Over the past several years, the SEC, through examinations and enforcement actions, has made it clear that it expects registered investment advisers to undertake meaningful due diligence of their service providers.
In 2010 and 2011, a significant portion of advisers’ third-party due diligence efforts focused on reviewing expert network firms' policies and procedures, as well as vetting their controls. More recently, many advisers have shifted their due diligence attention to cybersecurity concerns, and concentrated their third-party reviews on vendors with access to advisers' confidential and proprietary information. Entities targeted for review include fund administrators, custodians, and information technology providers. In addition, hedge funds, quantitative investment firms, and other advisers have increased their use of research vendors that provide new forms of data and other non-traditional research.
In light of this trend, advisers should review their third-party due diligence efforts and consider whether they are adequately assessing their research providers.
In 2009, U.S. attorneys and SEC enforcement officials initiated a series of criminal prosecutions and enforcement actions against hedge fund managers that, the SEC alleged, traded on material nonpublic information (“MNPI”) obtained from expert network firms. In response, many investment advisers using expert network firms re-examined their compliance programs and adopted meaningful policies and procedures that employees of these firms were required to follow when using expert networks. At the same time, expert network firms responded to this existential threat to their business by dramatically increasing their recordkeeping and consultant training, and implemented other controls designed to reduce the risk of dissemination of MNPI through their networks. It became an obvious best practice that expert networks were to be used only with great care and under rigorous controls.
During the course of recent investment adviser examinations, the staff of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) appears to be suggesting that an investment adviser’s policies, procedures, and controls around MNPI extend beyond expert networks. For example, ACA has seen an uptick in SEC examiner expectations and comments around an adviser’s oversight, controls, and procedures to conduct surveillance of meetings with executives of public and other industry experts. Through these examinations and in public comments from the staff, the SEC has taken the position that it expects Chief Compliance Officers (“CCOs”) of registered investment advisers to understand who the firm’s investment professionals are interacting with during the research process.
The SEC has also consistently maintained that an adviser’s compliance controls should address the risks in its business. Advisers whose research efforts are more likely at risk of discovering MNPI have an obligation to impose greater controls around these research activities.
Compliance Considerations for Research Vendors
Investment advisers, particularly those with fundamental investment strategies or otherwise at risk of uncovering MNPI during the investment research process, should implement specific controls and procedures when dealing with their research providers. These policies should be tailored for each firm considering the nature of its business. A fundamental principle of these policies should be that a research firm is reviewed by the CCO or designee. These reviews should include a summary of any compliance policies the research provider has adopted, including an evaluation of whether the research provider has adequate policies in place to address the dissemination of MNPI.
The increasing use of data-driven strategies by hedge fund advisers (for both algorithmic trading and in support of fundamental research) has led many advisers to work with both established and newly formed research firms under pressure to provide new data products. These firms may offer data sets obtained from unusual sources or through potentially questionable means. It is important that CCOs monitor these vendors and inquire as to the source of this data. Key compliance considerations in reviewing data providers include, among other things:
- Was the data was obtained legally?
- Does the vendor have the legal right to sell the data?
- Does the data contain personal identifying information of any individual?
- If the data was obtained through web scraping, was it from a publicly available source or through the use of authenticating credentials to enter the target website?
- Has the firm ever received a cease and desist letter?
Based upon ACA’s experience with clients in recent investment adviser examinations and the enforcement activity described above, we believe it is a best practice for advisers to formally review and approve the use of alternative data research providers. Though the nature of these reviews, and the depth of the inquiry, will vary based on the nature of the investment manager’s business, a CCO must show a sufficient level of due diligence in approving these vendors.
About the Author
Mike Seery is a Senior Principal Consultant at ACA Compliance Group. He helps hedge fund, private equity fund, and other SEC-registered investment advisers create and maintain best-in-class regulatory compliance programs. Mike advises clients on complex regulatory issues, including portfolio valuation, expense allocation, soft dollars, and expert networks.