Primer: Custody Rule for SEC-Registered Investment Advisers

Custody arrangements will always be reviewed in a routine regulatory examination. Violations of Rule 206(4)-2, more commonly referred to as the Custody Rule (the “Rule”), are also rapidly becoming a key enforcement area for the Securities and Exchange Commission (“SEC”). This primer will cover the important points of the Rule and discuss the most common violations.

  1. The Rule

At its most basic, the Rule:

  • Defines custody as “holding, directly or indirectly, client funds or securities, or having any authority to obtain possession of them”;
  • Requires safekeeping of client assets, which means maintaining them at a qualified custodian such as a bank or broker-dealer. Assets must be in a segregated account either for each client under its name, or in an account that contains only clients’ assets with the adviser’s name as agent or trustee;
  • Requires the adviser to notify clients when accounts are opened for them and to reasonably believe, after due inquiry, that custodians deliver account statements directly to clients at least quarterly; and
  • Requires independent, surprise verification of assets by an accountant. Private fund managers can satisfy this requirement by arranging for their funds to be audited annually (more on this in the next section).


  2. Important Nuances

Though simple on its face, there are some important nuances to consider:

  • An adviser can have custody through an affiliate (e.g., the general partner, or equivalent of a private fund);
  • The authority to obtain possession of funds or securities creates custody, regardless of whether such authority is exercised;
  • The accountant retained to provide either the surprise verification or the annual audit of a fund must be an independent public accountant that is both registered with and inspected by the Public Company Accounting Oversight Board or PCAOB.


  3. Common Violations

The SEC’s National Examination Program (“NEP”) staff recognized four common deficiencies during their recent investigations:

  • Advisers often failed to recognize that they had custody under the Rule. The NEP staff cited examples of advisers having physical or electronic possession of assets, but not fulfilling their Rule obligations;
  • Some surprise exams were not conducted on a “surprise” basis. The NEP staff collected evidence suggesting that the examinations were being conducted at a predictable time each year;
  • Certain advisers did not meet the qualified custodian requirements. Advisers that commingled clients’ assets with employee or proprietary assets were in violation of the Rule. The NEP staff also noted that some client assets were held in an adviser’s name, but not in an account that was under the adviser’s name as an agent or trustee for the client and that held only client assets; and
  • Some audits were considered to be unacceptable. Some auditors could not be considered to be independent under Regulation S-X or were not registered with the PCAOB. In other instances, audited financial statements were not prepared in accordance with generally accepted accounting principles.


  4. Compliance Tips

To comply with the Rule, advisers should consider:

  • Creating policies and procedures that address the application of the Rule. Advisers should consider how future Rule changes may alter their policies. SEC press releases about rule changes can be found here. Advisers should also consider how changes in their business may affect their Rule obligations and update policies accordingly; and
  • Ensuring that all parties involved consistently follow the prescribed procedures. The Rule is quite technical, and it is important that all parties involved understand the Rule, policies, and procedures.

Many violations of the Rule were the result of advisers not recognizing and understanding their obligations. These issues can be avoided by establishing clear written policies and procedures, distributing them firm-wide and training key staff on their role in implementing the adviser’s custody rule procedures.

SEC Announces Examination Priorities for 2015

The Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission (“SEC”) released its 2015 examination priorities for investment advisers, broker-dealers, and transfer agents. OCIE will focus its efforts on issues related to market-wide risks, analyzing data to prevent illegal activity and protecting investors who are saving for retirement, which are discussed in turn below:

  1. Assessing Market-Wide Risk

OCIE intends to examine widespread firm and industry structural risks. OCIE will closely monitor the largest broker-dealers and asset managers. Large firms allow for better understanding of market trends as a whole. Additionally, clearing agencies will face increased scrutiny in 2015. As we have previously discussed, the SEC will examine broker-dealers’ cybersecurity compliance programs. Lastly, OCIE will increase its efforts to track firms’ trading history against their best execution policies. OCIE intends to work with the Division of Trading and Markets and other regulatory agencies to address market-wide risks.

