Viewpoints

Compliance concerns amidst industry, regulatory change

September 14, 2017

By Gwendolyn Williamson, Perkins Coie LLP

Even under ordinary circumstances, a mutual fund board’s compliance oversight function is complex. In the current regulatory environment, the task is even more multi-faceted than usual. While endeavoring to ensure that existing compliance policies and procedures are properly adhered to, today’s boards also must keep an eye on how fund service providers are working—in the face of ongoing outflows and downward fee pressure—to comply with new regulations that may or may not become effective in their present form. Boards also must try to keep up with ever-evolving technology and related security concerns and prod their fund service providers to do the same.

 

The following provides a high-level overview of some of the pending regulations and other compliance issues that fund boards should be sure to devote attention to during coming months.

 

Fund Reporting Modernization

In October 2016, the SEC adopted rule amendments that will, in sum, starting on June 1, 2018, require funds to:

 

  • Make monthly filings on Form N-PORT (which replaces Form N-Q) and annual filings on Form N-CEN (which replaces Form N-SAR);
  • In compliance with new Rule 22e-4 under the 1940 Act, adopt a written liquidity risk management program, appoint a liquidity risk manager, and develop board reporting;
  • Confidentially file Form N-LIQUID when a fund’s level of illiquid assets exceeds 15% of its net assets or when its highly liquid assets drop below an established floor;
  • Produce financial statements that comply with amendments to Regulation S-X regarding derivatives usage and investments in and advances to affiliates; and
  • Comply with related disclosure requirements included in changes to Form N-1A (which governs fund prospectuses) and Form N-CSR (which covers shareholder reports).

 

N-PORT and N-CEN

Preparing Forms N-PORT and N-CEN will require fund complexes to organize massive amounts of data and augment their IT systems. The compliance burden is a substantial one. Form N-PORT requires detailed disclosure regarding, among other things:

 

  • portfolio holdings and pricing;
  • securities lending;
  • net gains and losses;
  • risk metrics;
  • returns and flows;
  • liquidity;
  • fair value measurements; and
  • derivatives contracts, repurchase agreements and restricted and other securities.

 

The disclosure on Form N-PORT generally will be treated confidentially by the SEC, except that some data will be made public at the end of each quarter on a 60-day lag.

 

Form N-CEN, named such because the SEC views it as a census-like report, requires disclosure regarding, among other things: 

 

  • the identity of the fund and its trustees, CCO, independent auditors, and affiliated service providers; 
  • compliance and risk matters;
  • NAV corrections;
  • securities lending collateral and fees; and
  • borrowings.

 

Many funds already will have available much, if not all, of the data called for by the new forms. But compiling it to feed into newly built systems, and testing those systems prior to initial live filings, will be no small lift, and stands to introduce a variety of possible risks. In July, the Investment Company Institute submitted a letter to the SEC detailing its concerns about the reporting modernization rules and suggesting, among other things, that the SEC (1) delay the Form N-PORT/N-CEN June 1, 2018, compliance date by at least six months and (2) move from a monthly to a quarterly N-PORT filing requirement at least until the SEC implements “aggressive measures to protect Form N-PORT data, including independent third-party testing and verification of its information security programs.” It is also noteworthy that SEC staff have emphasized the role they expect “big data,” such as that to be collected from fund filings, to play in investigative, enforcement, and other regulatory activities.

 

Boards should work to understand the progress their funds’ service providers have made with Form N-PORT and N-CEN reporting and discuss any concerns about staffing and other resources or amassing and mapping the data on their IT systems and transmitting it securely to the SEC. Service providers should be able to report on how the new requirements will fold into their existing governance, compliance, IT, and oversight structure and what controls testing will be done once the compliance date is upon them.

 

Liquidity Risk Management and Form N-LIQUID

Beginning Dec. 1, 2018, mutual funds must have in place a board-approved liquidity risk manager and board-approved written policies and procedures that, in sum, (1) classify the liquidity of portfolio holdings as illiquid or highly, moderately, or less liquid, (2) set a highly liquid investment minimum, and (3) provide for annual reporting to, and annual review by, the board. Funds also will be required to notify the SEC on Form N-LIQUID if their portfolio liquidity falls below that minimum for seven days or more. The liquidity risk management program must: be reasonably designed to assess and manage the risk that a fund could not meet redemption requests without significantly diluting remaining shareholders; prevent the fund from exceeding the statutory 15% limit on illiquid investments; and call for assessment, management, and review of fund liquidity risk.

