Written by Allison Gill
Managing Director (US)
In a time of a very active SEC, it’s important to remember the basics. When it comes to compliance risk – investigate, mitigate, and educate.
Speaking with clients at our recent event in London, concerns seem to fall into two major, common themes: whether policies and procedures are adequate and sufficient to satisfy the SEC and staff, and whether employees fully understand firm policies and are comfortable reporting concerns. The event, in partnership with our friends at Katten Muchin Rosenman, focused on insider trading regulation in the US and UK and our guest speaker was Tom Hardin, aka TipperX. If you’re not familiar with Tom and his work, he was a fundamental witness during the US government’s insider trading crackdown in the mid-2000s, termed “Operation Perfect Hedge”. This was a year-long drama filled with many characters and stories that played out in a serial fashion, rivalling anything Netflix produces today. We had a great evening which led to some interesting and hopefully helpful conversations.
Investigate
For investment advisers, risk comes from many places. Asking the basic question, where could staff possibly obtain material nonpublic information (“MNPI”), is the foundation of a sound policy. Years ago, during the Operation Perfect Hedge era, an FBI agent speaking at an industry conference made it clear that firms should focus on the nonpublic element of information. “We can make anything material” was the warning. Very Billions-esque, ala Paul Giamatti’s character Chuck Rhoades, but a fine starting point for a firm’s MNPI risk assessment.
In the June 2020 Risk Alert, “Observations from Examinations of Investment Advisers Managing Private Funds,” the Division of Examinations (the “Division” and previously the Office of Compliance Inspections and Examinations or “OCIE”) focused on policy elements of insider trading risk. The SEC found, as they often do, that private fund advisers failed to “establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of MNPI,” including failure to adequately address the issue of employees communicating with high-risk individuals such as public company insiders, expert network consultants, and value added investors.
In order to develop appropriate policies and procedures, a Chief Compliance Officer (“CCO”) needs to understand all sources of risk. This requires internal dialogue and assistance, and in the case of insider trading requires input from the investment team, including less experienced analysts. By including junior staff in these primary discussions, the firm is setting the groundwork not only for a comprehensive policy, but also for individual responsibility. The discussion should cover all avenues from where investment team members are getting information, e.g., research providers, or perhaps the firm is considering expanding its business into a new strategy that would require additional measures, such as an information barrier.
In the April 2022 Risk Alert, “Investment Adviser MNPI Compliance Issues,” the Division discussed advisers using alternative data, without addressing the potential heightened risk of receiving MNPI in their policies and procedures. This was echoed in the Division’s 2023 Examination Priorities. The release highlights due diligence on new providers – or lack thereof. Documented due diligence is extremely important before a new provider is engaged and advisers were missing this basic step of the onboarding process. As Tom notes, “Not all alternative data vendors have the necessary policies and procedures to safely do business with hedge funds. Smaller investment firms, in particular, may inadvertently expose themselves to insider trading risks if they lack proper policies and procedures.” Proper initial review would take care of this very basic concern.
The SEC also observed inconsistent application of stated policies, a lack of ongoing due diligence, and no stated process on how advisers should handle red flags from the sources of this data. Staff need to understand the red flags in relation to MNPI and feel comfortable reporting any concerns. While there is no expectation for compliance to monitor staff behavior at all times, a CCO can implement a compliance program that addresses firm risks and conflicts in a manner that encourages the firm’s fiduciary duty to always be front of mind.
Mitigate
Having robust policies (*apparently “robust” is the new “unique” in marketing, so beware) is only the starting point. Without proper implementation, controls, and review, a firm can’t claim to be mitigating the risk.
The June 2020 Alert makes clear that while certain advisers had adequate policies in place, they failed in their review and enforcement of these policies, such as trading restrictions as documented on the Restricted List, firm gifts and entertainment obligations and standard Code of Ethics pre-clearance and reporting requirements for all access persons. The April 2022 Alert discusses the lack of proper implementation. It was found that advisers did not apply their due diligence process consistently to all sources of alternative data and lacked systems for determining when additional due diligence was needed.
The SEC’s message in this area has been consistent and at times repetitive. Over the past decade, we have seen a focus on political intelligence firms, value added investors (now alternative data providers), and in a throwback to 2011, expert network concerns reappear in the April 2022 Alert. Full circle, and the same issues noted. Many firms are still not properly tracking and logging calls with experts, reviewing call notes, or analyzing the trading activity of supervised persons involved in the calls.
A common industry mantra, it is believed that having a “culture of compliance” is necessary to have proper buy-in on the controls of a compliance program. Tom believes this needs to go further. “The term “culture of compliance” is often used with good intentions, but it can be misunderstood. It is not just about controls; it’s about knowing what to do when a control isn’t in place. Firms must foster an environment where ethical behavior is the norm, not the exception. Instead, I advocate for infusing a “culture of doing the right thing.”
Educate
More often than not, compliance officers are worried about staff. In the case of insider trading, do they know enough to recognize MNPI and are they always reporting it? Once policies are in place and believed to be adequate, a firm needs to educate.
Training comes in a variety of formats: in person presentation sessions, e-learning modules (yes, we do offer these, thanks for asking!), law firm led discussions, and the one I find most interesting – storytelling. This is why we brought Tom in for our clients. While understanding the definition of “tippee” is important and necessary, post-it note ingestion at a major NYC transit hub may be more memorable, see SEC v Eydleman and Metro. Hearing about how easily bad decisions can be made and where they lead is, in my opinion, most effective. Outside of the standard training, firms should consider which staff would benefit from additional time and conversation. New analysts immediately come to mind.
Training brings little benefit if staff are not comfortable asking questions or bringing concerns to management. Aside from insider trading prevention training, senior staff may benefit from leadership training. A firm requires a culture of openness, where staff feel comfortable discussing concerns, especially in relation to key risk areas. According to Tom, “Fostering a culture that encourages employees to speak up, is essential. Analysts should never make decisions in isolation as I did; they must feel comfortable seeking guidance when unsure about specific fact patterns.”
Back to the concerns voiced by certain compliance officers at our event. While we can’t ensure that staff always do the right thing, we can do our best to put them on the right path.
Click for more on our SEC Compliance services.