On March 3, the U.S. Securities and Exchange Commission announced its examination priorities for 2021, providing a much-anticipated glimpse into the Biden administration's overall priorities for white collar criminal enforcement.
The exam priorities provide the opportunity to adjust compliance programs accordingly.
Compliance Programs Generally
The priorities state, as a threshold matter, that the SEC will focus on the following two characteristics of a compliance program:
Integrated Compliance Groups
Compliance groups cannot exist in a vacuum, but must have "active engagement in most facets of firm operations and early involvement in important business developments, such as product innovation and new services."
In other words, there should be a formalized line of communication between compliance and other firm sectors; material developments on the business side should be vetted with compliance as a matter of course.
Although this step may seem onerous, the SEC will be looking for compliance to be more proactive, and the best way to do this is to establish — in the least burdensome way — a regular line of communication between compliance and the rest of the company.
Thus compliance will be able to identify and mitigate potential conflicts of interest or other risks and issues. This way, when unanticipated problems arise, compliance will already have factual context for the issue so that it can move nimbly to ameliorate it.
Empowered Chief Compliance Officers
Compliance groups must have "knowledgeable and empowered [chief compliance officers] with full responsibility, authority, and resources to develop and enforce policies and procedures of the firm."
In November 2020, the director of the Office of Compliance Inspections and Examinations, Peter Driscoll, provided guidance on what this means — noting, among other things, that chief compliance officers, or CCOs, must have sufficient seniority within the firm and support from the most senior executives.
In other words, a company's organizational chart must demonstrate that CCOs are senior enough and empowered to make decisions, and set and enforce policies.
The priorities make clear that the SEC intends to focus on the manner in which registered investment advisers, or RIAs, approach environmental, social and governance, or ESG, matters, including climate change.
The priorities do not particularly explain this, except to note that RIAs increasingly offer investment strategies focusing on "products and services that are referred to by a variety of terms such as sustainable, socially responsible, impact, and ESG conscious."
For those products, the SEC expects to review, among other things, whether the firms' practices match their disclosures. In other words, if RIAs emphasize ESG issues in marketing, they can expect focus on whether they are not only talking the talk on ESG, but walking the walk.
RIAs should consider undertaking an ESG audit including a review of, among other things, marketing practices — in substance and procedure — and the implementation of the ESG-focused investment strategies.
All of these elements must align with representations made about ESG. Such reviews should include engagement not only with CCOs, but with business owners throughout the enterprise to sensitize and educate them on the ESG focus.
Focus on Particular Categories of Retail Investors
The SEC will continue to focus on the protection of retail investors, but also warns that certain categories of retail investors will receive particular attention if marketing is aimed at them and/or if they comprise a significant proportion of a firm's investors:
- Seniors, especially where the target audience is a retirement community;
- Military personnel; and
- Individuals saving for retirement.
The substance of the SEC's focus, however, does not significantly change from prior years. The SEC states that it will focus on the following, as expected:
- Fraud prevention policies;
- Compliance with 2019's Regulation Best Interest, which, broadly speaking, required broker-dealers to act in retail investors' best interest;
- Compliance with 2019's Interpretation Regarding Standard of Conduct for Registered Investment Advisers, which specified the fiduciary duties of broker-dealers; and
- Form CRS, which requires certain disclosures to retail investors, which must in turn be filed with the SEC.
These, of course, are not new areas of focus, and most firms have already implemented programs to comply with these requirements. However, the SEC did announce two new examination areas of emphasis:
Emphasis on Regulation Best Interest
The SEC expects examinations in 2021 will include an additional component, namely:
[E]nhanced transaction testing ... and will evaluate firm policies and procedures designed to meet additional elements of Regulation Best Interest, the recommendation of rollovers and alternatives considered, complex product recommendations, assessment of costs and reasonably available alternatives, how sales-based fees paid to broker-dealers and representatives impact recommendations, and policies and procedures regarding how broker-dealers identify and address conflicts of interest.
Therefore, now is an important time for compliance to home in on Regulation Best Interest and ensure firm policies cover and address, at a minimum, the specific items listed by the SEC.
Emphasis on Turnkey Asset Management Platforms
Because of the tendency to create conflicts of interest, the SEC states it will place a new emphasis on RIAs operating and using turnkey asset management platforms. The SEC noted that the division's examinations will seek to assess whether fees and revenue sharing arrangements associated with these platforms are adequately disclosed.
Now, then, is the time for compliance to ensure that these arrangements and associated conflicts, actual or apparent, are adequately disclosed.
The Results of Remote Work: Emphasis on Operational Resiliency
As expected, the pandemic and related increase in remote work have focused the SEC on the sufficiency of information security practices and procedures. There is nothing surprising here. As in past years, RIAs should ensure that they now have in place policies and procedures relating to cyberattacks and ransomware, as well as overall data security.
There are, however, two new areas of emphasis in 2021 directly attributable to the pandemic:
Operational Risk From Remote Work
Prior to the COVID-19 pandemic, firms did not generally focus on the risks of remote work. Now, the SEC states that it will be looking for specific policies and procedures that ensure remote work does not compromise data security, including the electronic storage of books and records, and investor records and information.
