Hot Topics for Investment Managers: Compliance & Technology Directives for 2012
 

Your first priority is making sound investment decisions. But more than ever, investors and regulators expect firms to focus on their operations and infrastructure as well. Read on to learn how to meet your firm's technology and compliance directives in 2012. Experts from ACA Compliance and Eze Castle Integration provided advice on:

• Form PF and other report filing and registration requirements;
• Tips for compliance program development, reviews and training; and
• Technology must-haves including email security, encryption, and more.

Speaker Notes

  • Dodd-Frank Act / SEC rules: under the "written communications" rules, hedge funds must retain all internal and external electronic business communications. The goal is to protect investors from misrepresentation and fraud via electronic communications and to prevent record tampering. This falls under the Investment Advisers Act of 1940 and applies to registered investment advisers.
    Requirements: in connection with maintaining electronic records under Rule 204-2, firms must:
    - preserve all SEC-mandated records (incoming and outgoing) regarding the adviser's business;
    - store them on indelible electronic storage media;
    - retain them in an easily accessible place for a 5-year retention period;
    - retain them in an appropriate office of the adviser for the first two years of that period;
    - arrange and index them for easy search, retrieval and access;
    - be able to furnish records "promptly" (in practice, immediately or within a few hours of the request);
    - be able to provide legible, true and complete copies in the original format, and printouts of such records;
    - provide a means for regulators to access, view and print records;
    - store original and duplicate copies in separate locations;
    - establish and maintain procedures to protect records from loss, alteration or destruction, and to limit access to authorized personnel and regulators;
    - ensure that records reproduced from hard copy are complete, true and legible when retrieved;
    - implement an annual review system and the ability to store review results (cross-referenced with Rule 206(4)-7).
    SEC Rule 206(4)-7 under the Investment Advisers Act requires firms to implement internal supervisory compliance controls for email and IM messages. Advisers must establish, maintain and enforce written supervisory policies and procedures to detect and prevent compliance violations, including the misuse of material non-public information.
    With the growth of email and IM as principal business communication tools, these controls are designed to protect investors from misrepresentation.
    Requirements: in connection with the supervisory compliance controls of Rule 206(4)-7 and the corresponding SEC Final Rule Release IA-2204, firms must:
    - establish supervisory policies and procedures for all business-related communications with clients, including methods of detecting and addressing prohibited electronic communications; safeguards for the privacy of client records and information; monitoring the accuracy of disclosures made to investors, clients and regulators, including account statements and advertisements; and controls for the accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;
    - implement internal compliance controls designed to detect and prevent regulatory violations;
    - designate a chief compliance officer responsible for administering the supervisory compliance system;
    - review the firm's written supervisory policies and procedures annually to ensure compliance;
    - implement an annual review system and the ability to store review results (cross-referenced with Rule 204-2).
    In-house legal and eDiscovery features: using the archive's search engine, the compliance reviewer can retrieve, filter, review and monitor all archived email, IM and Bloomberg messages.
    Best practices: 1. general email and IM policy requirements; 2. recordkeeping in accordance with SEC Rule 204-2; and 3. supervision of electronic records in accordance with SEC Rule 206(4)-7.
    Key components of archiving solutions: geo-remote redundant data centers with off-site mirrored storage; user-friendly, quick retrieval of messages from anywhere via a browser (desktop, mobile device, etc.); seamless integration with existing infrastructure; WORM format on dedicated media with off-site backup; AES and RSA encryption of stored data (marketed as "NSA level"); and a dedicated compliance team.
  • Retain accurate records: import legacy email data into the archive; log all activity associated with a message; social media (Facebook, Twitter, LinkedIn) and Bloomberg messages are also in scope.
    Electronic media: WORM ("Write Once, Read Many"); dedicated storage for your firm only, with an off-site backup. Also ensure that your data is mirrored to redundant storage so that you have
    Index and retrieval: you must be able to respond "promptly" to an SEC audit, so records cannot be stored only on tape. A quick keyword search should return the relevant records, which should then be available to view, download or print in order to respond promptly. Messages are integrated into a single unified archive, and can be retrieved from anywhere via a browser (an app for mobile devices is expected).
    Social media: FINRA Regulatory Notice 10-06 (January 2010) advises that firms must have a solution in place to retain all records of social media communications (LinkedIn, Twitter and Facebook) as per SEC Rules 17a-3 and 17a-4 and NASD Rule 3110. These messages are integrated into the same unified archive.
    Annual review: in-house legal staff (from the vendor) to assist. "Evolution of tech... and laws."
  • Some do not archive messaging from iOS; iOS devices are an open item with Apple because Apple does not allow apps that forward messages from iOS devices into the App Store. We are working with Apple, but for now the best option is to use a mobile device manager and prohibit text messaging. Let me know if that helps.
    In addition to email, remember to back up and control the security of instant messages, webmail, file transfers and other electronic communications leaving the company. PGP, authentication, ... Considerations for PII can include: national identification numbers, street addresses, driver's licenses, telephone numbers, IP addresses, email addresses, vehicle registrations and ages (e.g. under 201 CMR 17.00, the Massachusetts data protection regulation).
    Gramm-Leach-Bliley Act of 1999 (GLBA): Section 501(b) requires financial services companies to protect the confidentiality and integrity of non-public personal information (NPI) and to ensure it is secure from unauthorized access. To do so, organizations must identify potential threats to their information and implement controls that include policies, procedures and technologies; the technologies include monitoring and detection systems for actual and attempted access to NPI. Noncompliance with GLBA may result in: civil monetary fines of varying amounts up to $1 million or more; prison sentences of up to five years; lower examination ratings and increased reporting requirements; and enforcement actions, which can include board resolutions, memorandums of understanding, written agreements and cease-and-desist orders. The specific action is based on the number of deficiencies, the risk profile, and whether violations have been encountered (such as transmitting unencrypted information to third parties such as programmers, credit bureaus, loan processors or other service providers). See also the Identity Theft and Assumption Deterrence Act.
  • Under 201 CMR 17.00, "personal information" means a Massachusetts resident's first name and last name, or first initial and last name, in combination with any one or more of the following data elements relating to that resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to the resident's financial account.
  • Email security is a very mature industry, so there will not be much differentiation in functionality and price across solution providers. A comprehensive email security solution will include:
    a) Outbound email encryption: every outbound message is scanned by compliance and content filters. If a message matches a pre-defined compliance or policy rule (for example, it contains confidential information or PII), it is encrypted before delivery to the recipient. Typically the recipient is asked to enter a password which, once verified, releases the decryption key and gives access to the message.
    b) Spam filtering and anti-virus protection: inbound messages are inspected for unwanted junk email (spam) and for malware or viruses. Typically messages are compared against live threat databases to identify known threats.
    c) Data Loss Prevention (DLP): interrogates outgoing mail for content and attachments that may contain confidential information. Some solutions use the same matching logic as outbound encryption, but the goal is different: rather than encrypting the data before it is sent, DLP prevents sensitive information from leaving the firm's network. Such solutions range in size, functionality and complexity.
    Main difference between offerings: the level of involvement required in managing email security. Most solutions accomplish the same goals, but a managed service provider can simplify the process at minimal cost.
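The outbound-encryption and DLP logic described in this note, as an added example (not the vendor's or the presenters' code): a policy scanner that triggers on the data elements of the 201 CMR 17.02 "personal information" definition (SSN, driver's license number, financial account number, card number checked with Luhn), then encrypts mail leaving to an outside domain and blocks mail leaving to a personal webmail account. The firm domain example-adviser.com, the webmail list, the ENCRYPT/BLOCK policy, the labelled-field patterns for license and account numbers, and the sample messages are all assumptions; attachment text is assumed to have been extracted upstream, and the scanner deliberately does not try to recognise the accompanying name (a false positive costs one encrypted email; a miss costs a breach notification).

```python
"""Outbound email policy: encrypt or block mail carrying 201 CMR 17.00
"personal information" data elements (added example, not the vendor's code).

Assumptions: the firm's own domain is example-adviser.com, the personal-
webmail list and the ENCRYPT/BLOCK policy are illustrative, attachment text
has already been extracted by something upstream, and the scanner triggers on
the regulation's data elements without trying to recognise the accompanying
name.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

FIRM_DOMAIN = "example-adviser.com"                      # assumed
PERSONAL_WEBMAIL = {"hotmail.com", "gmail.com", "aol.com"}

# SSN: reject impossible area (000, 666, 9xx), group (00) and serial (0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# License formats vary by state, so a labelled field is required (assumption).
DL_RE = re.compile(r"\b(?:driver'?s?\s+licen[cs]e|DL)\s*(?:#|no\.?|number)?\s*[:\-]?\s*([A-Z0-9]{7,9})\b", re.I)
ACCOUNT_RE = re.compile(r"\b(?:acct|account)\s*(?:#|no\.?|number)?\s*[:\-]?\s*(\d{6,17})\b", re.I)
# Candidate card numbers: 13-19 digits with optional space/dash separators; Luhn decides.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class OutboundMessage:
    msg_id: str
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachment_text: List[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn check; weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_personal_information(text: str) -> List[str]:
    """Data elements of the 201 CMR 17.02 definition present in the text."""
    found = []
    if SSN_RE.search(text):
        found.append("social security number")
    if DL_RE.search(text):
        found.append("driver's license number")
    if ACCOUNT_RE.search(text):
        found.append("financial account number")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        found.append("credit/debit card number")
    return found


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def decide(msg: OutboundMessage) -> Tuple[str, List[str]]:
    """Apply the outbound policy: DELIVER, ENCRYPT (policy-triggered encryption
    to an outside domain) or BLOCK (DLP: personal information must not leave
    to a personal webmail account)."""
    text = "\n".join([msg.subject, msg.body, *msg.attachment_text])
    elements = find_personal_information(text)
    external = [r for r in msg.recipients if _domain(r) != FIRM_DOMAIN]
    if not elements or not external:
        return "DELIVER", elements
    if any(_domain(r) in PERSONAL_WEBMAIL for r in external):
        return "BLOCK", elements
    return "ENCRYPT", elements


def run_policy(messages: List[OutboundMessage]) -> List[Tuple[str, str]]:
    """Return (message id, action) for each message in order."""
    return [(m.msg_id, decide(m)[0]) for m in messages]


# Constructed sample traffic (no real people or accounts).
SAMPLE_OUTBOUND = [
    OutboundMessage("o1", "hr@example-adviser.com", ["payroll@example-adviser.com"],
                    "New hire", "Jane Doe, SSN 123-45-6789, starts Monday."),
    OutboundMessage("o2", "ops@example-adviser.com", ["wires@custodian.example"],
                    "Wire instructions", "Please debit account number 0098765432 for the client."),
    OutboundMessage("o3", "pm@example-adviser.com", ["pm.home@gmail.com"],
                    "expenses", "Card on file: 4111 1111 1111 1111, DL no. S12345678"),
    OutboundMessage("o4", "ir@example-adviser.com", ["cio@bank.example"],
                    "Quarterly letter", "Attached is the Q2 letter.", ["Performance commentary..."]),
    OutboundMessage("o5", "ops@example-adviser.com", ["cio@bank.example"],
                    "Ref", "Your reference is 4111 1111 1111 1112 (ticket, not a card)."),
]

if __name__ == "__main__":
    for msg_id, action in run_policy(SAMPLE_OUTBOUND):
        print(msg_id, action)
```

The internal message o1 is delivered even though it carries an SSN, because the policy only gates mail that leaves the firm; o5 is delivered because the digit run fails Luhn. Whether internal mail should also be gated, and whether a block should notify the sender or the compliance team, are policy decisions the firm makes before the rules are deployed.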
  • With the explosion of mobile devices, end users demand the ability to use their iPhone or Android devices on company networks. This creates a security challenge for protecting company and client data. What happens if an unknown device accesses the company network? How would you know? What if an unverified mobile app is downloaded and spreads a virus? What if I lose my phone or tablet loaded with confidential client information? Mobile devices can expose a security vulnerability, so it is critical not only to extend email security and message archiving to mobile devices, but also to have a sound solution for managing the devices that access a company's network. Fortunately, there are a number of solutions on the market to assist with this, known as Mobile Device Management (MDM).
  • MDM capabilities: mobile app inventory and protection; lockdown security; password enforcement; remote lock and wipe; device inventory and asset management; real-time intelligence.
  • Web filtering: define policies to restrict which websites may be visited and limit use of social networking; analyze incoming and outgoing traffic. The goal is a best-effort attempt to detect and protect against malware (vendors include Websense, Symantec and Cisco). Can be offered as a hosted service or on-premise at the customer site.
    Intrusion detection: aimed at the newer class of Advanced Persistent Threats; find and stop malicious traffic using deep packet inspection and stateful packet inspection.

Presentation Transcript

  • Hot Topics for Investment Managers: Compliance & Technology Directives for 2012
  • Agenda: Form PF: What You Need to Know • Maintaining an Effective Compliance Program • Technology Must-Haves – Message Archiving – Email Security – Mobile Device Management
  • Hot Topics for Investment Managers: Compliance & Technology Directives for 2012. Nothing herein should be construed as legal advice or as a legal opinion for any particular situation. Information is provided for general guidance and should not be substituted for formal legal advice from an experienced securities attorney.
  • Sections of Form PF • Section 1: All Filers ($150M in RAUM) • Section 2: Large Hedge Fund Managers ($1.5B in RAUM) • Section 3: Large Liquidity Fund Managers ($1B in RAUM) • Section 4: Large Private Equity Managers ($2B in RAUM)
  • Filing Deadlines • 7/15/12 – Liquidity Fund Managers with ≥ $5B • 8/29/12 – Hedge Fund Managers with ≥ $5B • 1/15/13 – Liquidity Fund Managers with $1B to $5B • 3/1/13 – Hedge Fund Managers with $1.5B to $5B • 4/30/13 – All other filers
  • Filing Frequency • Large Hedge Fund & Liquidity Fund Managers: Quarterly • All Others: Annually
  • IT Challenges Posed by Form PF • Data from internal and external systems • Internal methodologies allowed, but strive for consistency and disclose assumptions • Desire for a scalable process (maybe next time)
  • Form PF Recommendations • Prepare a test filing • Assign each question to the subject matter expert • Coordinate with vendors early and often • Document assumptions
  • Maintaining an Effective Compliance Program
  • Integration of IT and Compliance • "To the extent that firms don't have strong IT resources supporting their compliance program in areas such as risk assessment, surveillance and testing, that can be a real challenge to effectiveness. In today's market environment, if you have a compliance program that's not using technology in sophisticated ways to do monitoring, testing and surveillance, then you're probably behind the 8-ball. Generally, we're getting pretty good at working with different data formats and developing tools that can help us take the data and perform effective analysis." – Carlo di Florio, Director of the SEC's Office of Compliance Inspections and Examinations
  • Integration of IT and Compliance • "We're going to be doing it, so I suggest you do it as well." – Norm Champ, Deputy Director of the SEC's Office of Compliance Inspections and Examinations, discussing email surveillance
  • Common Email Review Focus Areas • Correspondence with competitors • Messages sent with attachments to personal accounts (Hotmail, Gmail, AOL) • References to restricted list entries • Outbound messages referencing names subject to confis • References to known conflicts of interest • Correspondence with government email addresses • Political contributions • Gifts and entertainment (conflicts of interest and FCPA)
  • Documenting Email Reviews • Scope • Risk areas and associated search terms • Number of hits per search term • Number of emails opened per search term • Findings and responses – Decide in advance how to respond to findings that appear to be especially serious. Consider escalating directly to outside counsel. – Word spreads quickly. Discussing questionable emails with employees will lead to changes in email behavior throughout the firm.
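The review sweep the two slides above describe, as an added example (not ACA's or Eze Castle's own tooling): search terms grouped by risk area are run over an archive export, and the sweep returns the figures the review memo documents (scope, hits per term, which messages to open per term) plus recipient-driven flags for attachments sent to personal webmail accounts and correspondence with government addresses. The firm domain example-adviser.com, the risk areas and search terms, the webmail domain list and the five sample messages are all constructed assumptions; a real review derives the terms from the firm's restricted list, conflicts log and gifts, entertainment and political-contribution policies.

```python
"""Email surveillance sweep over an archive export (added example).

Assumptions, not from the presentation: messages are available as plain
Python objects exported from the archive, the firm's domain is
example-adviser.com, and the risk areas, search terms and personal-webmail
domains below are illustrative stand-ins for the firm's own lists.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

FIRM_DOMAIN = "example-adviser.com"                      # assumed
PERSONAL_WEBMAIL = {"hotmail.com", "gmail.com", "aol.com"}

# Risk area -> search terms (assumed). In a real review these come from the
# restricted list, the conflicts log and the gifts/entertainment and
# political-contribution policies.
RISK_AREAS: Dict[str, List[str]] = {
    "restricted list": ["acme holdings", "blue widget"],
    "political contributions": ["campaign contribution", "fundraiser"],
    "gifts & entertainment": ["tickets", "box seats"],
}


@dataclass
class Message:
    msg_id: str
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def term_hits(msg: Message, terms: List[str]) -> List[str]:
    """Terms that occur as whole phrases (case-insensitive) in subject or body."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [t for t in terms if re.search(r"\b" + re.escape(t.lower()) + r"\b", text)]


def recipient_flags(msg: Message) -> List[str]:
    """Focus areas driven by who the mail went to rather than by keywords."""
    flags = []
    external = [r for r in msg.recipients if _domain(r) != FIRM_DOMAIN]
    if msg.attachments and any(_domain(r) in PERSONAL_WEBMAIL for r in external):
        flags.append("attachment sent to personal webmail account")
    if any(_domain(r).endswith(".gov") for r in external):
        flags.append("correspondence with government email address")
    return flags


def review(messages: List[Message], risk_areas: Dict[str, List[str]] = RISK_AREAS) -> dict:
    """Sweep the archive and return the figures a review memo documents:
    scope, hits per search term, the messages to open per term, and the
    per-message reasons for flagging."""
    hits_per_term: Counter = Counter()
    to_open: Dict[str, List[str]] = defaultdict(list)
    flagged: Dict[str, List[str]] = defaultdict(list)
    for msg in messages:
        for area, terms in risk_areas.items():
            for term in term_hits(msg, terms):
                hits_per_term[term] += 1
                to_open[term].append(msg.msg_id)
                flagged[msg.msg_id].append(f"{area}: '{term}'")
        for reason in recipient_flags(msg):
            flagged[msg.msg_id].append(reason)
    return {
        "messages_in_scope": len(messages),
        "hits_per_term": dict(hits_per_term),
        "to_open_per_term": dict(to_open),
        "flagged": dict(flagged),
    }


# Constructed sample archive (not real correspondence).
SAMPLE_ARCHIVE = [
    Message("m1", "analyst@example-adviser.com", ["trader@example-adviser.com"],
            "Acme Holdings position", "Can we add to Acme Holdings before the print?"),
    Message("m2", "pm@example-adviser.com", ["pm.home@gmail.com"],
            "model", "Sending the model home for the weekend.", ["fund_model.xlsx"]),
    Message("m3", "ir@example-adviser.com", ["examiner@sec.gov"],
            "Form PF question", "Following up on the Section 2 reporting thresholds."),
    Message("m4", "sales@example-adviser.com", ["cio@bank.example"],
            "Thursday", "We have box seats for Thursday, tickets attached.", ["tickets.pdf"]),
    Message("m5", "ops@example-adviser.com", ["ops2@example-adviser.com"],
            "Lunch", "Noon at the usual place?"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_ARCHIVE), indent=2))
```

The hit counts and the per-term list of messages are what the reviewer records before opening anything; the number actually opened, and the findings, are filled in by hand afterwards. Keeping the search terms in a version-controlled file alongside the review memo makes the next annual review reproducible against the same archive.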
  • Record Retention • Electronic record retention welcomed – Readily accessible – Separately backed up – Be prepared to produce in electronic or paper format • Little flexibility in recordkeeping obligations – Rule 204-2 – Typically a 5 to 6 year retention period – Most advisers keep all electronic communications • Apple Messages are a problem
  • Technology Must-Haves for Investment Managers
  • Message Archiving: All electronic messages must be captured and retained. The SEC requires advisers to retain all internal and external electronic business communications. Tape backup by itself is not adequate! Know the regulations and sound practices for archiving.
  • Message Archiving
    Rule 204-2: Retain all internal and external electronic business communications
    – Requirement: Retain accurate records → Solution: Archive all electronic messages for up to 7 years
    – Requirement: Electronic media → Solution: WORM format with off-site backup
    – Requirement: Index & retrieval → Solution: Messages are indexed for easy and fast retrieval
    Rule 206(4)-7: Adopt written compliance policies and procedures
    – Requirement: Prevent and detect violations → Solution: Internal supervisory compliance controls
    – Requirement: Annual review → Solution: Robust reporting to facilitate annual reviews
    Message archiving technology can simplify record retention and compliance reporting.
  • Message Archiving: Some questions to ask your solutions provider... Will my data be stored on dedicated or shared storage? Is WORM storage used to ensure data integrity? Are all messages searchable from a single search command? How is user access to data controlled? Do you archive messages from all devices? Do you provide 24x7 support and/or in-house legal support?
  • Email Security: Email security helps comply with data privacy regulations. Regulations: Gramm-Leach-Bliley Act of 1999 (GLBA) – Section 501(b): protect non-public personal information; MA 201 CMR 17 (Massachusetts): protect personally identifiable information (PII). Common sense: the firm's reputation is at risk the moment customer privacy is violated.
  • Email Security Solutions: A standard email security package goes a long way. Email Security: Outbound Encryption • Spam Filtering • Anti-virus Protection • Data Loss Prevention. Ensure security of all outgoing electronic communications!
  • Email Security: Some questions to ask your solutions provider... What level of encryption is used to protect my email? How do I access an encrypted message? Can I create specific email security policies? How can I prevent sensitive data from leaving my network? How do my virus-outbreak filters stay current? How much system maintenance is required of me?
  • Mobile Device Management: Enterprise data is moving to smartphones and tablets! What devices are accessing your network? Are all the mobile apps safe to use? Has anyone lost a phone recently?
  • Mobile Device Management (MDM): Convergence of work and personal devices... Visibility into mobile devices... – Context: match activity to location, time and network – Activity: user behavior patterns – Content: identify and secure files on each phone – Application: provision, configure, troubleshoot – Device: track settings, status, inventory, policies, functions. MDM is essential for a comprehensive data protection strategy. (Photo source: MobileIron)
  • Mobile Device Management (MDM): Some questions to ask your solutions provider... What mobile operating systems does your MDM solution support? What asset management and inventory capability exists for managing devices on the network? What remote administration functionality is available (e.g. password enforcement)? What reporting is available across operators, operating systems and locations?
  • Other Technology Considerations Web Filtering – Protection from malware originating over the internet Intrusion detection – Protection against hackers attempting to invade a network Endpoint encryption – Encryption of data on laptops and all other devices
  • Eze Castle Integration Overview
    Founded: 1995
    Headquarters: 260 Franklin Street, 12th Floor, Boston, Massachusetts 02110
    Additional offices: Chicago, Dallas, Geneva, Hong Kong, London, Los Angeles, Minneapolis, New York City, San Francisco, Singapore and Stamford
    Core services: Strategic IT Consulting • Private Cloud Services • Outsourced IT Solutions • Business Continuity Planning • Professional Services • Disaster Recovery • Project & Technology Management • Compliance Solutions • Communications Solutions • Storage Solutions • Network Design & Management • Colocation Services • Internet Service • E-Mail & IM Archiving
    Awards Received
  • 260 Franklin Street, 12th floor Boston, MA 02110 Tel: 617-217-3000 www.eci.com