  2. Use of Data Analytics

As SEC Chair Mary Jo White noted in her speech at the New York Times DealBook Conference in December, OCIE will increase its use of data analytics in examinations. OCIE will use data to identify individuals that are repeat offenders and will examine their employers. Additionally, data analytics will be used to identify excessive trading, market manipulation, and pump-and-dump schemes. Lastly, the OCIE will test firms’ anti-money laundering policies with collected data.

  3. Protecting Investors Saving for Retirement

The most significant theme of OCIE’s examination priorities is the protection of retail investors and investors saving for retirement. This includes investigating the suitability and sales practices for retirement products to individual investors. OCIE intends to examine branch office practices for deviations from the policies set out in compliance programs. Two types of companies the OCIE will examine closely are alternative investment companies and fixed income investment companies. The SEC considers alternative investment companies to be those that make returns that are uncorrelated to the stock market. Companies that act as both broker-dealers and registered investment advisers will likely be examined for the appropriateness of account types offered to their clients.

In addition to these three themes, the OCIE intends to examine transfer agents, municipal advisers, and never-before-examined registered investment company complexes. The SEC will also place significant emphasis on examining fees and expenses in private equity funds. OCIE noted many inconsistencies among private equity advisers in 2014 and plans to act on those findings in 2015. Advisers should review the SEC’s release in its entirety and consult their legal counsel and/or compliance consultant to best prepare for their next examination.

Mary Jo White’s Remarks at NYT DealBook Conference

On December 14, 2014, Chair Mary Jo White of the Securities and Exchange Commission (“SEC”) spoke at the New York Times’ DealBook Opportunities for Tomorrow Conference. She concentrated on the SEC’s future enhancements of risk monitoring and regulatory safeguards for the asset management industry, specifically: data reporting, portfolio composition risk controls and transition planning for advisers. Following are some key takeaways:

  • Chair White spoke about how the SEC relies on data reporting in order to understand the industry. She noted the rapid growth of the industry from $4 billion assets under management in 1940 to $63 trillion assets under management in 2014. As a result, the SEC has implemented new data reporting tools largely due to the Dodd-Frank Act. However, the SEC still only receives information from about a quarter of all registered firms. The SEC will release new recommendations for modernizing and enhancing avenues for data reporting that are already in place.


  • She also addressed portfolio composition risk and operational risk. Portfolio composition risk refers to the risk of mixing a fund’s investments. These can include risks associated with liquidity and leverage. Noting that operational risk involves the possibility of internal process and system failures, she emphasized these in relation to exchange-traded funds (ETFs) and the use of derivatives by mutual funds. The SEC will likely require broader portfolio composition and operational risk management policies for advisers to these types of funds in the future.


  • The final focal point of Chair White’s speech was transition planning and stress training for investment advisers. She pointed out that clients are severely at risk when an investment adviser is no longer able to operate. One especially problematic example is if there are restrictions on the use of a client’s money that is held by an investment adviser. The SEC is preparing recommendations for avoiding issues related to the termination of an investment advisory arrangement.

Chair White’s speech at the New York Times is a sign that the SEC is becoming increasingly interested in data reporting, portfolio composition risk controls and transition planning for advisers. The SEC is planning on new rules or amendments for each of these core points. In addition, there will likely be more reporting requirements for private funds in the near future. Investment advisers should keep an eye out for the possibility of new obligations in all of these areas.

Primer: Holdings Reporting for Investment Advisers

There are several provisions in the Securities Act of 1933 (“Securities Act”) or the Securities Exchange Act of 1934 (“Exchange Act”) that require investment advisers to report their holdings or other investment activity to the SEC. Most of these filings are available to the public via the SEC’s Electronic Document Access and Retrieval (“EDGAR”) system, with some exceptions, which are discussed below. Notably, many of these filings are required whether a firm is registered with the SEC or not (including Exempt Reporting Advisers and state registrants).  Deadlines and other requirements may also vary depending on a firm’s registered status.  These are discussed in more detail below.

