Regulation OCIE Cautions Advisers on Outsourcing Compliance Activities In a Risk Alert dated November 9, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) said it found that outsourced compliance programs are generally effective, but some of these arrangements leave room for improvement. As part of its Outsourced CCO Initiative, OCIE examined 20 registered advisers and funds (“registrants”) that outsource their compliance activities to assess the effectiveness of outsourced compliance programs and CCOs. The Risk Alert summarized OCIE’s findings. While OCIE stopped short of criticizing outsourced compliance activities, it called attention to its concern that registrants should not be complacent with “off-the-shelf” compliance programs and monitoring. Based on the results of the 20 examinations, OCIE observed that an effectively outsourced CCO generally involved: • regular, often in-person, communications between CCOs and registrants (rather than, for example, reliance on pre-defined checklists); • strong relationships established between CCOs and registrants; • sufficient resources for the CCO, particularly in cases where a CCO serves in that capacity for multiple unaffiliated firms; • sufficient, independent CCO access to documents and information necessary to conduct annual reviews; and • CCO knowledge about regulatory requirements and the registrant’s business. OCIE said that “an effective compliance program generally relies upon, among other things, the correct identification of a registrant’s risks in light of its business, operations, conflicts and other compliance factors.” OCIE cited examples of certain outsourced CCOs who “could not articulate the business or compliance risks” of a registrant or, to the extent the risks were Attorney Advertising November 2015 Investment Management Legal + Regulatory Update In this issue Regulation OCIE Cautions Advisers on Outsourcing Compliance Activities Page 1 SEC Revises Rule 2a-7 to Drop NRSRO Requirement Page 2 SEC Proposes Rules to Require Funds to Adopt Liquidity Risk Management Programs; Allow “Swing Pricing” Page 2 FINRA Tightens Protection of Elderly Investors Page 2 Cybersecurity, Round 2: OCIE Narrows Focus of Cybersecurity Examinations Page 3 FinCEN Proposes AntiMoney Laundering Rules for Registered Advisers Page 3 FINRA Sets Effective Dates for Research Report Conflicts Rules Page 3 Show Us the Money: FINRA Initiates Sweep Relating to Compensation Practices Page 4 Spotlight on BDCs Page 4 SEC Staff Clarifies Application of Rule Requiring Reporting of Personal Securities Transactions by Investment Adviser Personnel Page 5 The SEC’s Registration Rules for Security-Based Swap Dealers Page 5 AIFMD Passport for Non-EU Funds and Fund Managers Page 5 Volcker Rule: Federal Agencies Issue New Guidance Regarding the Seeding Period Treatment for RICs and FPFs Page 6 CFTC Requires Introducing Brokers, Commodity Pool Operators, and Most Commodity Trading Advisers That Use Swaps to Become Members of NFA Page 6 Enforcement + Litigation SEC Settles Charges that Investment Adviser Failed to Adequately Disclose Changes in Investment Strategy Page 7 SEC’s Warning—Fund Trustees Are Fair Game Page 7 Unlawful Crowdfunding?— SEC Institutes Public Administrative and Ceaseand-Desist Proceeding Against Unregistered Broker-Dealer Page 8 SEC Charges Investment Adviser With Failure to Adopt Proper Cybersecurity Policies and Procedures Page 8 SEC Sanctions Investment Adviser for Materially False Advertisements Page 9 SEC Commissioner: Don’t Hold CCOs Accountable for Misdeeds of Advisers Page 9 Tidbits Page 10 2 MoFo Legal + Regulatory Update, November 2015 identified, whether the registrant “had adopted written policies and procedures to mitigate or address those risks.” For more information, see our blog post here. SEC Revises Rule 2a-7 to Drop NRSRO Requirement The SEC amended Rule 2a-7 and Form N-MFP to removed references to credit ratings. Issuer diversification provisions in the rule were also amended to eliminate a current exclusion for securities subject to a guarantee issued by a non-controlled person. The amended rule provides that the determination of whether a security is an “eligible security” will require a “single uniform minimal credit risk finding, based on the capacity of the issuer or guarantor of a security to meet its financial obligations.” The amended rule codifies certain general credit analysis factors that the SEC expects fund boards (and their designees) to take into consideration when making a minimal credit risk determination. Those factors include the: • issuer’s or guarantor’s financial condition; • issuer’s or guarantor’s sources of liquidity; • issuer’s or guarantor’s ability to react to future market-wide and issuer- or guarantor-specific events, including the ability to repay debt in highly adverse situations; and • strength of the issuer’s or guarantor’s industry within the economy and relative to economic trends, and the issuer’s or guarantor’s competitive position within its industry. The SEC said that eliminating references to nationally recognized statistical rating organizations’ (NRSROs) ratings from Rule 2a-7 is not intended to change the current risk profile of money market funds, or to change fund boards’ evaluation of minimal credit risk. Nonetheless, the amendments remove the objective “floor” of an NRSRO rating from the evaluation. This arguably leaves fund boards in the position of determining minimal credit risk based on a more subjective set of factors. Fund boards should carefully consider necessary changes to their Rule 2a-7 policies and procedures