 

The ICI and the Securities Industry and Financial Markets Association have made significant suggestions to the SEC regarding the liquidity risk management rules. Citing the substantial costs and difficulties of readying IT systems and controls, the ICI asks the SEC to quickly “re-examine the rule’s asset classification, or ‘bucketing,’ requirement via a request for additional comments that incorporates a delay” until such re-examination is complete. The ICI worries that once implemented, it is possible that “the liquidity classifications [various fund] systems generate for a given security either will differ (in which case the classifications will be subject to second-guessing, and potentially confuse regulators and the public) or be largely identical (creating the potential for crowded trades and herding).” 

 

The ICI also notes that liquidity buckets will be inherently limited, subjective, and forward-looking and may not fully be understood by the investing public or regulators. In place of a uniform classification system, the ICI recommends that funds be permitted to draw unique parameters for their liquidity risk management programs. Similarly, in a January 2016 letter, the Asset Management Group of SIFMA urged that the rule should be “flexible enough to allow funds with effective liquidity risk management programs in place to continue to use and build on them, while requiring funds with less robust practices to develop and adopt programs that benefit from the experience and examples set by…industry leaders.”

 

Whether the liquidity risk management and fund reporting modernization rules will be revised, as requested by the ICI, SIFMA, or otherwise, remains to be seen. Like the Department of Labor fiduciary rule discussed below, the ultimate fate of the liquidity risk management requirements is unknown in the ambiguous regulatory space of the current presidential administration. Still, boards should know what fund service providers are doing to prepare for their implementation and whether they anticipate being ready in time for the current compliance dates. Boards also should talk with their fund advisers to understand any implications of the liquidity risk management rule on fund portfolio management and strategy disclosure.

 

Cybersecurity

Boards should be sure to read the most recent risk alert on cybersecurity from the SEC’s Office of Compliance and Investigations and evaluate the policies and procedures of their funds and advisers vis-à-vis the guidance. The risk alert was issued after the SEC’s second sweep examination of the asset management industry’s cybersecurity practices, and noted significant deficiencies identified by the staff. Those shortcomings include:

 

  • overly vague and general policies “not reasonably tailored” to fund and adviser operations and lacking in specific implementing procedures;
  • actual practices that deviated from written policies and procedures;
  • use of legacy operating systems incapable of supporting new security patches;
  • failure to promptly install software patches and remediate high-risk findings from network penetration tests; and
  • non-compliance with Regulation S-P.

 

The cybersecurity risk alert also laid out in relatively deep detail the specific elements that the OCIE staff believes should be part of a “robust” set of cybersecurity controls. In sum, these include:

 

  • maintenance of an inventory of data, information, and third-party vendors/service providers and a classification of the risks, vulnerabilities, data, business consequences and information regarding each such vendor/service provider;
  • regular penetration tests appropriate to review the effectiveness of the testing and security solutions;
  • security monitoring and system auditing covering testing methodologies;
  • tracking of network access rights, including in connection with employee hiring, termination and transfer;
  • reporting procedures that entail specific action plans and escalation protocols;
  • maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
  • enforced controls to access data and systems, including with respect to firm networks and equipment, mobile devices, and access logs from third-party vendors; and
  • mandatory employee training and engaged senior management.

 

The risk alert came on the heels of OCIE’s May 2017 alert regarding the WannaCry ransomware attack, which encouraged “broker-dealers and investment management firms…to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team…and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.”


Cybersecurity clearly continues to be a top concern of the SEC, generally, and was included on OCIE’s 2017 Examination Priorities list. Fund boards should reassess their cybersecurity programs against the risk alert in preparation for a potential OCIE cybersecurity examination.