  1. EDGAR Filing Generally

EDGAR requires market participants to file electronically with the SEC, enables the SEC to catalog and analyze filing data, and allows the public to quickly search most filings. First-time filers will need to apply for EDGAR access by filing Form ID with the SEC on its EDGAR Filer Management website (“Filer Management”). Form ID asks for basic business and contact information and an 8-character “Passphrase” selected by the filer. Within 48 hours, the SEC will assign a Central Index Key (“CIK”) number to the filer, which will be emailed to the contact person identified on the Form ID. Once a CIK number has been assigned, filers must return to Filer Management to generate the passcodes (“Codes”) used to make filings.

These Codes are all 8 characters and are randomly assigned by Filer Management. They include:

  • Password (NB: this is not the same as the Passphrase that filers select initially). The Password expires annually on the anniversary of its assignment and must be changed within 10 days of that anniversary (the “Grace Period”). The Password is used for all EDGAR filings;
  • CCC: This is the CIK Confirmation Code and must also be used for all EDGAR filings; and
  • PMAC: This is the Password Modification Access Code and can be used to update only the Password within the Grace Period. Following expiry of the Grace Period, filers must use their CIK and Passphrase to generate an entirely new set of Codes.

Filers should ensure that their Passphrase and Codes are kept in a secure location and updated as needed. This will prevent unauthorized use (including access to confidential filings) and avoid delays when making filings.

  2. Schedule 13D and 13G

Generally, a Schedule 13D filing is required where a person (including entities) beneficially owns more than 5% of a class of publicly traded equity securities of an issuer for the purpose of changing or influencing control (in other words, is an activist investor, or anticipates becoming one). A shorter form Schedule 13G is applicable where a person holds the position in the ordinary course of business and not for the purpose of changing or influencing control of the issuer (i.e., is a passive investor).

A person “beneficially owns” a security if it has or shares the power to vote or dispose of the security. To the extent that an investment adviser has discretionary authority over client accounts, it may be a beneficial owner for purposes of these filings. A person also beneficially owns any securities that it has the right to acquire (e.g. exercise of an option), if the right is exercisable within sixty days.

The initial Schedule 13D or 13G, as applicable, is due within ten days following the acquisition that causes the person to cross the 5% threshold. Thereafter, 13D must be amended promptly (no more than two days) following a material change, including a 1% change in ownership. SEC- or state-registered investment advisers have the luxury of longer deadlines. If at the end of their fiscal year a registered adviser is still over 5%, they have forty-five days to file their initial 13G, which is amended annually thereafter. Additional requirements apply at 10% and 20% ownership thresholds, or if a passive investor becomes an activist and must file on 13D.

  3. Form 13F

Any investment adviser that on the last trading day of any month of a calendar year exercises investment discretion over $100 million or more invested in equity securities traded on stock exchanges or the Nasdaq is subject to reporting on Form 13F. The SEC compiles a list of “13F Securities” which is published quarterly on its website. The filing is due in mid-February (the exact deadline will vary depending on the calendar) using data as of December 31. Thereafter, a quarterly 13F report is required forty-five days after the end of each calendar quarter. Firms that met the threshold and then fell below will still need to make the initial and quarterly filings the following year.  See also the SEC’s 13F FAQ.

13F is a public filing, though filers can request confidential treatment.

  4. Form 13H

Any investment adviser who directly or indirectly exercises investment discretion over transactions in US exchange-listed securities equal to or greater than either (a) 2 million shares or $20 million per calendar day or (b) 20 million shares or $200 million per calendar month must report identifying and other data about itself and its affiliates to the SEC on Form 13H promptly (within ten days) after reaching either of the foregoing activity levels. Thereafter, an annual 13H report is required within forty-five days after the end of each full calendar year (the same timeframe as for 13F and 13G for registered investment advisers). Interim amendments are required following any change to the information provided on the form.

Options must be included in calculating the thresholds. The SEC’s 13H FAQ is a useful resource for calculations and other questions.

13H is a confidential filing and is not searchable via EDGAR (though it is filed on the EDGAR system; it is subject to an earlier cut-off time than public filings).