to ensure that they are consistent not only with amended Rule 2a-7 but with the SEC’s stated intent that the current risk profile of money market funds should not change. For more information, see our Client Alert here. SEC Proposes Rules to Require Funds to Adopt Liquidity Risk Management Programs; Allow “Swing Pricing” At an open meeting on September 22, 2015, the SEC proposed new rules and amendments to existing rules to require openend investment companies to adopt comprehensive liquidity risk management programs. The rules would also allow funds to use “swing pricing” to pass on the cost of large purchases and redemptions to the shareholders that cause those costs. The SEC also proposed rules that would require funds to categorize the liquidity of each portfolio holding and to report to the SEC the category assigned to each portfolio security. Chair Mary Jo White said that the SEC’s purpose in adopting the proposals is to enhance management of liquidity risks of registered open-end investment companies, including mutual funds and exchange-traded funds. For more information, see our Client Alert here. FINRA Tightens Protection of Elderly Investors On September 17, 2015, FINRA announced that it would propose rules to help member firms protect seniors and other vulnerable adults from financial exploitation. The proposal would create a safe harbor enabling broker-dealer firms to place a temporary hold on a disbursement of funds or securities, and to notify a customer’s trusted contact, when the firm has a reasonable belief that financial exploitation is occurring. The proposal would amend FINRA’s customer account information rule to require firms to make reasonable efforts to obtain the name and contact information for a trusted contact person upon opening a customer’s account. In addition, the proposal would create a new FINRA rule permitting firms to place temporary holds on disbursements of funds or securities from the accounts of investors aged 65 or older where there is a reasonable belief that financial exploitation is taking place. The proposal would also apply to investors 18 and older if they have mental or physical impairments that render them unable to protect their own interests and there is a reasonable belief that financial exploitation is taking place. The proposed rules address a narrow set of circumstances involving senior investors where there is a reasonable belief that financial exploitation is taking place. However, FINRA’s guidance to brokers in handling the accounts of elderly investors is significantly broader. 3 MoFo Legal + Regulatory Update, November 2015 The new rules would not create a “duty” to place temporary holds on disbursements. Instead, they would protect firms that comply with the safe harbor when they exercise discretion in placing such a hold. FINRA expects to issue the proposed rules in the immediate future. The proposed rules will be subject to public comment and SEC review. For more information, see our blog post here and an article appearing in MoFo’s Structured Thoughts here. Cybersecurity, Round 2: OCIE Narrows Focus of Cybersecurity Examinations On September 15, 2015, OCIE issued a Risk Alert relating to its new cybersecurity examination initiative. This is the second round of these examinations, and the alert provides a detailed look at OCIE’s current areas of focus. The examinations will involve testing broker-dealers and investment advisers to assess implementation of their cybersecurity procedures and controls. The risk alert includes a sample document request detailing the materials that OCIE will seek to review in connection with these examinations. OCIE’s new examination plan builds on examinations that were initially announced in April 2014, which enabled OCIE to gain better insights into prevailing cybersecurity practices and procedures, and potential deficiencies, in the industry. As a result, key topics of the new examinations will include: • cybersecurity governance and risk management; • system access rights and controls; • data loss prevention; • management of third-party vendors which may place customer information at risk; • employee and vendor training; and • responses to suspected incidents. The SEC says it is committed to assessing and encouraging cybersecurity readiness in the industry. For example, the SEC has been fairly active in enforcing Rule 30 of Regulation S-P (Privacy of Consumer Financial Information), the so-called “Safeguards Rule,” and has imposed significant fines when it has identified deficiencies in a firm’s customer information compliance policies and procedures, distribution of limited or insufficient written materials regarding safeguarding customer information, or a failure to implement adequate controls to safeguard customer information. Moreover, OCIE identified cybersecurity as one of its exam priorities announced in January 2015 and FINRA announced its own examination of cybersecurity practices in 2014. Whether or not OCIE examines a particular firm’s cybersecurity practices, OCIE clearly seeks to encourage all industry participants to carefully consider their practices, policies, and procedures with respect to cybersecurity. To that end, the risk alert provides significant detail in order to prepare for an examination, and to internally review and evaluate a firm’s current practices. The sample document request included in the risk alert can be used to better understand OCIE’s views about cybersecurity, whether any differences compared to its own practices exist and, if so, whether those differences can be adequately explained based