At the half-way point in its fiscal year, the U.S. Securities and Exchange Commission (SEC) is accelerating and intensifying its aggressive examination, enforcement and rule-making initiatives for 2023. This poses significant regulatory and compliance risk, as well as costs, for both persons and entities that fall within the agency’s crosshairs. Undaunted by the current crisis in the banking sector, the meltdown in the digital asset market, the looming threat of recession, rising interest rates, inflation concerns and market volatility, the SEC continues to flex its regulatory powers. The agency has recently enacted or proposed a host of new rules related to: trading by corporate insiders, cybersecurity, custody of client assets, private funds, marketing, privacy, supervision of outsourced vendors, climate risk, valuation and derivatives, among others. Further, the Division of Examinations (EXAMS) is well under way in implementing its priorities when conducting compliance reviews of the variety of registrants that are subject to the SEC’s examination powers, including registered investment advisers, broker-dealers, exchanges and municipal advisers.
Kroll’s multi-disciplinary team of subject-matter experts has formulated the following eight compliance enhancements and related actionable strategies that we recommend to effectively address potential exposure to material examination deficiencies or public enforcement actions:
- Off-Channel Communications
- Alternative Data
- Marketing Rule
- Fund Valuation and Derivatives
- Environmental, Social and Governance (ESG) Investing
- Regulation Best Interest, Fiduciary Duty and Form CRS
- Information Security and Operational Resiliency
- Crypto-Assets and Emerging Financial Technologies
The SEC and other U.S. regulators expect registrants to have a robust compliance culture and to tailor compliance systems, processes and procedures in a manner that is risk-based and relevant to the registrant’s business. Our readers are encouraged to confer with their experts regarding local-area priorities, emerging risks, enforcement activity and agency risk alerts that may cause registrants to adjust their risk identification and compliance mitigation strategies.
The 8 Rules
Off-Channel Communications
Emboldened by their success in obtaining sanctions and over $1 billion in monetary penalties, mostly against broker-dealers, both EXAMS and the SEC’s Division of Enforcement have turned their attention to assessing the state of compliance with the books and records, compliance program and material non-public information (MNPI) controls at registered investment advisers (RIAs). While most registrants have policies and procedures in place to address the archiving and review of required information that is exchanged via electronic mail, recent enforcement inquiries and examinations reflect an ongoing concern by regulators that buy-side market participants may be engaging in business-related communications via a variety of messaging platforms—without the firms complying with the books and records, MNPI-controls and compliance program obligations under the Investment Advisers Act of 1940 (Advisers Act).
Putting aside noted differences between what qualifies as a required "book or record" that must be maintained for the prescribed period by RIAs and what is required for broker-dealers, the regulators are reviewing firms’ authorized communications and archiving systems—and in some instances, personal devices used for business purposes—to determine whether supervised persons are using chat and text messaging applications that have not been archived or reviewed by the RIAs. Use of these so-called “off-channel” communications platforms by senior-level personnel is viewed as an aggravating factor when the regulators assess the sanctions to be imposed and the remediation steps that must be taken if violations are uncovered.
As we indicated in an article published in early 2022, we are not aware of a perfect technology solution that can be deployed to ensure that RIAs meet their chat and text message-related books and records obligations in all circumstances. Registrants have to design, implement and test a set of reasonable policies and procedures that are tailored to the risk if they permit, or have reason to know, that their supervised persons are using such a medium for business purposes.
At a minimum, organizations must be prepared to:
- Demonstrate that they have reviewed and tailored the applicable policies and procedures governing the forms of permitted and non-permitted electronic communications tools
- Clearly define records that are required to be maintained and preserved as specified by the Advisers Act
- Foster a compliance environment where non-compliant personnel are accountable and where supervisors themselves are operating within the firm’s policies
- Provide periodic and documented training and reminders to firm personnel on the risks, policies and procedures related to the use of text messages and personal emails for business purposes
- Ensure systems are designed to prevent users from downloading any program they wish to use and require authorization requests for non-standard software
- Document the findings of any internal investigations conducted by or on behalf of the firm in the event of a breach of the electronic communications policies and procedures
Alternative Data
Originating as a regional initiative to uncover abuses of so-called “alternative data” used to inform models and investment decisions, EXAMS recently expanded the focus on this compliance risk to make it a national priority. The regulators’ primary focus is to determine whether RIAs have reasonably designed, implemented, tested and documented policies and procedures to address the risk posed by using non-traditional or alternative data, including the risk that such data may contain, or can be combined with other data sets to contain, material non-public information or personally identifiable information. With the rapid deployment of artificial intelligence (AI) tools, such as ChatGPT and BardAI, into all aspects of business, regulators are increasingly interested in understanding the risks posed by such new tools to the extent they are deployed by RIAs—particularly if used for investment research, modeling or decision-making. The regulators have already made it clear that alternative data providers/vendors who allegedly misrepresent the way their data is compiled and aggregated, or who breach confidentiality obligations, would be liable for anti-fraud violations and subject to hefty penalties. The SEC has demonstrated its willingness to charge RIAs who allegedly do not have reasonably designed MNPI controls or policies and procedures in place, even if the registrant is not alleged to have actually engaged in insider trading activity.