  5. Section 16

Section 16 of the Exchange Act mandates filings by certain insiders of public companies. Officers, directors and 10% shareholders are all considered insiders with respect to the shares of the public companies that employ them, or in which they hold 10% of the outstanding shares. Investment advisers registered with the SEC may be eligible for relief from the filing requirement if their aggregate holdings (i.e. across all funds and clients) meet the 10% threshold. However, if a single fund or another client meets that threshold, it will still be required to file.

The filings are made on Form 3 (initial filing), Form 4 (amendment filing) and Form 5 (annual filing). Amendments must be filed promptly, no later than two days following the change. It is best practice to file as soon as possible following the change, e.g., the same business day, especially given the increased SEC enforcement focus on this area.

See also the SEC’s guidance and electronic filing FAQs.

Practical Controls Around Expert Network Usage

Unsurprisingly, recent SEC examinations of investment advisers are focusing closely on insider trading (see our primer on detecting and preventing insider trading). The staff’s approach is multi-pronged and extensively covers a firm’s use of expert networks. A firm should state in its policies if it does not use expert networks.

For firms that do utilize expert networks, some controls that can be placed around this area to maximize compliance are listed below.

  1. Workflow

Policies and procedures should specify how expert network and other research arrangements will be evaluated and approved.  For example:

  • State that providers must be approved by firm management, including the Chief Compliance Officer; only approved providers may be utilized by employees;
  • Prior to approving a provider, consider, among other things:

-Whether or not it has compliance policies and procedures in place that are designed to prohibit and prevent insider trading;

-The depth and scope of such policies and procedures;

-The means by which these policies and procedures are carried out and tested;

-The added value of utilizing the provider relative to the internal research function at the firm; and

-The reputation of the outside research provider.

  • Require a written agreement with the provider that addresses and prohibits the communication of material non-public information. Consider implementing a checks and balances process that requires the Chief Compliance Officer and/or General Counsel to review the agreement and also requires another officer’s signature;
  • Require any transmission of material non-public information to be reported to the Chief Compliance Officer; and
  • Otherwise encourage employees to discuss their concerns and questions with the Chief Compliance Officer (i.e., an open door policy).

  2. Reviews and Recordkeeping

Expert network activities should be reviewed as part of the annual review, at minimum.  For firms with a lot of activity or other risk factors, reviews should be more frequent.  Recordkeeping should be robust to establish compliance with stated policies and procedures and to demonstrate that policies and procedures are sufficient to prevent the transmission of material non-public information.

Recordkeeping might include:

  • Log of calls;
  • Due diligence files on chosen service providers:

-Executed agreement;

-Terms of service documentation if separate from the agreement;

-Documentation of the selection process, including the reasons for using a service provider and this one in particular, the purpose for the research (e.g., for general market, sector or similar information and not on specific issuers) and any other material that demonstrates the manner in which the firm became comfortable with the service.

  • Any relevant policies on insider trading generally and the use of expert networks. These should be considered living documents, to be reviewed and updated on a continual basis;
  • Any reporting that is circulated among compliance and other departments regarding usage.

  3. Real-Time Controls

Particularly where there is a lot of activity, firms should consider the kinds of real-time controls they can place around expert network usage.  These might include:

  • Utilizing Scripts. Scripts should be as concise as possible, written and distributed to all analysts. Analysts should receive robust training on when and how to use the script to ensure maximum compliance. They are typically recited at the beginning of a call and/or copied into an email setting up the call.
  • Establishing guidelines specific to a particular provider or a particular outside research function on an as-needed basis;
  • Targeted training to analysts;
  • Targeted reviews of communications among the firm/its analysts, the service provider and experts utilized;
  • Placing hard limits on usage (e.g., a set number of calls per month, or only in certain sectors or markets of interest; prohibition on calls about specific issuers);
  • Any tools provided by the service or otherwise available, such as:

-All calls are routed through a bridge line to eliminate the exchange of direct contact information.  This will also enable monitoring by compliance, either to chaperone all calls or randomly dial in.  There is usually functionality for a pre-recorded script;

-Pre-approval such that a call cannot be set up absent approval by the firm’s compliance team.