on the nature of the firm’s business or otherwise. Clearly, OCIE views cybersecurity as central to the enterprise, and expects that commitment to be reflected in board discussions and efforts at the senior management level. FinCEN Proposes Anti-Money Laundering Rules for Registered Advisers On August 25, 2015, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) proposed rules to require SECregistered investment advisers to adopt and maintain anti-money laundering (AML) programs and to file suspicious activity reports (SARs). The rules would not apply to state-registered investment advisers. FinCEN’s rules would define investment advisers as “financial institutions” for purposes of the Bank Secrecy Act (BSA). Thus, investment advisers would face requirements similar to those that apply to banks, broker-dealers, and mutual funds. These requirements would include adopting compliance policies, filing Currency Transaction Reports (CTRs) and keeping records relating to transmittal of funds. FinCEN’s proposals would not require advisers to adopt a customer identification (“know your customer” or KYC) program, which FinCEN likely will address in the future. FinCEN would delegate compliance examination responsibility to the SEC. For more information, see this article by Jay Baris, which appeared in the November 2015 edition of The Investment Lawyer, available here. FINRA Sets Effective Dates for Research Report Conflicts Rules FINRA rules addressing conflicts of interest relating to the publication of equity research reports became effective on September 25, 2015, or will become effective on December 24, 2015, depending on the specific provision. Rule 2241 is designed to “foster objectivity and transparency” in equity research and provide investors with useful information 4 MoFo Legal + Regulatory Update, November 2015 with which to make investment decisions. The rule broadens the obligations of broker-dealers to identify and manage researchrelated conflicts of interest, but includes some flexibility in compliance. Among other things, the rule: • requires certain analysts to register and pass Series 86 and 87 exams; • requires broker-dealers to disclose conflicts of interest in research reports and in public appearances by research analysts; • prohibits investment banking personnel from being involved in writing the content of research reports; • prohibits investment banking personnel from determining how analysts are compensated; • establishes an information barrier requirement inspired by the Sarbanes-Oxley Act; and • establishes a new standard for personal trading by research analysts. Rule 2242 is FINRA’s counterpart for debt reports. The rule reflects differences in the trading of debt securities, and includes broad exemptions for debt research distributed solely to eligible institutional investors. FINRA Rule 2242 becomes effective on February 22, 2016. Show Us the Money: FINRA Initiates Sweep Relating to Compensation Practices FINRA has made no secret of its interest in broker compensation and the potential conflicts of interest that can be generated by some types of compensation practices. FINRA discussed these issues in its 2015 annual priorities letter, as well as in its earlier 2013 report on conflicts of interest. These conflicts are also relevant to FINRA’s ongoing discussions relating to the adoption of a fiduciary standard for brokerdealers, as well as its recent efforts to adopt rules relating to the disclosure of compensation arrangements relating to registered representatives who transfer customer assets to a new firm. In August 2015, FINRA sent a letter to a significant number of its members requesting information about their broker compensation practices and supervision. In the letter, FINRA indicates that its intent is to “continue [its] assessment of the efforts employed by firms to identify, mitigate and manage conflicts of interest, specifically with respect to compensation practices.” The letter requests information about the one year period commencing in August 2014 and ending July 2015. The inquiry solely concerns retail accounts and not institutional sales. The detailed information sought by FINRA relates to a variety of areas impacting the compensation of registered representatives, including: • Who makes compensation decisions and what departments are involved? • How are compensation-related conflicts of interest identified and managed? • What surveillance and supervisory tools and processes have been implemented to identify compensationrelated conflicts of interest? How frequently are they implemented? Did these processes identify compensationrelated conflicts of interest and, if so, how many were identified? • How is compensation determined for registered representatives, and what features are implemented to reduce any risk to clients’ longterm interests? • What types of standard and non-standard compensation arrangements are used to recruit or retain registered representatives? To what extent is their compensation contingent upon their production from particular Spotlight on BDCs BDC Master-Feeder Funds on the Horizon—No-Action Relief Granted to One Issuer The staff of the SEC’s Division of Investment Management said that it would not recommend enforcement action if a business development company (BDC) reorganizes into a master-feeder structure. The relief will also be available to future feeder funds in the same structure. Other BDCs that wish to utilize a masterfeeder structure, however, may not rely on this relief. The staff indicated that it was “willing to consider similar requests from other