SAFEGUARDING CLIENT ASSETS
Advisers Act Rule 206(4)-7 requires a registered investment adviser to adopt policies and procedures that are reasonably designed to prevent violations of the Investment Advisers Act and its rules. In the case of the custody rule, this includes adopting controls that are reasonably designed to prevent misappropriation or misuse of client assets, and taking appropriate action if any misuse does occur. With respect to privacy protection and cybersecurity, this includes adopting procedures to protect nonpublic personal information of clients and limited partners, and to prevent unauthorized access to confidential information. Adequate disaster recovery and business resumption planning is also required to ensure an orderly recovery of business operations in the event of a disruption due to unforeseen events or liquidation.

CUSTODY
Rule 206(4)-2 (the "Custody Rule") prohibits, with limited exceptions, a registered adviser from holding physical custody of client assets and imposes detailed requirements on the manner in which an adviser must hold client assets. The rule's definition of "custody" is not focused on physical possession of assets, but rather on the "direct or indirect authority" of the adviser and its related persons to control the disposition of client funds and securities. In February 2017, the SEC released additional guidance on situations that may invoke the Custody Rule: inadvertent custody of client assets due to (1) a standing letter of authorization ("SLOA") between the client and the custodian that grants limited authority to the adviser to transfer client assets; (2) a separate agreement between a client and a custodian that grants broader authority to the adviser over client assets even if the adviser is not a party to such an agreement; and (3) a client authorizing the adviser to move money between the client's other accounts. The SEC further clarified its position in a no-action letter and an update to its FAQs on the Custody Rule. Advisers who have such arrangements must be sure to read these releases carefully against the adviser's current practices, and amend, with specificity, any such authorizations as needed to comply with the SEC's guidance.
With respect to private funds, a registered adviser who is a general partner or holds a similar position with a private fund will be deemed to have complied with the surprise audit requirement under the Custody Rule provided that (1) the fund is audited annually by an independent public accountant that is registered with and subject to inspection by the Public Accounting Oversight Board ("PCAOB") and the audited statements are distributed to the fund's investors or (2) the qualified custodian sends quarterly statements to each investor in the pool and the adviser obtains a surprise examination of the fund's assets. Generally, private fund advisers choose the former option, as an independent audit can be costly. Private fund advisers should be alert to when the audited financials are required to be released. A 180-day extension after fiscal year end is granted to an adviser of a feeder fund in a master feeder structure where the master feeder invests 10% or more of its assets in a fund of funds. The same extension is granted to a fund of funds advised by one or more advisers unaffiliated with the adviser of the feeder fund. The SEC's February 2017 Risk Alert on compliance deficiencies related to the Custody Rule can help identify gaps in an adviser's compliance program that should be addressed. In addition, a registered adviser should consider carefully its private fund and master feeder arrangements in the context of the Custody Rule, as these considerations will likely impact the adviser's registration on Form ADV and other client disclosures.

PRIVACY PROTECTION
A registered investment adviser has an obligation to maintain the confidentiality and security of its clients' personal information and to adopt procedures to properly dispose of such information. The obligations under Regulation S-P and Regulation S-AM under Title V of the Gramm-Leach-Bliley Act ("GLBA") apply to an adviser who provides or has provided services to investment company clients, individual account clients, and wrap account clients. Regulation S-P governs the adviser's ability to disclose or share nonpublic personal financial information with its affiliates and non-affiliated third parties. Regulation S-AM prohibits the use of such client information unless certain conditions are met, but does not infringe on the rights of a financial institution to share information, provided proper notices are provided to clients. (See Paul Hastings Stay Current "SEC Adopts Rule Governing Affiliate Marketing - Regulation S-AM".) A privacy notice to clients that indicates the adviser's intent to share information must be provided at the time the client relationship is established and annually thereafter. Pooled investment funds that claim an exemption from registration as an investment company under Section 3(c)(1) or Section 3(c)(7) of the Investment Company Act and pension plans are exempt, but privacy laws under the Federal Trade Commission and data security rules at the state level may apply. Advisers that share information with non-affiliated third parties, such as an executing broker, fund or investment adviser, are not responsible for such providers' compliance with the regulations. Unregistered investment advisers or those registered only with the states are subject to privacy regulations overseen by the Consumer Financial Products Board.
SEC and state registered investment advisers should be sure to periodically review their client base to confirm compliance with these regulations, and consider whether compliance can be contractually delegated to a third party, such as a fund administrator or transfer agent.

CYBERSECURITY
The SEC's 2017 examination priorities continue to include an examination of cybersecurity compliance procedures and controls, following a 2014 initiative by the SEC to understand cyber-threats to the securities industry. The SEC has since provided the industry with summary observations from its sweep exams conducted in 2014 and published guidance in April 2015, including a number of recommendations for funds and advisers to consider. The SEC followed with a Risk Alert communicating its expectations related to advisers' cybersecurity preparedness. Attached to this Risk Alert is a sample list of information that the SEC will likely request from advisers under examination. Advisers are expected to: (1) periodically assess their cybersecurity risks; (2) create a strategy designed to prevent and respond to cybersecurity threats; and (3) implement the strategy through written policies and procedures and training. The guidance highlights the adviser's obligations to comply with federal securities laws and recommends advisers consider cybersecurity risk in the context of identity theft and data protection, fraud, and business continuity. In addition, an adviser should assess the cybersecurity programs of its service providers, including a review of outsourced technology and the provider's oversight of second-tier technology providers.

DISASTER RECOVERY & BUSINESS CONTINUITY PLANNING
A registered investment adviser has a fiduciary obligation to protect client interests from risks resulting from the adviser's inability to provide advisory services. The SEC's policy statement makes clear its expectation that financial institutions will adopt business continuity plans to "...minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations." In adopting the compliance rule, the SEC did not identify specific areas that advisers should consider in developing their disaster recovery and business resumption planning, and in 2016 proposed new Rule 206(4)-4 to remedy what it observed were inconsistent practices in the industry and "lessons learned" following Hurricane Katrina in 2005 and Hurricane Sandy in 2012. The proposed rule will require registered advisers to adopt and implement a business continuity and transition plan that provides for: (1) critical operations and systems, and the protection, backup, and recovery of data; (2) alternate physical office locations for employees; (3) identification and assessment of third-party services critical to the adviser's operations; and (4) a plan of transition for the winding down or transition of the adviser's business to others. The SEC modeled the rule, in part, on business continuity plans of other financial institutions, and collected from its past cybersecurity examinations certain best practices for advisers. In formulating its business recovery and transition plan, an adviser should focus on its operations, and in particular, functions provided by third parties that provide critical support to the adviser's operations. The adviser should include in its annual review an assessment of the provider's own disaster recovery and business resumption plans, including the frequency of testing, back-up data storage and recovery capabilities.
This is particularly important in the context of publicly traded funds and private funds, which commonly outsource several critical functions to third parties. The adviser should also consider any technology critical to the adviser's operations that the provider has outsourced and assess the provider's ongoing monitoring of those third-tier providers.