The MCAA and the Rise of ‘GATCA’

The Cayman Islands and 50 jurisdictions signed the Organisation for Economic Co-operation and Development’s (“OECD”) Multilateral Competent Authority Agreement (“MCAA”) on October 29, 2014 in Berlin. The MCAA implements the automatic exchange of tax information based on the OECD’s Multilateral Convention on Mutual Administrative Assistance in Tax Matters. The MCAA will require Competent Tax Authorities (“Authority” or “Authorities”) in these jurisdictions to automatically exchange relevant tax information based on the OECD’s Common Reporting Standards.

Here are some takeaways from the MCAA:

  • The MCAA in tone has similarities to GATCA, a term to describe a global version of FATCA that would enable countries’ governments to charge tax evaders in up to 65 countries. While GATCA is not an actual policy in place, governments are increasingly making bilateral agreements to prevent tax evasion like the MCAA;
  • Private funds based in the Cayman Islands will now have significantly more international tax reporting and compliance obligations. In addition to the MCAA, Cayman Islands organizations have additional reporting obligations based on US FATCA and the new UK FATCA. The Cayman Islands has already implemented several of the laws and regulations to enable the automatic exchange with other authorities. See our discussion of UK FATCA here;
  • The MCAA will be activated in each jurisdiction once the OECD can confirm that there is proper legislation in place to enforce the rules based on the OECD’s Common Reporting Standards. This rule is particularly important when considering privacy issues that may arise with frequent and large information swaps between Authorities;
  • An Authority needs to provide a timeline of dates regarding enforcement for previous accounts and new accounts to the OECD for approval to implement automatic tax exchanges; and
  • An Authority needs to provide the OECD a list of the other Authorities with which it would like to have an automatic tax exchange agreement. The MCAA does not guarantee exchanges with all of the signees.

The MCAA is a reminder to closely follow the ever-changing landscape of international compliance rules and regulations, particularly in the area of tax. Firms operating in one or more of the jurisdictions listed should frequent the relevant websites for news regarding possible regulation changes. Awareness of changing international regulation is especially important for private funds operating in Crown Dependencies and Overseas Territories, such as the Cayman Islands and the British Virgin Islands, in light of UK FATCA. Authorities look forward to the opportunity to catch tax evaders, and violations can be very embarrassing and costly.

Primer: Detecting and Preventing Insider Trading

Most everyone in the securities industry knows what insider trading is, at least the general outlines. Challenges arise when figuring out how to manage it internally from a compliance perspective, and how to detect (and avoid receiving) material non-public information (“MNPI”) in the first place. This primer sets out the basics briefly as a background but will focus on practical strategies to detect and prevent insider trading.

Managing Insider Trading Issues:

Investment advisers, fund managers, broker-dealers and other participants in the marketplace regardless of registration or exemption status, should have policies and procedures in place to prevent and detect insider trading. These can include, among other things:

  1. Clear agreements with research providers (especially expert networks) that contain representations to the effect that the firm is not engaging the provider for purposes of obtaining MNPI, and that the provider is aware of the laws pertaining to insider trading and will not transmit MNPI.
  2. Establish a policy prohibiting insider trading with the following supporting processes:
  • Employee training;
  • Emphasize that MNPI can be received in connection with the firm’s work or through other means. Receiving MNPI is still a risk to the firm even if the employee receives it separately from his or her work;
  • Periodic review of electronic communications;
  • At least quarterly reviews of employees’ personal securities transactions. More frequent reviews are always better and should be considered necessary to manage a high volume of activity and/or increased risk of receiving MNPI;
  • Real-time maintenance of restricted/watch lists;
  • Escalation of MNPI or a new risk area to Chief Compliance Officer; and
  • Restrict access to any MNPI that is in the firm’s possession.
  3. Analysts or other employees who may contact public companies in the course of their research, or who otherwise might access MNPI, should receive additional and/or more frequent training on how to handle insider trading issues.
  4. Employees who think they have received MNPI must not share that information with anyone other than the Chief Compliance Officer and must not trade while in possession of that information (i.e., even if the MNPI is not a factor or is among other factors in a decision to trade).
  5. Identify areas in which a firm may be more likely to receive MNPI and implement additional policies if needed:
  • Issuers in a client portfolio that may be involved in M&A activity, tender offers and the like;
  • Activist strategies;
  • Confidentiality agreements with respect to information about a public company (e.g., for private equity funds, such an issuer might be in a position to acquire a portfolio company);
  • Use of expert networks; and
  • Employees/principals or their family members who have relationships with public companies (board/officer positions, employees, significant shareholders).


