
Investment Management Legal and Regulatory Update - October 2017

October 26, 2017

CYBERSECURITY UPDATE

SEC Chairman Issues Statements on SEC Cyber Breach

SEC Chairman Jay Clayton recently issued a statement about cybersecurity risks that the SEC and SEC-regulated entities face and acknowledged that EDGAR was breached in 2016. In August 2017, the SEC learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. A software vulnerability in the test filing component of the EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.

In addition, Chairman Clayton acknowledged that a 2014 internal review by the SEC’s Office of Inspector General (OIG), an independent office within the agency, found that certain SEC laptops that may have contained nonpublic information could not be located. The OIG also found instances in which SEC personnel transmitted nonpublic information through non-secure personal email accounts.

Following this initial statement, Chairman Clayton provided an update on the status of the SEC’s investigation of the 2016 intrusion into the EDGAR system. Based on forensic data analysis, the SEC determined that the intrusion involved third parties accessing an EDGAR test filing that contained the names, dates of birth, and social security numbers of two individuals. SEC staff offered identity theft protection and monitoring services to the two affected individuals. In light of the breach, Chairman Clayton authorized the immediate hiring of additional staff and outside technology consultants, and the SEC is taking the following steps to assess and improve the cybersecurity risk profile of the EDGAR system:

  • Review by the OIG of the 2016 EDGAR intrusion.
  • Investigation by the Division of Enforcement of potential illicit trading resulting from the 2016 EDGAR intrusion.
  • General assessment of the SEC’s cybersecurity risk profile, including the identification and review of all systems that hold market sensitive data or personally identifiable information.
  • Internal review of the 2016 EDGAR intrusion to determine the procedures followed in response to the breach.

Source: Statement on Cybersecurity, SEC Chairman Jay Clayton (Sept. 20, 2017), available here; Chairman Clayton Provides Update on Review of 2016 Cyber Intrusion Involving EDGAR System, SEC Press Release 2017-186 (Oct. 2, 2017), available here.


SEC Uncovers Flaw in EDGAR

In an internal SEC memo dated September 22—only two days after the SEC disclosed that EDGAR was hacked last year—the SEC acknowledged having uncovered a flaw in the EDGAR system that causes EDGAR to repeat attempts to validate invalid forms for hours rather than reject them immediately. The flaw could be exploited in the form of “denial of service” attacks in which hackers intentionally flood a network with inputs in order to overwhelm it. Such attacks could shut down EDGAR, as could the submission of an accidentally invalid form if it were large enough.

The disclosure prompted the Investment Company Institute to renew calls for the postponement of the compliance date for the new Investment Company Reporting Modernization rule (discussed below), which requires funds to file monthly reports on portfolio holdings. Chairman Clayton said in congressional hearings in early October that he is considering a delay of the rule until security surrounding EDGAR can be ensured. 

Sources: Joe Morris, SEC Hits Glitch in Testing Fund Reporting Rule, IGNITES (Oct. 6, 2017); Exclusive: SEC’s corporate filing system vulnerable to denial of service attacks – memo, Reuters (Oct. 5, 2017), available here.

SEC Launches Enforcement Initiatives to Combat Cyber Threats and Protect Retail Investors

The SEC has announced two initiatives to build on its Enforcement Division’s ongoing efforts to address cyber-based threats and protect retail investors: the creation of a Cyber Unit to target cyber-related misconduct, and the establishment of a Retail Strategy Task Force to implement initiatives that directly affect retail investors.

The Cyber Unit will target cyber-related misconduct, including market manipulation schemes involving false information spread through electronic and social media, hacking to obtain material non-public information, violations involving distributed ledger technology and initial coin offerings, misconduct perpetrated using the dark web, intrusions into retail broker accounts, and cyber-related threats to trading platforms and other critical market infrastructure. The unit complements Chairman Clayton’s initiatives to implement an internal cybersecurity risk profile and create a cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the SEC. Robert A. Cohen, co-chief of the Market Abuse Unit since 2015, has been appointed Chief of the Cyber Unit.

The Retail Strategy Task Force will develop proactive, targeted initiatives to identify misconduct that impacts retail investors. The task force will draw upon the Enforcement Division’s successful history of bringing cases involving fraud, and leverage data analytics and technology to identify large-scale misconduct affecting retail investors. 

Source: SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, SEC Press Release 2017-176 (Sept. 25, 2017), available here.


OCIE Issues Risk Alert Regarding Observations from Cybersecurity Examinations

The SEC Office of Compliance Inspections and Examinations (OCIE) issued a risk alert in August summarizing its findings from the 2015 “Cybersecurity 2 Initiative” in which OCIE staff examined 75 firms—including broker-dealers, investment advisers and investment companies—to assess industry practices and legal and compliance issues associated with cybersecurity preparedness.

