Regulatory Roundup for May 2024

SEC DROPS NEW REQUIREMENT FOR INCIDENT RESPONSE PROGRAMS, PROPOSAL FOR RIAS TO ADOPT CIP, SEC EXAMS SHARES MARKETING RULE FAILURES,  RIA SLAMMED FOR FAILING TO RETAIN TEXTS, AND SEC WINS ON SHADOW TRADING THEORY

Welcome to our May Regulatory Roundup, where we provide you with a quick look at the latest regulatory developments.  In this edition, you will find one new SEC rule on cybersecurity breaches, one proposed rule requiring advisers to adopt “customer identification programs,” a risk alert from the Division of Examinations on the Marketing Rule, and some lessons learned from SEC cases, including a case against an adviser for failing to retain texts and a new interpretation of the insider trading prohibition. Enjoy!

SEC Requires RIAs to Develop Incident Response Programs for Cyber-Breaches

The SEC adopted extensive new requirements under Regulation S-P that will require broker-dealers, investment companies, registered investment advisers, and transfer agents to adopt incident response programs that include notifying customers of data breaches within 30 days. The deadline for compliance for registered investment advisers with $1.5 billion in assets under management is 18 months from the rule’s publication in the Federal Register.  Smaller firms have 24 months to comply. Other big changes include an expanded definition of “customer information” to include information received from other financial institutions and more extensive recordkeeping requirements.

The new incident response program must meet the following requirements:

• Be reasonably designed to detect, respond to, and recover from unauthorized access to and use of customer information.
• Assess the nature and scope of any incident and identify the customer information and types of information that may been accessed or used without authorization.
• Take appropriate steps to contain and control an incident to prevent further unauthorized access or use of customer information.
• Require notification to each affected individual whose “sensitive” customer information was, or is reasonably likely to have been, accessed or used without authorization within 30 days of becoming aware of the breach.
• Include reasonably designed written policies and procedures for oversight of service providers.
• Require service providers to provide notice of a covered breach within 72 hours of its occurrence.
• Maintain documentation about any detected unauthorized access to or use of customer information and the firm’s response to and recovery from such unauthorized access.

The notification requirement is limited to “sensitive customer information”, defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”  The notification must include the nature and date of the incident, the data involved, and ways for the affected individuals to contact the firm about the breach.

Although the Regulation S-P amendments apply to private funds and not to the underlying investors, the Final Release notes that private funds may be subject to the FTC Safeguards Rule, which requires financial institutions to develop, implement and maintain a comprehensive information security program.

Compliance with these amendments will be a heavy lift for investment advisers. Here are some initial steps to prepare:

• Update policies and procedures to reflect the updated definition of “customer information.”
• Update or create incident response programs to reflect the new requirements under Amended Regulation S-P.
• Revise vendor due diligence policies and procedures to include oversight required under the Regulation S-P amendments.
• Review logging and auditing tools for email and file access to assess whether breaches have occurred to meet notification obligations.
• Review service provider contracts to allow for ongoing due diligence to confirm whether the service provider is taking appropriate measures to protect customer information and provide notification in the event of a breach.
• Update record-keeping policies and procedures to conform to amendment Regulation S-P requirements.

SEC Proposes Long-Awaited Customer Identification Requirements for Investment Advisers

The SEC, along with the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN), jointly proposed a rule requiring SEC-registered investment advisers and exempt reporting advisors to establish and maintain customer identification programs (CIPs).  As noted by the SEC in its press release, “[t]he proposal is designed to prevent illicit finance activity involving the customers of investment advisers by strengthening the anti-money laundering and countering the financing of terrorism (AML/CFT) framework for the investment adviser sector.” The proposal was issued on May 13, 2024, and interested parties have until July 22, 2024, to comment on the rule.

The proposal includes minimum requirements for an investment adviser CIP:

• Identity verification requirements: Firms should develop risk-based procedures to verify the identity of their customers. A customer is defined as a natural person or legal entity that opens a new account with an investment adviser.
• Maintain records of the information used to verify the customer’s identity, such as name, address, birth date (for an individual) or formation date (for an entity), government-issued ID (for an individual), certified articles of incorporation (for an entity), social security number or tax identification number.
• Review lists of known or suspected terrorists or terrorist organizations provided to the adviser by any governmental agency to determine whether a potential customer is on such a list.
• Adopt procedures that address how a firm should respond if it cannot form a reasonable belief about a customer’s identity, including whether to decline opening an account, which services the firm can perform while attempting to verify the customer’s identity and when the firm should file a Suspicious Activity Report (SAR).
• Provide customers with notice that the firm is requesting information to verify their identity.

Investment advisers may rely on another financial institution to perform procedures under the CIP, but such reliance must be documented in a written agreement and reasonable under the circumstances. The other financial institution must also certify annually that it has an anti-money laundering program and will perform certain requirements of the adviser’s CIP.

For private fund managers, the proposed rule only requires that the fund’s adviser collect identifying information about the private fund, not the investors. However, an adviser may need to take additional steps to verify the identity of the private fund by seeking information about individuals with authority or control over the private fund.

Many RIAs have already adopted CIP procedures, including processes to comply with anti-money laundering rules in other foreign jurisdictions. Firms should review these procedures to ensure that they meet the minimum requirements of the proposed rule.  Firms should also discuss these requirements with existing service providers, such as broker-dealers acting as custodians and fund administrators, to determine whether they would be willing to undertake some of the processes required under the rule proposal.