  1. Insiders. An “insider” includes officers, directors and employees of an issuer of securities. Additionally, anyone who has a confidential relationship with the issuer, such as its attorneys, accountants or other consultants is considered a “temporary insider.”
  2. Material Information. Information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if that information is reasonably certain to have a substantial effect on the price of an issuer’s securities. Material information can be positive or negative, and can relate to any aspect of a company’s business or to a type of security. While this definition is intentionally broad, common examples include:
  • Revenue and earnings information;
  • Projections and forward-looking information;
  • Mergers, acquisitions, tender offers, joint ventures, or changes in assets (even if preliminary);
  • New products;
  • Developments about customers or suppliers, such as the loss of a major contract;
  • Changes in control or management;
  • Events regarding the issuer’s securities, including defaults on strict securities; calls of securities for redemption; repurchase plans; stock splits; changes in dividends; changes to rights of securities holders; public or private sales of securities;
  • Change in auditors or audit report; and
  • Bankruptcies or receiverships.


  3. Non-public Information. Information is non-public until it has been effectively communicated to the marketplace. Practically speaking, this means that some fact will show that the information is available to the general public, e.g. through an SEC filing, a newspaper or online article, a quotation service such as Bloomberg, or a widely distributed communication by the issuer. Rumors or other information known to a smaller segment of the investment community is not considered public.

Types of Insider Trading:

  1. Classical Theory. Classic insider trading occurs when an officer, director, employee, or other insider trades on the basis of MNPI about the issuer for which s/he works, in breach of his/her duty to the issuer to refrain from such trading. The duty to refrain from trading extends to attorneys, accountants and other consultants who obtain information through their relationship as well as to “tippees,” if they are aware, or should have been aware, that they were given confidential information by an insider who has breached their duty to the issuer.
  2. Misappropriation Theory. This form of insider trading takes place between the source of the information and a third party who owes a duty to the source. If the third party steals or misappropriates information from the source and then trades on it, the third party is liable for insider trading. This is potentially broader than classical theory insider trading. In a 2013 case, the trader arguably did not receive MNPI as such, but had sufficient knowledge to make a correct, educated guess about an acquisition and traded accordingly. We discussed this case here; the SEC’s release and complaint are available on its website.


UK FATCA: New Filing Obligations for Overseas Crown Territories

The United Kingdom and its Crown Dependencies, such as the Cayman Islands and the British Virgin Islands, have entered into intergovernmental agreements (“IGA”) to improve compliance with UK tax laws. These new IGAs are popularly referred to as UK FATCA due to their similarity to the United States Foreign Account Tax Act (“US FATCA”).

Pre-existing and new investors, as of July 1, 2014, of funds located in UK FATCA jurisdictions have different obligations. Funds are required to obtain a form of self-certification for new investors. Here are the respective rules:

  • New investors to funds in UK IGA jurisdictions will have to self-certify as either a “Specified UK Person” or a “Passive Non-Financial Foreign Entity.” Specified UK Persons will have additional forms to complete. The Cayman Islands FATCA working group has created forms for the purpose of distribution to investors while funds in other IGA jurisdictions have distributed questionnaires in subscription documents.
  • Funds with pre-existing investors should obtain self-certification forms from their investors. Furthermore, UK FATCA requires that the funds perform an adequate search of possible links to the UK (“UK Indicia”). This search includes looking for UK mailing addresses or UK bank account information. If there is a link, UK FATCA will require the fund to obtain additional information.