BDCs.” For a more detailed review of the no-action relief, see our Client Alert here. 5 MoFo Legal + Regulatory Update, November 2015 product types? The letter includes a request for specific information about production thresholds and production penalties that can increase or decrease a registered representative’s compensation. The responses to the sweep letter will provide FINRA with a considerable amount of information and an opportunity to assess whether members have listened to, and addressed, FINRA’s concerns. These responses may also impact any action that FINRA ultimately takes in considering the adoption of a fiduciary standard for brokerdealers. For more information, see our blog post here. SEC Staff Clarifies Application of Rule Requiring Reporting of Personal Securities Transactions by Investment Adviser Personnel In a June 2015 Guidance Update, the staff of the SEC’s Division of Investment Management clarified how the code of ethics reporting rules apply to investment advisers. Rule 204A-1 under the Investment Advisers Act of 1940 requires an adviser to adopt and maintain a written code of ethics that, among other things, obligates certain access persons—directors, officers and partners and its supervised persons who have access to nonpublic information regarding securities transactions—to report personal securities transactions. The rule allows advisers and SEC examiners to identify improper trades or patterns of trading. The guidance clarifies which types of accounts may take advantage of a regulatory exception to that reporting obligation. The rule includes an exception from the reporting obligation for accounts over which an access person has “no direct or indirect influence or control.” The staff was apparently prompted to issue the guidance based upon its concern that certain advisers have tried to take advantage of the reporting exception in circumstances when the reporting persons—so-called “access persons” —may in fact have some influence or control over such accounts. In the guidance, the staff states that blind trusts, which are managed by a third party for the benefit of an access person who has no knowledge of specific investments made by the trustee and no right to intervene in the management of the account, qualify for the exception. According to the staff, however, other accounts may not qualify for the exception. The guidance states that simply providing a thirdparty manager with discretionary investment authority over an access person’s personal account, “by itself, is insufficient for an adviser to reasonably believe that the access person had no direct or indirect influence or control over the trust or account.” The staff said that, in order to take advantage of the reporting exception, an adviser needs to implement compliance “reasonably designed to determine whether the access person actually had direct or indirect influence or control over . . . an account, rather than whether the third-party manager had discretionary or nondiscretionary authority.” For more information, see our blog post here. The SEC’s Registration Rules for Security-Based Swap Dealers In August 2015, the SEC released final rules (the “Registration Rules”) for the registration of securitybased swap dealers (SBSDs). The Registration Rules, released more than three years after the release by the Commodity Futures Trading Commission (CFTC) of its parallel rules for the registration of swap dealers, set out the formal requirements for SBSD registration and are instructive for financial institutions that may soon be required to register as SBSDs. The Registration Rules will have little immediate effect, since their compliance date is tied to the occurrence of several events that, taken together, have not yet occurred, cannot occur for a minimum of six months, and seem relatively unlikely to occur until after significantly more than six months have passed. Moreover, market participants are not required to register as SBSDs until after their security-based swap activity exceeds certain de minimis thresholds. The Registration Rules Release states that, for purposes of complying with registration requirements, entities engaging in security-based swaps activities are not required to begin calculating whether their activities meet or exceed such thresholds until two months prior to the compliance date of the Registration Rules. For more information, see our Client Alert here. AIFMD Passport for Non-EU Funds and Fund Managers On July 30, 2015, the European Securities and Markets Authority (ESMA) published its advice to the European Parliament, the Council, and the European Commission on the application of the Alternative Investment Fund Managers Directive (AIFMD) Passport to nonEU Alternative Investment Fund Managers (AIFMs) and Alternative Investment Funds (AIFs). The advice was published a little over a week later than it was due to be published, perhaps reflecting the difficulties that ESMA has found in assessing the different factors that it is bound 6 MoFo Legal + Regulatory Update, November 2015 to take into account pursuant to the Level 1 AIFM Directive, particularly as a result of its adopted approach of providing advice separately for each non-EU country whose funds and fund managers are active in one or more EU member states. The AIFM Directive applies to managers (AIFMs) of alternative investment funds (AIFs) as defined in the Directive. It currently provides for EU AIFMs, once they have passed the conditions for authorization in one EU member state, to be permitted to market EU AIFs managed by them in any member state of the EU