for regulatory examinations, firms should keep in mind that mitigating certain conflicts of interest is a large part of this obligation (if not otherwise eliminated).

Mitigation Steps: 

To be effective, the SEC has previously noted that a broker-dealer’s policies and procedures regarding conflicts of interest should include:

• How firms identify and address conflicts
• Systems and processes to escalate conflicts and identified instances of non-compliance
• Designated business line personnel responsible for supervision
• Periodic reviews and system testing

Firms should also:

• Take an inventory of conflicts of interest and be prepared to show a reasonable basis for how conflicts are identified, escalated and addressed
• Incorporate operations and compliance teams into review and monitoring processes
• Understand and be able to answer questions concerning any AI and/or algorithms that the firm may be utilizing to identify and resolve conflicts of interest and be prepared to answer questions about why processes are in place

The SEC has made it clear that retail customers cannot waive disclosure obligations and that Reg BI is meant to impose more explicit and broader disclosure obligations than previously existed for broker-dealers. With that in mind, broker-dealers should take a fresh look at the terms used in its disclosures, keeping in mind those that the SEC has recently called out as potentially unfair or misleading. 

The SEC—along with other federal and state-level regulators—has made it clear that they understand cyber-related issues can have a material and sudden impact on an organization’s ability to function. The depredations that come with ransomware can almost instantly disable a company. What they have recognized is that operational resiliency—the ability to get through incidents and continue to operate—is closely associated with having an effective cybersecurity plan, a cyber-incident response plan and thorough service continuity and restoration plans.

Not having evidence of a competent risk assessment, appropriate prevention and response policies and compliance documentation to assure plans are operating as intended should be unacceptable. Too often, a post-incident review shows that standards and controls are more aspirational than actual. Management ultimately must take responsibility for assuring that their cybersecurity is operating in a commercially reasonable manner and that it is continuously updated in light of the rapid evolution of risks and attack methodologies.

Mitigation Steps:

Cybersecurity is a complex discipline and firms should:

• Demonstrate that they have appropriate management and staffing—or appropriate outsourcing to gain access to important resources.
• Consider hiring a Chief Information Security Officer (CISO), or alternatively a shared CISO resource (commonly referred to as a “virtual CISO” or “vCISO”), who can perform a risk assessment and can review how the RIA’s cybersecurity program is protecting the firm, its clients and investors, and provides a sound basis for operational resilience.
• Consider engaging with Managed Security Providers to help put small programs (called “sensors”) in the firm’s end-user computers and servers, and remotely monitor them for indicators of threats or compromises. 
• Engage in continuous monitoring, which is considered a best practice in an increasingly dangerous world.
• Consider effective multi-factor authentication (MFA), recognizing that cyber-criminals have developed strategies for defeating some forms of MFA.

Cybersecurity has moved from a technical issue to a corporate and board-level focus, as well as a focus area for regulators and litigators. We expect that the SEC will, in the near-term, impose new rules requiring increased reporting and disclosures to the SEC and investors relating to significant cybersecurity incidents, as well as related recordkeeping and compliance program requirements. RIAs should  be prepared to pivot and enhance their compliance, testing and reporting infrastructure to be able to comply with these new rules, which are very likely to be imposed. 

Crypto or crypto-related assets offered, sold or recommended will be a special focus of the SEC, especially for those registrants who have never been examined before. This focus is even more intense in the digital assets space, with pressure from investors and many in Congress to have clear rules, and for the agency not to engage in “regulation by enforcement.” Specifically, the SEC said that its examiners will assess whether such market participants involved with crypto or crypto-related assets: met and followed the respective standards of care when making recommendations, referrals or providing investment advice, to the extent required; and routinely reviewed, updated and enhanced their compliance, disclosure and risk management practices.

Regulatory attention will also be placed on firms that operate digital platforms which employ digital engagement tools or ‘game-like’ features to attract investors and induce trading. Regulators will assess whether: any recommendations were made or advice was provided (e.g., through the use of social media marketing and social trading platforms); representations are fair and accurate; operations and controls in place are consistent with disclosures made to investors; any advice or recommendations are in the best interest of the investor (taking into account the investor’s financial situation and investment objectives); and risks associated with such practices are considered, including the impact these practices may have on certain investors, such as seniors.

Mitigation Steps:

Recognizing the strong, ongoing SEC interest in policing securities offerings involving cryptocurrencies and digital assets, RIAs that invest client assets in this space should:

• Be prepared to demonstrate to the regulator that they are free of undisclosed conflicts.
• Have properly diligenced, valued, and custodied such investments, and that they are acting in the best interest of the clients in making the recommendations.
• Consider the selection of a qualified and sound custodian to protect client assets.
• Have robust defensive policies and practices, to address the increased cybersecurity risk posed to digital assets.

The compliance risk and SEC interest is unlikely to be extinguished in the short-term, especially if the SEC passes amendments to the custody rule to broaden its application to include any client asset in an RIA’s possession or when such adviser has authority to obtain possession of client assets—side stepping any debate over whether cryptocurrencies and digital assets meet the legal definition of a security.