In the Spotlight

Financial Services Regulatory Alerts

In a highly regulated industry such as Financial Services, it is of utmost importance for compliance officers, legal counsel, and others in senior management positions to stay ahead of regulatory change.  Our professionals will use this space to provide insight into upcoming regulatory developments each week.

December 28, 2009
Service Provider Oversight

The investment management industry is moving towards a much more sophisticated model for the oversight of service providers.  The overarching SEC and client/investor expectation is that firms have put in place an oversight and governance process covering initial due diligence (through RFPs, contracting, privacy/conflicts assessments, operations risk evaluations, etc.) and retain evidence of the ongoing implementation of that process for activities delegated to service providers, providing reasonable assurance that delegated activities (1) are being performed in a manner consistent with relevant contracts; (2) are at arm’s length, which is especially important for affiliated service providers; and (3) have had any risks within the outsourcing relationship (i.e., privacy, operations risk, legal/compliance risk, etc.) adequately identified and addressed by the adviser/fund complex.  The following is a distillation of typical oversight activities.

1. Matrix of delegated activities by provider (in Excel, based on the contract and any ‘side’ arrangements, which should be documented if not in an amendment to the contract).

2. Risk assessment for each provider based on the types of services provided and the significance of those services on the firm’s (i.e., adviser’s) ability to effectively manage and protect clients'/investors' assets.

3. Periodic metrics reports (i.e., monthly, quarterly) aligned with the services described in #1, which allow the firm to assess the performance of each provider against pre-determined KPIs.  The goal is to identify the key risk areas and activities and develop metrics to measure how the provider is performing those activities.

4. Periodic performance meetings.

5. 3rd party internal controls reports (i.e., SAS No. 70 (U.S.), Section 5970 (Canada) or FRAG21/94 (U.K.)); the firm should obtain this type of report, identify the controls tested which cover the activities delegated in the contract and ensure the design of the control is adequate and no relevant exceptions were noted.

6. Sub-certifications: generally, firms should request periodic sub-certifications from providers which specifically require that the provider attest to their compliance with all applicable laws, regulations and contractual provisions, and that they maintain their ability to continue to provide these services, etc.

7. Due Diligence Questionnaires: firms should require that providers complete due diligence questionnaires which include questions addressing changes to the provider’s control environment, key staffing changes, changes in management control, etc.

8. On-site visits: for providers deemed high risk, firms should perform onsite visits and memorialize the findings of the visit in a memo to file.

9. Risk Score Cards for [especially] sub-advisers.

10. Periodic testing of certain delegated activities such as proxy voting and regulatory filings (i.e., 13F filings) to ensure the sub-adviser is fulfilling their reporting obligations consistent with the sub-advisory arrangements.

11. Results of due diligence/service provider oversight should be presented to a Risk or Compliance Committee (and Board where applicable).

________________________________________________

December 21, 2009
Pension Funds:  Enhanced Oversight and Governance

Recent industry events remind public (and private) pension plan (“Pension Plan”) fiduciaries of their duty to supervise their employees and service providers and to establish robust governance frameworks to monitor conflicts, risk and the effectiveness of investment management, compliance and operations activities.  In one such event, New York Attorney General Andrew Cuomo obtained two guilty pleas and multiple indictments against state officials and other politically connected intermediaries for a scheme whereby state officials requested kickback payments for hiring investment managers for the New York State Common Fund.  Additionally, the Florida State Board of Administration (“SBA”) is under investigation by the Securities and Exchange Commission regarding possible fraud in connection with certain allegedly misleading disclosures about the risk and liquidity of some SBA investments in an investment pool used by local communities as the equivalent of a money market checking account to fund current liabilities, including payrolls.  Lastly, the California Public Employees’ Retirement System (“CalPERS”) was forced to adopt new rules for its use of placement agents in the wake of revelations that a former CalPERS board member received tens of millions of dollars in placement fees from investment managers looking to win investment management mandates from CalPERS.  These three stark examples, and previous SEC actions and guidance, are reminders that Pension Plans are not exempt from misconduct, reputational harm and possibly fraudulent behavior.  Each example illustrates the need for enhanced oversight and governance to ensure a Pension Plan’s Board of Trustees (the “Board”) effectively discharges its obligation and fiduciary duty to protect the employee investors and prevent actual or perceived fraudulent or deceptive behavior.

The reality of Pension Plans today is that they are, in effect, large asset management organizations.  They undertake asset management activities across the spectrum of front, middle and back office operations, such as portfolio management, trading, valuation, affirmation, settlement, portfolio accounting and participant record keeping and require formal governance and oversight frameworks, including risk management programs.  The typical Pension Plan organizational model includes outsourcing the day-to-day asset management activities to 3rd party investment managers (front office) and operations activities to 3rd party administrators and custodians (middle and back office).  However, it should be noted that Pension Plans may retain all or a portion of the asset management and non-investment related activities which are performed by internal investment management and operations staff through an In-source Provider model.

