When the SEC’s Division of Examinations (“Division”) publishes a Risk Alert, it expects Registered Investment Advisors (“RIAs”) to do more than just read the publication. The Division expects RIAs to take action, and at least one member of the National Society of Compliance Professionals (“NSCP”) got the message. The anonymous compliance professional articulated the steps his/her firm was taking in a post on NSCP’s Compliance Forum on May 10, 2022.
The compliance professional’s post referred to the Division’s April 26, 2022 Risk Alert, which provides investment advisors, investors, and other market participants with information regarding notable deficiencies that examiners have observed pertaining to Section 204A of the Investment Advisers Act of 1940 and Rule 204A-1 thereunder. Rule 204A-1, commonly known as the Code of Ethics Rule, requires both registered and unregistered investment advisors to establish, maintain, and enforce written policies and procedures that are reasonably designed to prevent the misuse of material non-public information (“MNPI”) by the RIA or any person associated with the firm. These policies and procedures must take the nature of the RIA’s business into consideration.
The person posting on NSCP’s Compliance Forum seemed shocked at how little reaction there was to the Risk Alert and said, “I am actually very surprised that no one has brought up the MNPI Risk Alert! A lot of interesting items that my firm is taking a look at and determining if we have adequate controls.”
One compliance professional’s response to the Division’s alternative data observations
The Risk Alert discussed examiners’ concerns about deficiencies related to alternative data. The term, “alternative data,” encompasses data from non-traditional sources. It includes many different types of information that are increasingly used in financial analysis. Alternative data extends beyond traditional financial statements, company filings, and press releases and does not necessarily contain MNPI. Alternative data is derived from numerous sources such as satellite and drone imagery of crop fields and retailers’ parking lots. The term includes analyses of aggregate credit card transactions, social media and internet search data, geolocation data from consumers’ mobile phones, and email data, which is obtained from apps and tools that consumers may utilize. Examiners observed instances where RIAs utilized alternative data but did not appear to adopt or implement reasonably designed written policies and procedures to address the potential risk of receiving and using MNPI.
These comments in the Risk Alert caused the compliance professional to ask, “Does your firm have an Alternative Data Policy/Procedure? My firm does not, but would sure love it if a fellow member would like to share one!” The commenter recognized that their firm needed to implement robust policies and procedures related to alternative data.
The Risk Alert noted that the advisors examined did not appear to document adequately or adhere consistently to diligence processes. Instead, they engaged in ad hoc and inconsistent diligence of alternative data service providers. In addition, advisors did not appear to have implemented policies and procedures regarding the evaluation of the terms, conditions, or legal obligations related to the collection or use of alternative data, including situations where advisors became aware of red flags related to its source.
For example, advisors did not apply their due diligence process consistently to all sources of alternative data. In addition, although certain advisors had an onboarding process for alternative data service providers, they did not have a system for determining when due diligence should be performed again based on the passage of time or changes in collection practices. Examiners also observed RIAs that could not demonstrate with books and records that their policies and procedures had been consistently implemented.
Concerns related to value-add investors
The commenter also expressed concern about the Risk Alert’s focus on value-add investors and asked, “Does your firm have a Value Add Personal Policy/Procedure? My firm currently does not but we are working on this first.” The compliance professional planned to add the identification of value-add investors to the firm’s client onboarding checklist and to update this information annually.
According to the Risk Alert, “value-add investor” refers to clients or fund investors who are corporate executives or financial professional investors possessing MNPI. Examiners encountered advisors that did not have or did not appear to implement adequate policies and procedures regarding investors who are more likely to possess MNPI, such as:
- Officers or directors at a public company;
- Principals or portfolio managers at asset management firms; and
- Investment bankers.
Certain RIAs did not have policies and procedures regarding MNPI risks posed by their value-add investors. Some RIAs maintained MNPI policies and procedures regarding value-add investors, but they did not correctly identify all of them. Furthermore, they did not track their relationships with potential sources of MNPI.
In addition to concerns regarding alternative data and value-add investors, examiners observed advisors that had not implemented adequate policies and procedures regarding their discussions with expert network consultants who may be related to publicly traded companies or have access to MNPI. The term “expert network” refers to a group of professionals who are paid for their specialized information and research services.
Conclusion
The Risk Alert had much more to say about the Code of Ethics Rule, as well as best practices. The commenter on Compliance Forum went further and encouraged fellow NSCP members to benchmark their practices in areas such as the monitoring of personal trading by the firm’s Chief Compliance Officer.
The NSCP commenter did exactly what the Division expects and is using the Risk Alert to evaluate and strengthen the firm’s supervisory and compliance systems. Other firms should follow the commenter’s lead whenever any Risk Alert is published. The Risk Alert is available at https://www.sec.gov/files/code-ethics-risk-alert.pdf.
For more information about this Risk Alert and how to respond to it, Amber Allen and Craig Watanabe will be publishing an article for the May edition of NSCP Currents entitled “Compliance Considerations for Alternative Data and Expert Networks.” The article will include a policies and procedures template and a due diligence questionnaire that can be used to vet vendors. Amber and Craig’s materials can also be used internally for firms that collect their own alternative data. Their article will be published at the end of May.