Summary of Examination Observations. The staff observed that:

  • All broker-dealers, all funds and nearly all advisers maintained written cybersecurity policies and procedures.
  • Nearly all broker-dealers and the vast majority of advisers and funds conducted periodic risk assessments of critical systems.
  • Nearly all broker-dealers and almost half of the advisers and funds conducted penetration tests and vulnerability scans on critical systems, although a number of firms did not appear to fully remediate some of the high-risk observations that resulted from these tests and scans.
  • All firms utilized some sort of system to prevent, detect and monitor data loss as it relates to personally identifiable information.
  • All broker-dealers and nearly all advisers and funds had a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, the staff observed that a few of the firms had a significant number of system patches that had not yet been installed.
  • Nearly all of the firms had plans for addressing access incidents. In addition, the vast majority of firms had plans for denial of service incidents and unauthorized intrusions. However, while the vast majority of broker-dealers maintained plans for data breach incidents and most had plans for notifying customers of material events, less than two-thirds of the advisers and funds appeared to maintain such plans.
  • All broker-dealers and a large majority of advisers and funds maintained cybersecurity organizational charts and/or defined cybersecurity responsibilities for the firms’ workforces.
  • Almost all firms either conducted vendor risk assessments or required that vendors provide risk management and performance reports and security reviews or certification reports. Over half of the firms required updated risk assessments on at least an annual basis.

Issues Observed. The staff observed that a majority of the firms’ information protection policies and procedures appeared to have issues. Shortcomings included:

  • Policies and procedures were not reasonably tailored because they provided employees with only general guidance, identified limited examples of safeguards for employees to consider, were very narrowly scoped, or were vague.
  • Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices, such as when the policies required employees to complete cybersecurity awareness training, but failed to take steps to ensure that training programs were actually completed.
  • Firms did not appear to adequately conduct system maintenance. For example, some firms used outdated operating systems that were no longer supported by security patches. Other firms failed to fully remediate high-risk findings from penetration tests and vulnerability scans.

Elements of Robust Policies and Procedures. Finally, OCIE identified the elements of the cybersecurity policies and procedures of firms that the staff viewed as having implemented robust controls, including:

  • Maintenance of a complete inventory of data, information, service providers and vendors, along with a classification of the applicable risks, vulnerabilities, data and business consequences of a breach.
  • Detailed cybersecurity-related instructions, including instructions pertaining to penetration tests, security monitoring, system auditing, access rights and reporting in the event that sensitive information is lost, stolen or unintentionally disclosed or misdirected.
  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including vulnerability scans of core IT infrastructure and patch management policies.
  • Established and enforced controls to access data and systems.
  • Mandatory employee training.
  • Engaged senior management.

Source: Observations From Cybersecurity Examinations, OCIE National Exam Program Risk Alert (Aug. 7, 2017), available here.


Latest Development

New SEC Commissioners Proposed

President Trump nominated Hester Maria Peirce and Robert Jackson as SEC commissioners to fill SEC vacancies. Currently, the Commission consists of Chairman Jay Clayton, Michael Piwowar and Kara Stein. The nominations put the SEC on track to reach its full complement of five members for the first time since 2015.

Ms. Peirce is a Senior Research Fellow and Director of the Financial Markets Working Group at the Mercatus Center at George Mason University. If confirmed, Ms. Peirce will fill the vacancy left by Republican Daniel Gallagher, who stepped down in October 2015.

Mr. Jackson is a Professor at Columbia Law School and Director of its Program on Corporate Law and Policy. If confirmed, Mr. Jackson will fill the remainder of a five-year term expiring June 5, 2019. He succeeds Democrat Luis Aguilar.

The Senate Banking Committee scheduled a confirmation hearing for Ms. Peirce and Mr. Jackson for October 24, 2017.

Sources: Joe Morris, Columbia Law Prof Tapped for SEC Slot, IGNITES (Sept. 5, 2017); Joe Morris, Hester Peirce Renominated to SEC, IGNITES (July 19, 2017); Andrew Ackerman, Senate Panel Sets Hearing Next Week on Pair of SEC Nominees, The Wall Street Journal (Oct. 16, 2017).


OCIE Issues Risk Alert on Misleading Advertising Practices

The OCIE recently issued a risk alert regarding compliance with Rule 206(4)-1 under the Advisers Act (the “Advertising Rule”). The alert follows an examination initiative focusing on advisers’ use of accolades in marketing materials.