When it comes to alternative data, the RIA’s CCO should:
- Ensure that the firm has identified and mapped all areas where AI and alternative data are being used in the firm’s advisory business
- Conduct and document initial and periodic diligence to determine whether the data provider is legally obtaining and providing data that is compliant with regulatory obligations and contractual agreements
- Ensure compliance policies and procedures are tailored, implemented consistently and periodically tested, as well as calibrated to detect and respond to red flags
- Have oversight over models that are fed by AI and alternative data
Marketing Rule
With the Marketing Rule fully enacted on November 4, 2022, the SEC examination and enforcement staff has identified compliance with the rule as an area that poses significant regulatory risk, even though the rule itself and the corresponding guidance provided by the SEC arguably suffer from a lack of clarity and specificity in certain areas. By now, RIAs should have designed and implemented policies and procedures to address the applicable areas of the rule and trained supervised persons on how to adhere to the requirements. Basic “blocking and tackling” policies should be in place that address what is an “advertisement”; how to deal with materials that are redistributed by the RIA (but originated with a third party); how to deal with extracted and hypothetical, targeted or projected performance, endorsements and testimonials; the documentation of marketing claims; and overall compliance with the anti-fraud and fair and balanced presentation requirements. Informal feedback provided by SEC examination officials for examinations to date seems to indicate that RIAs have at least adjusted their policies and procedures to account for the rule’s requirements, though deficiencies may be likely for alleged failure to adhere to those policies and procedures.
Certain registrants, especially private fund advisers, have encountered a significant pain point regarding the requirement to present net performance. It is clear that the SEC’s examination staff expects registrants to display net performance clearly and prominently at the deal or transaction level—including for client investments that have not yet been monetized or realized—leading some to criticize the rule for asking advisers to create and present “fake net” calculations.
For investor communications that are deemed to be “advertisements” under the rule, advisers must ensure:
- They present net and gross performance “side-by-side” or with equal prominence, along with other conditions including material accuracy and documentary support
- Net performance is calculated over the same time period and using the same methodology as gross performance
- Assumptions and hypotheticals used in calculations are fully and fairly disclosed
- Materials that rely on the permitted exclusions under the Interactive Analysis Tool provisions do not contain undisclosed hypotheticals and assumptions
- Disclosures regarding calculation methodology, assumptions and time periods are robust and consistently applied across all marketing materials, due diligence questionnaire responses, firm websites, data rooms, third-party marketers and other forums where the adviser could be marketing to actual or prospective investors
- ADV disclosure forms are updated in accordance with the requirements
Fund Valuation and Derivatives
Registered Investment Companies (RICs) and their boards will need to ensure compliance with Rule 2a-5 of the Investment Company Act of 1940, which focuses on new requirements for fair value estimates. Among other areas, examination of RIAs generally will focus on conflicts of interest, calculation and allocation of fees and expenses, the impact of valuation practices at private equity funds and compliance with the new derivatives rule.
RIAs to private funds with specific risk characteristics will continue to receive a special focus. Such risk characteristics include: highly-leveraged private funds, private funds managed side-by-side with business development companies (BDCs), private equity funds that use affiliated companies and advisory personnel to provide services to their fund clients and underlying portfolio companies, private funds that hold certain hard-to-value investments (such as crypto assets and real estate-connected investments, with an emphasis on commercial real estate), private funds that invest in or sponsor Special Purpose Acquisition Companies (SPACs) and private funds involved in adviser-led restructurings (including stapled secondary transactions and continuation funds).
RICs and RIAs can best prepare for examinations by:
- Ensuring that they understand new rules (such as Rule 2a-5)
- Creating policies that address the risks noted above
- Undertaking procedures to verify compliance with established policies
- Obtaining independent valuation support, fairness opinions, mock reviews of fees, expenses and other compliance requirements
Often RICs and RIAs embark upon new investment strategies or modify existing processes without fully updating policies and procedures. With the complexity of investments and the interworking of agreements with investors, the need for rigor in valuing investments and ensuring compliance with rules and regulations is expanding. The objectivity brought by an experienced, qualified, independent third-party adviser can be invaluable in strengthening compliance with established rules and policies.