without further authorization. This so-called “passport” is currently available only to EU AIFMs. At present, nonEU AIFMs are only able to actively market their funds in an EU member state if such marketing is permitted by the National Private Placement Regime (NPPR) of that member state, and a separate application is required for the NPPR of each state in which active marketing is intended to occur. For more information, see our Client Alert here. Volcker Rule: Federal Agencies Issue New Guidance Regarding the Seeding Period Treatment for RICs and FPFs Under guidance issued on July 16, 2015 by the federal agencies responsible for implementing the Volcker Rule (the “Agencies”) registered investment companies (RICs) and foreign public funds (FPFs) need not be treated as banking entities during a seeding period of up to three years. The Volcker Rule restricts “banking entities” from sponsoring or investing in covered funds. RICs and FPFs are not “covered funds” as defined in the Volcker Rule; however, while they are being organized and “seeded” with capital, investment funds generally are privately held—and, in the case of RICs, are not registered—and do not qualify as RICs or FPFs, thus creating an issue as to whether the banking entities may seed them. Under the new guidance, the Agencies will not treat a RIC or an FPF that is controlled during its seeding period by a banking entity as a banking entity during a seeding period of up to three years, absent evidence that the seeding vehicles were established in order to circumvent the Volcker Rule. The Agencies will not require an application to be submitted to the Federal Reserve to determine the length of the seeding period of a particular RIC or FPF as long as it is within the three-year time frame. The new guidance also acknowledges that SEC-regulated business development companies (BDCs) are treated like RICs under the Final Rule and, consistent with the parallel treatment of the two vehicles, a BDC would not become a banking entity during a three-year seeding period, solely because it is controlled by a banking entity. For more information, see our Client Alert here. CFTC Requires Introducing Brokers, Commodity Pool Operators, and Most Commodity Trading Advisers That Use Swaps to Become Members of NFA On September 14, 2015, the Commodity Futures Trading Commission (CFTC) published a final rule requiring introducing brokers (IBs), commodity pool operators (CPOs), and most commodity trading advisers (CTAs) to become members of a registered futures association (RFA). A limited exception to this requirement applies to CTAs that qualify for an exemption from registration under CFTC Regulation 4.14(a)(9) (i.e., those who do not direct client accounts or provide advice tailored to a particular client) but who nonetheless chose to register. All persons subject to the regulation will be required to become members of the National Futures Association (NFA), the only RFA, by December 31, 2015. To comply with the requirement, each registered IB, CPO, and CTA (subject to the limited exception for CTAs) must update its existing registration forms on NFA’s online registration system and pay initial and NFA annual membership dues. For many years, IBs, CPOs, and CTAs that facilitated trading in futures contracts were required to become members of NFA, not because of a CFTC regulation, but due to NFA Bylaw 1101, which prohibits NFA members from dealing with non-members that are required to be registered with the CFTC and that provide services with respect to futures contracts. The Dodd-Frank Act required IBs, CPOs, and CTAs that provide services with respect to swap contracts to register as a result of amendments to the Commodity Exchange Act adding “swaps” to the definitions of these registration categories. After Dodd-Frank was enacted, registered IBs, CTAs, and CPOs that provided services with respect to swaps only were not subject to NFA Bylaw 1101, which only applies to futures contracts, and thus did not have to become NFA members. The final rule now requires all IBs, CPOs, and CTAs, including those who provide services with respect to swaps, to become and remain NFA members. This requirement subjects these registrants to NFA rules and ongoing NFA oversight, including NFA audits. While most registrants in these categories have become NFA members in any event or are exempt because they have claimed 7 MoFo Legal + Regulatory Update, November 2015 exemption from registration (e.g., under the CFTC Reg. 4.13(a)(3) de minimis exemption for CPOs), the CFTC estimates that approximately 296 persons registered with the CFTC as a CPO, CTA, or IB will be required to become and remain NFA members. For more information, see our blog post here. Enforcement + Litigation SEC Settles Charges that Investment Adviser Failed to Adequately Disclose Changes in Investment Strategy The SEC settled charges with two investment advisers to a closedend fund based on allegations that the advisers failed to adequately disclose a change in investment strategy to the fund’s board and investors. The SEC also found that shareholder reports filed with the SEC were inaccurate. According to the SEC, the fund originally invested in distressed debt but, in 2008, it began investing a significant portion of the fund’s assets in credit default swaps (CDS). Since CDS values move significantly more than traditional bond prices in response to credit market fluctuation, the increase in exposure to CDS meaningfully changed the fund’s risk profile. According to the SEC, this represented a shift from an investment thesis that debt would