Most Frequent Advertising Rule Compliance Issues. The most frequent deficiencies OCIE identified included the following examples:

  • Misleading performance results. Advertisements that presented results without deducting advisory fees or that compared results to benchmarks without including disclosures about the limitations inherent in such comparisons.
  • Misleading one-on-one presentations. One-on-one presentations that presented performance results gross of fees without disclosing that the results did not reflect the deduction of advisory fees and that client returns would be reduced by such fees and other expenses.
  • Misleading claims of compliance with voluntary performance standards. For example, advertisements that claimed to comply with the Global Investment Performance Standards (GIPS®), but it was not clear to staff that the performance results in fact adhered to GIPS®.
  • Cherry-picked profitable stock selections. Advisers included only profitable stock selections or recommendations in presentations, client newsletters or on their websites, without meeting the conditions in the Advertising Rule.
  • Misleading selection of recommendations. Advertisements that included only certain, and not all, past specific investment recommendations in order to illustrate a particular investment strategy, and did not meet the conditions of the Advertising Rule and related no-action letters (TWC Group and Franklin).
  • Compliance policies and procedures. Some advisers did not have compliance policies and procedures reasonably designed to prevent deficient advertising practices, including a process for:
    • reviewing and approving advertising materials prior to their publication or dissemination;
    • determining the parameters for which accounts were included or excluded from performance calculations for a composite; or
    • confirming the accuracy of performance results.

Touting Initiative. OCIE launched an initiative in 2016 to examine the adequacy of disclosures that advisers provided to their clients when touting awards, promoting ranking lists, and/or identifying professional designations in their marketing materials. The initiative identified the following advertising deficiencies:

  • Misleading use of third party rankings and awards. Advisers advertised accolades that had been obtained by submitting potentially misleading information and published marketing materials that (1) referenced stale ranking or evaluation information, or (2) failed to include important disclosures, such as the relevant selection criteria for the award or rankings, who created and conducted the survey, or that the adviser paid a fee to participate in the survey.
  • Misleading use of professional designations. Advertisements and disclosures made in advisers’ Form ADV Part 2B brochure supplements that contained potentially false or misleading references to employee professional designations, such as references to professional designations that had lapsed or that did not explain the minimum qualifications required to attain such designations.
  • Prohibited testimonials. Advisers that had published client endorsements on firm websites, social media pages and in pitch books.

Source: The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers, National Exam Program Risk Alert, Office of Compliance Inspections and Examinations (Sept. 14, 2017), available here.


SEC Issues Investment Company Reporting Modernization FAQs

In July 2017, the Division of Investment Management published responses to questions related to the investment company reporting modernization reforms adopted in October 2016, including the following guidance for new reporting forms N-PORT and N-CEN. Form N-PORT will require certain registered investment companies to file portfolio-wide and position-level information on a monthly basis with the SEC and will replace reports currently filed on Form N-Q. Form N-CEN will require registered investment companies to annually report census-type information and will replace reports currently filed on Form N-SAR.

Compliance Dates and General Filing Obligations

  • The compliance date for Form N-PORT is June 1, 2018 for funds, together with other investment companies in the same group of related investment companies, with net assets of $1 billion or more as of the end of the most recent fiscal year. The compliance date for funds with net assets of less than $1 billion is June 1, 2019. Reports must be filed no later than 30 days after the end of each month. With respect to Form N-PORT filings for the end of the first and third quarters of a fund’s fiscal year, the fund must file portfolio holdings exhibits (“Part F Attachment”) within 60 days after the end of the applicable reporting period.
  • Once a fund begins filing reports on Form N-PORT, it will no longer be required to file reports on Form N-Q. When a fund ceases filing reports on Form N-Q, its certification on Form N-CSR must cover any change in financial reporting internal controls during the most recent fiscal half-year rather than the registrant’s most recent fiscal quarter as currently required.
  • The compliance date for Form N-CEN is June 1, 2018 for all funds. Reports must be filed within 75 days after the end of the fund’s fiscal year. Once a fund begins filing reports on Form N-CEN, it will no longer be required to file reports on Form N-SAR.
  • Funds with a fiscal year end of April 30 or May 31 may choose to file reports for FY 2017-2018 on either Form N-SAR (due 60 days after the reporting period ends) or Form N-CEN (due 75 days after the reporting period ends).

Form N-PORT

  • Funds with multiple series must file one report for each series; however, they may include in their Part F Attachment the portfolio schedule for the series making the filing, as well as the portfolio holdings schedules for the other series in the trust with the same fiscal year end and one set of financial statement notes covering all of the different series.

