In this issue, we discuss, among other things, a risk alert issued by the SEC’s Division of Examinations on compliance examinations related to identity theft prevention under Regulation S-ID, and a recent enforcement action involving principal transactions and cross trades by an investment adviser.

Industry update

SEC Division of Examinations issues risk alert on observations from broker-dealer and investment adviser compliance examinations related to identity theft prevention under Regulation S-ID.

Introduction

On December 5, 2022, the Division of Examinations (Division) issued a risk alert to inform SEC-registered investment advisers (advisers) and broker-dealers about notable deficiencies in the policies, procedures and practices meant to implement identity theft prevention programs required under Regulation S-ID.

The Division noted that under Regulation S-ID, SEC-regulated entities that qualify as financial institutions and creditors under the Fair Credit Reporting Act and that offer or maintain covered accounts must establish programs designed to detect, prevent, and mitigate identity theft. The Division also noted that Regulation S-ID is likely to apply to most registered broker dealers, as well as registered investment companies that allow individuals to wire transfer or write checks, and advisers who can direct transfers from individual accounts to third parties based on the individual’s instructions or who act as agents on behalf of individuals.

Staff observations

The Division staff noted that the following were examples of the categories and types of deficiencies and weaknesses they observed.

  • Identification of covered accounts: Under Regulation S-ID, firms must initially identify and then consistently update their list of covered accounts that must be covered by their identity theft programs. The staff noted that there were failures at three levels of the identification process.
    • Failure to identify covered accounts. Firms did not conduct an initial assessment to determine if any of their accounts were “covered accounts.”
    • Failure to identify new and additional covered accounts. Some firms did conduct an initial assessment to identify covered accounts but failed to conduct periodic update assessments. Therefore, they failed to identify when new covered accounts needed to be covered by their program.
    • Failure to conduct risk assessments. Other firms were properly identifying and updating their lists of covered accounts but failed to conduct risk assessments to best develop controls to prevent threats.
  • Establishment of the program: The staff observed the following inadequacies with the establishment of firms’ identity theft programs.
    • Programs not tailored to the business. Firms established generic programs that were not specific to their business model. Staff noted two common ways this happened: template programs with fill-in-the-blanks and simple restatements of the requirements of the regulation.
    • Programs did not cover all required elements of Regulation S-ID. Some firms indicated to Division staff that the firm’s process for detecting, preventing and mitigating identity theft was contained in other policies and procedures that were not incorporated or referenced in the firm’s written identity theft program, and in many cases did not cover all of the required elements of Regulation S-ID.
  • Required elements of the program: The risk alert noted that Regulation S-ID programs must have sufficient procedures to detect and respond to threats of identity theft and be periodically updated to respond to changes in risk to both the customer and the institution. The staff highlighted several instances of inadequate programs.
    • Identification of red flags. Programs must have policies that identify “red flags,” which are patterns that indicate the possible existence of identity theft. Staff observed programs that: listed red flags unrelated to their covered accounts, failed to add red flags when they took over new accounts, or did not have any actual red flags identified.
    • Detect and respond to red flags. Staff noted that many firms’ programs failed to have any mechanism to respond to red flags once they were detected.
    • Periodic program updates. Staff observed programs that were not updated to reflect changes in risks in response to significant changes in the way customers accessed their accounts and to business reorganizations.
  • Administration of the program: The risk alert noted that Regulation S-ID programs must be properly administered by: 1) gaining approval from either a firm’s board of directors or designated senior management; 2) continued board or management involvement in oversight and administration of the program; 3) adequate staff training; and 4) maintaining appropriate oversight of service provider arrangements. The staff observed failures to comply with these steps.

Conclusion

The Division concluded by encouraging registered broker-dealers and investment advisers to review their practices, policies, and procedures with respect to their Regulation S-ID programs and to consider whether any improvements are necessary.

Remarks of SEC Commissioner Peirce “There’s a Fund for That” at FINRA’s Certified Regulatory and Compliance Professional Dinner

On November 15, 2022, SEC Commissioner Peirce delivered remarks at FINRA’s Certified Regulatory and Compliance Professional Dinner, emphasizing that funds are unique entities that are distinct from their investors, asset managers, and other funds in the same complex. She noted in particular that the fiduciary duty applicable to fund boards and advisers are owed to each fund in the fund complex, and that a fund adviser’s fiduciary duty does not run to the fund’s individual shareholders. Commissioner Peirce explained that while funds within the same fund complex may be sponsored by the same asset manager and share the same board of directors, their objectives and strategies may conflict with one another. She noted that a portfolio manager must carry out a fund’s objectives, irrespective of what other funds in the same complex are doing.

Commissioner Peirce suggested that funds’ interests are “too often” treated as being identical to the interests of their managers, shareholders, investors, or other funds in the same complex, and that the distinction can become confused in fund voting and engagement with fund portfolio companies.  Commissioner Peirce emphasized that the exercise (or non-exercise) of a fund’s vote with respect to matters at its portfolio companies should serve the interests of that fund, as opposed to the interests of the fund’s advisers or individual shareholders. Commissioner Peirce laid out a scenario in which an adviser may be tempted to vote a fund’s proxies in a way that serves its interests rather than the fund’s best interest: “When a fund’s adviser also manages or seeks to manage the retirement plan assets of a company whose securities are held by the fund … a fund’s adviser may have an incentive to support management recommendations to further its business interests.”

