December 16, 2019
The SEC has certainly been busy in 2019 communicating with advisers and fund families using a variety of means. It is easy to get bogged down with the flurry of rule adoptions and proposals that have occurred over the last few months and overlook the other risk and interpretation communications the SEC has made during the year. As you begin planning for your 2020 annual review and compliance initiatives, we wanted to remind you of certain OCIE Risk Alerts, SEC Interpretations and SEC Guidance issued during 2019 and offer some practical considerations to implement as part of your 2020 annual review process and testing program. For those of you we work with on a regular basis, rest assured, we have incorporated these matters into our approach and are considering their impact on your compliance program.
Note the commentary below is not meant to be an exhaustive summary of the SEC communications or provide an exhaustive list of compliance considerations. Rather, we aim to provide an idea or two in each area of ways to improve your compliance program, engage various departments or individuals within your company or identify potential issues that can be corrected prior to the onset of an SEC exam.
OCIE’s Risk Alert on privacy proves that sometimes the simplest things are overlooked. For example, the Risk Alert notes OCIE staff observed advisers that stored client personally identifiable information in unsecure physical locations, such as unlocked file cabinets. We recommend periodically walking around your office spaces after business hours to inspect your employees’ habits regarding storage and disposal of sensitive information in hardcopy paper form. Ensure file cabinets are locked, stacks of paper containing client information are not left in plain sight, shred bins are being properly used and are locked, and printers are not accumulating papers containing sensitive materials. Depending on what you find, you may determine that additional training or periodic communications with employees on the topic are necessary.
The Risk Alert also notes OCIE staff observed advisers that were not following their own policies regarding review of the privacy and confidentiality practices of outside service providers or vendors. We are all well aware of the industry’s recent focus on and progress in the area of cybersecurity. One element of a cybersecurity program where progress can still be made relates to evaluation and oversight of the technological security in place at the service providers and vendors that maintain your confidential data. This area represents a great opportunity to work collaboratively with your in-house IT department or external IT vendor to better use their expertise regarding cybersecurity risk analysis and review of vendors’ information security programs, cybersecurity programs, disaster recovery plans and incident response plans.
OCIE staff observed deficiencies in advisers’ security practices when the advisers used network storage solutions, including cloud-based storage, to store confidential information. Specifically, the network storage solutions offered a variety of strong security features that advisers either intentionally or inadvertently were not using. In our work with clients, we have similarly observed written Cybersecurity Policies that include effective technological safeguards but focus only on the company’s internal servers and network, without applying the same standards to vendor-hosted software containing confidential information. As an example, an adviser’s policy may impose password strength and mandatory password rotation requirements for access to the adviser’s internal network, but the same requirements are not enabled on vendor-hosted software that can be accessed from anywhere via a web browser. This Risk Alert provides another opportunity to engage with your in-house IT department or external IT vendor to ensure your cloud-based software, storage and back-up solutions are configured appropriately. It is also critical that you work with IT to ensure Compliance has a thorough understanding of which software and systems are hosted on your firm’s own servers and which are hosted by a vendor or in the cloud, so that all relevant risks are adequately addressed.
The interpretation reaffirms, and in certain places clarifies, aspects of the fiduciary duty that advisers owe their clients under the Advisers Act. The release does not create new rules-based obligations for advisers, but instead confirms the principles-based fiduciary duty that has always been in place, which requires advisers to act in their clients’ best interests at all times. The adviser’s fiduciary duty is broad and applies to the entire relationship between an adviser and its client.
It is a good idea to review your current policies and procedures to ensure none of your firm’s practices are in conflict with any element of the SEC interpretation. Additionally, below are a couple of additional practical takeaways to consider.
The interpretation makes it clear that the adviser’s fiduciary duty to each client must be viewed in the context of the agreed-upon scope of the relationship between the adviser and the client. This relationship is most often articulated in the investment management agreement and/or investment policy statement. We recommend reviewing your current IMAs and IPSs to ensure they properly reflect the services you are providing to your clients. Your relationship with your clients may evolve over time. Services may expand or contract, and the paperwork does not always follow.
The interpretation states that in order for an adviser to fulfill its fiduciary duty it must have a reasonable belief that advice is in the best interest of the client. When making this determination, the adviser must take into consideration the client’s objectives, risk tolerance and even financial sophistication. As an example, utilizing derivatives in client accounts may be appropriate for certain institutional clients but unsuitable for retail clients. If your firm recommends higher risk products (such as penny stocks, thinly traded securities, derivatives and inverse or leveraged ETFs) to retail clients or less sophisticated institutional clients, we recommend you review the process used by the portfolio management group to determine why these types of investments are appropriate for clients in the context of their investment strategies. We also recommend you review the documentation produced to support these recommendations.
OCIE’s Risk Alert communicates observations from exams of advisers that currently employ or previously employed individuals with disciplinary histories. The Risk Alert explores a variety of topics, including vetting of potential employees, supervision, and tailoring policies and procedures to properly address the risk created by employing these individuals. One important takeaway that you can incorporate into your 2020 compliance plans is a review of your firm’s employee vetting process. OCIE observed instances where employees either lied on self-attestations regarding disciplinary history or did not provide enough detail to allow the disclosed disciplinary event to be accurately assessed. We recommend standard employee vetting procedures be implemented that go beyond requiring potential employees to fill out a disciplinary events questionnaire. Potential additional procedures to consider include performing background checks, looking up the potential employee in BrokerCheck, checking references and performing internet and social media searches prior to hire.
Additionally, if your firm would entertain the idea of hiring an individual with a disciplinary history in the future, we recommend you plan ahead as suggested in the Risk Alert. Creation of written procedures or a considerations checklist in advance will help ensure that risk does not go unaddressed after hiring the employee.
The SEC issued guidance to assist investment advisers with fulfilling their fiduciary duty to clients when the adviser assumes proxy voting authority. The guidance addresses, among other matters, the requirement for advisers to adopt policies and procedures reasonably designed to ensure proxies are voted in the best interest of clients and matters advisers should consider when using the services of a proxy advisory firm in the voting process.
The guidance clarifies that an adviser and its clients can agree on the scope of the adviser’s authority to vote proxies on each client’s behalf. Accordingly, an adviser can establish a variety of different voting arrangements via its agreements with its clients. An adviser and its clients can agree that the adviser will vote all proxies, that the adviser will vote proxies only in limited circumstances, or that the adviser will not vote proxies at all.
It is important that advisers only exercise voting authority within the scope of the agreements in place with their clients. We recommend you obtain a clear understanding of your firm’s proxy voting practices including when proxies are voted for clients and when they are not. We then recommend reviewing the investment management agreements in place with clients to ensure the voting authority, or lack thereof, described in client agreements is consistent with the actual voting practices. Where inconsistencies are noted, agreements may require revision or proxy voting practices may need to be altered.
Finally, we recommend you review your firm’s proxy voting policies and procedures along with various disclosures, including Form ADV, marketing materials, universal RFPs/DDQs, website, etc., to ensure descriptions of proxy voting practices are accurate, consistent and reflect the authority the firm has agreed upon with clients.