EXAMS Tells Advisers What Not to Do in Advertisements

SEC’s Division of Examinations (“EXAMS”) issued a risk alert on its Initial Observations Regarding Advisers Act Marketing Rule Compliance (the “Risk Alert”), giving compliance officers an unexpected gift by sharing examples of deficiencies, ranging from books and records violations to materially misleading advertisements.  Check out our blog, SEC Tells Advisers What Not To Do in Advertisements, for more details.

The Cover-Up: A New Case Starring an Investment Adviser and its Principal

The SEC settled charges against Hudson Valley Wealth Management, Inc. (the “Firm”)and Christopher Conover (the “Principal”), a registered investment adviser and its founder, for failing to disclose conflicts of interest and misleading clients. Unlike the garden-variety conflict of interest cases, however, this Firm and its Principal invested client and investor money in loans made to film production companies.

The Firm advised separately managed accounts (SMAs) and a private investment fund.  What the SMA and private fund investors did not know was that the Principal received more than $500,000 in compensation from the production companies. When updating the Firm’s Form ADV Brochure and the fund’s private placement memorandum a few years later, the Firm disclosed that the Principal was receiving fees related to his role as an executive producer, which gave him an incentive to recommend investments in those productions. The SEC found, however, that these disclosures were a day late and a dollar short since the Principal’s fees were based solely on the amount of the loans extended to the production companies, not because of any services provided.

Eventually, the production companies defaulted on their loans, and the private fund was unable to satisfy investors’ redemption requests.  Instead of distributing available cash on a pro-rata basis, however, the Firm redeemed only one investor in full ahead of all others.

The SEC found that the firm and its principal violated the anti-fraud rules under Advisers Act Sections 206(2) and 206(4) and Rule 206(4)-8, resulting in a $200,000 civil penalty for the firm. The Principal had to pay more than $600,00 in disgorgement, prejudgment interest and a $150,000 penalty.

SEC Brings First Case Against Investment Adviser for Failing to Retain Text Messages

The day that many advisers have feared has come—the SEC has settled its first stand-alone case against an investment adviser for failing to maintain records of its electronic communications.

Long story short, Senvest Management, LLC’s (“Senvest”) employees, supervisors, and management sent and received thousands of personal text messages using non-official communications channels discussing firm business. Senvest’s policies and procedures were much broader than the books and record-keeping requirements under the Advisers Act, requiring retention of “all electronic communications” instead of just those that concerned “recommendations made or proposed to be made and advice given or proposed to be given about securities,” as stated in Advisers Act Rule 204-2(a)(7). The firm’s policies and procedures also permitted the firm to access employees’ personal devices to review for off-channel communications, which the firm failed to do.

The SEC also found that the firm failed to enforce its code of ethics. Employees failed to obtain pre-clearance for personal securities transactions, and their supervisors failed to review their quarterly transaction reports, which would have detected these violations. Senvest was required to pay a $6.5 million civil penalty and hire an independent consultant to help the firm improve its compliance policies and procedures.

The lessons from this case include:

• Read the compliance manual! Firms pay consultants and law firms thousands of dollars to develop their compliance policies and procedures. However, having policies and procedures that no one reads or follows can be just as harmful as having no compliance processes at all.
• Do not make promises you cannot, or should not, keep. In this case, the policies and procedures regarding electronic communications were broader than required under the Advisers Act. When reviewing the firm’s policies and procedures, confirm that they are consistent with the Advisers Act. SEC examiners may punish firms that promise to go above and beyond their regulatory obligations.
• Code of Ethics reporting is not enough. Advisers often focus on processes and systems to ensure that their employees perform their code of ethics reporting. Although these processes can be automated, someone within the firm should be responsible for review and enforcement.

Insider Trading Definition Expanded in “Shadow Trading” Case

The SEC won its recent insider trading case against Matthew Panuwat after a jury found that he used material, non-public information about his company to trade securities of a similar company. SEC v. Panuwat, Civil Action No. 4:21-cv-06322 (N.D. Cal. Verdict April 5, 2024). As with many insider trading cases, Panuwat earned about $100,000 from the trade, which is probably less than the legal fees paid to defend his case.  In any event, Panuwat received information that his company was being acquired and, within minutes, purchased options in a similar company. The stock price of this other company increased after the acquisition announcement, and Panuwat earned $107,066 by exercising his stock options.

For investment advisers with access to inside information, this case now provides a precedent for a broader view of the materiality of non-public inside information.  Firms may want to consider whether material non-public information about one company might be material to another, especially where there is a “market connection” between the companies. It is important to note, however, that the SEC’s winning argument relied on the broad insider trading policy at Panuwat’s company, which prohibited trading the securities of other publicly traded companies based on MNPI learned through his employment and a confidentiality agreement Panuwat breached by using his company’s information for personal gain.

Panuwat is expected to appeal this verdict. In the meantime, it is still not clear how to determine a “market connection” between companies for insider trading purposes. In this case, Panuwat knew that his company’s acquisition would probably affect the second company’s stock price because of his involvement in the analysis of the prospective sale. Different facts could have affected the outcome.

In any event, advisers should be aware that courts are willing to accept broader theories of liability in insider trading cases. They should consider this more expansive view of MNPI when developing restricted lists, especially with companies in smaller market sectors. Finally, advisers should consider training their employees on the regulatory risks of shadow trading.

SEC³ provides links to other publicly available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance. The information in this e-newsletter is for general guidance only. It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.

Photo by Julia Kicova on Unsplash