Investment Advisers: Compliance To-Do List for Year-End

Year-end is a busy time for most businesses. For investment advisers and other financial firms, it is especially important to plan for certain compliance tasks, allocate appropriate time and personnel, avoid last-minute scrambles to meet filing deadlines and, if needed, use financial hardship resources to bring investments and business accounts out of the red zone. Below is a summary of key tasks and processes for year-end/early 2014. Please contact us for assistance with any of these, or for any questions that may be specific to your business:

1. IARD Items

Beginning in November of each year, all registered firms must renew their state registrations and notice filings for the following year. FINRA issues renewal statements to each firm, which should be carefully reviewed and paid promptly to avoid delays in processing and ensure timely filings. The schedule varies somewhat each year. The 2014 schedule is available here. Notices regarding the renewal program are issued to firms’ Super Account Administrators (“SAA”) by email.

The renewal statement does not include the SEC’s ADV filing fees. SEC registrants should keep this in mind and submit those fees separately; they can be paid any time, including after the renewal program. Any new state notice filings or registrations should be anticipated and fees submitted so that the ADV filing is not delayed. Firms should allow at least two days for processing all submitted payments, even electronic payments and wires. Fee and payment information is available here. IARD’s “Completeness Check” function catches un-posted fees and will prevent a filing from being submitted.

SAAs should also review all IARD users, remove any that should no longer have access and otherwise adjust privileges as needed. On an annual basis, FINRA requires each firm to certify that the user information on the system is accurate. The timeframe for this varies. Firms are notified by email when the user accounts certification process begins, and each SAA should provide the certification promptly, and in no case later than the deadline provided in the notification email. Failure to provide the certification will lock the IARD account, possibly delaying filings. Protracted delays in completing this process may result in disciplinary action.

SAAs and other users who have not previously done so will be asked to update their security questions. Any issues regarding IARD access can be addressed by the Firm Gateway Call Center (contact details here).

Finally, note also that IARD experiences a number of shutdowns due to its own year-end processing; filing and payment systems are typically unavailable during these times.

2. Annual Review/Report to Management

SEC registrants must perform an annual review of the firm’s compliance program. Other registrants and exempt advisers may wish to perform an annual review as a best practice, especially if they are planning to register with the SEC in the future. The review can take many forms, including:

a. A running log kept by the CCO or other compliance personnel throughout the year is reviewed and updated with any new information, resolutions and other pertinent details; the log is often edited and reformatted for presentation to management. An executive summary at the front, with additional detail following, is a typical format. Exhibits or appendices may be included where appropriate;

b. The CCO uses a checklist to walk through aspects of the firm’s compliance program, performing any tests and obtaining any reporting by other departments as indicated in the checklist, or otherwise in the firm’s policies and procedures. It may be helpful to include a notes section in the checklist, so the CCO can state how s/he plans to address the findings; or

c. A mock exam, either conducted by a consulting firm, or the CCO. Done by the CCO, this is very similar to utilizing a checklist. The data-gathering and reporting aspects will typically be more formal and extensive than a checklist.

Firms that maintain a risk assessment inventory should review that as well and make any updates required to reflect changes in the firm’s business or its policies and procedures. Firms implementing a risk assessment inventory for the first time may do so as part of the annual review process or, if too busy, right afterward, to be reassessed in the next year’s annual review.

Most importantly, the CCO should present his or her findings to firm management, ideally in a face-to-face meeting (or conference call in the case of multiple offices). Often, CCOs will distribute the report by email to give management time to review and prepare any questions or discussion points for the meeting.

3. Employee Compliance Training and Disclosures

Although employees receive a compliance orientation on hire, it is important to gather all employees on an annual basis for a group training session, which will enable the CCO to not only reiterate the firm’s employee-facing expectations but to discuss any regulatory updates and answer questions that may be of interest to the employees or firm generally.

In addition, employees must annually certify compliance with the firm’s Code of Ethics, and any other disclosures required by the firm’s policies and procedures.

Firms tend to do these at year end or just after the new year, but they can be done at any time (though a good practice is to keep that timeline consistent from year to year).

4. Prepare for Early 2014 Filings

A number of quarterly and annual filings are due shortly after the new year, including:

a. Form 13F: Quarterly filing, due 45 days after the end of a calendar quarter, or February 14, 2014;

b. Schedule 13G: Annual filing, due 45 days after the end of the calendar year, or February 14, 2014;

c. Form 13H: Annual filing, due 45 days after the end of the calendar year, or February 14, 2014;

d. ADV: Annual filing, due within 90 days of a firm’s fiscal year end; for most this will be March 31, 2014; and

e. Form PF: Annual or quarterly filing depending on type of funds managed and RAUM. Annual filers have a due date of April 30, 2014. Quarterly filers will have due dates of March 3, 2014 (large hedge funds) or January 15, 2014 (large liquidity funds).

Note: the above filings may also require interim amendments if certain information contained in the filing has changed or other thresholds are met. Though not based on the calendar year, firms that manage private funds should review their SEC Form D and state blue sky filings at this time to check for amendments and renewals.

5. Special Considerations for Smaller Managers

Small managers should consider the following:

a. Much of the above assumes a larger infrastructure than may exist at smaller and start-up firms. For example, the person managing compliance may have no one to report to besides him or herself. Even so, the annual review process should be clearly documented and maintained in the firm’s files;

b. Smaller managers may not have any other users assigned in the IARD account. They will still need to complete FINRA’s user accounts certification per the email they will receive when that process begins;

c. Smaller managers may not be subject to a number of the filings listed above, such as 13F, 13H and Form PF; and

d. When the day-to-day compliance tasks are handled in house, it can be helpful to retain a consulting firm to perform annual tasks such as a mock exam for the annual review, conduct employee training and handle filings. Conversely, a firm that outsources routine compliance tasks should take an active role in the annual review process – essentially to review the performance of the consulting firm.


Advisers have plenty to think about as the end of the year (and beginning of the new year) approaches.  If you have any questions or would like help with your year end items, please contact us.

Regulatory Issues for High-Frequency Traders

Many institutional investors (including fund managers) utilize some form of automated trading. High-frequency trading (“HFT”) is a distinct subset of automated trading that makes its money from rapid entry and exit in positions throughout a trading day and can be based on a number of different strategies. Positions are generally held for fractions of a second (faster than an eyeblink in some cases).

Normally under the radar, HFT took center stage in the investing world in 2010 with two events: on February 3, HFT firm Infinium Capital Management’s algorithm malfunctioned, entering 6,767 orders to buy light sweet crude oil futures on the NYMEX, enough of which were filled to send the market soaring. More well-known is the May 6 “flash crash,” which saw US equities plummet, helped along, regulators said, by HFTs. However, of the two, the February 3 incident more clearly highlights some of the compliance issues relating to HFT.

A NYMEX business conduct panel investigated the February 3 incident and found a number of risk management failures, ultimately issuing a $350,000 fine to Infinium. Interestingly, the panel determined that Infinium breached its own protocols in developing the algorithm that went rogue on the NYMEX:

• Infinium’s normal testing process takes approximately 6-8 weeks; whereas this algorithm was finished the day before it went on the market and was only tested for a couple of hours;

• Features designed to automatically shut down the algorithm failed, attributed to errors in the code; and

• An employee used a colleague’s trading ID to place positions that would offset the firm’s undesirable exposures.

While the flash crash and the Infinium incidents were unusual in their scope (and resulted in a fine in the latter case), smaller versions of these kinds of issues take place every day.

While there are benefits to the marketplace associated with HFT (such as greater liquidity and lower transaction costs), firms utilizing it should build a robust compliance program around these activities, considering the following:

• Enhanced risk controls because of competitive time pressure to execute trades without the more extensive safety checks normally used in slower trades;

• Establish and document the process for developing, testing and using algorithms. Out of control or “rogue” algorithms are fairly common; though immediate causes may vary, a root issue is the care that is taken (or lack of it) in building the algorithms in the first place, or managing them once in use. Examples include:

o Algorithm goes out of control and submits unexpected orders;

o Trader sets parameters that cause an algorithm to trade too aggressively;

o Algorithms used simultaneously (e.g., to outbid one another) get into a negative feedback loop.

• Write “kill switches” into algorithms so trading can be stopped at certain preset levels;

• Impose limits such as:

o The number of orders that can be sent to an exchange within a set period of time;

o Intraday position limits that set the maximum position a firm can take during one day;

o Profit-and-loss limits that restrict the dollar value that can be lost.

• Security risks such as terrorist activity, hackers, disgruntled employees, or others obtaining and interfering with algorithms and/or related systems. Firewalls and physical barriers should be used and other measures taken to limit both internal and external access. Security measures should be tested periodically to ensure that they have not been tampered with, or accessed inappropriately;

• Determine whether the firm’s HFT activities could be considered front running, and whether this activity violates applicable regulations or the firm’s own Code of Ethics.
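
The order-rate, intraday position and profit-and-loss limits and the kill switch listed above can be combined in a single pre-trade check. The sketch below is an added illustration, not code from this article or from any firm or exchange; the class names, thresholds and the replayed order stream are hypothetical. It assumes a design in which a rate or loss breach latches the kill switch, a position breach rejects only the offending order, and any error inside the check itself halts trading rather than letting orders through.

```python
"""Pre-trade risk gate: rate, position and loss limits behind a latching kill switch."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_orders: int      # orders accepted per sliding window
    window_s: float      # window length in seconds
    max_position: int    # absolute intraday position cap, in lots
    max_loss: float      # realised loss (dollars) that halts trading


class RiskGate:
    def __init__(self, limits: Limits):
        self.limits = limits
        self.sent = deque()      # timestamps of accepted orders
        self.position = 0        # filled net position (+long / -short)
        self.open_buy = 0        # accepted but unfilled buy quantity
        self.open_sell = 0       # accepted but unfilled sell quantity
        self.pnl = 0.0
        self.kill_reason = None  # set once; the gate never re-arms itself

    def kill(self, reason: str) -> None:
        if self.kill_reason is None:
            self.kill_reason = reason

    def check(self, now: float, qty: int) -> str:
        """Decide on one order (qty > 0 buys, qty < 0 sells)."""
        if self.kill_reason:
            return "KILLED"
        try:
            if not isinstance(qty, int) or isinstance(qty, bool) or qty == 0:
                raise ValueError(f"bad quantity {qty!r}")
            # Order-rate limit: drop timestamps that left the window, then count.
            while self.sent and now - self.sent[0] >= self.limits.window_s:
                self.sent.popleft()
            if len(self.sent) >= self.limits.max_orders:
                self.kill("order rate limit")
                return "KILLED"
            # Position limit on worst-case exposure: fills plus working orders.
            worst_long = self.position + self.open_buy + max(qty, 0)
            worst_short = self.position - self.open_sell + min(qty, 0)
            if max(worst_long, -worst_short) > self.limits.max_position:
                return "REJECT"
        except Exception as exc:
            # Fail closed: a bug in the check must stop trading, not allow it.
            self.kill(f"risk check error: {exc!r}")
            return "KILLED"
        self.sent.append(now)
        if qty > 0:
            self.open_buy += qty
        else:
            self.open_sell -= qty
        return "ACCEPT"

    def on_fill(self, qty: int, realised: float) -> None:
        """Apply a fill and enforce the loss limit."""
        if qty > 0:
            self.open_buy -= qty
        else:
            self.open_sell += qty
        self.position += qty
        self.pnl += realised
        if self.pnl <= -self.limits.max_loss:
            self.kill("loss limit")


def runaway_demo() -> list:
    """Constructed stream: an algorithm sends a 1-lot buy every 10 ms."""
    gate = RiskGate(Limits(max_orders=5, window_s=1.0, max_position=10, max_loss=1000.0))
    decisions = [gate.check(i * 0.01, 1) for i in range(8)]
    decisions.append(gate.check(5.0, 1))  # window has passed, switch stays latched
    return decisions


def limits_demo() -> tuple:
    """Constructed sequence exercising the position and loss limits."""
    gate = RiskGate(Limits(max_orders=100, window_s=1.0, max_position=10, max_loss=1000.0))
    steps = [gate.check(0.0, 8), gate.check(0.1, 3), gate.check(0.2, -3)]
    gate.on_fill(8, -1200.0)              # fill arrives with a realised loss
    steps.append(gate.check(0.3, -1))
    return steps, gate.kill_reason


if __name__ == "__main__":
    print(runaway_demo())
    print(limits_demo())
```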

The SEC responded to the May 6 flash crash and it is likely that the regulatory landscape will continue to evolve. A roundup of regulatory activity is listed below:

• In place:

o The SEC introduced “circuit-breakers” for individual stocks that stop trading across all markets. While these can be modified to permit continued trading, this is only within set parameters;

o The SEC established uniform policies for canceling trades struck at clearly irrational prices;

o The SEC eliminated “stub quotes,” which allowed market-makers to buy good stocks for a penny if there are no other bids;

o The London Stock Exchange abolished liquidity rebates.

• Ideas/proposals/concerns:

o Differences in data conventions among the dozens of markets may have exacerbated the flash crash;

o Banning flash orders;

o Require issuers to notify exchanges when they expect material information will be revealed during trading hours so that the exchanges can halt trading before the news arrives;

o Regulators/governments should release major information only when the markets are closed or at pre-announced times;

o The technology required to run an HFT platform is very expensive. As trading speeds increase, HFTs are investing more money into faster technologies. A concern here is that ultimately, only a few HFTs who can afford the ongoing expenditures will remain – undoing the benefits that HFT can have for the marketplace. It has been suggested that this “arms race” can be halted by requiring all exchanges to delay the processing of every order instruction they receive by a few milliseconds.

Use of Social Media: 9 Compliance Tips

As social media becomes ever-present, we are often asked, how can a futures participant, private fund manager or other investment adviser use these powerful tools, and still be compliant with both regulations and best practices?

Both the National Futures Association (“NFA”) and the US Securities and Exchange Commission (“SEC”) have established guidance regarding the use of social media by futures participants and investment advisers, respectively. Effective December 24, 2009, NFA members are generally required to treat any social media sites they use as “promotional material,” which carries a number of compliance-related obligations. Moreover, members have an affirmative duty to monitor reader/user generated posts on these sites, remove misleading content, ban users who repeatedly violate rules or for egregious conduct, and monitor their employees’ use of social media.

Meanwhile, SEC-registered investment advisers are encouraged to review their social media use, assess the risks and adopt policies and procedures with respect to use of social media. The SEC provides a number of considerations to guide this analysis. The best practice here is similar to NFA requirements: treat all social media use as advertising, subject to SEC Rule 206(4)-1, and consider other compliance requirements such as recordkeeping.

Some tips for managing social media use by a firm and/or its employees:

1. Treat all social media content as promotional material or advertising, as applicable. Although some social networking can be considered correspondence, it is usually directed to more than one person and discusses the futures or securities industry in general or the firm’s business specifically. Fund managers relying on Regulation D and/or the Investment Company Act exemptions should not discuss these offerings on social media.

2. Firms should ensure that their electronic archiving systems capture social media content. If the current service provider cannot capture social media, the firm should either refrain from using it for business purposes, or retain a service provider that offers this service. The firm’s compliance staff should review all social media sites used by the firm on a regular basis. Employee sites should be reviewed as well if they are permitted to use their own sites for business purposes. Even if this is prohibited, compliance staff should run periodic searches to make sure that employees are complying. Required records should be kept for five years, and be accessible such that they can be produced upon request to examiners.

3. Avoid testimonials from clients or investors. Employees’ use of social media should be monitored to ensure that endorsing skills or accepting recommendations on LinkedIn, liking a post or page on Facebook, favoriting or re-tweeting posts on Twitter do not constitute testimonials. To the extent that a particular platform will not permit declining likes, favorites or re-posting, the firm should avoid using the site for business purposes.

4. Blogs should set the commenting feature so that any reader comments must be approved by someone at the firm before they are visible on the blog. If such a setting is not available, any inappropriate content should be deleted promptly.

5. Do not disclose any client, investor or prospect information anywhere online. Be careful to ensure that such information is not inadvertently disclosed through a personally directed tweet or post. For its own business reasons, the firm should be aware that any information published on a third party’s site generally ceases to be owned by the firm. Accordingly, trade secrets or other proprietary or sensitive information including financial processes, methods of selecting investments, or analysis of market trends should never be disclosed online.

6. Create and implement a written social media policy that:

o Is firm-specific (i.e., not just off-the-shelf), clearly explains how it prevents violations of applicable regulations, contains specific definitions, and details permitted and prohibited platforms, activities and content;

o Addresses third party use of the firm’s websites or blogs, including prohibitions such as testimonials or recommendation of a specific investment. Consider pre-approving all postings and communications;

o Addresses confidentiality of client and prospect information, and use of confidential company information;

o Provides parameters for employees’ use of social media and addresses possible disciplinary measures in the event of misuse; and

o Requires archiving and monitoring of social media platforms (see also points 2 and 8).

7. Provide employee training and education regarding the policy. If the firm permits employees to use social media for business purposes, only those who have received training should use social media on behalf of the firm. Employee attestations should include compliance with the firm’s social media policy.

8. Regularly and actively supervise and monitor social media activity, including third parties’ use of social media outlets to ensure that any improper content (such as testimonials) is removed. The CCO should periodically examine employees’ social media usage to ensure compliance with the policy. Review methods may include:

o Conducting an internet search and viewing content on the sites;

o Searching an employee’s personal account if that account is accessed and/or stored on the firm’s computers or network;

o Retaining a service provider to archive social media content and review it regularly as part of general surveillance of electronic communications.

9. Don’t forget about mobile use. Most social media platforms offer apps for use/access on mobile phones and tablets. A firm’s policy should address this use and, similar to point 2 above, ensure that content is captured for monitoring and recordkeeping purposes. This may be of particular concern to the extent that employees use personal devices, not issued or managed by the firm, for business purposes.

Identity Theft Issues for Investment Advisers and Futures Participants

A little-known provision of the Dodd-Frank Act shifted responsibility over existing identity theft rules from the Federal Trade Commission to the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”). The rules became effective May 20, 2013 and certain entities regulated by the SEC and CFTC will need to comply by November 20, 2013.


SEC and CFTC registrants that are “financial institutions” or “creditors” and that offer or maintain “covered accounts” for their clients will need to comply with the identity theft rules:

  • Financial institution: a bank, credit union or other person who holds a transaction account belonging to a consumer (a transaction account is one that permits withdrawals, payment orders, transfers or similar means for making payments to third parties);
  • Creditor: any person that regularly extends, renews or continues credit to others.
  • Covered account: any account that a financial institution or creditor offers or maintains:
    • Primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and
    • There is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. Examples include: for the SEC, brokerage or mutual fund accounts that permit wire transfers or other payments to third parties; for the CFTC, margin accounts.

Who will be affected, and how?

On the SEC side, broker-dealers, investment companies and investment advisers are considered financial institutions. On the CFTC side, commodity pool operators and commodity trading advisers will be considered creditors if they:

  • Regularly extend, renew or continue credit or arrange for the extension, renewal or continuation of credit; or
  • Acting as an assignee of an original creditor, participate in the decision to extend, renew or continue credit.

Firms that meet these definitions are required to implement reasonable policies and procedures that:

  • Identify “red flags” to prevent identity theft in the covered accounts they manage, and document them in the compliance program. Red flags can exist in the types of accounts the firm manages, the manner in which accounts are opened or accessed, and the firm’s previous experiences (if any) with identity theft;
  • Provide for monitoring accounts on an ongoing basis to detect red flags;
  • Respond appropriately to red flags;
  • Are periodically updated to reflect any changes in risks; and
  • Describe the various appropriate responses to red flags.

Whether a firm will meet the definitions will depend significantly on its client base and account structures. Traditional RIAs and other firms that manage accounts for individuals or family offices should look closely at those accounts to determine the types of activities that will be processed in them. A firm that handles bills or other third-party payments on behalf of its clients will need to undertake the most review and implement the most rigorous compliance program contemplated by the rules.

At first blush, fund managers may assume that these rules will not apply to them; however, care should be taken to ensure that investors’ accounts are set up to receive and hold investment amounts, and the only transfers permitted will be for management fees, performance allocations to the manager/general partner as applicable, and withdrawals by (and most importantly, back to) the investor to minimize identity theft risks. Even so, additional procedures around investor intake and withdrawal may need to be implemented.

CPOs and CTAs may undertake a similar evaluation and should also look at their investment strategies to determine the extent to which they meet the creditor definition.

Finally, even if a firm is not registered with the SEC or CFTC, identity theft can be a significant reputational and litigation risk if it handles third-party payments on behalf of clients or investors. Accordingly, state registrants and exempt firms should consider implementation as a best practice.

Compliance Strategies:

The rules identify five specific categories that every compliance program should address:

  • Alerts, notifications or other warnings received from consumer reporting agencies or other service providers;
  • Presentation of suspicious documents;
  • Presentation of suspicious personal information (e.g., an unexpected or unusual address change);
  • Unusual usage of a particular account; and
  • Notices from customers, victims of identity theft, law enforcement agencies or others regarding possible identity theft in an account.

Employees should be trained to identify the above and any other red flags that are specific to the firm’s business.

Appropriate responses to a red flag incident will vary significantly depending on the circumstances. The rules mention:

  • Monitoring an account for evidence of identity theft;
  • Contacting the customer;
  • Changing passwords, security codes or other devices that permit access to an account;
  • Reopening accounts with new numbers;
  • Refusing to open an account;
  • Closing an existing account;
  • Refraining from collection activities on an account;
  • Notifying law enforcement; and
  • Determining that a response is warranted in a particular instance.

Other, proactive safeguards can include standardizing the forms and processes used to effect transactions in client accounts, designating a person or team of people to handle those transactions under supervision (and training them to detect identity theft), preparing and reviewing a daily transaction blotter, requiring additional approvals and documentations for higher risk transactions and implementing PINs or security questions and client call-backs, to name a few.

To the extent that safeguards are client or investor-facing (such as call-backs, PINs or other identity verification tools), these should be standardized and clients/investors notified of the procedures so they know what to expect. Obtaining clients’ acknowledgment of these processes via the investment advisory or subscription agreement is a good way to handle this clearly and consistently.

To ensure compliance by November 20, 2013, we encourage all firms to reach out to their compliance consultant or legal counsel as soon as possible. Rolling out the program early will afford plenty of time to refine it by the deadline.

JOBS Act Ban on General Solicitation Lifted for Fund Managers

New Opportunities and Challenges for Fund Managers

Nearly a year after their proposal, the SEC finalized rules lifting the ban on general solicitations for private offerings under Regulation D, Rule 506. Private fund managers typically rely on this rule exempting them from registering their private fund interests as securities.  The rule will be effective 60 days following publication in the Federal Register.

Previously private fund managers were banned from engaging in general solicitations in marketing to potential investors. The new regulations enable fund managers to reach a wider audience of potential investors, including through their websites, social media and other methods previously off-limits, subject to certain compliance obligations.

What should Managers be doing now?

Managers should hold off on any planned general solicitation efforts until the final rules are issued. In the meantime, compliance and marketing teams should review the rules alongside existing policies and procedures and determine any needed or useful enhancements. In particular, consider the following:

  • According to another rule proposed today, the SEC will require the filing of a Form D for a fund prior to engaging in general solicitations; managers who have not previously filed a Form D for a private offering should contact their legal counsel or consulting firm.
  • In its proposed form, the rule requires managers to take “reasonable steps” to ensure that targeted investors are accredited. This is an inherently flexible concept; the flip side being uncertainty in what constitutes reasonable steps. Accordingly, more diligence may go into determining whether the recipients of a general solicitation are accredited investors and into keeping more detailed records of this process.
  • Marketing material will be subject to wider potential distribution than ever before; even with appropriate disclaimers and other safeguards, these materials could fall into the hands of non-accredited investors. While this should not create a liability issue, many managers might be uncomfortable with such an unintentionally wide audience. Moreover, that audience could include regulators who will review the materials before they come in for an examination.
  • Marketing material will likely require more intense internal review, given the wider audience and ease of distribution. For example:

    • Take extra care to ensure that nothing in the material could be construed as misleading (think of the least common denominator here) and that opinions are explicitly described as such. Statements of fact should cite sources in the material and be robustly documented in the manager’s files.
    • More, not fewer, disclaimers and disclosures may be prudent, particularly around performance data, use of charts and other graphical material and portfolio holdings information. Please note that additional legends and disclosures will be required per SEC regulation.
    • Caution may dictate that content is left out altogether, content that managers would almost always include when presenting to potential investors in their existing network. Conversely, more explanatory content may be added elsewhere, making a presentation less streamlined and attractive, creating concern that the core message is obscured.
    • Because marketing materials will likely be distributed electronically, managers should ensure that their archiving system for email and other electronic communications is functioning properly and consider implementing more frequent reviews and testing of the archive. If there are any deficiencies, managers should upgrade their archiving platform before engaging in general solicitations.

  • It is not unusual for a startup manager to obtain initial fund investments from friends and family, some of whom may not be accredited investors. Any manager who seeks non-accredited investors, even prior to launch, will have to be extra careful in how such investors are identified and contacted and keep impeccable records that show the relationship. There should be no doubt or question that such investors could have been obtained through a general solicitation.
  • Managers should note that felons and certain “bad actors” will be prohibited from using general solicitations with respect to a private offering.


Managers using general solicitation should devote additional resources, whether this is outside counsel, a compliance consultant, or internal staff, to ensure compliance with the new rules and appropriately manage the risks involved. In addition to professional fees, costs associated with recordkeeping and maintenance should also be considered.

How to Roll Out a New Compliance Policy

Tips on Creating New Compliance Policies & Procedures

Regulators expect firms to have an “evergreen” compliance program (“Program”), in other words, one that adapts to its changing business. The Policies and Procedures/Compliance Manual (the “Manual”) a firm adopted when it launched may not be fresh today. A Chief Compliance Officer’s (“CCO”) annual review process can help flag areas of a firm’s business and/or the Program that need to be updated, but how does one create a brand new policy? Consider the following:

1. Where does it go?

Code of Ethics (“Code”), Manual or somewhere else? Generally speaking, policies and procedures (“P&P”) around business operations should go in the Manual, whereas those that focus on individual employee conduct can go in the Code. A typical Code includes P&P relating to insider trading, conflicts of interest, outside business activities, personal account trading and gifts, gratuities and entertainment. Some firms include political contributions (aka Pay to Play) and lobbyist registration in the Code, whereas others include these in the Manual.

It can be tempting to insert detailed workflows, specific guidance or similar explanatory details into the Manual. As these change, the Manual itself will need to change and be reissued to employees. Accordingly, consider keeping the P&P more general in nature (without sacrificing clarity), and document workflows, guidance and other details separately.

2. Timing

Keep in mind that the SEC requires advisers to obtain employee attestations to the Code on at least an annual basis. If the Code is revised in the meantime, employees should attest to the revised Code when it is rolled out. If a particular change to the Code is urgently needed, an adviser may have no choice but to roll it out immediately and obtain employee attestations. Other changes may wait until the adviser’s typical annual acknowledgment timeframe (often around year-end, or after the beginning of a new year) so both can be accomplished at once. Multiple attestation cycles during the year can create confusion, and too many changes in succession may give a negative impression to regulators.

Changes to the Manual typically do not need to be acknowledged by employees as they happen, so long as impacted employees are made aware of (and trained on, if needed) the changes.

A firm should set a target date to officially launch a new P&P, but have it ready about a month before that for a “soft launch” during which it can be tested and revised if needed. Once any post-testing changes are made, the revised, final Manual or Code can be circulated to all employees.

3. Who is involved?

Which departments/employees will be most involved in the new P&P? Soliciting their input while it is being developed will help a firm create a customized P&P that is more easily integrated into existing workflows. Handled well, discussing this feedback will reinforce employees’ sense of buy-in to the new P&P and more generally boost the firm’s culture of compliance. On the practical side, while management may understand the need for a new P&P, affected employees may have a detail-level familiarity with the processes that will be invaluable when the P&P is operational. Finally, this input during development means that the testing phase can focus more on detecting unanticipated issues (instead of getting bogged down on issues that could have been resolved earlier).

Similarly, outside counsel and/or a firm’s compliance consultant should be in the loop to troubleshoot issues based on their regulatory expertise and broader experience. Either/both of these service providers can assist with drafting P&P and determining where/how it is documented and integrated into a firm’s Program and overall business.

4. Testing and Training

As discussed in point 2, above, a “soft launch” of a new P&P provides a window of time to test it and ensure that it works as intended. Parallel with testing, affected employees should be trained and their immediate questions answered before the P&P is official. If a new P&P is unusual or complex, consider asking your compliance consultant to run the test. Finally, the firm’s next annual review or mock exam should cover the new P&P in more detail; a longer period of time and the accumulation of applicable records will enable the CCO to see the new P&P in a larger context and to make any other changes more objectively.

Sansome Strategies Launches Outsourced Compliance Solutions

Today we formally announce the launch of Sansome Strategies LLC.

The regulatory environment has changed for all investment managers and a premium, both with regulators and investors, has been placed on having a tailored, robust and evolving compliance program in place.  The cost in man-hours to many managers is high and those managers are choosing to outsource some or all of their compliance obligations to third party consulting firms.  Sansome Strategies was launched to cater to these managers and to deal with all aspects of the investment management industry – RIAs, private fund managers, CFTC registrants and FINRA member firms.

The press release announcing the launch is found below. 


Sansome Strategies LLC Introduced as New Compliance Consulting Firm with Commodities Focus

San Francisco-Based Firm Specializes in Outsourced CCO Services

SAN FRANCISCO, CA – May 2, 2013 – Announced today is the launch of Sansome Strategies LLC, a compliance consulting firm specializing in high-touch, outsourced compliance services for firms in the investment management industry. Aiding hedge fund managers, commodity pool operators and CTAs, private equity firms, futures managers, and other investment managers, Sansome Strategies offers expertise in streamlining regulatory processes and tailoring compliance outsourcing arrangements to a business’ specific needs.

Sansome Strategies’ head of compliance operations is Jennifer Dickinson, who has extensive experience with private fund compliance, both with respect to investment adviser and futures regulation. Prior to joining Sansome Strategies, Dickinson was a Senior Compliance Consultant at Gordian Compliance Solutions, LLC. Dickinson has been a Chief Compliance Officer at several large investment managers, and worked at the law firms of Cole-Frieman & Mallon LLP and Pillsbury Winthrop Shaw Pittman LLP. “Sansome Strategies will be a perfect fit for those firms seeking one-off compliance solutions, as well as firms that need an institutional quality compliance consultant,” Dickinson said. Ghufran Rizvi, COO of Standard Pacific Capital, LLC in San Francisco agrees, “I have known Ms. Dickinson for many years. She is a great business partner and Sansome Strategies will be a valuable addition to the compliance consulting space.”

Sansome Strategies’ expertise with futures managers and commodity pool operators differentiates the firm in a crowded field and is unique in the compliance consulting industry. The firm is backed by Karl Cole-Frieman and Bart Mallon, partners and founders of Cole-Frieman & Mallon LLP, which has one of the largest private fund practices in California. “There is significant and increasing demand for a compliance firm that understands both registered investment advisers and CFTC registered firms,” according to Karl Cole-Frieman. “Changes in the CFTC’s registration and exemption requirements have forced more managers into registration,” Bart Mallon notes, “and we have not seen the existing compliance companies prepared to address this demand.”

With Sansome Strategies, clients can pick and choose from an array of options, including a completely or partially outsourced compliance program, or opt for advisory, educational, or training services only. Sansome Strategies collaborates with business management and staff to structure, implement, and maintain their compliance program. Sansome Strategies features a client-centric business model, putting a heavy focus on customized services and collaboration.


About Sansome Strategies

Headquartered in San Francisco and with a nation-wide scope of services, Sansome Strategies is a compliance consulting firm specializing in high-touch, outsourced compliance services for businesses in the investment management industry. Serving investment advisers, futures managers, hedge funds, broker-dealers, private equity firms and businesses ranging from entrepreneurial start-ups to multi-billion dollar international institutions, Sansome Strategies prides itself on tailoring compliance management solutions to the unique needs of each client. Comprised of securities industry professionals with years of experience in the financial and regulatory industries, Sansome Strategies’ mission is to simplify the compliance process, minimize risk, and lower costs, with the core goal of helping clients focus on building and enhancing their business. The firm also publishes ComplianceFocus, a compliance blog designed to be a practical and accessible resource to the investment management community. For more information please visit Sansome Strategies at:

For more information, please contact:

Jennifer Dickinson
Sansome Strategies LLC

7 Tips to Get the Most Out of Your Mock Examination

A mock exam can be a useful tool in many contexts, for example taking the place of your annual review, or helping growing managers transition from exempt reporting advisers or state registrants to SEC registration. Most importantly, it is an invaluable exercise in preparing existing SEC registrants for the inevitable real thing. The following tips will help you make the most of the mock exam experience:

1. Retain a consultant to perform the exam. Ideally this will be a consultant who is not already familiar with your business – either another team member from your current consulting firm or an entirely new firm. A mock exam conducted by internal compliance personnel is likely to be less formal and, however inadvertently, less objective.

2. Think locally. Look first to consultants in your area, who will be able to perform onsite interviews and other tasks with a minimum of expense. If you do retain a consultant that must travel, be prepared to pay for airfare, lodging and related expenses. Depending on your budget, this could be a limiting factor both in your choice of consulting firms and in the scope and realism of the exam. Consultants are often willing to conduct interviews by telephone, but this may diminish the “real thing” experience.

3. Go through your counsel. Your counsel may have referrals to compliance consultants and will likely have valuable feedback on the report that is ultimately created based on the exam. It is also worth noting that your counsel can retain the consultant on your behalf, which makes the exam and its results confidential under the attorney-client privilege.

4. Treat it like the real thing. Particularly if the examiner is familiar with your business or has access to your information (e.g., another consultant at the firm you currently use), you should treat the mock exam like it is the real thing, including the following:

a. Do not expect the examiner to use or rely on information already in the consulting firm’s files. Instead, produce all documents and information relevant to the request. Do not assume that the examiner has any background or other information on the questions s/he asks.

b. Even if your examiner has not specified a deadline, set internal deadlines, such as the final deadline to produce all requested documents and any interim deadlines for information or documents to be gathered by particular employees or departments.

c. Make your written responses to the document/information request as professional as possible, as if you were responding to a regulator.

d. If a particular request is not applicable, mark it as such in your response to the document request. Do not assume that the examiner knows it is inapplicable.

5. Ask for a risk-based exam. If you are registered with the SEC and using your mock exam to prepare for the real thing, ask prospective consultants if they can conduct it as a risk-based “presence exam” per the SEC’s new protocol. While the initial interview and document request may not differ significantly from the traditional format, the examiner will ultimately identify a few higher risk areas for your firm and focus the bulk of the exam on those areas, including additional interviews and document/information requests.

6. Think about what keeps you up at night. Is there anything that would help your compliance team do better, be more efficient or fill in gaps in your compliance program? Consider asking the examiner for recommendations in these areas and include them in your report (see also Tip no. 3 above if you’re concerned about keeping these confidential). A recommendation from a reliable and objective third party may help you obtain additional resources internally to beef up your compliance program, e.g., to improve archiving and search capabilities for email surveillance, additional personnel or an online solution for trade review and the like.

7. Toot your own horn. Most positions or departments, regardless of the business or industry, face a moment when they have to justify their existence to management. Positives in your mock exam report are evidence of what your compliance team is doing well and should be highlighted in periodic meetings, your own internal compliance reviews and anywhere else they can be useful to you and your firm.

The trend toward outsourcing CCO services


Under Rule 206(4)-7, an investment adviser registered with the SEC is required to (a) adopt and implement written policies and procedures reasonably designed to prevent violations of the federal securities laws; (b) review those policies and procedures each year for adequacy and effectiveness; and (c) designate a chief compliance officer to be responsible for overseeing and administering said policies and procedures.

Since the rule’s implementation almost a decade ago, there has been a distinct trend among SEC-registered investment advisers towards outsourced CCO services to satisfy 206(4)-7(c). Despite initial reluctance on the part of the SEC to fully embrace the practice of firms using outsourced CCOs, registered investment advisers have found widespread success with this arrangement. As the SEC and state regulators continue to ramp up compliance requirements for all industry participants, the outsourced CCO arrangement has increasingly become a fixture in the modern landscape of the industry.

The Outsourced CCO Arrangement

The SEC requires that the CCO is a “supervised person,” defined as “any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or another person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.”

An outside compliance professional endowed with the overarching duty of overseeing and implementing the firm’s compliance program and equipped with the authority to do so fits the bill. In an outsourced CCO arrangement, the outside compliance professional becomes the named CCO on Form ADV and can be made responsible for everything from drafting, maintaining, and implementing a firm’s compliance manual, to conducting formal, periodic compliance reviews and risk assessments, to providing compliance education and training to the firm’s staff.

Explaining the Trend

When the new Compliance Rule 206(4)-7 became effective in 2004, investment advisers scrambled to find a cost-effective and legitimate way to comply with the SEC’s heightened requirements. Small firms found themselves in a particularly challenging position because of fewer personnel and resources. Even the most experienced advisers well-versed in SEC rules and regulations found it extremely difficult, time-consuming, and stressful to try to singlehandedly perform all the duties required of a CCO without outside help.

In 2004, Lori Richards, Director of the SEC’s Office of Compliance Inspections and Examinations, emphasized the need for CCOs to have “intimate knowledge of the firm’s operations in order to administer an effective compliance program. It would therefore be logical to infer that a reasonable amount of time would have to be spent not only overseeing the structure of the compliance program but its implementation as well. Because of this, I am wary about whether a compliance ‘rent-a-cop’ could really be up to the task.”

Nevertheless, the arduous ongoing compliance requirements imposed on investment advisers, in conjunction with the numerous benefits yielded by those who engaged in outsourced CCO arrangements, have resulted in a steady increase in the prevalence of outsourced CCOs. Charles Schwab’s 2012 Benchmarking Study revealed that 35% of firms reported outsourcing compliance, up from 23% three years ago. Indeed, this past year has seen no shortage of the consequences of inadvertent noncompliance due to investment advisers’ self-reliance. In 2012, Ron Rhoades, president and CCO of an investment adviser firm, expert in securities laws and regulations, and chair-elect of the National Association of Personal Financial Advisors, stepped down over a registration error he made that cost his firm tens of thousands of dollars. He stated afterward that, had he used a compliance consultant, such a mistake would not have occurred.

Benefits of Outsourced CCO Services

Cost-Effectiveness: One of the most compelling arguments for engaging in an outsourced CCO arrangement is the sheer cost of hiring a full-time in-house CCO, which is typically significantly more expensive than using an outsourced CCO. This is particularly true in light of what employment entails: competitive salary, benefits, vacations, sick days, paid time off, among other things. Furthermore, employee turnover would be especially problematic in this position, whereas an outsourced CCO would be part of a compliance company that retains its institutional knowledge even if that particular employee leaves.

The other option is placing the title on an existing employee with other duties. While this may be less expensive in the short run, investment advisers should consider whether this exposes them to a heightened risk of substantial penalties and losses, and determine whether that risk is worth it. Oftentimes, investment advisers find that the cost-benefit analysis clearly sways in favor of using a compliance professional.

Compliance Expertise: One mistake that firms often make is assuming that they will not commit any compliance violations as long as they act properly and “do the right thing.” Unfortunately, the SEC requires more than good-faith dealing and does not excuse inadvertent oversight or honest misinterpretation of the rule. By using the services of compliance specialists, investment advisers can capitalize on the industry expertise of entire companies applied entirely to this one aspect of their business.

Reallocation of Time and Resources: Firms often attempt to handle the CCO requirement internally until they realize what an enormous undertaking it is. Registered investment advisers have enough on their hands managing and growing their businesses. Many of their responsibilities are non-delegable, but compliance is not one of them. Firms that use outsourced CCO services can save valuable time and resources that can be devoted to other aspects of the business.

Independence: Using an outside compliance professional to oversee and implement a firm’s compliance program has the advantage of independent and unbiased third-party compliance review, which may hold more weight with the SEC. CCOs are required to detect and report internal violations, and take corrective action as needed. Having an outsourced CCO handle these tasks rather than a fellow employee increases the likelihood of objectivity and accuracy.

SEC Examination Priorities for 2013 Quarter 1

The National Examination Program (“NEP”), headed by the U.S. Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”), published its examination priorities for the first quarter of 2013. These focus areas, summarized below, set forth the risks, issues, and policy matters that have been identified as warranting particular attention in SEC examinations. The NEP identified issues that arise market-wide as well as those that arise specifically in the context of investment advisers and broker-dealers. The exam priorities are aimed at supporting the SEC’s mission of protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation.

The NEP has determined that the following market-wide exam priorities will be scrutinized:

Fraud Detection and Prevention. The NEP seeks to identify registrants engaged in fraudulent or unethical behavior. Fund managers should be prepared to have their compliance programs examined with respect to policies and procedures that address fraud detection and prevention.

Corporate Governance and Enterprise Risk Management. The NEP will meet with management and boards of entities registered with the SEC to discuss and examine how firms manage financial, legal, compliance, operational, and reputational risks. The objective of these discussions will be to understand the firm’s approach to enterprise risk management, evaluate the firm’s “tone” at the highest levels of management, and initiate a dialogue on key risks and regulatory requirements. In the wake of Hurricane Sandy, the NEP will pay particular attention to firms’ business continuity plans.

Conflicts of Interest. The NEP will examine the steps registrants have taken to mitigate conflicts, the sufficiency of disclosures made to investors, and the overall risk governance framework in place.

Governance and Supervision of Information Technology Systems. In light of the technological advances that are revolutionizing the securities regulatory industry, the NEP plans on examining firms’ operational capability, market access, and information security. This includes risks of system outages and data integrity compromises.

The NEP has also released exam priorities specifically applicable to investment advisers and broker-dealers. Targeted for examinations will be new registrants under Section 402 of the Dodd-Frank Act, dually registered investment advisers and broker-dealers, and firms that have been identified as recidivist or high-risk for potential misconduct.

Investment adviser exam priorities include:

Safety of Client Assets. The NEP plans to utilize a risk-based asset verification process to assess the safety of client assets and compliance with Advisers Act Rule 206(4)-2 (the “Custody Rule”). Advisers should expect a review of measures to protect client assets from loss or theft, the adequacy of audits of private funds, and the effectiveness of policies and procedures.

The NEP issued a risk alert on March 4, 2013 regarding significant deficiencies involving the Custody Rule, which is designed to protect advisory clients from the misuse or misappropriation of their funds and securities. Advisers should make sure that they appropriately recognize situations in which they have custody, comply with the rule’s “surprise exam” requirement, satisfy the rule’s “qualified custodian” provision, and follow the terms of the exception to the independent verification requirements for pooled investment vehicles. The NEP has had to order remedial measures ranging from amendments to written compliance policies to referrals to the SEC’s Division of Enforcement.

Conflicts of Interest Related to Compensation Arrangements. The NEP will examine financial records to identify undisclosed compensation agreements, such as solicitation arrangements, referral arrangements, and receipt of payment for services provided to third parties. Advisers should review such arrangements for conflicts of interest and be sure that they have been fully and clearly disclosed to clients.

Marketing and Performance. The NEP plans on scrutinizing marketing and performance advertising in search of fraudulent valuation practices, misleading advertising, inadequate disclosure, and noncompliance with recordkeeping requirements. The NEP also intends to evaluate changes to firms’ advertising practices under the JOBS Act.

Conflicts of Interest Related to Allocation of Investment Opportunities. As a part of its review of portfolio management practices, the NEP will assess whether an adviser has adequate internal controls to monitor the side-by-side management of performance-based and non-performance-based fee accounts and detect and resolve conflicts. This is particularly important if the same portfolio manager is responsible for making investment decisions for both kinds of client accounts.

Fund Governance. The NEP is interested in confirming that advisers are making full and accurate disclosures to fund boards and that fund directors are conducting reasonable reviews relating to contract approvals, service provider oversight, valuation of fund assets, and assessment of expenses or viability.

Broker-dealer exam priorities include:

Sales Practices Fraud. The NEP is particularly concerned about frequent findings of fraud in connection with sales practices regarding retail investors. Broker-dealers should expect to be examined for senior-targeted fraud; unsuitable recommendations of higher yield products; improper supervision and due diligence processes regarding those recommendations; activities and products on the periphery of certain registered entities; and the mitigation and clear and timely disclosure of conflicts of interest.

Trading. The NEP will conduct thorough examinations of certain trading risk areas, particularly high frequency trading, algorithmic trading, proper controls around the use of technology, alternative trading systems, and order routing practices.

Anti-Money Laundering Programs. The NEP will assess the adequacy of the firm’s AML program, with particular focus on customer identification programs, suspicious activity identification and reporting deficiencies, and weak due diligence procedures.

It is important to remember that while the NEP expects to focus on these priorities, it will conduct additional examinations on issues that are not addressed here.