increase in value to an investment thesis that debt would decrease in value. The SEC found that the change in investment strategy resulted, at least in part, in significant losses, and the fund was liquidated in 2012. Pursuant to the fund’s offering memorandum, the fund was authorized to buy and sell securities other than distressed debt, including derivative instruments for both hedging and speculative purposes. The offering memorandum included general risk disclosure related to investments in derivatives, but the SEC found that it did not contain adequate specific disclosure related to the risks of holding CDS. The SEC found that the fund’s advisers misrepresented the investment strategy in communications to investors and the fund’s board, as well as in filings with the SEC. SEC Chair Mary Jo White has announced that the SEC will soon be issuing proposed rules related to funds’ use of derivatives and the resulting effect of leverage on funds’ performance. This order may provide some insight into the types of concerns that the proposed rules will address: accurate and clear disclosure to fund investors; appropriate discussions with a fund’s board to ensure it can adequately perform its oversight role; and assurance that filings with the SEC contain accurate information. Funds and their advisers should carefully review their current disclosure practices to ensure that they are adequately representing the use of derivatives and will continue to operate within the parameters of their stated investment strategy For more information, see our recent Client Alert here. SEC’s Warning—Fund Trustees Are Fair Game In a cease-and-desist order entered on June 17, 2015, the SEC found that a fund adviser, two independent trustees, and an inside trustee willfully violated Section 15(c) of the Investment Company Act of 1940 (the “1940 Act”) by failing to satisfy specific requirements for approving a fund’s investment advisory agreement. The SEC also found that the funds’ administrator caused one of the funds to violate Section 30(e) of the 1940 Act, and Rule 30e-1 thereunder, by omitting disclosure related to the trustees’ evaluation of the advisory and sub-advisory agreements under Section 15(c). Section 15(c) of the 1940 Act imposes a duty on the board members of a registered investment company to request and evaluate— and a duty on the adviser to furnish—such information as may be reasonably necessary for the directors to evaluate the terms of an advisory contract. Item 27(d)(6) of Form N-1A further requires that, if a fund’s board approved any investment advisory contract during the fund’s most recent fiscal half-year, the next shareholder report must contain a discussion, in reasonable detail, concerning “the material factors and the conclusions with respect thereto that formed the basis for the board’s approval.” The SEC said that the administrator violated Section 30(e) of the 1940 Act and Rule 30e-1 by failing to disclose the information required in Item 27(d) (6) of Form N-1A. This case is a clear reminder of the SEC’s view that the annual review of a fund’s advisory contract is one of the central responsibilities of a fund board, and demonstrates that the SEC will dive deep into the weeds to review the adequacy of that contract review process. It appears that the SEC wants to send a strong message that independent trustees are fair game if the SEC believes trustees are asleep at the switch when carrying out their statutory responsibilities. In addition, we note that this case may also confirm the adage that “no good deed goes unpunished.” The SEC notes that, during the relevant time period, certain of the independent trustees waived their trustee fees and the adviser had 8 MoFo Legal + Regulatory Update, November 2015 waived its fees. The clear message is that fund trustees and investment advisers, as fiduciaries, must carry out their responsibilities whether or not they waive compensation to benefit fund shareholders. For more information, see the article written by Jay Baris for Law360 here. Unlawful Crowdfunding?—SEC Institutes Public Administrative and Cease-and-Desist Proceeding Against Unregistered Broker-Dealer In a proceeding on September 28, 2015, the SEC ordered a public hearing to be held before an administrative law judge within the next two months. Further, the SEC ordered the respondent and two companies under his control, to cease and desist from engaging in any unlicensed and/or criminal acts of securities dealing. The respondent was previously sanctioned by regulators in two states for fraudulent conduct in the offering of unregistered securities and making misrepresentations as to his status as a registered broker-dealer. In its release, the SEC emphasizes the respondent’s use of crowdfunding channels to find small business customers and offer purported expert brokerage services. His companies offered support in identifying prospective investors, raising capital, listing securities, structuring offerings, transferring stock, and performing a number of related services. The SEC found that, in so doing, the respondent fraudulently misrepresented his companies to small business owners as registered broker-dealers and established financial services companies with experience facilitating exempt offerings and the capacity to provide legal counsel. The respondent advised and assisted customers in filing Regulation A offering statements that were deemed to be deficient by the SEC. The SEC has requested a public hearing to take evidence regarding possible violations of Section 10(b) of the Securities Exchange Act, including