The California Consumer Privacy Act comes into effect
On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. The CCPA is the most comprehensive privacy law in the US which does not have a federal law equivalent to the EU’s GDPR — the European General Data Protection Regulation. The CCPA has a wide sweep in terms of its application to all businesses with at least US$25m in gross annual revenue that collect personal information from “consumers”. In the private fund context, managers will need to assess the potential coverage of the CCPA for the funds, fund advisors and fund sponsors.
The definition of “personal information” is also broad: information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes email addresses.
The CCPA requires covered businesses that collect personal information about California residents to:
- make certain disclosures concerning the collection and use of personal information, including the purposes for which the personal information is used and the categories of third parties with whom the personal information is shared;
- inform individuals of their rights to request detailed information about how their personal information is used, or to request deletion of their personal information, and implement policies to comply with such requests;
- provide “conspicuous” notice and a means for individuals to opt out of the sale of their personal information; and
- be accountable for data breaches that result from a failure to maintain reasonable data security practices.
The California Attorney General may assess civil penalties of up to US$2,500 per unintentional violation, and US$7,500 per intentional violation. A business is not liable if it cures any non-compliance within 30 days after being notified of alleged non-compliance. The CCPA also creates a private right of action which is for consumers whose personal information has been subjected to unauthorized access or disclosure as a result of the covered business failure to maintain reasonable data security procedures. A consumer must give a business 30 days’ written notice and an opportunity to cure prior to bringing an action. A consumer may seek statutory damages in an amount of not less than US$100 and not more than US$750 per consumer per incident, or actual damages, whichever is greater, as well as an injunction or any relief a court deems appropriate.
Importantly, the CCPA provides an exemption for any information collected pursuant to the Gramm-Leach-Bliley Act of 1999 (GLBA), a federal law which covers the use of customers’ information obtained by financial institutions. Fund managers and fund sponsors are therefore exempt from the CCPA with regard to the information they have already obtained from existing investors. This exemption was most likely necessary as a matter of federal law pre-empting state law. However, the GLBA does not cover prospective investors, so the CCPA applies to fund managers and fund sponsors, as well as, brokers and solicitation agents that are engaged currently in raising capital for their new funds or follow-on funds. The CCPA also covers B2B contacts.
For EU-based fund managers and fund sponsors that are subject to the GDPR, compliance with the GDPR does not ensure CCPA compliance because there are significant differences in the requirements with regard to each statute’s definitions and scope.
The SEC’s Regulation Best Interest (BI) comes into effect on July 1, 2020
The SEC’s Regulation BI that strengthens brokers’ standard of care with new customer disclosures and federal regulations, comes into effect on July 1, 2020. The SEC has stated that it will not provide a grace period for brokers that are not in compliance with Regulation BI on that date. Brokers throughout the US are currently gearing up with implementing policies and procedures to comply with Regulation BI. Brokers are preparing Forms CRS (Customer Relations Statement) that are required to be filed with the SEC and distributed to customers. Brokers are also engaged in extensive training programs for their registered representatives. The SEC’s OCIE (Office of Compliance Inspections and Examinations) has been checking with brokers since last year on their progress toward compliance with Regulation BI. OCIE has stated that starting on July 1, it will be assessing compliance with Regulation BI, particularly as it relates to conflicts of interest disclosures.
Court challenge to the removal protections of the SEC’s Administrative Law Judges
The US Court of Appeals for the Fifth Circuit in Cochran v. SEC (case number 19-10396) will rule on the removal protections for the SEC’s Administrative Law Judges (ALJs). In the US Supreme Court’s 2018 decision, Lucia v. SEC, the Supreme Court held that ALJs are federal government employees who are subject to the Appointments Clause of the Constitution and who must be appointed by the President or the SEC Commissioners. The Supreme Court did not decide whether the Constitution prohibits the statutory “for cause” removal protections that the US Congress provided for ALJs so that ALJs had some independence from each administrative agency. As Justice Breyer said in the Lucia case, the elimination of the ALJs tenure protections would “risk transforming ALJs from independent adjudicators into dependent decision makers, serving at the pleasure of the SEC Commissioners.”
Since the US Supreme Court’s case in Lucia v. SEC, Steven Peikin, the SEC’s co-enforcement director, has stated that insider trading cases and financial fraud cases are now brought before federal district courts while lesser cases are brought before SEC ALJs. If the Supreme Court eventually strikes down the ALJ job protections (as would be consistent with its holding in Lucia v. SEC), the SEC’s administrative enforcement program based on ALJ hearings would be placed in jeopardy.