To be effective and discharge its fiduciary duty, the Board must adopt and carry out a robust governance and oversight program which clearly outlines: (1) which parties are responsible for the implementation of investment and non-investment related activities and the required skills for certain roles; (2) the authority delegated to those parties responsible for monitoring and carrying out the Pension Plan’s activities and the authority retained by the Board; and (3) how the Board monitors those activities.  This is accomplished through, among other things, the development of written policies and procedures addressing investment suitability, the identification and resolution of conflicts of interest, codes of ethics, enterprise risk management (including escalation protocols), statutory compliance and the oversight/monitoring of internal and external service providers.  The policies should provide for adequate segregation of investment, compliance and operations activities and for independent oversight of all delegated activities through, for example, Board subcommittees such as Risk Committees and Compliance Committees.  The Board subcommittees may choose to delegate certain oversight and monitoring functions to business unit operating committees, which provide more active oversight of day-to-day activities and have the flexibility to be more responsive to risk events (e.g., market events, issuer-specific events and Pension Plan organizational changes).  Typically, business unit operating committees are responsible for monitoring Provider performance, making recommendations to the Board and Board subcommittees and providing management reporting to the Board.  The operating committees should have a documented span of control, accountability and reporting requirements to the Board, evidenced through a committee charter, and should retain minutes of all meetings.

The lesson for all Pension Plans is that an affirmative, proactive process for evaluating the efficacy of Pension Plan management and operations is more than a best practice; it is a necessary step to ensure the Board is fulfilling its fiduciary duty. 

________________________________________________

December 14, 2009
How to Prepare for a Regulatory Exam – Part 4

A little preparation in advance of a regulatory exam goes a long way.  This is the final section of our series on regulatory exam preparation.  See below for Parts 1, 2, and 3, covering pre-exam employee education, development of a firm overview, annual review files, risk assessments and conflict of interest analyses, assigning a responsible party, document production processes, and document production “dry run”.

8. Review your policies and procedures:  Ensure policies and procedures are current, address existing business activities/practices, are consistent with actual business activities and are properly dated (audit trail).  The annual review should capture this step, but additional inquiry is warranted when preparing for an exam.  An important note: policies and procedures should be updated for current events and litigation such as pay-to-play and insider trading/MNPI.  CCOs should have a log or schedule of items currently in progress, including draft policies and procedures and open remediation items from annual reviews.

9. Control environment and oversight processes:  CCOs should evaluate each core process to ensure there is an appropriate segregation of duties amongst investment professionals, operations and control groups and written procedures and accompanying control activities.  Segregation of duties extends into processes within each activity and must be documented (i.e., ensuring portfolio managers are not pricing assets, traders are not approving soft dollar/CCA/CSA payments and investment professionals do not have access to influence performance or fee calculations).  Firms should have a robust committee structure with documented charters/statements of purpose and minutes kept at each meeting.  Policies and procedures should reference the relevant oversight committee and the documents required to be presented to and considered by the committee.

10. Review client disclosures and registration statements:  Firms should review marketing, RFP and advertising templates for consistency with applicable rules and current no-action letters.  CCOs should pay particular attention to performance claims and companion disclosure requirements (i.e., GIPS compliant claims).  CCOs should sample existing materials and evaluate the controls around who has access to create, modify and distribute material (i.e., logical access controls).  Additionally, CCOs should evaluate existing registration statement disclosures (Form ADV Parts I & II) and offering documents (for private funds) for accuracy and consistency with existing business practices.

With some preparation firms can well position themselves to manage an exam.  It is true that exams are taking longer and draining resources from day-to-day management of the business.  However, preparation will mitigate the level of resource allocation and better allow firms to respond to document requests.  Additionally, firms will be able to provide consistent information during interviews and provide the examiners with a high degree of transparency into the firm’s activities and the compliance and risk management programs in place to manage those activities.  Telling this story is key to a successful exam.
________________________________________________

December 7, 2009
How to Prepare for a Regulatory Exam – Part 3

A little preparation in advance of a regulatory exam goes a long way.  This is the third in our four-part series on regulatory exam preparation.  See below for Parts 1 and 2, covering pre-exam employee education, development of a firm overview, assigning a responsible party, document production processes, and document production “dry run”.

6. Annual review files:  Evaluate the level and adequacy of documentation retained to support determinations made as a result of the review, including changes to policies or procedures, updates to disclosure documents and changes in business processes.  Each annual review should have an action plan with responsible parties assigned to each remediation and a documented process to ensure each remediation is completed in accordance with the plan.  CCOs must ensure that they have documented their forensic/periodic/transactional testing program, have documents supporting this testing and action plans evidencing the follow-through for addressing issues noted, as this information is certainly going to be closely reviewed by examiners.