New and pre-existing investors also have different timelines for compliance obligations:

  • July 1, 2014: Obtain self-certification from all new investors;
  • June 30, 2015: Complete UK Indicia review for pre-6/1/2014 individuals;
  • May 26, 2016: Report to local tax authority for the 2014 and 2015 calendar years;
  • June 30, 2016: Complete UK Indicia review for pre-6/1/2014 entity investors;
  • May 31, 2017: Report to the local tax authority for the 2016 calendar year.

Finally, there are two more important things to note about UK FATCA:

  • Unlike US FATCA, UK FATCA does not have any tax withholding provisions as a consequence of non-compliance. Compliance obligations are only based on the laws and regulations of the UK IGA jurisdiction where the fund is located. Fines and penalties are based on local laws.
  • Investment funds that recognize certain investors as reportable based on UK FATCA will have to do so on an annual basis. This includes a variety of information ranging from the investor’s birthdate to his or her account balances.

UK FATCA is a step in the direction of increased global regulation of financial services on a variety of fronts.  Managers to offshore funds should review the relevant jurisdiction’s websites to stay updated on changes.

Further reading:

Our article on the Multilateral Competent Authority Agreement signed by a number of jurisdictions, including the Cayman Islands, for the exchange of tax information (also known as GATCA).

The Cayman Islands Tax Information Authority website is a great resource for more information regarding UK FATCA.  More on Cayman is available on Maples & Calder’s website.

Schulte Roth and Zabel’s UK FATCA Alert provides a thorough discussion of requirements.

PwC provides an in-depth discussion of the interaction between FATCA and the UK regime.

Considering a Tech Solution for Compliance Workflows? Six Questions to Ask Yourself

A technology platform to manage compliance-related tasks, recordkeeping and calendaring is an alluring prospect for many firms. There are many to choose from, all with their particular strengths and, depending on a firm’s needs, weaknesses. They can also be expensive. Firms that fully adopt and utilize their chosen platform can save money and time in the end, freeing up compliance staff for more substantive work. In contrast, firms that are unsure of their needs or ability to fully utilize a technology platform may make an expensive mistake.

To ensure the best choice and fit and before you even review specific platforms, ask yourself the following questions:

  1. How much compliance data do we manage?

The more data that you manage, the more likely you can benefit significantly from a technology solution. Factors to consider include:

  • Number of employees;
  • Volume of activity in key areas (political contributions, personal trading, gifts and entertainment, outside business activities);
  • Complexity of pre-approval processes; and
  • Extent of filing or other deadline-driven obligations.

  2. What are the pros and cons of our current system?

Historically, compliance disclosures and pre-approvals were managed entirely on paper, organized into folders or binders and tracked on spreadsheets.  Filing deadlines, cyclical reviews and similar tasks were, and largely still are, managed on calendars (e.g., Outlook or Google), spreadsheets or lists. These methods are inexpensive and easy to create and use, but there are pitfalls. For example, it can be difficult to stay current with new or changing obligations and especially so for managers to multiple funds that may have different deadlines for similar tasks (such as state Blue Sky filings).

  3. Can we do better with a technology platform?

The answer is almost always yes. These platforms allow compliance staff to manage nearly all of their work on a single interface. They typically offer document storage and retrieval for compliance manuals and related items, built-in audit trails, electronic forms and reporting, and integration with other platforms (e.g., email, calendaring and feeds from the most common brokers for personal trading reconciliation).

  4. But do we need a technology platform?

The question becomes whether you will use any of the bells and whistles, or even most of the core functions. Carefully consider the complexity of the firm’s business or compliance program, such as multi-layered approval processes. For firms with affiliates and/or funds with deadlines or other functions to manage, uniting all of those on a single platform could be extremely useful, saving time and minimizing the risk of missing something. The greater or more complicated your needs, the more weight they carry in favor of a platform when you consider the remaining two questions.

