SEC

Securities and Exchange Commission Proposes to Modernize Key Market Infrastructure Responsible for Collecting, Consolidating, and Disseminating Securities Market Data

 

On February 14, the SEC proposed to modernize the infrastructure for the collection, consolidation, and dissemination of market data for exchange-listed national market system (NMS) stocks. Comments on the proposed SEC Rule are due 60 days after publication in the Federal Register. Release.

 

SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices

 

On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued observations, gleaned from its examinations, on the cybersecurity and operational resiliency practices adopted by market participants (the “Observations”). The Observations affect the entire securities industry because OCIE examines SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. OCIE uses a risk-based approach to examinations to fulfill its mission of promoting compliance with U.S. securities laws, preventing fraud, monitoring risk, and informing SEC policy.

The Observations cover a broad range of operations in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to safeguard against threats and respond in the event of an incident.

Organizations subject to examination by OCIE should expect the elements highlighted in the Observations to be a focus of both routine and targeted examinations. The Observations are best regarded as a set of “best practices” that regulated organizations should consider in developing, implementing and monitoring the effectiveness of their own compliance programs.

The following are selected excerpts from the Observations that we believe are the most significant. A complete copy of the Observations can be found here.

Governance and Risk Management

OCIE emphasized that effective compliance programs “start with the right tone at the top.” This is a top priority of any examination: senior leaders should be committed to improving their organization’s cyber posture by working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.

OCIE observes that a key element is the incorporation of a governance and risk management program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.

Access Rights and Controls

OCIE observes that “access rights and controls” are used to determine which users within an organization should have access to its systems, based on their job responsibilities. Access controls generally include: (i) understanding where data, including client information, is located throughout the organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent, and monitor for, unauthorized access.

Data Loss Prevention

“Data loss prevention,” as conceived by OCIE, typically includes a set of tools and processes an organization uses to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.

Mobile Security

Mobile devices and applications may create additional and unique vulnerabilities. The mobile security measures OCIE has observed include: (i) establishing specific policies and procedures for the use of mobile devices, including managing their use, e.g., a compliance program that addresses the special concerns presented when employees are permitted to use their own mobile devices to perform business functions; (ii) implementing security measures; (iii) training employees, including on mobile device policies; and (iv) adopting effective practices to protect mobile devices.

Incident Response and Resiliency

OCIE notes the importance of a compliance program that includes: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessment of the appropriateness of corrective actions taken in response to incidents. OCIE emphasized that an important component of an incident response plan is a business continuity and resiliency plan that addresses how quickly the organization could recover and again safely serve clients if its operations were materially disrupted.

Vendor Management

OCIE found that practices and controls related to vendor management generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors and their contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any client information they can access.

Training and Awareness

Training and awareness are key components of cybersecurity programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats.

OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness: (i) training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency; (ii) providing specific cybersecurity and resiliency training, including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious; (iii) monitoring to ensure employees attend training and assessing the effectiveness of training; and (iv) continuously re-evaluating and updating training programs based on cyber-threat intelligence.

SEC Proposes Amending the Definition of “Accredited Investor”

 

On December 18, the Securities and Exchange Commission voted three to two to propose amendments to the definition of “accredited investor,” one of the principal tests applied under the federal securities laws for determining who is eligible to participate in transactions that are not required to be registered with the SEC. Such transactions are commonly referred to as “private capital markets” transactions. In the words of the SEC, the proposal “seeks to update and improve the definition to more effectively identify institutional and individual investors that have the knowledge and expertise to participate in our private capital markets.”

In announcing the proposal, Jay Clayton, Chairman of the SEC, asserted that: “The current test for individual accredited investor status takes a binary approach to who does and does not qualify based only [on] a person’s income or net worth. . . The proposal would add other means for natural persons to qualify to participate in our private capital markets based on established, clear measures of financial sophistication . . . .” For example, natural persons could qualify as accredited investors based on their professional knowledge and experience, as evidenced by professional certifications they have obtained. Another welcome aspect of the proposal highlighted by the Chairman is that it “specifically recognizes that certain organizations, such as tribal governments, should not be restricted from participating in private capital markets” transactions if they meet certain investment thresholds. Proposed Rule.


SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities

 

On January 7, the SEC Office of Compliance Inspections and Examinations announced its 2020 examination priorities, which include a focus on risks related to retail investors (including seniors and those saving for retirement), market infrastructure, information security, anti-money laundering programs and financial technology (including digital assets and electronic investment advice), among others. The SEC publishes its examination priorities annually to enhance the transparency of its examination program and to provide insights into its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets. SEC Release.


SEC Announces Three New Rulemakings

 

On September 26, the Securities and Exchange Commission (SEC) announced three significant rulemakings. Summarized in a Public Statement by Chairman Jay Clayton, they are designed to achieve the following objectives.

  • The Modernization of the Approval Framework for ETFs. This new rule: “(1) sets forth a clear and consistent framework that will allow exchange-traded funds (ETFs) meeting certain standardized conditions to come to market without obtaining an individualized exemptive order, and (2) amends certain forms to enhance disclosures for investors.”
  • The Expansion of “Testing-the-Waters” Communications to All Issuers. This new rule: “will extend to all issuers the flexibility provided by the JOBS Act to communicate with institutional investors about potential IPOs and other registered offerings to better gauge market interest.”
  • The Enhancement of the Regulation of the OTC Markets. These proposed amendments to the rules governing the publication of quotations for over-the-counter (OTC) securities are “designed to better protect investors from fraud and manipulation, while at the same time facilitating more efficient OTC trading in certain well-capitalized issuers.”