the fraud provisions of Rule 10b-5. Although the transactions involved were small, the SEC’s vigorously worded release shows that, although the JOBS Act relaxes restrictions on communications with potential investors during certain securities offerings, the Act does not limit the SEC’s broker-dealer registration requirements. The SEC has expressly distinguished brokers who collect transactionbased compensation to promote, offer, and sell shares of private stock offerings from the persons protected by Section 201(b) of the JOBS Act. As explained in detail on our website, a “matchmaking” site that takes no compensation and does not handle or analyze securities in providing ancillary services in connection with a Rule 506 Regulation D offering can be exempt from broker-dealer registration. However, this exception has been narrowly interpreted, and the SEC has been aggressive in enforcing requirements for broker-dealer registration under Section 4(b) of the Securities Act. The SEC has yet to finalize its rules relating to crowdfunding. When such regulations are in place, funding portals would be subject to an alternative regulatory scheme. All industry participants, and companies seeking capital, will want to verify that the purported broker-dealers with whom they work are appropriately registered broker-dealers. For smaller and newer firms that are seeking to understand their responsibilities, the SEC’s Division of Trading and Markets maintains a Compliance Guide, which sets forth the SEC’s views as to the circumstances in which the SEC believes that intermediaries must register as broker-dealers. Caution is appropriate, as the SEC is expected to maintain its scrutiny of the area. For more information, see our blog post here. SEC Charges Investment Adviser With Failure to Adopt Proper Cybersecurity Policies and Procedures A registered investment adviser agreed to settle SEC charges that it failed to adopt adequate cybersecurity policies and procedures reasonably designed to protect customer records and information as required by Rule 30(a) of Regulation S-P (the “Safeguards Rule”). Without admitting or denying the SEC’s findings, the investment adviser agreed to a censure, to cease and desist from future violations, and to appoint an information security manager to oversee its data security. The SEC found that the adviser stored customers’ personally identifiable information (PII) on a third-party-hosted web server for almost four years without procedures to protect customer records and information. In July 2013, a hacker gained access and copyrights to the data. The SEC found that the adviser’s failure to adopt data security procedures left the PII of more than 100,000 individuals vulnerable to theft. The Safeguards Rule requires investment advisers to adopt written policies and procedures that: • Ensure the security and confidentiality of customer records and information; • protect against any anticipated threats or hazards to the security or integrity of customer records and information; and 9 MoFo Legal + Regulatory Update, November 2015 • protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a customer. The SEC found that the adviser’s procedures violated the Safeguards Rule because the adviser’s policies and procedures did not include: • conducting periodic risk assessments; • employing a firewall to protect the web server containing client PII; • encrypting client PII stored on the third-party server; or • establishing procedures to respond to a cybersecurity incident. The settlement came less than a week after OCIE announced its second round of cybersecurity examinations (see above). For more information, see our blog post here. SEC Sanctions Investment Adviser for Materially False Advertisements The SEC recently instituted proceedings against a registered investment adviser and its founder, CEO, and majority shareholder for allegedly making material misstatements and omissions regarding the amount of assets purportedly “managed” by the adviser. The SEC also alleged that the firm and its CEO made material misstatements regarding clients’ investment returns, claiming that such returns placed the adviser in the “top 1%” of firms worldwide, and failed to disclose that the returns related to a model portfolio did not reflect actual client experience. The adviser and its CEO are also charged with failing to adopt and implement adequate written policies and procedures related to the calculation and advertisement of assets managed and investment returns. The SEC alleged that the firm and its CEO touted investment performance that significantly outpaced relevant benchmarks and misrepresented the amount of assets managed in order to “attract new clients . . . by creating the impression that they were larger and more successful players than they in fact were.” The SEC also alleged that the firm used an “off-the-shelf” compliance manual without tailoring its content to the firm’s specific operations, including compliance procedures related to review of advertising and other promotional content. Moreover, the SEC alleged that even these inadequate policies were not implemented. Once again, the staff is demonstrating its on-going focus on conflicts of interest and the need for advisers to ensure that such conflicts are appropriately identified and addressed in the firm’s compliance policies. In particular, the action underscores the need for investment advisers to ensure that all employees—including the most senior employees—are adequately supervised with respect to public statements and other advertising regarding the adviser’s