US Supreme Court to decide on the SEC’s disgorgement powers
In Liu v. SEC, the Supreme Court will decide this Spring whether the SEC can keep its powers of disgorgement in enforcement actions. In its 2017 Kokesh v. SEC case, the Supreme Court stripped the SEC of its ability to seek disgorgement as a form of equitable relief. The Kokesh ruling held that the SEC’s collection of disgorgement should be subject to the five year statute of limitations on civil penalties. In 2019, the SEC collected US$3.2bn in disgorgements compared to about US$1bn in civil penalties. The SEC frequently uses the threat of disgorgement in settlement negotiations. Although five justices questioned the SEC’s authority to seek disgorgement during oral argument in the Kokesh case, the Supreme Court did not formally take a position.
On January 21, 2020, Attorneys General from 23 States and the District of Columbia filed an amicus brief with the Supreme Court in connection with the Liu case supporting the SEC’s authority to seek disgorgement in civil actions. The amicus brief cited direct financial harm to the States and a substantial weakening of the SEC’s enforcement authority if the Supreme Court rules against the SEC.
SEC publishes notice of application for order exempting directors from section 15(c) in-person meeting requirements for changes to sub-advisory agreements
On February 19, 2020, the SEC issued an order relating to an application by Blackstone Alternative Investment Funds (a multi-series Trust) and Blackstone Alternative Investment Advisors LLC (Advisor and together with the Trust, Applicants) for exemptive relief from the in-person meeting requirements under Section 15(c) of the Investment Company Act of 1940, as amended (1940 Act). The notice for the order stated that “[t]he requested exemption would permit the Trust’s board of trustees [(Board)] to approve new sub-advisory agreements and material amendments to existing sub-advisory agreements” for the Trust’s series (including by adding or removing sub-advisors) pursuant to “any means of communication that allows [Board members] to hear each other simultaneously during the meeting.” In support of the requested relief, the notice indicated the Applicants’ assertions that: the Board typically meets in person only once per quarter; and between such meetings, “market conditions may change or investment opportunities may arise such that the Advisor” wants to change sub-advisors. Citing administrative and cost burdens, as well as inherent delays, associated with holding additional in-person meetings, the Applicants contended that the relief would allow the Board to act more quickly and efficiently, and with less expense, to make changes to a series’ sub-advisors.
On January 14, 2020, BlackRock founder and CEO Larry Fink issued his annual letter to CEOs (Letter), in which he expressed his belief that the risks associated with global climate change will fundamentally reshape finance, noting that “climate risk is investment risk.” The Letter indicates that capital markets will need to adapt to new climate-adjusted realities as awareness increases regarding how climate change will impact economic growth and long-term investment. The Letter states that “because capital markets pull future risk forward, we will see changes in capital allocation more quickly than we see changes to the climate itself. In the near future – and sooner than most anticipate – there will be a significant reallocation of capital.” In the Letter, Mr. Fink further indicated that, as fiduciaries, asset managers have an important role to play in helping clients to address such climate risks. The Letter states that “sustainable investing is the strongest foundation for client portfolios going forward” and “sustainability- and climate-integrated portfolios can provide better risk-adjusted returns to investors.”
OCIE issues cybersecurity and resiliency observations based on recent examination experience
On January 27, 2020, the Office of Compliance Inspections and Examinations (OCIE) issued what it referred to as its “Cybersecurity and Resiliency Observations,” which consisted of a listing of what it considers essentially to be best practices in responding to and addressing cybersecurity threats based upon the extensive examinations that it has conducted of participants in the financial services industry. In describing its reasons for releasing its observations, OCIE indicated that its observations were intended to highlight specific examples of cybersecurity and operational resiliency practices and controls that industry participants have taken to attempt to safeguard against cyber threats and respond in the event of an incident.
OCIE has been focusing on the following seven areas with descriptions of the agency’s observations as to how firms can integrate these observations into their cybersecurity programs.
Governance and risk management
OCIE first addressed matters with respect to governance and risk management and noted that: “Effective cybersecurity programs start with the right tone at the top, with senior leaders who are committed to improving their organization’s cyber posture through working with others to understand, prioritize, communicate and mitigate cybersecurity risks.” Among the approaches to implement effective governance and risk management processes, OCIE observed the following:
- Senior level engagement: Ensure that senior leadership is engaged with and committed to mitigating cybersecurity risk and include cybersecurity as a key element in business planning, aligning it with other business processes.