 

The DOL Fiduciary Rule

The DOL fiduciary rule that was adopted in 2016 and went into partial effect on June 9, 2017, looms large over the mutual fund industry. It has been praised and criticized from many sides, the president has directed the DOL to review and potentially revoke it, and its future is far from certain. In June, the House of Representatives passed the Financial Creating Hope and Opportunity for Investors, Consumers and Entrepreneurs Act of 2017 (the CHOICE Act), which among other things, would repeal the DOL fiduciary rule and give the SEC jurisdiction over the future development of a fiduciary standard for investment advisers, broker-dealers and others currently subject to the rule. Also in June, SEC Chairman Jay Clayton requested public comment on a long list of topics related to the SEC’s storied consideration of a uniform fiduciary standard. Noting the desire expressed by DOL Secretary Alexander Acosta for the SEC and the DOL to “engage constructively” in pursuit of appropriate “standards of conduct applicable to investment advisers and broker-dealers when they provide investment advice to retail investors,” Clayton invited input on a wide range of issues and asked for “specific suggestions for any potential action” as well as “data and other information that may inform the Commission’s analysis.”

 

Since then, Clayton has expressed publicly that he views the fiduciary standard as a top priority for the SEC. And in late August, the DOL obtained approval from the White House Office of Management and Budget to extend the full compliance deadline for the rule to July 1, 2019, an additional 18 months beyond the previously articulated Jan. 1, 2018, compliance date. The DOL is expected to publish its proposal in the Federal Register for comment shortly. While the CHOICE Act likely will face an uphill battle in the Senate, it adds an additional layer of doubt about the rule’s future. Any rulemaking by the SEC would of course also have a substantial impact.

 

Many funds and their service providers were well-poised to comply with the rule’s original April 2017 compliance date, but fund boards should nonetheless engage fund service providers to keep abreast of how their complexes are responding to developments involving the rule, and how they might respond if the rule disappeared.

 

Boards also should seek to understand any collateral effects, including conflicts of interest arising from the migration of shareholder assets to “clean,” class “T,” or other new or modified share classes offered in anticipation of the DOL rule’s implementation. As the ICI stated in an Aug. 7, 2017, letter, no one share class established in the wake of the DOL fiduciary rule “will be optimal for all investors. There are many situations where any given investor could derive benefits more responsive to his or her individual preferences and circumstances with other share classes in use today.” Fund advisers and their affiliates could have financial incentives, outside the fund expense ratio, for selecting and recommending fund share classes that conflict with their obligation to act in fund investors’ best interests. Boards should consult with fund service providers to understand how advisers’ written policies and procedures have been updated, if at all, to mitigate potential conflicts of interest related to new and/or modified share class offerings related to the DOL fiduciary rule.

 

In addition, boards should inquire how fund service providers are responding to income lost as investors shift to “clean” and other lower-cost share classes and alternative, cheaper investment products such as ETFs. To the extent that service providers seek to recoup their losses through increased fund-level expenses, such as advisory or administration fees, at a minimum boards will need to ask whether such increases are justified by enhanced or additional services. Boards also should consider how any cost-cutting measures taken by fund service providers could impact the quality of compliance and other services provided. Anecdotal and some hard evidence shows that many fund CCOs are operating with fewer resources than in previous years. Whether in connection with the CCO’s annual Rule 38a-1 compliance review or otherwise, boards should seek to understand how fund service providers plan to continue administering robust compliance programs in the face of dwindling revenue. They should be alert for increased compliance violations, and should pay close attention to how any requested sub-transfer agency or sub-accounting fee changes implicate the January 2016 “distribution in guise” guidance from the SEC’s Division of Investment Management.  

 

Working through the regulatory matters and service providers’ response to them will not be simple within the air of ambiguity that has arisen in the current presidential administration. Boards should take their time and work diligently with counsel to assess the impact of the SEC rules and guidance on funds and their service providers. Boards need to be sure that their fund and service provider policies and practices in all of these areas are up to snuff, and that controls are in place to ensure proper compliance once the rules become effective, in whatever final form.


Gwendolyn Williamson is a partner with Perkins Coie LLP’s Investment Management group within the firm's Corporate practice. She concentrates her practice on representing investment advisers and family offices, as well as investment companies and business development companies and their boards of directors.