Articles Tagged with OCIE

The Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert highlighting the need for investment advisers to prevent unauthorized access to client data stored on websites.

Recently, cyber attackers have used “credential stuffing” and other methods to breach web-based user accounts. Credential stuffing is when a hacker combines lists of stolen account information from the dark web with customized scripts to compromise user names and passwords on other sites. Hackers prefer this method because it seems to be more efficient and successful than more traditional methods of hacking, like a brute force attack.

OCIE has the following recommendations for Investment Advisers to consider in protecting themselves and their websites against credential stuffing attacks:

SEC Issues Risk Alert to Private Fund Advisers, Part 2

This supplements our previous post relating to a Risk Alert issued by the SEC’s Office of Compliance Inspections and Examinations on June 23. The Risk Alert was directed at investment advisers to private investment funds. While the prior post discussed the portion of the Risk Alert dealing with fees and expenses, this post discusses the SEC’s findings relating to failure to disclose conflicts of interest.

By way of background, the Risk Alert reminds private fund advisers that they owe duties of care and loyalty to the investors in private funds. In order to fulfill the duty of loyalty, the adviser may not prefer its own interests to those of the investors and must disclose to its clients, in a full and fair manner, all material facts relating to the advisory relationship. The scope of the investment adviser’s duties is discussed at length in IA-5248, issued in June 2019, which we have discussed in a previous post.


Earlier this week, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert in which it discussed ongoing deficiencies identified during compliance examinations of investment advisers that advise private funds. This risk alert follows on the heels of other SEC activity relating to private fund advisers, including enforcement referrals, deficiency letters, and informal guidance.

The deficiencies discussed in the risk alert fall into three broad categories: disclosures relating to fees; disclosures relating to conflicts of interest; and sufficiency of a firm’s policies relating to nonpublic material information and its internal enforcement of such policies. The purpose of this risk alert was to provide guidance to private fund advisers regarding steps they should take to improve their compliance policies and program, while simultaneously advising investors in private funds of the types of issues to be aware of when dealing with private fund advisers. Many investors in private funds are pensions or other qualified retirement plans, charities and endowments, and families who have family offices.

This blog post focuses on the portion of the risk alert relating to fees and expenses.

As we mentioned in an earlier post, in April of this year the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued separate risk alerts on the subjects of Form CRS and Regulation Best Interest (Reg BI). The risk alerts were designed to provide investment advisers and broker-dealers information regarding the anticipated scope and content of the examinations OCIE will conduct following the filing deadline for Form ADV, Part 3 and following the compliance date for Regulation Best Interest. In this post we examine the new requirements regarding Form ADV, Part 3, which we will refer to as “Form CRS,” and then review the SEC’s Risk Alert relating to Form CRS. Firms seeking to comply with the new requirements should carefully review the 17-page instructions to Form CRS. The SEC has also published a helpful Small Entity Compliance Guide.

Under the new requirements, federally registered RIAs must electronically file Form CRS via the IARD system and must deliver a Form CRS to all retail investors, regardless of net worth or sophistication. Currently registered RIAs or entities who currently have pending applications to become RIAs may file their Form CRS at any time, but they must file the initial CRS on or before June 30, 2020. The Form CRS may be filed as part of an initial application to register under Rule 203-1, or as an other-than-annual amendment to the Form ADV under Rule 204-1. Beginning June 30, 2020, any new application will be considered incomplete and will be rejected if it does not contain a Form CRS. Every RIA firm must post its Form CRS on its public website, but there is no requirement that a firm without a public-facing website must create one.

In our previous post, we described the SEC’s announcement of examination priorities in 2020 for the Commission’s Office of Compliance Inspections and Examinations (OCIE).  In that post, we discussed areas of examination that will apply to a large percentage of registered investment advisors and other regulated entities.  In this post, we focus on another priority, namely robo-advisers.

Otherwise known as automated investment platforms, “robo-advisers” have come under increased scrutiny by OCIE.  The number of these advisers has increased substantially over the last four years.  OCIE intends to focus on issues such as the eligibility of the robo-adviser to register with the SEC, marketing practices engaged in by robo-advisers, the ability to comply with fiduciary duty, the adequacy of the adviser’s disclosures, the effectiveness of the adviser’s compliance program, and the firm’s cybersecurity policies, procedures and practices.

Advisers Act Rule 203A-2(e) permits “internet only advisers” to register with the SEC, provided certain conditions are met and maintained.  Specifically, the adviser must provide investment advice to all clients exclusively through an interactive website and maintain records demonstrating that it does so.  Under the rule, an adviser may provide investment advice through means other than the internet to up to fourteen clients during any twelve-month period. Undoubtedly there are some firms that registered on this basis who were either not eligible at the time or, through the evolution of their business, have strayed from the conditions required to remain eligible for registration.


Earlier this month, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its examination priorities for 2020.  Many of the priorities listed are similar to those identified in previous years’ priorities lists. The SEC’s approach in addressing them, however, continues to evolve to keep pace with the changing landscape of financial markets, market participants, products, technologies and risks. This post will address some of the areas that should be of concern to a large percentage of registered investment advisers (RIAs), broker-dealers and other regulated entities.