Chairman Clayton emphasized that these rulemakings “share common themes.” Foremost, they “modernize decades-old regulations . . . taking account of our experience, advances in communications technology and changes in the operation of our markets.” Significantly, these “common sense actions better align our regulations with the preferences and investor protection interests of our long-term Main Street investors, while also facilitating capital formation.”

SEC Adopts New Rules and Amendments under Title VII of Dodd-Frank

 

On September 19, the SEC adopted new rules and amendments under Title VII of the Dodd-Frank Act establishing recordkeeping and reporting requirements for security-based swap dealers and major security-based swap participants, and amending those requirements for broker-dealers. The new rules aim to allow the SEC to better monitor compliance and reduce risk to the market. Release.

’40 Act Leeway for Mortgage REITs and Others

The SEC Investment Management Division published a no-action letter on August 15 addressed to Redwood Trust that provides a certain degree of Section 3(c)(5)(C) compliance leeway for mortgage REITs and mortgage bankers. The Redwood letter is a recognition by the staff that the ebb and flow of mortgage loans into and out of a mortgage banking business, and the retention of cash proceeds from time to time, is an integral part of the business, as is the retention of the right to service loans to facilitate both loan sales and securitizations.

Specifically, the staff concluded that there would be no objection to Redwood treating certain MSRs and cash proceeds in the manner described below for purposes of the Section 3(c)(5)(C) exclusion from the registration requirements of the Investment Company Act of 1940. Redwood Trust No-Action Letter – 2019

  • MSRs created when mortgage loans are sold or securitized can be treated as “qualifying interests” under Section 3(c)(5)(C), and
  • Cash proceeds from mortgage principal amortizations, interest payments and payoffs in connection with real estate-related assets, as well as from the sale of such assets, including to securitization trusts, can retain the characterization of the assets from which the cash proceeds were derived for purposes of Section 3(c)(5)(C), subject to the time limitations indicated in the letter; e.g. sell whole loans and treat the cash proceeds of the sale as “qualifying interests” (subject to such time limitations).

As we stated in our April 12, 2019, letter to the SEC staff on behalf of Redwood, these cash proceeds are “integral parts of and directly related to and arising from Redwood’s mortgage banking activities” and, likewise, created MSRs “are acquired as a direct result of Redwood’s mortgage banking activities”. Our letter references the staff’s Great Ajax no-action letter of February 12, 2018, in which the staff said that it “would be willing to entertain other no-action requests to treat as qualifying interests certain other mortgage-related assets if they are acquired by an issuer as a direct result of the issuer being engaged in the business of purchasing or otherwise acquiring whole mortgage loans (e.g., certain “A-Notes” and servicing rights)”. Orrick Letter to SEC, April 12, 2019

(Redwood also obtained a no-action letter in 2017 relating to the treatment of credit risk transfer securities as “real estate-type interests” under Section 3(c)(5)(C). In the Orrick letter to the staff, we noted, among other things, that credit risk transfer securities share similar characteristics with, and have the same economic substance as, agency partial pool certificates, which are treated as “real estate-type interests” under Section 3(c)(5)(C). In its letter, the staff recognized the similarities between credit risk transfer securities and agency partial pool certificates and concluded that the credit risk transfer securities described could be treated as “real estate-type interests”.  Redwood Trust No-Action Letter – 2017 ; Orrick Letter to SEC, September 5, 2017)

SEC Staff Observations from Examinations of Investment Advisers

 

On July 23, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on its “Observations from Examinations of Investment Advisers: Compliance, Supervision, and Disclosure of Conflicts of Interest.” The purpose of the Risk Alert is to raise awareness of certain compliance issues OCIE observed by sharing the Staff’s observations from these examinations. The Risk Alert provides a good summary of the Staff’s observations across a broad range of compliance topics, but emphasizes its specific observations relating to employees or prospective employees with disciplinary histories. As stated by the Staff: “the key takeaway is that OCIE encourages advisers, when designing and implementing their compliance and supervision frameworks, to consider the risks presented by hiring and employing supervised persons with disciplinary histories and adopt policies and procedures to address those risks.” Risk Alert.

SEC Adopts Rules and Interpretations to Enhance Protections and Preserve Choice for Retail Investors in Their Relationships with Financial Professionals

 

The U.S. Securities and Exchange Commission (SEC) adopted and clarified a number of rules intended to improve the relationships between retail investors, investment advisers and broker-dealers, while also maintaining retail investors’ access to investment services and products. Under Regulation Best Interest, broker-dealers must act in the best interest of a retail customer when recommending any securities transaction or investment strategy. The Form CRS Relationship Summary requires registered investment advisers and broker-dealers to provide retail investors with easily comprehensible information about their relationship with their financial professional. Lastly, the SEC clarified investment advisers’ fiduciary duties and the activities that cause a broker-dealer to be considered an investment adviser under the Advisers Act. Press Release. For further detail on the subject, read an analysis from Orrick’s Securities Litigation team here.