7. Risk assessment and conflicts of interest analysis:  CCOs should review their existing assessments and ensure they are current and complete.  The risk assessment should be sufficiently detailed so as to allow the CCO to direct their monitoring and testing program to the business activities posing key risk to the firm’s clients.  Additionally, CCOs should have a documented conflicts of interest analysis, which is aligned with client disclosures and registration statements, as this analysis will also direct the frequency and form of periodic testing and monitoring activities.

Check back next week for the final article in our series.

________________________________________________

November 30, 2009
How to Prepare for a Regulatory Exam – Part 2

A little preparation in advance of a regulatory exam goes a long way.  This is the second in our four-part series on regulatory exam preparation.  See below for Part 1, covering pre-exam employee education and developing a firm overview.

3. Responsible party and exam oversight function:  Assign a party responsible for managing the effort.  This person should be sufficiently oriented to the exam process, adhering to firm policy regarding communication with examiners and the document production procedures.  A group of individuals comprising staff from each business unit should coordinate the overall effort, meet periodically to monitor the process, identify any requests which appear unreasonable and/or require negotiation with the exam team, and identify any potential material deficiencies.

4. Document production processes/procedures:  Firms should develop a process and tool (e.g., Excel matrix) to track all document requests, including the initial requests and follow-on requests.  Any requests received verbally should be reduced to writing and captured in the overall document production matrix.  Firms should keep a copy of all documents provided to the exam team and periodically discuss the status of open items with the exam team.

5. Document production ‘Dry Run’:  Using a recent examination document request letter, load each request into the Excel matrix or other document request tracking tool, assign each request to a responsible party, and identify the source of the required information (i.e., systems/applications, files, archives and 3rd party record management vendors).  Coordinate with Information Technology and systems/applications Business Analysts and provide them with the required data fields for each request which requires electronic information.  Coordinate with external service providers so they know you are expecting an exam in the near future, discuss the anticipated test period (i.e., 1-3 years) and identify which documents are available electronically and how long the service providers will take to produce the information.  Conduct targeted sampling of selected requests to evaluate the time to produce the documents and the form of the output, and substantively review the output to ensure it appears adequate.

a. Email surveillance:  CCOs should evaluate the firm’s ability to produce and sort emails in 24- and 48-hour intervals.  Firms should have surveillance programs in place, and CCOs should examine their files to ensure they have appropriate documentation supporting their surveillance program and any actions taken as a result of email monitoring.  Additionally, CCOs should have appropriate staff on hand or available to review emails prior to delivery to the exam team.

________________________________________________

November 23, 2009
How to Prepare for a Regulatory Exam – Part 1

You’ve read the speeches and heard the industry buzz about the new SEC exam process, including enhanced coordination amongst various regulators, longer and more in-depth exams and the addition of examiners with specialized training in trading, portfolio management, risk management and fraud assessments.

These changes, coupled with the far-reaching and ongoing impact from the Madoff Ponzi scheme and accompanying OIG Reports on OCIE, are fundamentally changing not only the duration and depth of exams but how the SEC assesses risk, determines exam schedules and applies its examination procedures.

All of these changes have so far resulted in longer deficiency letters and additional time and resource commitments from firms when responding to examiner questions during an exam and drafting responses to identified deficiencies.

Although each firm’s experience with examiners can be very different, there are several steps that your firm can take to plan and prepare for an SEC exam.  Over the next several weeks, we will describe these steps in detail.  Part 1 will cover employee education and a firm overview.

1. Know and prepare your firm:  An obvious red flag to any examiner is when a CCO or senior executive does not know what is in the firm’s compliance manual or other material aspects of the firm’s business activities, such as service/business arrangements with affiliates.

a. Mock interviews:  Meet with each professional who is likely to be interviewed by the examination team and conduct mock interviews.  Follow up with each professional to ensure you’ve addressed any gaps; and don’t forget the rest of your staff!

b. Staff communication:  The entire firm should be aware of the date(s) the examination team will be onsite and where they will be located.  Additionally, all employees should ensure they are sensitive to the commitment required to assist the SEC in completing their fieldwork and the importance of the exam process.

2. Develop a firm overview:  A firm overview (often a PowerPoint presentation) is a good tool for providing examiners a view into where the firm has identified potential conflicts, how those conflicts have been mitigated and where to focus their efforts.  This is particularly true for complex organizational structures where affiliates provide services, when professionals may be ‘dually hatted’ and products may compete with each other (i.e., side-by-side management).

Check back next week for additional tips on preparing for an exam.