Commissioner Peirce noted that mandatory disclosure of a fund’s voting may help enable assessments of whether the fund’s votes match its objectives, but also noted that the costs of mandatory disclosure may outweigh its benefits for many funds.

Commissioner Peirce concluded by reiterating the importance of respecting funds’ status as distinct entities. “Smartphone users expect each app on their phone to stick to its stated function. They do not expect their find-me-the-closest-bakery app to record their daily steps or monitor their caloric intake by photographing the cupcakes and cookies they buy. Similarly, asset managers who work hard to be able to say ‘there’s a fund for that!’ should ensure that each fund sticks to its ‘that.’”

Litigation

SEC settles charges against investment adviser for automated principal transactions and cross trades

On November 21, 2022, the SEC issued an order (Order) instituting and settling administrative and cease-and-desist proceedings against Legal & General Investment Management America, Inc. (LGIMA) for allegedly effecting a number of principal transactions and cross trades through an automated system without obtaining requisite consents or making required disclosures.  The Order is a notable reminder of the importance of identifying the potential unintended consequences that may flow from automating a previously manual process, and ensuring that such automated processes are designed to comply with relevant law, rules, and policies.

Regulatory background

As outlined in the Order, section 206(3) of the Investment Advisers Act of 1940 (Advisers Act) prohibits “principal transactions,” transactions in which an adviser, acting as principal for its own account, knowingly sells a security to or purchases a security from a client, unless the adviser provides written disclosure to, and obtains consent from, affected clients.  Sections 17(a)(1) and 17(a)(2) of the Investment Company Act of 1940 (Investment Company Act) prohibit an affiliated person of a registered investment company (or an affiliated person of an affiliated person) from knowingly selling a security to, or purchasing a security from, the investment company unless the person obtains an exemptive order from the SEC.  Investment Company Act Rule 17a-7 exempts certain trades from this prohibition, subject to various requirements.  According to the Order, LGIMA’s policies provided that “LGIMA does not engage in principal trades,” and that all cross trades executed on behalf of an LGIMA-advised registered investment company would comply with Rule 17a-7.

LGIMA implements an automated program to identify and match cross trades

The Order explains that in May 2019, LGIMA replaced its prior manual system to match buy and sell orders across client accounts with an automated system, the “Efficient Netting Program.”  That program identified, matched, and aggregated buy and sell orders for the same equity security across advisory client accounts and advisory client accounts of affiliates.  LGIMA’s clients did not pay commissions on such trades, and, the Order notes, LGIMA reported that commission savings were the sole purpose of the automated system.  Because the Efficient Netting Program automatically identified, matched, and aggregated orders, it allegedly resulted in a significant increase in the amount of cross trading by LGIMA. 

The SEC alleges that during the relevant period of August 2017 through December 2020, LGIMA’s traders did not identify or distinguish LGIMA principal accounts or certain registered investment company accounts from other advisory client accounts when entering trades, and that the Efficient Netting Program did not identify or exclude such accounts from its processes.  As a consequence, the Order states that LGIMA effected 44,125 principal transactions without making the required client disclosures or obtaining the required client consent—all but four of those transactions allegedly occurred after implementation of the Efficient Netting Program.  According to the Order, LGIMA also effected 547 cross trades between LGIMA registered investment company accounts and other LGIMA clients who were affiliated persons, or affiliated persons of an affiliated person, of a registered investment company without obtaining an exemptive order or being able to rely on an exemptive rule.  Only one of these cross trades allegedly occurred before implementation of the Efficient Netting Program.

Because the Efficient Netting Program did not appear to exclude or identify principal trades or cross trades potentially subject to section 17(a)(1) or 17(a)(2), the SEC further alleges that LGIMA failed to adopt or implement policies and procedures reasonably designed to prevent these alleged violations.  While, as noted above, LGIMA’s policies stated that “LGIMA does not engage in principal trades,” and required compliance with Rule 17a-7, and further required that all cross trades be documented, approved by LGIMA’s compliance department, and monitored, these policies were not implemented in the Efficient Netting Program.  The SEC further alleges that LGIMA’s employees were not adequately trained on the regulatory requirements applicable to cross trades or principal trades. 

LGIMA identifies prohibited cross trading

The Order notes that LGIMA discovered that it had engaged in prohibited principal trades and cross trades, and “promptly” hired outside counsel and an economic consultant to review trading practices, self-reported to the SEC staff, and provided “detailed presentations, analyses, and responses” to staff questions.  LGIMA also stopped using the Efficient Netting Program, ceased all cross trading, and revised its policies and implemented additional training, and additional review and monitoring procedures.  LGIMA also disclosed these matters to its advisory clients. 

On account of the conduct described above, the SEC alleges that LGIMA violated sections 206(3) and 206(4) of the Advisers Act, caused violations of sections 17(a)(1) and 17(a)(2) of the Investment Company Act, and caused violations of Rule 38a-1 of the Investment Company Act.  LGIMA agreed to cease and desist from further violations, to be censured, and to pay a civil money penalty of $500,000.