Form N-CEN

  • Funds must report their transfer agent arrangements, including arrangements where systems, transaction processing and services are provided by sub-transfer agents in supporting the fund’s primary transfer agent system and recordkeeping functions (such as part of a remote system or hybrid or fully outsourced arrangement).
  • Funds are not required to report information on intermediaries, such as broker-dealers and retirement plan third-party administrators, that provide administrative service type arrangements (i.e., “sub-transfer agent” arrangements) because such arrangements are not part of the primary transfer agent’s recordkeeping arrangement with the funds.

Source: Investment Company Reporting Modernization Frequently Asked Questions, available here.


SEC Issues FAQs on Form ADV, Part 1A Amendments

As we reported in our October 2016 Update, the SEC adopted amendments to Form ADV that will take effect for most advisers (i.e., those with December 31 fiscal year ends) beginning with the annual update to Form ADV due in March 2018, as well as for advisers filing interim amendments to Form ADV on or after the October 1, 2017 compliance date. The amendments added new reporting requirements designed to collect additional information about an adviser’s separately managed accounts (SMA) and other data. For example, advisers must report the approximate percentage of their SMA regulatory assets under management invested in each of the following twelve broad asset categories: exchange-traded equity securities, non-exchange-traded equity securities, U.S. government/agency bonds, U.S. state and local bonds, sovereign bonds, investment grade corporate bonds, non-investment grade corporate bonds, derivatives, securities issued by registered investment companies or business development companies (BDCs), securities issued by pooled investment vehicles (other than registered investment companies or BDCs), cash and cash equivalents, and “other.”

As we reported in our July 2017 Update, the SEC previously issued FAQs interpreting the amendments. The SEC recently issued additional FAQs addressing a number of disclosure items regarding counting clients, advisory affiliates and related persons, private fund clients and disclosure events. In addition, the SEC has published a redline that shows most of the revisions to Form ADV.

In light of the increased reporting requirements under Form ADV, Part 1A, we encourage advisers to begin compiling the information for the new form as soon as possible.

Source: Form ADV and Investment Advisers Act Rules, Release No. IA-4509 (Aug. 25, 2016); Staff Summary of Changes Adopted to Form ADV Part 1A (available here); Frequently Asked Questions on Form ADV and IARD, available here.


SEC Extends No-Action Relief on Auditor Independence

On September 22, 2017, the SEC issued a no-action letter to Fidelity Management & Research Company (Fidelity) extending its earlier no-action relief on the “loan rule,” which had been set to expire in December of this year.

As we reported in our July 2016 Update, the SEC staff issued a no-action letter in June 2016 that provided guidance to registered investment companies and their investment advisers as they evaluate the independence of their audit firms in light of uncertainty about the application of Rule 2-01(c)(1)(ii)(A) under Regulation S-X—referred to as the “loan rule.”

Under the loan rule, an audit firm will not be considered independent from an audit client if the firm, any covered person in the firm, or any of his or her immediate family members has any loan to or from the audit client, or the audit client’s officers, directors, or record or beneficial owners of more than 10% of the audit client’s equity securities. “Audit client” is defined to include affiliates of the audit client, which, for a registered investment company, includes all entities within the “investment company complex,” regardless of whether the audit firm actually provides audit services to those other entities. Because of the manner in which fund shares are often held (e.g., in omnibus accounts), the loan rule may be inadvertently violated in situations where the lender would have no ability to influence either the audit firm or the fund. The result could call into question the validity of prior fund audits.

The SEC staff issued no-action relief to Fidelity, indicating that it would not object if the funds managed by Fidelity rely on audit opinions from an audit firm that fails to comply with the loan rule, provided that the following three conditions are satisfied:

  • The audit firm complies with PCAOB rules, which require the auditor to (1) describe in writing any relationships between the auditor and the fund that may be reasonably thought to bear on its independence, and (2) discuss with the fund’s audit committee the potential effects of such relationships on its independence;
  • The non-compliance of the auditor is with respect only to the lending relationships; and
  • Notwithstanding non-compliance with the loan rule, the auditor concludes that it is objective and impartial with respect to other issues encompassed within its engagement.

The no-action letter cautions, however, that if fund shareholders are asked to vote on one or more matters relating to the election of directors, the appointment of the fund’s auditor, or other matters that similarly could influence the objectivity and impartiality of the audit firm, Fidelity would be required to make reasonable inquiry as of the record date about the impact of the loan rule on the vote, and if Fidelity determines as part of that inquiry that an institution in a lending relationship in fact exercises discretionary voting authority with respect to at least 10% of a fund’s shares, the fund could not rely on the relief granted and would instead take other appropriate action, consistent with its obligations under the federal securities laws.

