Regulatory Risk for Investment Advisers: Guidance, Enforcement and Compliance
As our Risk Outlook Series continues, we recently spoke with John Araneo, Partner at Cole-Frieman & Mallon LLP in New York, about many of the regulatory risks facing hedge funds today, including compliance, expense allocations and cybersecurity. Continue reading for a brief synopsis or scroll down to watch our webinar replay below.
How would you describe the current regulatory climate for fund managers and investment advisers?
For hedge fund managers and investment advisers, the regulatory expectations have never been higher. Looking ahead to 2017, managers and advisers should expect the challenge of having to navigate potentially seismic regulatory changes - each of which has the potential to complicate business practices and add to the cost and complexity of compliance.
How should clients prepare to react to these changes?
It’s a top-down approach that all comes down to compliance. A culture of compliance is no longer a lofty goal or a cliché; it is now a regulatory expectation. There needs to be a robust compliance program, actual implementation, and accountability. Clients should be prepared and able to effectively manage the SEC examinations. Managers need to take time to understand regulatory priorities and expectations before an exam.
What is the current regulatory regime's appetite for outsourcing the compliance function?
There is no requirement for firms to employ a full-time person to service compliance. However, the worries about outsourcing certain functions, particularly the compliance officer function, may lead to weakened compliance culture. The opportunity of outsourcing creates a gap between the compliance function and the operations, decision makers and day-to-day activities. Outsourcing can be effective and sufficient, but management needs to resist setting it and forgetting it.
What have been some of the focal points and areas of interest from the regulators?
These areas include examining manners of importance to retail investors, assessing issues related to market wide risk, using its evolving ability to analyze data to identify any illegal activity and operational issues including how a firm carries out its compliance operations, having business continuity and transition plans, cybersecurity and managing conflicts of interest.
What are some of the top line regulatory issues that fund managers themselves should focus on?
Expense allocation and cybersecurity.
Why is expense allocation as a stand-alone issue commanding and consuming so much attention?
The SEC is so concerned with expense allocation because conflicts of interest are so intertwined with that. The underlying issue of expense allocation is the conflict of interest between the fund manager and its investors.
How can clients protect themselves when making expense allocation determinations?
Certain expense allocations will be presumed unlawful by the SEC unless they are fully disclosed. Unless a fund's documents are very clear and specific in authorizing a fund manager's ability to allocate expenses in a certain way, the SEC sees it as a breach of fiduciary duty for that manager to allocate expenses in any way that benefits the manager. Managers must precisely draft and amend their fund documents to provide clear disclosure about how expense allocations will be made. Fund managers have to understand, identify and commit to how they treat various expenses.
Why is cybersecurity a concern with regulators?
Fund managers are required to disclose and report a higher quantity of more sensitive and meaningful information than ever before. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses including theft of funds, property and reputational harm. Fund managers must take action to design, implement and monitor a cybersecurity program that will protect confidential information.
What is the first step to creating a cybersecurity policy?
Although regulatory requirements do not provide clear standards, and cybersecurity plans are not a one-size-fits-all checklist, managers must commit to adopting a cybersecurity plan.
If there is no checklist, how do managers know if their plan is efficient?
The anatomy of a cybersecurity program should include a governance process focused on risk assessment, controls on accessibility to data, data loss prevention techniques, vendor due diligence and evaluation, employee training and an incident response plan.