SEC Compliance Private Investment Funds Cybersecurity Requirements

Published: Feb 19, 2016
Share

During 2015, actions brought by the SEC's Division of Enforcement highlighted a number of themes of importance to managers of private investment funds. Among those numerous themes, this article discusses a subset relating to the following: (1) disclosure requirements in fund offering and governing documents, (2) the duties of a registered investments adviser's chief compliance officer ("CCO") and (3) cybersecurity requirements.

In some instances, enforcement actions seemed to coincide with pronouncements by the SEC's staff or the focus of examinations by the SEC's Office of Compliance Inspections and Examinations ("OCIE").

Deficiencies Relating to Required Disclosures in Fund Offering and Governing Documents

Enforcement cases during 2015 included those where advisers to private funds were found to have had inadequate disclosures in their funds' offering materials and governing documents relating to fees and expenses.

In one highly publicized case, the SEC found that an adviser failed to disclose to its investors that it would be entitled to payment of certain monitoring fees earned in connection with fund investments and that the adviser was entitled to certain discounts from third-party service providers when such discounts were not given to the funds. The adviser was deemed by the SEC to have breached its fiduciary duty to the funds and violated Advisers Act Rule 206(4)-8.

In a relatively minor case, the SEC found that an adviser violated the Advisers Act by charging to its client funds, without proper disclosure, the cost of the Adviser's registration with the SEC, the expense of complying with Advisers Act requirements and legal expenses in connection with an examination by the SEC.

These types of enforcement cases have caused many private fund advisers to revisit their disclosure documents (including advertising materials, private placement memoranda, governing documentation such as partnership agreements and the advisers' Form ADV and the brochure relating thereto). Advisers should confirm that the disclosure describing the fees which they may earn, and the expenses which the funds will bear, is in line with current market practice in light of these recent enforcement cases and adequate given facts applicable to the funds.

Enforcement Actions Relating to Chief Compliance Officers

In a public statement issued in June 2015, SEC Commissioner Luis Aguilar said "it has been my experience that the Commission does not bring enforcement actions against CCOs who take their jobs seriously and do their jobs competently, diligently, and in good faith to protect investors. I do not believe that these CCOs should fear the SEC." Commissioner Aguilar noted that most cases brought by the SEC against private fund CCOs were in connection with CCOs who wear "more than one hat" in connection with their employer (for example, a CCO who is also a portfolio manager).

Nevertheless, advisers themselves have been the target of enforcement action in recent years and 2015 was no exception. One case focused on an adviser's deficient compliance procedures caused by the CCO having inadequate compliance experience, inadequate support personnel and additional non-compliance responsibilities which resulted in the CCO being able to devote only 10%-20% of his business time on compliance activities. The CEO of the adviser was found to have ordered the CCO to focus more on investment research than on compliance duties. The SEC took action against the CEO and the adviser in this instance (not the CCO), requiring, among other things, that the adviser take remedial action such as working with outside compliance counsel.

Requirements Relating to Cybersecurity

During 2015, OCIE published the results of a "Cybersecurity Examination Sweep" in which it examined 49 registered investment advisers (and 57 registered broker-dealers) in connection with cybersecurity issues. The SEC published guidance for investment advisers stating that "funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber-attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws."

In September 2015, the SEC fined a registered adviser which it found did not have written policies and procedures reasonably designed to protect customer records and information (resulting in the disclosure of personally identifiable information of 100,000 individuals) and ordered the adviser to take certain remedial action. Registered advisers should, therefore, review the SEC's guidance on the topic of cybersecurity to ensure compliance with applicable rules and the SEC's current expectations.

Looking Ahead to 2016

OCIE has already announced selected examination priorities for 2016 relating to private advisers, which include, among other topics, (1) a continued focus on cybersecurity, (2) fees and expenses and (3) controls and disclosure associated with side-by-side management of accounts with performance-based vs. asset-based compensation. OCIE indicated this is far from an exhaustive list, but rather simply a suggestion for areas which may require an even greater degree of attention for registered advisers, their principals and their compliance staff.

Asset Management Intelligence - Q1 2016