2015 Investment Management Compliance Testing Survey
Lynne M. Carreiro, ACA Compliance Group
Sanjay Lamba, Investment Adviser Association
June 9, 2015
Presenters

Lynne M. Carreiro
Managing Director, ACA Compliance Group

Lynne has progressed to Managing Director at ACA, having joined the firm in 2005. She provides a wide variety of regulatory and compliance consulting services to clients. She advises both registered and unregistered clients with respect to the design, drafting and implementation of customized compliance programs. In addition, she performs mock SEC examinations, procedural reviews, forensic testing audits, and other customized services aimed at evaluating and improving compliance with the federal securities laws. Lynne also specializes in assisting advisers with international regulatory issues following her relocation to London. Lynne began her regulatory career in 2000 as a Securities Compliance Examiner with the Boston District Office of the Securities and Exchange Commission. Lynne graduated from Trinity College in Washington, DC in 1996, where she double majored in Political Science and International Relations. Lynne also attended Vermont Law School, where she interned with the Office of Enforcement of the Vermont State Securities Division. Lynne obtained her Juris Doctor from Vermont Law School in 2000.
Presenters

Sanjay Lamba
Assistant General Counsel, Investment Adviser Association

Sanjay has over 16 years of experience regarding all aspects of investment management law and regulation. Prior to joining the IAA in 2013, Sanjay worked at the SEC for 10 years, beginning his service in the rulemaking office of the Division of Investment Management before transferring to the Office of Chief Counsel (Legal Branch) in the Office of Compliance Inspections and Examinations in 2010. Sanjay started his career in private practice advising investment companies and investment advisers in securities-related matters. He received his B.S. degree in Finance from George Mason University in 1994 and his law degree from Boston University in 1997. He is a member of the bar in the Commonwealth of Virginia and the District of Columbia.
Survey Focus Areas

Business Continuity Planning
Alternative Investment Products
Oversight of Third Parties
E-mail Review and Testing
Trading Issues and Errors
Personal Trading/Code of Ethics
Enterprise Risk Management
Survey Focus Areas: Trend Updates

Cybersecurity
Social Media
Hot Compliance Topics
Notable Findings

Nearly 88% of respondents consider cybersecurity/privacy/identity theft the hottest compliance topic for 2015.
Increased use of technology: about 60% of firms use automated trade management systems and 41% have a front-end compliance system.
35% of advisers reported using third parties to conduct mock SEC examinations.
73% of firms indicated that their compliance testing has detected issues, none of which was deemed to be material. Of the 9% of firms responding that they detected material compliance issues, 23% indicated that the issues were in the area of advertising/marketing, 23% in books and records, and 23% in custody.
Focus on best execution: virtually all respondents are testing it, with fewer than 20% of firms having engaged a third party to review best execution.
Survey Demographics

Established firms (6-25 years in business) constituted 61% of respondents, with long-timers (more than 25 years) making up 29%.
Both small and large firms were represented, with 26% of respondents managing less than $1 billion and 30% of respondents managing more than $10 billion. The largest contingent was mid-size firms: 45% of respondents manage between $1 billion and $10 billion in assets, and 63% of respondents report 50 employees or fewer.
The primary services provided by our respondents span the full range:
58% private fund
58% institutional clients
54% high net worth individuals ($1mm or more)
41% ERISA assets/pension consultant
34% registered investment company
22% retail individuals ($1mm or less)
16% family office
Compliance Program: Personnel

94% of the firms responding have at least one employee dedicated full-time to the legal/compliance role.
42% of firms reported employing between 2 and 5 legal and/or compliance professionals; 20% reported that they employed more than 6.
63% of CCOs wear more than one hat.
65% of firms reported that the CCO is a senior executive.
In 64% of the firms responding, the CCO has a direct reporting line to the CEO or President.
Compliance Program: Mock Examinations

30% of firms do not and are not planning to conduct a mock examination.
19% do not conduct a mock examination, but are planning to.
15% conduct a mock examination internally.
3% have a parent company conduct a mock examination.
3% have outside counsel conduct a mock examination.

