In 2017, there was a continued focus on many of the same regulatory issues that have been top-of-mind for private equity managers over the past several years, including performance advertising, cybersecurity oversight, and the disclosure of conflicts of interest to fund investors, particularly with respect to the allocation of expenses.
Frequent Compliance Issues Identified by SEC Staff
As it has done in prior years, the Securities and Exchange Commission’s (SEC) Office of Compliance Investigations and Examinations (OCIE) issued several Risk Alerts to highlight the most frequent compliance issues identified in its examinations of investment advisers. In February 2017, OCIE issued a Risk Alert that noted five general compliance topics frequently cited in examination deficiency letters.
Compliance Rule. The use of “off-the-shelf” compliance manuals that do not reflect advisers’ individualized business practices was cited by SEC staff as a frequent compliance deficiency, as was the failure to conduct meaningful annual reviews.
Regulatory Filings. The staff noted several common inadequacies in required filings, including inaccuracies and late filings of Form ADV and Form PF.
Custody. The failure by many advisers to identify circumstances where they have “custody” of client assets for purposes of the Custody Rule was an important theme in 2017 (as discussed further below). Specific instances identified by the staff include advisers that have the power to dispose of client funds and advisers that act as general partners of private equity funds and other pooled investment vehicles.
Code of Ethics. The staff noted several common rule violations, including with respect to the identification of access persons, providing for a thorough review of personal trading activities and describing advisers’ codes of ethics in Form ADV.
Books and Records. Advisers failed to maintain all records required under the Investment Advisers Act of 1940, committing errors in documentation, including fee schedules and client records, and failed to identify inconsistencies in required records.
Shortly after this Risk Alert was issued, the staff of the SEC’s Division of Investment Management issued additional interpretive guidance regarding the Custody Rule, asserting a broad view of client arrangements that can result in investment advisers having “custody” of client assets. Although most private equity sponsors avoid the most onerous aspects of the Custody Rule by providing audited financials to fund limited partners, sponsors that also manage separate accounts and “funds-of-one” should consider whether they have “custody” of client assets in light of the staff’s recent guidance and ensure that they are meeting all of their obligations under the Custody Rule.
Learn more about the staff’s recent custody guidance here and about OCIE’s 2018 examination priorities here.
Compliance Issues Related to Marketing and Advertising Practices
In September 2017, OCIE issued a separate Risk Alert focused exclusively on investment adviser advertising practices. The September alert also identified several frequently cited deficiencies, including:
- Misleading performance results, particularly the use of gross performance in circumstances that may be misleading;
- Misleading claims of compliance with certain voluntary performance standards, in particular, the CFA Institute’s Global Investment Performance Standards (GIPS);
- Cherry-picked or otherwise misleading presentations of profitable investment selections;
- Inadequate compliance policies and procedures regarding the presentation of investment performance and other marketing activities; and
- Certain deficiencies identified as a result of OCIE’s “touting initiative,” including misleading third-party rankings, and the misleading use of professional designations and testimonials.
Investment performance presentation and other potentially misleading marketing practices are an area of perpetual concern for the SEC staff. In addition to the topics cited above, we have observed an increased interest from the examination staff in reviewing and verifying the records that substantiate performance claims in PPMs, presentation books, RFP responses, and other marketing materials. On the heels of several enforcement actions in recent years alleging failures by investment advisers to maintain these records, private equity sponsors may consider reviewing their recordkeeping practices to ensure that they have records to support all performance claims made to third parties. This is particularly important in situations where the sponsor does not capture records of the performance in the normal course of business, such as the presentation of model investment performance, unrealized performance based on third-party or internal valuation, and the performance of investments made at prior firms.
Disclosure of Conflicts of Interest Related to Fund Expenses
In December, the SEC entered a settlement order against TPG alleging that the firm failed to provide sufficient disclosure regarding the acceleration of monitoring fees paid by portfolio companies. The settlement order was the latest in a series of recent enforcement proceedings related to inadequate disclosures regarding fee practices and other conflicts of interest to fund investors in the private equity fund context. The order against TPG is noteworthy because it restates the position taken by the SEC in recent actions that a private equity fund manager may not cure disclosure deficiencies that existed at the time a fund is launched through subsequent disclosures to investors or their representatives. According to the SEC, limited partners that did not have notice of a conflict at the time of their investment could not provide informed consent to the conflict. It is possible that after-the-fact ratification by an advisory committee or other limited partner representative would cure the deficiency, but whether this process would fully inoculate private equity fund managers against similar actions would depend on the specific facts and circumstances of the situation.
In light of this and other recent actions, fund sponsors should carefully consider whether their past and present disclosure practices adequately address conflicts related to the receipt of fees or other benefits in connection with their management of portfolio companies, including:
- Portfolio monitoring fees and the acceleration thereof;
- Discounts received by the manager from service providers in return for directing portfolio company business to those service providers, especially where the portfolio companies do not receive the full benefits of those discounts;
- Allocation of broken deal expenses;
- Allocation of expenses, including overhead, among funds, co-investments, the manager, and principal investment activities; and
- Recharacterizing management fees and other sources of revenue to avoid triggering fee offsets and/or “most favored nation” obligations.
Cybersecurity
In 2017, the SEC continued to make cybersecurity a top priority. Following several cybersecurity risk alerts issued over the last three years, in August, OCIE issued a Risk Alert discussing its observations from recent cybersecurity examinations. While OCIE noted that investment advisers and broker-dealers had generally enhanced cybersecurity measures over the preceding years, it noted several outstanding concerns regarding cybersecurity preparedness, including that cybersecurity policies and procedures were not reasonably tailored to a firm’s activities and that procedures often did not reflect actual practice. In light of this continued attention to cybersecurity matters, private equity sponsors may consider whether their existing cybersecurity policies reflect the following elements that OCIE considered to represent robust controls:
- Maintenance of an inventory of vendors, data, and information, including classifications of the risks, vulnerabilities, data, business consequences, and information regarding each vendor;
- Detailed cybersecurity-related instructions regarding items such as penetration tests, security monitoring and system auditing, access rights, and reporting;
- Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;
- Established and enforced controls to access systems and data, including “acceptable use” policies and prompt termination of access for terminated employees;
- Mandatory cybersecurity training for all employees; and
- Involvement by senior management in vetting and approving cybersecurity policies and procedures.
Notably, cybersecurity is also listed as one of OCIE’s 2018 exam priorities.