- Risk assessment: Assess current levels of risks, including prioritizing potential vulnerabilities and identifying potential sources of risk.
- Policies and procedures: Develop and implement comprehensive written policies and procedures that are appropriately tailored to the firm’s core activities.
- Testing and monitoring: Test and monitor policies and procedures, including constant vigilance to developing threats via cyber threat intelligence.
- Continuously evaluating and adapting to changes: Respond promptly to testing and monitoring results by updating policies and procedures to address any gaps or weaknesses and involve board and senior leadership as appropriate.
- Communication: Establish internal and external communication policies and procedures to provide timely information to decision makers, clients, customers, employees, and regulators, as needed.
Access rights and controls
In the area of access rights and controls, which deal with the determination of the appropriate users for access to organization systems and related controls to limit access as appropriate, OCIE observed the following:
- User access: Establish and implement comprehensive controls regarding the storage of data and rights to access that information. Limit access to information based on appropriate roles.
- Access management: Manage access during all phases of employment and separation, reviewing access to information periodically, and protecting access via strong password requirements and multi-factor authentication.
- Access monitoring: Monitor access for threatening and suspicious attempts, as well as for required changes necessitated by hardware and software issues.
Data loss prevention
With respect to data loss prevention, which includes the establishment of tools and processes to ensure that sensitive data, including client information, is not lost, misused or accessed by unauthorized users, OCIE noted as follows:
- Vulnerability scanning: Scan assets such as software code, databases, workstations, and more for vulnerabilities, and take preventive measures.
- Perimeter security: Monitor and control all incoming and outgoing network traffic, using firewalls, intrusion detection, email security, and restrictions on external devices such as USB thumb drives.
- Detective security: Capture the movement of data, and especially suspicious activity, via intrusion detection systems and logging systems.
- Patch management: Ensure that all operating system and anti-malware software updates are applied using a patch management system.
- Inventory of hardware and software: Identify all components and locations of hardware and software assets and maintain a detailed inventory.
- Encryption and network segmentation: Encrypt data at rest (e.g., on hard drives, in databases) and in transit (e.g., during email transmission, in web form transmissions).
- Insider threat monitoring: Extend monitoring efforts to insider threats, ensuring detection and prevention of data loss implemented from within the organization.
- Securing of legacy systems and equipment: Decommission and dispose of hardware and software assets in a secure fashion.
As it relates to mobile security in connection with mobile devices and their related applications, OCIE commented on the following protective measures:
- Policies and procedures: Establish policies and procedures related to the security of mobile devices.
- Managing the use of mobile devices: Use mobile device management (MDM) software and extend its use to personal devices when used for company business.
- Implementing security measures: Enforce security measures such as multi-factor authentication and the ability to remotely clear data from devices.
- Employee training: Train staff on proper security for mobile devices and protection of information.
Incident response and resilience
OCIE made the following observations with respect to the appropriate approach to incident responses and resilience as it relates to business continuity planning:
- Development of a plan: Develop and maintain appropriate plans that include specified notification and response patterns, chains of responsibility, communication paths, and appropriate escalation to key stakeholders.
- Addressing applicable reporting requirements: Address applicable state and Federal reporting requirements for cyber incidents or events, including clear and detailed instructions for appropriate legal, enforcement, and regulatory reporting.
- Assigning staff to execute specific areas of the plan: Designate employees with specific roles and responsibilities in the event of a cyber incident, and identify in advance those particular employees who have specific cybersecurity and recovery expertise.
- Testing and assessing the plan: Test and assess incident response and resiliency plans, refining them based on test results.
As it relates specifically to addressing strategies regarding resiliency, OCIE observed that:
- Maintaining an inventory of core business operations and systems: Maintain inventories of key business systems and operations, including maps of system process and services.
- Assessing risks and prioritizing business operations: Develop a strategy for operational resilience with defined risk tolerances tailored to the organization.
- Consider additional safeguards: Ensure methods of resilient functioning, such as physical separation of backup data, offline backups, and evaluate the appropriateness of securing cybersecurity insurance.
In connection with relationships with and reliance upon third-party vendors, OCIE observed as follows:
- Vendor management program: Establish a vendor management program to ensure that safeguards and security programming is implemented.
- Understanding vendor relationships: Use due diligence, including questionnaires based on industry standards and security principles and carefully establish contractual obligations that cover necessary security terms.
- Vendor monitoring and testing: Monitor and test vendors, maintaining awareness of new developments at third-party service providers and establish secure procedures for changing vendors, including those that are cloud-based.