  5. What is our budget?

Cost is always a factor, if not the ultimate deal-breaker. In addition to the cost of the platform itself, consider the costs of implementation and training, for example:

  • Depending on the vendor, a certain amount of initial implementation and training may or may not be included.
  • Determine what is included in the training. Will the vendor train compliance staff who then train employees on how to use the platform? Will the vendor conduct training for employees as well?
  • To what extent is the platform customizable, if needed, and are there additional costs?

  6. Will everyone at the firm come on board?

Firm management will, of necessity, have the final approval on purchasing a compliance platform. In addition to management, involve other key stakeholders who, if you proceed with implementing a platform, will advocate for it within their departments or the firm as a whole. Key stakeholders might include: C-level officers, department/team leaders, human resources, senior portfolio managers and those whose monitored activities are extensive.

If you have any concerns about complete adoption of the platform across your organization, you should carefully weigh this question.

Cybersecurity: Takeaways for State and SEC Registered Investment Advisers

This September, the North American Securities Administrators Association (“NASAA”) released the results of a pilot project designed to gain a better understanding of cybersecurity threats to mid-sized investment advisers. The results were promising and suggested that cybersecurity issues might not be as serious a problem as previously feared. Of the 440 investment advisers surveyed, only 4.1% of participants had encountered any cybersecurity breach. Only 1% had an incident of theft or loss as a result of a security breach. Furthermore, a majority of these investment advisers are taking appropriate precautions: 77% of the firms had policies and procedures in place regarding cybersecurity threats. In addition to the NASAA’s survey, the SEC issued a Risk Alert and conducted its examinations of 50 registered advisers. Here are the items that were the focus of the NASAA report and the SEC examination:

  • Both the NASAA and the SEC are concerned with the physical equipment firms are using, including smartphones, tablets, laptops and desktop computers. If data is traveling among multiple devices, especially ones outside of the firm, there are more opportunities for cybersecurity attacks;
  • It is important to have a solid written procedure that discusses what the firm will do to prevent and respond to a cybersecurity threat. A firm will be less susceptible and recover more easily after an attack if there is a concrete policy in place;
  • Consider when and how affected clients or investors should receive disclosure about risks, the firm’s policies and any breaches. Public companies have an affirmative obligation to disclose instances of cyber attacks and possible risks, but this is not currently the case for investment advisers and private funds. Regulators’ increased focus in this area may warrant some additional disclosures, whether in fund offering documents, client agreements or Form ADV Part 2; and
  • Expect more regulations and recommendations to be made in the future as a result of the NASAA and SEC’s findings. Cybersecurity continues to be of interest to regulators as technology rapidly becomes ingrained into every facet of business.

Here are some tips on cybersecurity in response to the SEC’s and NASAA’s findings:

  • Beware of potential threats. Learn about how devices interact with one another and how to identify signs of an attack. Consider encrypting correspondence and data transmissions (e.g., to or from any client/investor portals or cloud-based applications);
  • The risks for different firms are unique depending on devices, applications and policies in place. A firm’s cybersecurity program will likely be unique and complex. Figure out a specific plan that will aid staff in preventing, repelling and recovering from attacks;
  • The SEC will always be concerned with disclosure issues, and cyber attacks are no different. If the firm is a victim of a cyber attack, it is critical to appropriately address the event and its impact on clients or investors;
  • Advisers that are doing it right should not rest on their laurels; review and refine cybersecurity policies and procedures at least annually, or more often depending on the firm’s particular risks; and
  • Review policies concerning prevention of identity theft to ensure that they work alongside the larger cybersecurity initiative and do not conflict with one another.


Though cybersecurity and the risk of attack are top of mind for both regulators and financial firms, it is important not to panic and rush into policies and procedures that may not be the best fit. Firms should work with information technology, finance and operations teams to build a comprehensive plan of defense that truly works for their business. Start with a clear understanding of hardware, software, communication methods, and potential points of entry into the firm’s information (e.g., through online investor or client portals or cloud-based platforms). The best way to avoid issues with cybersecurity is to recognize threats and avoid danger before they compromise the firm.