OCIE reiterated that a significant underpinning of any effective compliance program is the “tone at the top” set by C-level executives and owners. Those firms that prioritize compliance and effectively create a “culture of compliance” tend to be more successful in designing and implementing compliance plans than firms that view compliance as an afterthought or business hindrance. One of the “hallmarks” of a firm’s commitment to compliance is the presence of an “empowered” CCO who is routinely consulted regarding most facets of the firm’s operations. There is nothing new to these concepts, but it is worth noting that OCIE continues to emphasize them year after year. Although not stated in the priorities release, the degree to which a firm demonstrates a commitment to compliance often weighs heavily on decisions OCIE examiners must make regarding how deficiencies will be addressed by the Commission. All other things being equal, firms that have made mistakes but demonstrate the ability to make effective corrections will often be provided an opportunity to implement those corrections and are less likely to become the subject of an enforcement referral.

Not surprisingly, OCIE will continue to prioritize examining RIAs to assess compliance with their fiduciary duty to clients. For examinations of RIAs occurring during the second half of 2020, this will undoubtedly include the proper use of Form ADV Part 3, which RIAs are required to complete, file, and place into use with clients by June 30, 2020. Additionally, broker-dealers will be expected to implement compliance with new Regulation BI, requiring adherence to a best interest standard. The priorities list reiterates that advisers and broker-dealers must eliminate, or at least fully and fairly disclose, all conflicts of interest, as more fully explained in Investment Advisor Release 5248, issued in June of last year.

Among other priorities relevant to RIAs, OCIE also listed the protection of retail investors saving for retirement, information security, anti-money laundering programs and financial technology.


The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a new Risk Alert on September 4th urging RIAs to review their compliance policies and procedures addressing principal trading and agency cross trading transactions.

We pay close attention to OCIE’s periodic Risk Alerts as these publications provide RIAs with not only a view of the results of recent OCIE exams, but also an insight into future exam priorities. This blog has provided commentary on all three of OCIE’s Risk Alerts for RIAs published thus far in 2019. Those alerts have focused on topics as diverse as hiring practices, customer record storage, and privacy notices.

This new Risk Alert encourages RIAs to revisit their policies and procedures designed to prevent violations of Advisers Act Section 206(3) and Rule 206(3)-2. Section 206(3) of the Advisers Act prohibits an adviser from engaging in the following trading activities, unless done with the consent of a client after receipt of written notice: (i) buying or selling a security from a client while acting as “principal for his own account” (“principal trading”); and (ii) acting as a broker for a person other than the client in order to effect a securities transaction between the client and the other person (“agency cross trading”).


A new Risk Alert released by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) reminds advisers of the added compliance obligations that arise when hiring representatives carrying the baggage of reportable disciplinary histories. While by no means exhorting advisers not to hire such persons, the Risk Alert nonetheless encourages advisers to properly consider the obvious compliance risks presented by such hiring practices, and, in turn, to adopt prudent policies and procedures to address those risks.

We follow OCIE’s periodic Risk Alerts closely as they not only provide insights regarding the focus of recent OCIE examinations, but also provide insights as to what OCIE management will be directing the staff to focus on in the future. This particular Risk Alert is a read-out of the results of a recent series of OCIE exams from 2017 specifically targeting advisory firms that (i) previously employed, or currently employ, any individual with a history of disciplinary events and (ii) for the most part serve retail clients. Indeed, OCIE makes special notation of its “focus on protecting retail investors” as a genesis for both the targeted exam initiative (the “Initiative”) as well as this new Risk Alert. Accordingly, advisers with a large retail customer base should pay especially close attention to the new Risk Alert.

In conducting the Initiative, OCIE’s staff focused on three areas of interest: (i) the compliance policies and procedures put into place to specifically cover the activities of previously-disciplined individuals; (ii) the disclosures relating to previously-disciplined individuals required to be made in filings and other public documents (including advertising); and (iii) conflicts of interest implicated by the hiring of previously-disciplined individuals. With this roadmap in place, the Initiative identified a variety of observed deficiencies across a range of topics, including:

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker/dealers to take a fresh look at their policies and procedures in the area of electronic customer record storage in light of shortcomings discovered by OCIE’s staff as part of recently-conducted regular examinations. These shortcomings include weak or misconfigured security settings on a network storage device that, in the worst-case event, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider as these published notices serve as a window into not only the recent experiences of OCIE staffers out in the field, but also the thinking of OCIE management as to where it will be directing its staff to focus in future examinations. In other words, if the management of OCIE deems it important enough to publish a Risk Alert on a particular topic, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeros in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Obviously, such storage systems may be especially vulnerable to hacking or other nefarious activities, and as such, warrant robust protections.

With annual compliance reviews in full swing this time of year, we write today to remind advisory firms to be sure to assess the sufficiency of their policies and procedures in the ever-developing area of electronic messaging.  Our note comes on the heels of a recent Risk Alert on this topic issued by the SEC’s Office of Compliance Inspections and Examinations or “OCIE,” which exhorts advisory firms to take a fresh look at their current compliance policies in light of the particular risks of non-compliance posed by the firm’s usage of electronic messaging.

“Electronic messaging,” as discussed in OCIE’s Risk Alert, refers to such mediums as text/SMS messaging, instant messaging, personal email, and personal or private messaging, but specifically excludes firm-wide email.  Notably, OCIE’s exclusion of firm email from analysis in the Risk Alert should not be read as diminishing an adviser’s compliance obligations to capture, store, and periodically review firm email communications.  Rather, as OCIE explains, “firms have had decades of experience complying with regulatory requirements with respect to firm email” and it is not as problematic from a compliance standpoint as compared to some of the newer technologies that run on third-party applications or platforms.