If not in place already, firms should promulgate a specific policy setting forth how information security will be maintained in a remote working environment.
Climate Change in Disaster Continuity Plans
The priorities note that the SEC will be reviewing the adequacy of disaster continuity plans — again, not a surprise after COVID-19. However, the priorities state that the SEC will be focusing on whether such plans also account for climate change and responses to "large scale events."
The priorities do not elaborate on what this actually means in practice, but notes that the SEC will be checking to see whether there has been improvement upon legacy disaster continuity plans put in place after Hurricane Sandy.
In other words, the SEC will be looking to see whether entities have taken the time to analyze and, if need be, update disaster continuity plans. If this analysis has not already been undertaken, it should be done promptly.
Other Areas of Focus
In addition to the foregoing, most significant announcements in the priorities, the SEC notes that it will focus on the following in 2021:
The SEC expects to focus on firms that are innovators in the following areas:
- Fintech: This includes robo-advisers, firms offering automated asset allocation, fractional share purchases, customized portfolios, and mobile applications. The focus will be compliance with applicable securities laws and regulations.
- Regtech: The focus will be to ensure that firms employing regtech, or technology used to implement compliance with regulations, are doing so effectively.
- Alternative data: Firms using alternative data, or "data gleaned from non-traditional sources," can expect scrutiny as well. Again, the focus will be on regulatory compliance — ensuring that firms properly address concerns related to, among other things, due diligence and material nonpublic information.
- Digital assets: The SEC notes that the digital asset market is evolving, particularly the adoption of distributed ledger technology. Accordingly, as in prior years, the compliance programs of entities in the digital asset market will be a focus.
In other words, if a firm is engaged in or employs any of the foregoing innovations, they can expect scrutiny in 2021 and should ensure now that their regulatory compliance program has kept up with technological developments.
Other areas of focus described in the priorities include:
Advisers to Private Funds
Registered investment advisers to private funds, especially those with a higher concentration on structured products — e.g., mortgage-backed securities — can expect scrutiny this year.
Again, the focus will be on general regulatory compliance, although the SEC specifies that it will be reviewing, among other things, the "preferential treatment of certain investors by advisers to private funds that have experienced issues with liquidity, including imposing gates or suspensions on fund withdrawals," and "portfolio valuations and the resulting impact on management fees."
RIAs to private funds of any type should ensure that compliance programs adequately address these and other enumerated issues.
Anti-Money Laundering Programs
As in past years, examinations can be expected to include a review of AML policies. This year, firms should be careful to ensure that their AML policies comply, to the extent applicable, with recent amendments to the Bank Secrecy Act.
The Libor Transition
The SEC will ensure that, where applicable, firms have programs in place to protect themselves and investors after the discontinuation of Libor. Firms should determine if there is exposure here and, if so, how to put processes in place to minimize it.
Liquidity Risk Management Programs
The priorities state that the SEC expects to conduct compliance examinations of mutual funds, exchange-traded funds and money market funds that have not been examined in recent years, focusing this year on liquidity risk management programs, making such programs are effective and comport with securities laws and regulations.
The priorities also note that they will be again be focusing on the regulatory compliance of national securities exchanges, transfer agents and clearing agents, as well as municipal advisers and broker-dealers.
This is a catchall, with no new guidance — except to note that compliance programs should be reviewed for any adjustments necessary post-pandemic. All such firms should review, at a minimum, their policies for disaster recovery and risk mitigation.
The priorities echo the SEC's historical focus on industry risks and trends that the SEC believes most impact the U.S. capital markets. The priorities are not exhaustive, and while they articulate the focus of SEC examinations, the scope of any firm examination is determined through a risk-based approach that includes, among other things, analysis of a firm's history, operations, services and products offered.
With the change of administration, and the appointment of a new SEC chairman, industry watchers anticipate a more robust and enforcement-minded commission in 2021.
The priorities confirm that, in 2021, the SEC will be reaching broadly both in the nature of entities examined and in the issues scrutinized.
Retail investors and potentially vulnerable investors are still critical, but the SEC is also focused on regulatory compliance in the context of new and evolving technologies; firms implementing technologies that affect investment decisions or automation of trading should have clear explanations and controls regarding these technologies to show appropriate concern for safety and security.
As ESG issues become a selling point for investment strategies, the SEC will ensure that claims made in these areas are accurate. Firms offering such products should therefore expect close scrutiny.
It remains important to ensure that compliance programs holistically address a firm's business and client or investor base — and the SEC will be analyzing these programs to ensure that they provide for lines of communication among all sectors of a firm.
Finally, as one would expect, COVID-19 and potential climate crises have brought the issues of information security and disaster preparedness to the forefront. Firms should carefully review legacy compliance programs in these areas and update them to reflect lessons learned during the pandemic.
Reprinted with permission from the March 12, 2021, issue of Law360. © 2021 Portfolio Media, Inc. All Rights Reserved.Click here to view the full article