Hot Topics for Investment Managers: Compliance & Technology Directives for 2012
Agenda
Form PF: What You Need to Know
Maintaining an Effective Compliance Program
Technology Must-Haves
– Message Archiving
– Email Security
– Mobile Device Management
Nothing herein should be construed as legal advice or as a legal opinion for any particular situation. Information is provided for general guidance and should not be substituted for formal legal advice from an experienced securities attorney.
Sections of Form PF
• Section 1: All Filers ($150M in RAUM)
• Section 2: Large Hedge Fund Managers ($1.5B in RAUM)
• Section 3: Large Liquidity Fund Managers ($1B in RAUM)
• Section 4: Large Private Equity Managers ($2B in RAUM)
Filing Deadlines
• 7/15/12 – Liquidity Fund Managers with ≥ $5B
• 8/29/12 - Hedge Fund Managers with ≥ $5B
• 1/15/13 - Liquidity Fund Managers with $1B to $5B
• 3/1/13 – Hedge Fund Managers with $1.5B to $5B
• 4/30/13 – All other filers
Filing Frequency
• Large Hedge Fund & Liquidity Fund Managers: Quarterly
• All Others: Annually
IT Challenges Posed by Form PF
• Data from internal and external systems
• Internal methodologies allowed, but strive for consistency and disclose assumptions
• Desire for a scalable process (maybe next time)
Form PF Recommendations
• Prepare a test filing
• Assign each question to the subject matter expert
• Coordinate with vendors early and often
• Document assumptions
Maintaining an Effective Compliance Program
Integration of IT and Compliance
• To the extent that firms don’t have strong IT resources supporting their compliance program in areas such as risk assessment, surveillance and testing, that can be a real challenge to effectiveness. In today’s market environment, if you have a compliance program that’s not using technology in sophisticated ways to do monitoring, testing and surveillance, then you’re probably behind the 8-ball. Generally, we’re getting pretty good at working with different data formats and developing tools that can help us take the data and perform effective analysis.
– Carlo di Florio, Director of the SEC’s Office of Compliance Inspections and Examinations
Integration of IT and Compliance
We’re going to be doing it, so I suggest you do it as well.
– Norm Champ, Deputy Director of the SEC’s Office of Compliance Inspections and Examinations, discussing email surveillance
Common Email Review Focus Areas
• Correspondence with competitors
• Messages sent with attachments to personal accounts (Hotmail, Gmail, AOL)
• References to restricted list entries
• Outbound messages referencing names subject to confis
• References to known conflicts of interest
• Correspondence with government email addresses
• Political contributions
• Gifts and entertainment (conflicts of interest and FCPA)
Documenting Email Reviews
• Scope
• Risk areas and associated search terms
• Number of hits per search term
• Number of emails opened per search term
• Findings and responses
– Decide in advance how to respond to findings that appear to be especially serious. Consider escalating directly to outside counsel.
– Word spreads quickly. Discussing questionable emails with employees will lead to changes in email behavior throughout the firm.
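The focus areas and documentation fields above can be turned into a repeatable search over an archive export. The following Python script is an added example written for this page; it is not Eze Castle Integration's or any vendor's code. The sample messages, the restricted-list name (ACME), the competitor domain, the webmail list and the search terms are all constructed assumptions. It records, per risk area and search term, which messages hit, which is the "hits per search term" figure the review file is supposed to document.

```python
import re

# Constructed sample messages (not real correspondence). Each entry mimics the
# fields an archive export would give a reviewer.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "trader@firm.example", "to": ["pm@firm.example"],
     "subject": "ACME position", "body": "Adding to ACME ahead of the call.", "attachments": []},
    {"id": 2, "from": "analyst@firm.example", "to": ["analyst.home@gmail.com"],
     "subject": "model", "body": "Sending the model home for the weekend.", "attachments": ["acme_model.xlsx"]},
    {"id": 3, "from": "trader@firm.example", "to": ["desk@rivalfund.example"],
     "subject": "lunch", "body": "Lunch Friday? My treat, tickets to the game after.", "attachments": []},
    {"id": 4, "from": "ops@firm.example", "to": ["clerk@treasury.state.example.gov"],
     "subject": "filing", "body": "Attached contribution receipt for Senator Example's campaign.", "attachments": ["receipt.pdf"]},
    {"id": 5, "from": "pm@firm.example", "to": ["trader@firm.example"],
     "subject": "re: lunch", "body": "No problem.", "attachments": []},
]

# Risk areas from the slide, each with the search terms a reviewer would document.
# The restricted-list name, competitor domain and webmail list are assumptions for
# this example; a real review would load them from the compliance system.
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "aol.com", "yahoo.com"}
COMPETITOR_DOMAINS = {"rivalfund.example"}
RISK_AREAS = {
    "restricted list": [r"\bACME\b"],
    "gifts and entertainment": [r"\btickets?\b", r"\blunch\b", r"\bmy treat\b"],
    "political contributions": [r"\bcontribution\b", r"\bcampaign\b", r"\bsenator\b"],
}


def domain(addr):
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def review(messages, risk_areas=RISK_AREAS):
    """Return {risk area: {search term: set of message ids}}.

    Keyword areas are regex searches over subject and body (case-insensitive).
    The three recipient-based checks from the slide (attachments to personal
    webmail, competitor correspondence, government addresses) are keyed on the
    pseudo-term "recipient domain" so they appear in the same report."""
    hits = {area: {term: set() for term in terms} for area, terms in risk_areas.items()}
    hits["personal account w/ attachment"] = {"recipient domain": set()}
    hits["competitor correspondence"] = {"recipient domain": set()}
    hits["government correspondence"] = {"recipient domain": set()}
    for m in messages:
        text = f"{m['subject']}\n{m['body']}"
        for area, terms in risk_areas.items():
            for term in terms:
                if re.search(term, text, re.IGNORECASE):
                    hits[area][term].add(m["id"])
        domains = {domain(a) for a in m["to"]}
        if m["attachments"] and domains & PERSONAL_WEBMAIL:
            hits["personal account w/ attachment"]["recipient domain"].add(m["id"])
        if domains & COMPETITOR_DOMAINS:
            hits["competitor correspondence"]["recipient domain"].add(m["id"])
        if any(d.endswith(".gov") for d in domains):
            hits["government correspondence"]["recipient domain"].add(m["id"])
    return hits


def summary(hits):
    """Flatten to the rows the slide asks reviewers to document:
    (risk area, search term, number of hits). The number of emails actually
    opened per term is a manual count the reviewer adds to this table."""
    return [(area, term, len(ids)) for area, terms in hits.items() for term, ids in terms.items()]


if __name__ == "__main__":
    for area, term, n in summary(review(SAMPLE_MESSAGES)):
        print(f"{area:32} {term:20} hits={n}")
```

Keeping the message ids per term (not just the count) is what lets the review file show which emails were opened and what the finding was; the terms themselves should be versioned alongside the documented scope so that a later examiner can reproduce the hit counts.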
Record Retention
• Electronic record retention welcomed
– Readily accessible
– Separately backed up
– Be prepared to produce in electronic or paper format
• Little flexibility in recordkeeping obligations
– Rule 204-2
– Typically a 5 to 6 year retention period
– Most advisers keep all electronic communications
• Apple Messages (iMessage) are a problem for capture and retention
Technology Must-Haves for Investment Managers
Message Archiving
SEC requires advisers to retain all internal and external electronic business communications
Tape backup by itself is not adequate!
Know the regulations & sound practices for archiving
All electronic messages must be captured and retained.
Message Archiving
Rule 204-2: Retain all internal and external electronic business communications
Requirements and solutions:
• Retain accurate records – archive all electronic messages for up to 7 years
• Electronic media – WORM format with off-site backup
• Index & retrieval – messages are indexed for easy & fast retrieval
Rule 206(4)-7: Adopt written compliance policies & procedures
Requirements and solutions:
• Prevent & detect violations – internal supervisory compliance controls
• Annual review – robust reporting to facilitate annual reviews
Message archiving technology can simplify record retention & compliance reporting.
Message Archiving
Some questions to ask your solutions provider...
Will my data be stored on dedicated or shared storage?
Is WORM storage used to ensure data integrity?
Are all messages searchable from a single search command?
How is user access to data controlled?
Do you archive messages from all devices?
Do you provide 24x7 support and/or in-house legal support?
Email Security
Email Security helps comply with data privacy regulations.
Regulations:
Gramm-Leach-Bliley Act of 1999 (GLBA) – Section 501(b):
– Protect non-public personal information
MA 201 CMR 17 (Massachusetts):
– Protect personally identifiable information (PII)
Common sense:
Firm's reputation is at risk the moment customer privacy is violated.
Email Security Solutions
Email Security
Outbound Encryption
Spam Filtering
Anti-virus protection
Data Loss Prevention
A standard email security package goes a long way.
Ensure security of all outgoing electronic communications!
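Of the four components above, data loss prevention and outbound encryption are where the policy decisions live. The following Python example is added for this page and is not taken from the deck or from any vendor product. It shows an outbound DLP check: it looks for two of the identifiers MA 201 CMR 17 is concerned with (Social Security numbers and payment card numbers, with a Luhn check so that order numbers and other digit strings do not trigger it), then applies an assumed policy: allow internal or PII-free mail, encrypt external mail carrying PII, and block PII addressed to personal webmail. The firm domain, webmail list, sample messages and the policy itself are constructed assumptions.

```python
import re

# Assumed firm domain and personal-webmail list for the example.
INTERNAL_DOMAIN = "firm.example"
PERSONAL_WEBMAIL = {"gmail.com", "hotmail.com", "aol.com", "yahoo.com"}

# SSN: AAA-GG-SSSS, excluding area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Candidate card number: 13-19 digits with optional spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed outbound messages (not real correspondence).
SAMPLE_OUTBOUND = [
    {"to": ["pm@firm.example"], "subject": "KYC",
     "body": "Client SSN 123-45-6789 confirmed with the custodian."},
    {"to": ["onboarding@clientbank.example"], "subject": "account opening",
     "body": "Per your request, SSN 123-45-6789 for the new account."},
    {"to": ["analyst.home@gmail.com"], "subject": "expenses",
     "body": "Use card 4111 1111 1111 1111 exp 12/14 for the booking."},
    {"to": ["vendor@supplier.example"], "subject": "order",
     "body": "Order 1234 5678 9012 3456 shipped; phone 617-217-3000."},
]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def luhn_ok(digits):
    """Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return [(kind, matched_text)] for SSNs and Luhn-valid card numbers."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group(0).strip()))
    return findings


def decide(message):
    """Apply the assumed outbound policy and return (action, findings).

    allow   - no external recipient, or no PII found
    encrypt - PII going to an external business domain
    block   - PII going to any personal webmail address"""
    text = f"{message['subject']}\n{message['body']}"
    findings = find_pii(text)
    external = [a for a in message["to"] if domain(a) != INTERNAL_DOMAIN]
    if not external or not findings:
        return "allow", findings
    if any(domain(a) in PERSONAL_WEBMAIL for a in external):
        return "block", findings
    return "encrypt", findings


if __name__ == "__main__":
    for msg in SAMPLE_OUTBOUND:
        action, found = decide(msg)
        print(f"{action:8} to={msg['to']} pii={found}")
```

Attachments are where most real leakage happens, so a production filter feeds extracted attachment text through the same `find_pii` function; the policy table above is also the artifact to hand an examiner when asked how sensitive data is prevented from leaving the network.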
Email Security
Some questions to ask your solutions provider...
What level of encryption is used to protect my email?
How do I access an encrypted message?
Can I create specific email security policies?
How can I prevent sensitive data from leaving my network?
How do my virus-outbreak filters stay current?
How much system maintenance is required of me?
Mobile Device Management
What devices are accessing your network?
Are all the mobile apps safe to use?
Has anyone lost a phone recently?
Enterprise data is moving to smartphones & tablets!
Mobile Device Management (MDM)
MDM is essential for a comprehensive data protection strategy.
Convergence of work and personal devices...
Visibility into mobile devices...
– Context – match activity to location, time, and network
– Activity – user behavior patterns
– Content – identify & secure files on each phone
– Application – provision, configure, troubleshoot
– Device – track settings, status, inventory, policies, functions
Photo Source: MobileIron
Mobile Device Management (MDM)
Some questions to ask your solutions provider...
What mobile operating systems does your MDM solution support?
What asset management & inventory capability exists for managing devices on the network?
What remote administration functionality is available (for example, password enforcement)?
What reporting is available across operators, operating systems and locations?
Other Technology Considerations
Web Filtering – protection from malware delivered over the internet
Intrusion detection – detection of and alerting on attackers attempting to penetrate the network
Endpoint encryption – encryption of data at rest on laptops and all other devices
Eze Castle Integration Overview
Founded 1995
Headquarters: 260 Franklin Street, 12th Floor, Boston, Massachusetts, 02110
Additional Offices: Chicago, Dallas, Geneva, Hong Kong, London, Los Angeles, Minneapolis, New York City, San Francisco, Singapore and Stamford
Core Services
• Strategic IT Consulting
• Outsourced IT Solutions
• Professional Services
• Project & Technology Management
• Communications Solutions
• Network Design & Management
• Internet Service
• Private Cloud Services
• Business Continuity Planning
• Disaster Recovery
• Compliance Solutions
• Storage Solutions
• Colocation Services
• E-Mail & IM Archiving
260 Franklin Street, 12th floor Boston, MA 02110 Tel: 617-217-3000 www.eci.com