Investment Management & Funds Regulatory Update - July 2023
In this issue, we discuss proposed rules relating to the use of predictive data analytics by investment advisers, and proposed reforms for investment advisers operating exclusively through the internet.
Rules and regulations
SEC proposes new requirements to address risks to investors from conflicts of interest associated with the use of predictive data analytics by investment advisers
On July 26, 2023, the Securities and Exchange Commission (SEC) proposed new rules and rule amendments under the Investment Advisers Act of 1940 (Advisers Act) to address certain conflicts of interest associated with the use of predictive data analytics by investment advisers in investor interactions that place the investment advisers’ interests ahead of investors’ interests.
The proposed rules aim to eliminate, or neutralize the effect of, certain conflicts of interests that generally exist when the technology that investment advisers use to guide, forecast, or direct investment behaviors or outcomes takes into consideration an interest of the firm or its associated persons. The SEC noted that unless adequately addressed, such conflicts of interests could cause investment advisers to place their interests ahead of investors’ interests, and that recently, the adoption and use of predictive data analytics technologies by investment advisers has accelerated. Such technologies often have the capacity to process data, scale outcomes exponentially, and evolve at rapid rates. The SEC noted its concern that if any such technology were to capture any unidentified conflicts of interest that put the interests of investment advisers before those of investors, the potentially harmful impact could be rapidly transmitted or scaled to cause harm to investors more broadly than before.
Scope and application of the proposed rule and amendments
The proposed rule would apply when, in connection with communicating with investors, advisers that are SEC registered or required to be SEC registered use or reasonably foreseeably may use analytical, technological or computational functions, algorithms, models, correlation matrices, or similar methods or processes that optimize for, predict, guide, forecast, or direct investment behaviors or outcomes of an investor (covered technologies).
The proposed rules and amendments would require investment advisers to:
- Evaluate any use or reasonably foreseeable potential use by the investment adviser or its associated persons of a covered technology in any investor interaction to identify any conflict of interest associated with that use;
- Determine whether any such conflict of interest places or results in placing the investment adviser’s or its associated person’s interest ahead of investors’ interests;
- Eliminate or neutralize the effect of any conflicts of interest that place the investment adviser’s or its associated person’s interest ahead of investors’ interests;
- Have written policies and procedures reasonably designed to prevent violations of the proposed rules if any investor interactions use covered technologies, including written descriptions of the processes for: evaluating any such use (or reasonably foreseeable potential use) of covered technologies; determining whether any such conflict of interest places or results in placing the investment adviser’s or its associated person’s interest ahead of investors’ interests; determining how to eliminate or neutralize the effect of any such conflicts of interests; and a review no less frequently than annually of the adequacy of the policies and procedures established pursuant to the proposed rule and the effectiveness of their implementation, and written documentation of such review; and
- Make and keep books and records related to the requirements of the proposed rule.
The public comment period will remain open for 60 days after publication in the Federal Register. If the proposed amendments are adopted, they would have a significant impact on the monitoring and recordkeeping obligations of SEC-registered advisers.
SEC proposes reforms relating to investment advisers operating exclusively through the internet
In a July 26, 2023 release (Proposing Release), the SEC proposed amendments to rule 203A-2(e) (the Internet Adviser Exemption) under the Advisers Act. The Internet Adviser Exemption allows certain investment advisers to register with the SEC, rather than with state securities authorities, if they meet certain conditions, including those relating to the investment adviser’s use of an interactive website to advise clients.
According to the Proposing Release, the proposed amendments are designed to modernize the Internet Adviser Exemption to reflect the evolution in technology and the investment adviser industry since the rule’s adoption in 2002 and to better align current practices in the investment adviser industry with Congress’s intended allocation of responsibility between the SEC and the states. In the Proposing Release, the SEC noted that there has been an uptick in the number of investment advisers relying exclusively on the Internet Adviser Exemption to register with the SEC. The SEC noted that based on Form ADV data, the number of investment advisers relying exclusively on the exemption has grown from approximately 107 investment advisers as of December 2015 to 256 investment advisers as of December 2022.
The proposal would require investment advisers relying on the Internet Adviser Exemption to at all times have an operational interactive website through which the investment adviser provides investment advisory services to one or more clients. The proposal would also eliminate the de minimis exception in the current rule, which currently permits an investment adviser relying on the exemption to have fewer than 15 non-internet clients in a 12-month period. As a result, an investment adviser relying on the exemption would be required to provide advice to all of its clients exclusively through an operational interactive website. Finally, the proposal would make certain corresponding changes to Form ADV. The SEC requested comments within 60 days after publication of the Proposing Release in the Federal Register.
SEC adopts rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies, including BDCs
On July 26, 2023, the SEC adopted amendments to require current disclosure about material cybersecurity incidents, as well as rules to require periodic disclosures of a registrant’s processes to assess, identify, and manage material cybersecurity risks, management’s role in assessing and managing material cybersecurity risks, and the board of directors’ oversight of cybersecurity risks. According to the adopting release, the new rules and amendments are intended to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.”
Under the amendments, registrants are required to determine the materiality of a cybersecurity incident without unreasonable delay and, if determined to be material, file new Form 8-K Item 1.05 generally within four business days of such determination. New Form 8-K Item 1.05 requires disclosure of a cybersecurity incident determined to be material, including a description of the material aspects of the nature, scope, and timing of such incident, as well as the material impact or reasonably likely material impact of such incident on the registrant, including its financial condition and results of operations. Disclosure on Form 8-K may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing. With respect to foreign private issuers, amendments to Form 6-K require foreign private issuers to provide information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders.
New Regulation S-K Item 106 requires registrants to disclose in their annual reports on Form 10-K (with similar requirements for foreign private issuers on Form 20-F) their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and to disclose whether any such risks, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Registrants are also required to describe oversight by the board of cybersecurity risks and management’s role and expertise in assessing and managing material cybersecurity risks.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register, with the new Form 10-K and Form 20-F disclosure requirements starting with annual reports for fiscal years ending on or after December 15, 2023. The amended Form 8-K and Form 6-K disclosures will be due starting on the later of 90 days after the date of publication in the Federal Register or December 18, 2023 (with an additional 180 days for smaller reporting companies).