Training and awareness
Noting the critical importance of effective employee training to generate better awareness of their activities and to create a culture of cyber awareness and readiness, OCIE noted the following:
- Policies and procedures as a training guide: Ensure awareness, understanding, and acceptance of policies and procedures related to cybersecurity.
- Including examples of exercises in training: Build a culture of cybersecurity awareness and readiness, including training methods that engage staff with practical situations and exercises.
- Training effectiveness: Continually monitor training efforts, improving them based on results and the current cybersecurity environment.
SEC proposes new rules and amendments to update approach to the regulation of the use by funds of derivatives and other transactions
On November 25, 2019, the SEC approved for publication a three-part rule proposal related to the use of derivatives and certain other transactions by registered investment companies (i.e., open-end funds other than money market funds; closed-end funds; and ETFs and business development companies). The proposal includes: (1) new Rule 18f-4 under the 1940 Act; (2) new rules relating to leveraged/inverse funds and vehicles, including sales practices rules under the Securities Exchange Act of 1934 (the Exchange Act) and the Investment Advisors Act of 1940 (the Advisors Act) and a related rule amendment to Rule 6c-11 under the 1940 Act relating to leveraged/inverse exchange-traded funds; and (3) related fund reporting form amendments (i .e, Form N-PORT, Form N-LIQUID, Form N-CEN and Form N-2).
Rule 18f-4 would provide an exemption from the applicable restrictions on issuing “senior securities” under Sections 18 and 61 of the 1940 Act, allowing funds to enter into certain transactions that create leverage, subject to certain specified conditions. Rule 18f-4 would treat separately a fund’s “derivatives transactions” (i.e. transactions in derivatives instruments involving a potential future payment or delivery obligation and short sale borrowings), reverse repurchase agreements and other “similar financing transactions,” and unfunded commitment agreements, and would subject each category of fund transactions to different conditions.
For most funds engaging in derivatives transactions, the conditions would require that: (i) the fund adopt and implement a written derivatives risk management program; (ii) the board (including a majority of directors who are not interested persons of the fund) approve a derivatives risk manager, who would be required to administer the fund’s derivatives risk management program and provide certain reports to the board; and (iii) the fund comply with limits on fund leverage risk such that the fund’s value at risk (VaR) could not exceed 150 percent of the VaR of a “designated reference index” that the derivatives risk manager identifies, or the fund’s VaR not exceed 15 percent of the value of the fund’s net assets if there is no appropriate index. A fund that only trades a limited amount of derivatives as specified in the rule would not need to adopt a derivatives risk management program or be subject to the risk management limits, subject to certain different conditions. A fund that is a “leveraged/inverse investment vehicle” would not be required to comply with the limit on fund leverage risk requirements, subject to alternative conditions.
A fund would be permitted to enter into reverse repurchase agreements and similar financing transactions if the fund complies with the asset coverage requirements under section 18 of the 1940 Act with respect to such transactions on an aggregate basis with any other senior securities representing indebtedness when calculating the asset coverage ratio.
A fund would be permitted to enter into an unfunded commitment agreement if the fund reasonably believes, at the time it enters such agreement, that it will have sufficient cash and cash equivalents to meet its obligations with respect to all of its unfunded commitment agreements as they come due, subject to certain limitations and guidelines.
The SEC proposed Rule 15l-2 under the Exchange Act and Rule 211(h)-1 under the Advisors Act - new “sales practices” rules that would require broker-dealers and investment advisors, as well as their associated persons who are natural persons, to exercise specified due diligence on “retail investors” prior to approving their account for trading in inverse/leveraged investment vehicles or placing or accepting such trades from a retail investor. The proposed rules also would require firms to adopt written sales practices, policies and procedures specific to these investments, and to maintain certain records. Significantly, the proposed sales practices rules would apply without regard to whether a recommendation or investment advice is provided to the retail investor, and so would apply even to self-directed brokerage transactions.
As a related matter, the SEC is also proposing to rescind Release 10666 (the asset segregation currently required for certain transactions under the SEC’s prior guidance relating to the use of transactions that create leverage), and SEC staff are reviewing certain of its other guidance in this area for possible withdrawal.
The proposing release states that the SEC would expect to provide a one-year transition period after the publication of any final rule in the Federal Register, while funds prepare to come into compliance with Rule 18f-4 before Release 10666 is withdrawn. The proposing release sets forth a number of requests for comment regarding each element of the proposed rule changes. The public comment period will remain open through March 24, 2020.