Environmental, Social and Governance Investing
The SEC initially added ESG issues to its priority list in 2022. The focus then was on misleading or false disclosures and misinformation given to investors regarding ESG-related advisory services and investment products. In 2023, ESG investing continues to be an area of attention. Many RIAs and registered funds continue to offer and evaluate investments that employ ESG strategies. The SEC is focused on whether funds are conducting activities in accordance with what is disclosed to investors. The SEC will also focus on the appropriateness of ESG labels on products and whether recommendations of ESG products are made in the best interest of the investors.
The SEC has already announced two enforcement actions demonstrating the risks to RIAs for allegedly not adhering to Advisers Act rules governing ESG claims. In the first instance, an RIA was sanctioned for allegedly failing to perform ESG quality reviews that it represented or implied would be performed in connection with investments on behalf of mutual funds it managed. In the second, the SEC sanctioned another RIA for allegedly failing to have written policies and procedures for ESG research and for failing to consistently follow such procedures when they existed. Each case involved monetary penalties and violations of either the anti-fraud provisions or the Compliance Program rules.
The SEC will expect RIAs to have a well-thought-out ESG program, which includes consistency across documentation and the ability to provide evidence of a process that consistently follows the ESG investment program. RIAs and funds that are offering ESG-related investment products or services should be sure to:
- Properly label their offerings in a manner that is consistent with the activity being conducted
- Have proper disclosures regarding the activity and investment process of ESG-related products
- Closely review and monitor advertising, marketing, ESG statements and other disclosures related to ESG factors
- Provide a clear and reasonable nexus between their ESG statements and disclosures and the existence and effectiveness of their actual ESG-aligned policies, procedures, goals, targets and commitments
RIAs should expect an increase in due diligence from existing and prospective investors, both initially and ongoing, to ensure that the firms are adhering to their ESG commitments and providing proper disclosure and reporting. Relatedly, firms that claim to incorporate ESG factors within their investment thesis and strategies—whether on an integrated, ESG-focused or impact basis—must be able to:
- Articulate, document and demonstrate the degree and manner in which each specific ESG factor has been incorporated into their investment policies and procedures
- Ensure statements made about ESG are proportional to the way ESG factors are incorporated into investments
Regulation Best Interest, Fiduciary Duty and Form CRS
Historically, the SEC’s annual examination priorities for broker-dealers and exchanges have focused on ensuring regulatory compliance generally and on fair and orderly securities markets. It is therefore no surprise that the SEC has once again prioritized broker-dealer and RIA compliance with Regulation Best Interest (Reg BI).
The SEC’s 2023 examination priorities, recent enforcement actions and other regulator comments project the SEC’s belief that compliance with Reg BI remains inadequate across the industry. Among the standards of conduct imposed by Reg BI, the SEC is seemingly more focused on those related to conflicts of interest and full and fair disclosures. Thus, broker-dealers should expect to see a high volume of investigative focus in these areas.
Reg BI makes clear that broker-dealers must establish, maintain and enforce written policies and procedures that are reasonably designed to identify and, at a minimum, disclose or eliminate conflicts of interest. In preparing for regulatory examinations, firms should keep in mind that mitigating certain conflicts of interest is a large part of this obligation (if not otherwise eliminated).
The SEC has previously noted that, to be effective, a broker-dealer’s policies and procedures regarding conflicts of interest should include:
- How firms identify and address conflicts
- Systems and processes to escalate conflicts and identified instances of non-compliance
- Designated business line personnel responsible for supervision
- Periodic reviews and system testing
Firms should also:
- Take an inventory of conflicts of interest and be prepared to show a reasonable basis for how conflicts are identified, escalated and addressed
- Incorporate operations and compliance teams into review and monitoring processes
- Understand and be able to answer questions concerning any AI and/or algorithms that the firm may be utilizing to identify and resolve conflicts of interest and be prepared to answer questions about why processes are in place
The SEC has made it clear that retail customers cannot waive disclosure obligations and that Reg BI is meant to impose more explicit and broader disclosure obligations than previously existed for broker-dealers. With that in mind, broker-dealers should take a fresh look at the terms used in their disclosures, keeping in mind those that the SEC has recently called out as potentially unfair or misleading.
Information Security and Operational Resiliency
The SEC—along with other federal and state-level regulators—has made it clear that they understand cyber-related issues can have a material and sudden impact on an organization’s ability to function. The depredations that come with ransomware can almost instantly disable a company. What they have recognized is that operational resiliency—the ability to get through incidents and continue to operate—is closely associated with having an effective cybersecurity plan, a cyber-incident response plan and thorough service continuity and restoration plans.