Respondent comments:
"CCO conducted cybersecurity SEC sweep exam using lengthy published SEC questionnaire."
"Our annual review is conducted similar to a mock exam."
"Each year we do a partial or limited mock exam - focusing on one or more areas."
"There was a mock SEC exam done in 2013 - not very useful; was scheduled to hold a mock SEC exam in early 2015 and was notified by the SEC that they would be conducting a 'real' exam - we instead utilized the services of the consultant for prepping senior management for the SEC exam (the company's first)."
Compliance Program: Best Practices

There are common threads in best practices regardless of the characteristics of the firm:
94% of firms provide a copy of the annual compliance review to senior management.
61% of firms prepare a lengthy report to document/evidence the annual review.
85% of CCOs or other compliance personnel attend various management committee meetings (e.g., best execution).
80% of CEOs/Presidents are informed immediately of any material compliance issues.
78% of CCOs meet periodically with the CEO/President of the firm to discuss compliance issues and initiatives.

Respondent comment:
"CCO meets at least quarterly with CFO, IT, IR/marketing, legal and is integrated into all firm processes."
Compliance Program: Testing

Firms reported increasing the amount of testing in the following areas (top 5 responses):
Cybersecurity/Privacy/Identity Theft (67.79%)
Advertising/Marketing (42.95%)
Personal Trading/Code of Ethics (34%)
Disaster Recovery Planning (34%)
Best Execution (32%)

When asked about areas of decreased testing, 80% of firms indicated that they have not decreased testing in any area. Of those firms that reported decreased testing, the top area was AML/OFAC at 4%.

Respondent comment:
"All testing is risk based."
Business Continuity Planning

97% of firms reported having a written business continuity plan.
39% of firms complete a full test annually; 25% complete a partial test annually and 19% test more often than annually.
Business Continuity Planning

[Chart: "Which of the following areas does your plan address?" Areas listed: Succession Planning, Transitioning Planning, Service Interruptions, Facility-Wide Outages, Natural Disasters, Terrorist Attack, Contagious Diseases, Other. Values shown on the chart: 92.0%, 97.2%, 87.6%, 33.8%, 46.9%, 35.2%, 4.7%, 3.1%.]
Alternative Investment Products: Perception vs. Reality?

[Chart: "Does your firm currently manage any liquid alternatives (i.e., 40 Act registered funds with an alternative strategy) or are you contemplating the management of one in the near future? (check all that apply)" Answer options: Yes, we are the investment adviser to a single liquid alternative fund; Yes, we are a subadviser to a single liquid alternative fund; Yes, we are the investment adviser to multiple liquid alternative funds; Yes, we are a subadviser to multiple liquid alternative funds; No, we do not currently manage a fund, but are considering launching one in the next 12 months; No.]

Strategies
80% invest in U.S. equities
62% in international equities
49% in publicly traded fixed income
41% in OTC derivatives
Less than 30% reported investing in bespoke derivatives, private investments, real assets, or other illiquid securities.

Target Audience
Retail investors 55%
Accredited investors 68%
Qualified purchasers 75%

92% of firms have adopted side-by-side management procedures.
Alternative Investment Products

Top 5 biggest compliance concerns or challenges in managing a liquid alternative fund:
Increased SEC examination focus (44%)
Quarterly compliance reporting to fund board (32%)
Conflicts of interest with other clients (31%)
Managing leverage (30%)
Adherence to the investment rules of the 40 Act (30%)

Respondent comment:
"Lack of understanding by regulators and clients/prospects of what liquid alternative means."

Top 5 changes made to the compliance program to accommodate the management of the 40 Act fund:
Adopted some additional policies and procedures (58%)
Obtained third-party compliance assistance (31%)
Created a stand-alone and/or supplemental compliance manual (26%)
Implemented automated compliance tools (23%)
Hired additional compliance personnel (22%)

81% of firms managing a liquid alternative fund have an automated trade order management system.
53% of firms manage the Rule 38a-1 compliance program and legal in-house.
40% of the advisers' CCOs are also the funds' CCOs.
Oversight of Third Parties

Answer options (all that apply)                                Response
Annual due diligence review.                                   39.2%
Onsite visits on a periodic basis.                             35.1%
Teleconferences on a periodic basis.                           27.6%
Annual attestations of compliance with the service agreement.  14.1%
Privacy policies.                                              37.6%
Confidentiality agreements.                                    53.1%
Exception reporting.                                           10.5%
Financial statements.                                          15.3%
References.                                                    28.9%
Background checks of key employees.                             5.0%
Review SSAE 16s where applicable.                              50.1%
We do not conduct any oversight of service providers.           6.2%
E-Mail Review and Testing: Electronic Communications

Who? 65% review electronic communications for all employees and 80% for at least some employees.
How? 55% use keyword search terms; 47% also randomly select.
When? 73% report reviewing on a set schedule; 12% on an ad hoc basis.
E-Mail Review and Testing: Electronic Communications

