As chief compliance officers prepare for their annual compliance reviews, they should familiarize themselves with the examination priorities letter the Securities and Exchange Commission (SEC) issued last month and other recent Office of Compliance Inspections and Examinations (OCIE) guidance to ensure their firms are satisfying regulatory expectations. In particular, these materials emphasize the importance of the three Cs: cybersecurity, conflicts of interest, and cryptocurrencies.
Over the past few years, cybersecurity has been one of OCIE’s top priorities (we covered previous guidance here). This will continue in 2019. OCIE indicated that it will focus on advisers that operate multiple branch offices and those that have recently merged with other advisers to vet their governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
While OCIE has emphasized that it will work cooperatively with firms to identify and manage cybersecurity risks, recent enforcement actions for violations of Regulations S-P and S-ID as well as the Custody Rule illustrate the perils of not adequately addressing these risks.
The priorities letter also referenced a recent OCIE risk alert regarding electronic messaging. That alert counseled advisers to account in their compliance programs for text, SMS, or instant messaging, personal email, and social networking, and for how the use of these channels may affect the advisers’ recordkeeping and compliance obligations. Among other things, the alert included a sweeping recommendation that advisers monitor social networking posts to verify whether the firms’ policies on permitted use are being followed and to archive posts that qualify as business communications. The alert also recommended that firms perform regular internet searches or set up automated alerts to identify unauthorized business being conducted online.
Conflicts of Interest
OCIE will continue to scrutinize the disclosures and business operations of advisers to identify potential conflicts of interest. The guiding principle here is disclosure.
For example, the priorities letter referenced another risk alert (we previously covered here) that noted how OCIE has observed that some advisers erroneously value assets based on original cost rather than fair market value, while other advisers wrongly include certain assets in the fee calculation that the advisory agreement excluded. That risk alert also cautioned advisers to disclose any markups for third-party services or fee-sharing arrangements with affiliates and avoid any misallocation of expenses to clients where they should be borne by the adviser.
Another recent risk alert referenced in the letter similarly warned about proper disclosure of relationships with third parties soliciting clients on the adviser’s behalf. In particular, that alert observed that some advisers do not adequately disclose the nature of the relationship with their solicitors or the terms of the compensation arrangement and any costs to the client.
And a third risk alert referenced in the letter (we previously covered here) encouraged advisers to maximize client value when executing trades by reviewing the services performed by their executing brokers and documenting their best execution compliance on a periodic basis.
As a stark warning for advisers, each risk alert identified enforcement actions the SEC has brought against advisers that failed to fulfill these fiduciary obligations.
OCIE recognizes that advisers are increasingly active in the burgeoning digital asset market. Given this trend and the nascent regulations surrounding this emerging asset class, OCIE indicated it will continue to evaluate the trading and management of digital assets by advisers to assess regulatory compliance where digital assets qualify as securities. OCIE also indicated it will continue to monitor this market to otherwise protect investors against opaque and illiquid assets that could be easily misrepresented, manipulated, or dissipated. To that end, OCIE noted that examinations will focus on internal controls relating to the pricing and safety of client portfolios.