Not having evidence of a competent risk assessment, appropriate prevention and response policies and compliance documentation to assure plans are operating as intended should be unacceptable. Too often, a post-incident review shows that standards and controls are more aspirational than actual. Management ultimately must take responsibility for assuring that their cybersecurity is operating in a commercially reasonable manner and that it is continuously updated in light of the rapid evolution of risks and attack methodologies.
Cybersecurity is a complex discipline and firms should:
- Demonstrate that they have appropriate management and staffing—or appropriate outsourcing to gain access to important resources.
- Consider hiring a Chief Information Security Officer (CISO), or alternatively a shared CISO resource (commonly referred to as a “virtual CISO” or “vCISO”), who can perform a risk assessment, review how the RIA’s cybersecurity program is protecting the firm, its clients and investors, and provide a sound basis for operational resilience.
- Consider engaging with Managed Security Providers to help put small programs (called “sensors”) in the firm’s end-user computers and servers, and remotely monitor them for indicators of threats or compromises.
- Engage in continuous monitoring, which is considered a best practice in an increasingly dangerous world.
- Consider effective multi-factor authentication (MFA), recognizing that cyber-criminals have developed strategies for defeating some forms of MFA.
Cybersecurity has moved from a technical issue to a corporate and board-level focus, as well as a focus area for regulators and litigators. We expect that the SEC will, in the near-term, impose new rules requiring increased reporting and disclosures to the SEC and investors relating to significant cybersecurity incidents, as well as related recordkeeping and compliance program requirements. RIAs should be prepared to pivot and enhance their compliance, testing and reporting infrastructure to be able to comply with these new rules, which are very likely to be imposed.
Crypto-Assets and Emerging Financial Technologies
Crypto or crypto-related assets offered, sold or recommended will be a special focus of the SEC, especially for those registrants who have never been examined before. This focus is even more intense in the digital assets space, with pressure from investors and many in Congress to have clear rules, and for the agency not to engage in “regulation by enforcement.” Specifically, the SEC said that its examiners will assess whether such market participants involved with crypto or crypto-related assets: met and followed the respective standards of care when making recommendations, referrals or providing investment advice, to the extent required; and routinely reviewed, updated and enhanced their compliance, disclosure and risk management practices.
Regulatory attention will also be placed on firms that operate digital platforms which employ digital engagement tools or ‘game-like’ features to attract investors and induce trading. Regulators will assess whether: any recommendations were made or advice was provided (e.g., through the use of social media marketing and social trading platforms); representations are fair and accurate; operations and controls in place are consistent with disclosures made to investors; any advice or recommendations are in the best interest of the investor (taking into account the investor’s financial situation and investment objectives); and risks associated with such practices are considered, including the impact these practices may have on certain investors, such as seniors.
Recognizing the strong, ongoing SEC interest in policing securities offerings involving cryptocurrencies and digital assets, RIAs that invest client assets in this space should:
- Be prepared to demonstrate to the regulator that they are free of undisclosed conflicts.
- Have properly diligenced, valued, and custodied such investments, and that they are acting in the best interest of the clients in making the recommendations.
- Consider the selection of a qualified and sound custodian to protect client assets.
- Have robust defensive policies and practices, to address the increased cybersecurity risk posed to digital assets.
The compliance risk and SEC interest are unlikely to be extinguished in the short term, especially if the SEC passes amendments to the custody rule to broaden its application to include any client asset in an RIA’s possession or any asset the adviser has authority to obtain possession of—sidestepping any debate over whether cryptocurrencies and digital assets meet the legal definition of a security.
While many industry pundits predicted an increase in regulatory activity under the current administration, the SEC’s rulemaking, enforcement and examination activities have far outpaced even the most optimistic projections. The SEC, using all available tools in its regulatory quiver, has been public about its expectations, levied hefty monetary penalties, imposed monitors, extracted admissions and held individuals accountable for violations. In addition, the SEC has signaled that it expects firms that become aware of violations to self-report misconduct to examiners during the course of examinations without being prompted to do so—clearly exposing another potential issue for registrants to navigate.
Kroll’s experts have highlighted and provided practical guidance on these eight compliance risk areas and steps to mitigate such risks. However, these risk areas are not exclusive, and registrants are urged not to ignore the building blocks of a well-designed compliance program, including a knowledgeable and empowered CCO; effective supervision and governance; robust risk identification; a tailored set of compliance policies and procedures that is designed and implemented to detect and prevent violations of applicable laws; a compliance culture and value system that is baked into the firm’s DNA; and effective testing, training and documentation—all wrapped in a healthy dose of adherence to fiduciary duty (or best interest, as applicable) and disclosure and mitigation of conflicts.
For firms considering adding external resources to their exam preparation arsenal, Kroll is here to help, offering subject-matter expertise and industry insights into these and many other compliance and operational matters.