For what?
Unreported political contributions           47.5%
Non-approved marketing materials             66.8%
Insider trading                              75.9%
Non-approved personal trading                56.3%
Fraudulent activity                          69.3%
Violations of firm policies and procedures   86.2%
Unreported gifts and entertainment           57.8%
Inappropriate language and content           46.2%
Non-approved outside business activities     56.5%

Text messaging: 55% do not review; 49% prohibit for business.
Trading Issues and Errors

43% of firms review all trades prior to settlement; 32% post settlement.
Reallocations of bunched trades are reviewed by 28% of respondents.
34% of firms reported having an automated system for detecting trade issues.
51% periodically review policies and procedures against actual practice.
53% of firms have a dedicated committee to review trading practices.
31% test for trade issues daily.
Trading Issues and Errors

[Chart: "How are trade errors resolved?"]
Personal Trading/Code of Ethics

More than half of firms:
Have employed an automated solution to manage the reporting and review of personal trading by employees. (56%)
Consider all employees and directors to be Access Persons. (51%)
Permit employees to trade with any broker. (57%)
Require duplicate account statements sent from the broker. (59%)
Do not implement a holding period for personal securities transactions. (57%)
Permit access persons to trade in securities held in client accounts. (65%)
Maintain a restricted list. (75%)
Conduct testing on a quarterly basis. (55%)

Respondent comment:
"We do not define access persons but apply the Code of Ethics to all employees."
Personal Trading/Code of Ethics

How do you test personal trading?
We compare employees' pre-approval forms with their executed personal trades. (64%)
We compare employees' personal trading to client trading. (62%)
We compare information on employees' confirmations and account statements with employees' filed holdings and transaction reports. (62%)
We review the list of access persons and confirm that all new employees are aware of their reporting obligations. (58%)
We determine which access persons did not timely file their quarterly transaction reports and holdings reports. (55%)
We seek compliance certifications. (53%)

[Chart: "Do you implement a holding period for access persons' transactions?" Answer options: Yes, 30 days or less; Yes, 31-60 days; Yes, 61-90 days; No.]

How does your firm evidence testing of personal trading activity?
The reviewer initials personal trading statements and forms submitted in hard copy.
The reviewer prepares a written memo, report, or summary of the reviews conducted.
The third-party software application generates documentation to evidence reviews.
Other (please specify)

Respondent comments:
"Report to the Audit Committee"
"Monthly compliance committee report"
"Testing is conducted by a third party and a comparison report is provided for the compliance files."
"Daily trading documentation reviewed by CIO or CCO; any violations or questioned trades are reviewed and documented if an error or violation occurs"
Personal Trading/Code of Ethics: Managing Violations

74% Record on violations log.
71% Report violations to senior management.
67% Provide a written warning.
58% Implement discipline up to and including termination.
58% Issue verbal warnings.
47% Report to supervisors.
31% Report to Board.
30% Suspend personal trading permission.
29% Require disgorgement of profits to charity.
5% Implement fines.
2% Do not implement sanctions.
Enterprise Risk Management

Formal risk management program? 42% Yes; 55% No.
46% of firms responded that they prepare formal written reports of risk.
78% of firms reported that capital and operational risks are included in their quantitative methodology.
Over 70% of respondents stated that the risk function is involved in due diligence reviews for new products/services the firm is offering, and over 80% report the risk function being involved in other functional meetings.
Enterprise Risk Management

Please describe the audience, form, and frequency of your firm's written risk reports.

Respondent comments:
"Enterprise risks are reported quarterly to our holding company risk management committee. Generally this includes identification of the risk and steps being taken to mitigate them."
"Board, senior management, divisional risk councils. Monthly, quarterly and semiannually."
"Results of the quarterly compliance monitoring program are formalized in a report showing each test, finding and recommendation. Based on that our risk matrix is re-assessed. Results are presented by the CCO during the semi-annual board meeting which includes senior management."
"We have created an issue escalation system and an incident response committee that in turn reports up to the formal risk committee."
"Enterprise risk group coordinates semi-annual risk inventories with each functional group and prepares a written report of each meeting and a comprehensive roll-up report across the firm. This is made available to our Operations committee and senior management."
"Risks are provided by our Risk Management team to our Investment Committee and deal teams before an investment is decided upon. A risk assessment is provided for every deal, specific projects and investment themes."
"Weekly written reports are presented and reviewed with top level management."
Enterprise Risk Management

Please describe the audience, form, and frequency of oral risk reports, and who provides them.