OCIE issues risk alert regarding investment company compliance matters based on recent examination experience
On November 7, 2019, OCIE issued a Risk Alert in which it discussed “the most often cited deficiencies and weaknesses” observed by its staff during its most recent examinations of nearly 300 investment companies registered under the 1940 Act. The Risk Alert also provides staff observations following OCIE’s review of money market funds and target date funds. The Risk Alert covers a two-year period and provides general compliance observations applicable to funds as well as more specific observations regarding money market funds and target date fund compliance.
According to the Risk Alert, the most frequently cited deficiencies involving funds related to: (i) the Fund Compliance Rule (Rule 38a-1 under the 1940 Act); (ii) disclosure to investors; (iii) the board approval process for advisory contracts (pursuant to Section 15(c) of the 1940 Act); and (iv) fund Codes of Ethics (Rule 17j-l under the 1940 Act).
- Fund Compliance Rule. The Risk Alert notes four main staff observations in connection with Rule 38a-1 compliance programs: (i) compliance programs that did not take into account the nature of funds’ business activities or risks; (ii) policies and procedures that were not followed or enforced; (iii) inadequate oversight of service providers; and (iv) inadequate performance of annual reviews.
- Disclosure. The OCIE staff observed instances where disclosures to investors may have been materially misleading because the disclosure did not comport with actual practice. Examples cited included failure to disclose or inaccurate disclosure of: (i) payments to service providers; (ii) changes in investment strategies; and (iii) principal investment strategies as implemented.
- Section 15(c) Process. As examples of deficiencies in the Section 15(c) process when approving or renewing fund investment advisory contracts, the OCIE staff noted instances where: (i) boards did not consider relevant information (e.g., advisor profitability, economies of scale, peer group advisory fees and performance data for other accounts managed by the advisor); and (ii) shareholder report disclosures did not adequately describe the board’s approval process.
- Codes of Ethics. As examples of deficiencies and weaknesses, the OCIE staff cited instances where: (i) Codes of Ethics lacked provisions reasonably necessary to prevent violations, or misuse of material non-public information by “access persons”; funds did not adequately review and pre-clear access persons’ securities transactions; (ii) funds did not report violations to the board; and (iii) the board did not approve the Code of Ethics.
OCIE releases 2020 exam priorities which include priorities for funds and advisors
On January 7, 2020, OCIE announced its examination priorities for 2020. Consistent with prior years, OCIE’s priorities focus on the protection of retail investors, including seniors and those saving for retirement. In addition, OCIE indicated that it will also be focusing its examinations on compliance by broker-dealers and investment advisors with the SEC’s newly adopted Form CRS Relationship Summary and applicable standards of conduct under Regulation Best Interest (Regulation BI) and the Interpretation Regarding Standard of Conduct for Investment Advisors.
The priorities relevant to investment companies and investment advisors also include examinations related to:
- Mutual Funds and ETFs: OCIE will continue to prioritize examinations of mutual funds and ETFs, investment advisors of such funds, and the oversight practices of fund boards of directors. OCIE noted that it will focus its examinations on investment advisors that engage third-party administrators to sponsor mutual funds (so called “multi-series trusts”), mutual funds and ETFs that have not yet been examined, and investment advisors that manage private funds and registered investment companies with similar investment strategies.
- Compliance Programs: OCIE will continue to prioritize examinations of investment advisors that are dual-registered as, or affiliated with, broker-dealers, focusing on whether such firms’ compliance programs adequately address the risks associated with “best execution, prohibited transactions, fiduciary advice, or disclosure of conflicts regarding such arrangements.”
- Information Security: OCIE will focus on information security risks, including cyber-related risks. OCIE’s examinations will focus on proper configuration of network storage devices, information security governance, and retail trading information security. With respect to investment advisors, OCIE will focus its examinations on investment advisors’ protection of clients’ personal financial information.
- FinTech: OCIE’s examinations will focus on firms’ use of alternative data sets and technologies to interact with, and provide services to, investors, firms, and other service providers. OCIE will also focus its examinations on the digital asset market and investment advisors that provide electronic investment advice.
- Never-Before and Not Recently-Examined Investment Advisors: OCIE’s examinations will focus on newly registered investment advisors, as well as investment advisors that have not yet been examined, or that have not been examined for several years.
- AML Programs: OCIE will continue to focus on fund and advisor compliance with applicable AML requirements, including: (i) proper filing of SARs (suspicious activity reports); (ii) adequacy of customer identification programs; (iii) compliance with beneficial ownership requirements; and (iv) robust and independent testing of AML programs.