investment performance. For more information, see our blog post here. SEC Commissioner: Don’t Hold CCOs Accountable for Misdeeds of Advisers Former SEC Commissioner Daniel Gallagher, in a speech on June 25, 2015, said that a perceived trend by the SEC toward “strict liability” for chief compliance officers (CCOs) is “sending a troubling message.” The statement explains his vote against bringing two enforcement actions against CCOs. In one case, the SEC charged a CCO with violating Rule 206(4)-7, popularly known as the adviser compliance rule, in connection with an alleged failure to ensure that the adviser’s compliance program was sufficient to assess and monitor outside activities of employees. In the second case, the SEC found that a CCO failed to implement compliance policies and procedures that, if carried out appropriately, would have detected an alleged multi-year theft of client assets by the adviser’s president. This trend toward strict liability, Commissioner Gallagher argued, could encourage CCOs to distance themselves from their firm’s compliance policies and procedures, lest they be held accountable for the adviser’s conduct. Moreover, this trend could incentivize CCOs to favor less comprehensive policies and procedures that require less monitoring in an effort to avoid potential liability when the SEC “plays Monday morning quarterback.” Part of the problem, the Commissioner said, is that the compliance rule itself is not a model of clarity and “offers no guidance as to the distinction between the role of CCOs and management in carrying out the compliance function.” He said that the SEC should not resolve this uncertainty through enforcement actions. While acknowledging that CCOs should be held accountable for violations of the federal securities laws, he said that the SEC should strive to avoid “perverse incentives” that will flow from targeting CCOs who are “willing to run into the fires that so often occur at regulated entities.” The SEC, he said, should consider whether to amend Rule 206(4)-7 or provide guidance to clarify the roles and responsibilities 10 MoFo Legal + Regulatory Update, November 2015 We are Morrison & Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. We’ve been included on The American Lawyer’s A-List for 12 straight years, and the Financial Times named the firm number six on its 2013 list of the 40 most innovative firms in the United States. Chambers USA honored the firm as its sole 2014 Corporate/M&A Client Service Award winner, and recognized us as both the 2013 Intellectual Property and Bankruptcy Firm of the Year. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger. This memorandum summarizes recent legal and regulatory developments of interest. Because of the generality of this newsletter, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. The views expressed herein shall not be attributed to Morrison & Foerster, its attorneys, or its clients. Contacts Jay G. Baris (212) 468-8053 jbaris[email protected] Lloyd Harmetz (212) 468-8061 [email protected] Kelley A. Howes (303) 592-2237 [email protected] Matthew J. Kutner (212) 336-4061 [email protected] © 2015 Morrison & Foerster LLP of CCOs so that CCOs are not held accountable for the misconduct of others. In a speech on June 29, 2015, Commissioner Luis Aguilar said that Commissioner Gallagher’s statement has left the impression that the SEC is too harsh with CCOs, and that CCOs are “needlessly under siege from the SEC.” This dialogue, he said, “is unhelpful, sends the wrong message, and can discourage honest and competent CCOs from doing their work.” The cases that the SEC has brought against CCOs, he said, do not “signify the beginning of nefarious trend” to target CCOs, but rather involve “egregious misconduct” of CCOs. Both Commissioners found some common ground: they agree that CCOs play a vital role in protecting investors. More recently, in a speech on October 14, 2015, SEC Chief of Staff Andrew Donohue expressed his view that the SEC is not targeting, and has not targeted, compliance personnel. Echoing Donohue in a speech on November 4, 2015, Andrew Ceresney, Director of the Division of Enforcement, addressed the “rare instances in which the [SEC] has charged CCOs in enforcement actions.” Director Ceresney expressed the view that the SEC’s exercise of its judgment in recommending enforcement actions is appropriate, and recommendations follow only in instances where conduct “crossed a clear line.” For more information, see our blog post here. Tidbits • Kelley Howes will be a panelist at the Investment Adviser Association (IAA) Fall Compliance Conference on December 2nd in Los Angeles, California. The workshop will be held at the Westin Bonaventure Hotel, and will provide an excellent opportunity to gain practical insights on challenging legal and regulatory issues facing SEC-registered investment advisers, and to network with compliance and legal professionals at other IAA member firms. More information and registration is available here. • Jay Baris recently published “Conflicts of Interest: When You’re Having Too Much Fun at That Business Lunch” in the Learning Curve column of the July 2015 issue of Fund Directions. Jay discusses the challenging new hurdles fund directors face to comply with the 1940 Act’s gifts and entertainment prohibition. The full article is available here. • The SEC has named Marc Wyatt as Director of the Office of Compliance Inspections and Examinations (OCIE). Mr. Wyatt was previously Deputy Director of OCIE and has served as Acting Director since April 2015, following the departure of Andrew Bowden.