Respondent comments:
"The written reports are presented verbally to the Compliance Oversight and Risk Committee and to the Board, at least quarterly."
"The Risk Committee and if necessary the Partner Group."
"Issues are discussed as part of an agenda item, the committee meets monthly, various members of the committee report on risks."
"Oral is a part of the regular ongoing dialogue involving senior management and certain committees."
"The CCO apprises the corporate BOD quarterly on risk matters, including presentation of the Risk Dashboard (High Level)."

2015 ACA Compliance Group, Investment Adviser Association, and OMAM
TREND UPDATE: Cybersecurity

43% of the firms reported having a formal, written cybersecurity program. 42% do not have a standalone policy, but have cybersecurity policies and procedures that are incorporated into other policies and procedures.
79% of respondents outsource at least a portion of their IT services.
15% of firms reported being a victim of a cybersecurity breach in the past 18 months; 9% did not know.
Cybersecurity (continued)

What are the potential gaps in cybersecurity programs?
67% of firms do not benchmark to a specific industry IT security/control framework.
39% of firms do not have a formal policy to conduct due diligence on how key vendors manage cybersecurity.
Cybersecurity

Which of the following are parts of your cybersecurity program?   Responses
External independent vulnerability reviews/penetration tests       48%
Documented incident response plan                                  55%
Informal incident response plan                                    26%
Protect remote access to systems                                   74%
Report on hacking attempts to senior management                    50%
Formal intrusion detection/prevention software                     69%
Monitor and block for malware and explicit content                 82%
Monitor and block restricted business content                      36%
Awareness training for employees                                   58%
Cybersecurity

How has your firm's approach towards investing in cybersecurity programs changed since January 1, 2014?

Respondent comments:
"We used the SEC questionnaire to review our computer systems, adopted a formal written cybersecurity program, established a schedule of annual external penetration testing by a third party service provider and increased the amount of cybersecurity training we do for employees."
"Management is more willing to spend resources on creating and maintaining a cybersecurity program in light of the SEC's heightened focus in this area."
"Heavy spend on technology and people."
"We are taking cyber-security far more seriously in light of the SEC's 2014 sweep and 2015 OCIE priorities. In addition, we were the victim of a sophisticated fraud that resulted in the unauthorized wire of client funds to an unknown third party despite security protocols that should have prevented it. Shortly following the SEC's cybersecurity risk alert, we experienced a cyber-breach. As a result of these two events, we engaged, at not insignificant cost, a large consulting firm to conduct an information security maturity assessment and to assist with implementation of certain recommendations. We also engaged a third party IT firm to perform ongoing network monitoring."
TREND UPDATE: Social Media

89% of firms have adopted formal written policies and procedures to govern the use of social media by employees, compared to 83% in 2013. Another 6% have informal policies.
47% prohibit the use of personal social networking websites for business purposes, compared to 49% in 2013.
70% test compliance with the firm's social media policy (compared to 63% in 2013). Social media testing is most commonly done annually (31%).
TREND UPDATE: Social Media

Types of social media activities that are permitted for business purposes.

Answer options           Response percent
LinkedIn for employees   49.0%
LinkedIn for the firm    28.9%
Twitter for employees    10.7%
Twitter for the firm     14.1%
Facebook for employees   12.5%
Facebook for the firm    10.4%
YouTube for employees     6.8%
YouTube for the firm      5.2%
Blogs for employees       5.5%
Blogs for the firm        7.3%
TREND UPDATE: Hot Compliance Topics

Topics                                  2012   2013   2014   2015
Custody                                 12%    20%    23%    18%
Cybersecurity/Privacy/Identity Theft    15%    14%    75%    88%
Advertising/Marketing                   26%    34%    27%    23%
Fraud Prevention                        11%    12%    13%    13%
Disaster Recovery                       X      X      16%    17%
FATCA                                   X      X      16%    12%

Other? Fee and Expense Allocations; Fiduciary Duty Debate
Survey Contact Information

Lynne M. Carreiro, Managing Director
ACA Compliance Group
11 Berkeley Street
Mayfair, London, W1J 8DS
+44 (0)20 7042 0500
lcarreiro@acacompliancegroup.com

Sanjay Lamba, Assistant General Counsel
Investment Adviser Association
1050 17th Street, NW, Suite 725
Washington, DC 20036
(202) 293-4222
sanjay.lamba@investmentadviser.org

Amy S. Yuter, Vice President/Senior Compliance Manager
OMAM
(610) 578-1387
ayuter@omam.com