Mirabella's Response to the FCA's review of principal firms in the investment sector

In 2017, the FCA conducted a review of principal firms in the investment management sector. This was designed to look at how principal firms in the investment management sector understood and complied with their regulatory responsibilities in respect of their appointed representatives (ARs).

This review enabled the FCA to enhance its knowledge of the industry and it then acted quickly and effectively to deal with the contraventions which it found. This was a positive move for the industry, with any short-term concerns or negative perceptions allayed by the realisation that the FCA is cleaning up the industry for everyone, and competent providers have nothing to fear.

Earlier this week, the FCA published the findings. Although the review does not contain any surprises, its value is in its summary of the FCA's concerns and of the infractions it found. The accompanying Dear CEO letter acts as a useful guide for anyone wishing to operate in the hosting industry and will likely form the basis for future FCA reviews.

We welcome the focus on governance, which fits well with the FCA's stated intention to focus on the culture of compliance in the financial services industry. We would also encourage interested parties to review the FCA's summary directly, as some media reports have dramatised its findings and exaggerated its conclusions. Some press reports would suggest that the FCA found all firms in this space to be failing to maintain adequate standards. This simply isn't true, particularly at principal firms like Mirabella that have always valued quality and compliance.

While there is no doubt that principal firms operating in this sector are solely responsible for their actions, we would highlight that ARs should better educate themselves about the industry and the FCA's requirements in this space. All too often a lack of guidance means that prospective ARs view hosting services as a commodity and so simply base their choice of provider on the cheapest price. It is important for ARs to recognise that a failure at their principal firm can have repercussions for their own activity. This review and the observations made by the FCA will help ARs to evaluate their choice of principal firm based on attributes such as quality and regulatory compliance and not just price. This will improve the industry overall.

The UK regulatory hosting industry attracts to London foreign firms which are looking to establish a regulated presence in Europe, by helping them to start under its oversight. This will continue regardless of the UK's relationship with the EU and is a service which is often envied by London's competitors. We believe that the FCA is aware of this and is not keen to lose this advantage.

Mirabella participated in this process, as did most of the industry, by responding to information requests and hosting a visit by the FCA's expert reviewers. At Mirabella, we found the process useful, productive and informative, and in mid-2018 we welcomed the FCA's follow-up observations and suggestions regarding our process and infrastructure. Shortly thereafter, we accepted the FCA's minor suggestions and implemented appropriate solutions, and this concluded the process.

Although the FCA is not looking to shut down regulatory hosting, it is looking to ensure that ARs are operating under the same regulations and obligations as all other firms. We look forward to continued dialogue with the FCA to improve our process and that of the overall industry.

SEC focus areas include cloud risk, cyber/tech controls, among others

The U.S. Securities and Exchange Commission (SEC) has commenced a series of cybersecurity examinations on registered investment advisers (RIAs).

As evidenced by a flurry of information request letters this week, the SEC is targeting Form ADV data related to cloud service providers with 24 requests focused on vendor diligence and oversight. The SEC is focusing on how RIAs are identifying and monitoring risks to ensure systems, data, and non-public client information are secured at third parties and the cloud service providers they use.

It is evident that the SEC is intent on understanding cyber concerns not only at RIAs, but in RIAs’ technology architecture and partners.

The current SEC sweep includes an information request list that differs from previous lists, including the cyber sweep that commenced earlier this year. The SEC is requesting that RIAs provide the following key areas of information, among others:

  • Vendor contracting and vendor due diligence reviews
  • Policies and procedures as they align to technology standards (e.g., NIST, COBIT)
  • Cloud service provider:
    • Business and risk assessments
    • Jurisdictions
    • Classifications
    • Books and records exposure
    • Data loss prevention
    • Data encryption
    • Identity and access management
  • Comprehensive egress/ingress inventories (public domain and partners)
  • Master Services Agreement (MSA), Operational Level Agreement (OLA), and Service Level Agreement (SLA) documentation for each service provider

ACA Aponix Guidance

No RIA, big or small, is exempt from the SEC's focus on cybersecurity. Now is the time for firms to enrich their cyber compliance programs.

While very targeted, the current examination sweep does not exclude previous cyber focus areas. Governance, access controls, data loss prevention, vendor management, cyber training, and incident response are all still in focus; perhaps even more so considering these areas are in scope at an adviser's connected partners. Private equity (PE) firms remain under additional scrutiny in how they oversee cyber concerns at their portfolio companies.

It is plausible that the SEC is using advanced analytics to determine vendor concentration risk across the RIA community and to understand how that is being addressed by individual RIAs. Not all Schedule D vendors were included in the request for diligence documentation: it was focused on providers that are likely servicing a significant number of RIAs.

Firms should ensure that they have documented initial and ongoing diligence on cloud providers in Section 1.L of Schedule D on Form ADV Part 1A.

ACA clients who have received this request should reach out to their ACA contact for guidance in responding to the SEC.

How ACA Aponix Can Help

ACA Aponix provides guidance to RIAs on their cyber compliance programs in order to help them comply with SEC requirements and protect their assets and investors. With former SEC regulators, CISOs, CIOs, CTOs, and other executive-level consultants on our team, we are well positioned to provide the following cyber solutions to RIAs:

Given the SEC's focus on vendor oversight, ACA's vendor management services and Office 365 security assessments are particularly appropriate means of helping address how your firm would respond to a request similar to the ones just issued.

ACA Aponix Regulatory Cyber Resources

The following ACA resources are available to help your firm prepare for an SEC examination:

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.