In this letter, the SEC extended its no-action relief until the loan rule is amended.

Sources: Fidelity Management & Research Company et al., SEC No-Action Letter (Sept. 22, 2017), available here; Fidelity Management & Research Company et al., SEC No-Action Letter (June 20, 2016), available here.


DOL Fiduciary Rule Update

DOL Proposes Extension to DOL Fiduciary Rule Transition Period to July 1, 2019

In August 2017, the DOL submitted to the Office of Management and Budget (OMB) proposed amendments extending the transition period and delaying the applicability date of the best interest contract exemption to July 1, 2019 (BIC Exemption).

As we reported in our April 2017 Update, the expanded fiduciary definition and the “Impartial Conduct Standards” in the BIC Exemption for investment advisers and other fiduciaries who make recommendations to “retirement investors” (which includes many smaller plans, participants in a 401(k) plan, and IRA owners) went into effect June 9, 2017. The DOL simplified compliance with the BIC Exemption during the transition period from June 9, 2017 to December 31, 2017. During the transition period, advisers only have to comply with the Impartial Conduct Standards and not the other conditions of the BIC exemption, such as written disclosure requirements. The DOL proposed an extension of the transition period and a delay in the January 1, 2018 applicability date to July 1, 2019.

The DOL received 138 public comments on its proposed extension and the industry is impatiently waiting to see if it will be made official. DOL lawyers indicated in an October 13, 2017 litigation brief that the DOL “is likely to adopt a significant extension” of the transition period.

Sources: Extension of Transition Period and Delay of Applicability Dates; Best Interest Contract Exemption (PTE 2016-01); Class Exemption for Principal Transactions in Certain Assets Between Investment Advice Fiduciaries and Employee Benefit Plans and IRAs (PTE 2016-02); Prohibited Transaction Exemption 84-24 for Certain Transactions Involving Insurance Agents and Brokers, Pension Consultants, Insurance Companies, and Investment Company Principal Underwriters (PTE 84-24), 82 FR 41365 (Aug. 31, 2017), available here; Employee Benefits Security Administration, United States Department of Labor, website available here; Joe Morris, Trump Names Pick for Chief Fiduciary Rule Regulator, IGNITES (Oct. 16, 2017); Hazel Bradford, DOL Asks for Stay in ‘Unnecessary’ Fiduciary Rule Challenge, Pensions & Investments (Oct. 16, 2017), available here.

Compliance Calendar (Final Rule and Compliance Date(s))

Final Rule: Amendments to Form ADV
Compliance Date(s): Effective since October 1, 2017

Final Rule: Amendments to Books and Records Rule: Performance Information
Compliance Date(s): Effective since October 1, 2017

Final Rule: FinCEN Clarifies and Strengthens Customer Due Diligence Requirements for Mutual Funds and Broker-Dealers
Compliance Date(s): May 11, 2018

Final Rule: Investment Company Reporting Modernization: New Forms N-PORT and N-CEN
Compliance Date(s):
  • New Form N-PORT:
    • Fund complexes with $1 billion or more in net assets: June 1, 2018 (first filing date is July 30, 2018, based on June 30, 2018 data)
    • Fund complexes with less than $1 billion in net assets: June 1, 2019 (first filing date is July 30, 2019, based on June 30, 2019 data)
  • New Form N-CEN: June 1, 2018 for all funds (first filing date is 75 days from the end of a fund’s fiscal year after June 1, 2018)

Final Rule: Swing Pricing
Compliance Date(s): November 19, 2018 (for those funds that wish to implement swing pricing)

Final Rule: Amendments to Form N-1A, Regulation S-X and Form N-CEN associated with swing pricing
Compliance Date(s): November 19, 2018

Final Rule: Liquidity Risk Management Programs (Rule 22e-4)
Compliance Date(s):
  • Fund complexes with $1 billion or more in net assets: December 1, 2018
  • Fund complexes with less than $1 billion in net assets: June 1, 2019

Final Rule: Amendments to Form N-PORT and Form N-CEN associated with liquidity rule
Compliance Date(s):
  • Fund complexes with $1 billion or more in net assets: December 1, 2018
  • Fund complexes with less than $1 billion in net assets: June 1, 2019

Final Rule: Amendments to Form N-1A associated with liquidity rule (information regarding redemptions)
Compliance Date(s): June 1, 2017 (compliance with amendments only required for registration statements filed on or after December 1, 2017)

Final Rule: Form N-LIQUID
Compliance Date(s):
  • Fund complexes with $1 billion or more in net assets: December 1, 2018
  • Fund complexes with less than $1 billion in net assets: June 1, 2019
