Please note that we provide links to external sites which were correct at the time of publication, but they may be updated. Cognitive GRC provides advisory services to regulated firms in Hong Kong on international requirements and works with various service partners to deliver these services. Firms should obtain specific advice relating to matters that we highlight here. This is neither legal, accounting nor investment advice.
What firms need to be thinking about as we move closer to 2024 from a GRC perspective
Please find an update on what we believe to be most relevant for our clients and what may be actionable over the close out of this year. Q4 is here, and we wonder where the year has gone. You can also refer to our separate updates on BRMQ 2024 and Digital Assets (coming soon).
Enforcement Summary
Another round of ramp and dump freezes, and prosecutions populate the list of enforcement cases, including illegal short selling and insider trading offences. A continued focus on sponsor obligations as well as senior management failings.
A lifetime ban for an RO for failure to maintain adequate financial resources and providing false and misleading information. One relatively small fine for failure to disclose relevant matters in a license application, such as a prior refusal to obtain a license, and a fine of HK$1.3 million for failure to adequately monitor employee dealings.
Clients can refer to our summaries for the details which we will bring up in our usual annual training for staff.
SEC cases around unsanctioned communication channels, conflicts of interest and custody rules take the lead with dynamic issues being addressed by proposed rules/implemented requirements. See further discussion below where relevant to you. We cover the relevant cases in our annual training.
MLRO Updates
As usual, our team has produced the quarterly MLRO update with more detailed response options on the updated BRMQ questions being finalised for the season. We have discussed internally the relevant responses to the re-ordered section on AML. This is in addition to our general analysis of the latest BRMQ questions. Clients can choose to stay ahead of the inevitable post-BRMQ phone call from the case officer if they have not yet taken note of the new questions. Minor updates have already been incorporated into our procedural updates.
Specific Updates
An SFC reminder on cyber-health in September (See here; Source: SFC) should get people thinking about their regular review processes, but please refer to our update on operational resilience from this time last year, if you feel that you are already covered, as we help firms pre-empt potential risks across the operational risk universe. As you may be aware, we are working with a continuity and security expert to help firms do proper desktop reviews on a project basis and have successfully conducted such reviews on boutique managers in a useful manner. We don't want to just tick a box here: as in the case of crisis management, checklists need to be tested for effectiveness.
We also noted the update on streamlined Sophisticated Professional Investor processes and are not entirely clear how the update might impact single strategy asset managers. We don't believe the update was directed at independent managers, but are concerned with the unintended interpretations for investors who cannot satisfy the new sophisticated investor criteria.
Global Compliance Matters
The details of both US and European regulatory updates are very well covered in AIMA's recently introduced AIMA Regulatory Horizon Scan (Source: AIMA - Non-Member Access), which is updated on a regular basis. As noted, it should not be the only source of your forward planning, but it is one of the best sources of up-to-date information on what firms should be considering as they peer into 2024. We have our own cognitive views on those items, which we discuss below.
AIMA has now also produced a broader document on Regulatory issues called the Regulatory Almanac (Source: AIMA) for those of us interested in the broader regulatory change agenda.
You may also refer to ACA Group materials and/or your counsel for further discussions on US/European matters.
Climate Requirements (Global Consideration)
Hong Kong
It is a year since large Hong Kong ROOF managers needed to declare their position (August) and the anniversary for non-large ROOF managers is coming up soon (November). (Reminder on scope here; Source: SFC FAQ.) It is time for a Hong Kong manager's governance team to re-evaluate their stance on materiality and relevance, against their portfolio and performance.
US and Global implications
While there are still major differences in views on climate, we are moving forward on the basis that we need to be part of the solution. We covered the conundrums well last year (see our update on Climate Risk Management from August 2022). For a good summary of where on the fence the US sits and why this is a drag on progress, I would suggest listening to industry peers at the SEC's own conference from summer 2023, which clarifies the fundamental differences of approach in different jurisdictions.
Source SEC, May 2023, Emerging Trends in Asset Management. After about 33 minutes of intellectual self-stimulation on regulatory matters, there is an interesting discussion regarding the US stance (or lack of one) on Climate. It is a very good discussion on the different approaches and considerations.
Corporate Disclosure Standards
While we hoped that international agreements on accounting standards in Sustainability and Climate would resolve the key conundrums, we understand there are still some differences of opinion on whether disclosures should be purely on financial impact, environmental or both, so the dynamic debate on disclosure continues across the different jurisdictions. IFRS 1 and IFRS 2 were issued (Source: IFRS.Org) by the International Sustainability Board (ISSB) in June and were endorsed by IOSCO (Source: IOSCO) in July. The US manager framework is continuing to lean toward investor-led benefits, with a view to letting the market decide, while the European framework continues to broaden the stakeholder benefactors to the community at large.
Cognitive Climate Solutions
While there are still a few general matters under discussion, we have worked with the Red Links (Source: Red Links) consortium and Inflection Point Intelligence to produce online training "Climate 101 for Managers and Analysts" because the key to getting to an ongoing solution is ensuring that the people involved in the research and decision making understand the fundamentals on where climate comes into the risk reward decision. It is not something that a control function like compliance or risk can determine until the investment team decides what they wish to achieve when it comes to climate strategy. Sure, there are metrics that can be used as a yardstick, but ultimately the decision-making team will need to determine their own goal posts if they wish to harden their stance on climate. This training has been designed to get that team on the same page, regardless of the remaining uncertainties.
If you are interested in getting decision makers onto the same page, we invite you to consider getting them to take this course which covers the things that would interest them from an investment point of view and includes references to the various sources of information that can help. Find a link to our course update here (Group Rates available) or you can directly sign on to the course here.
Cayman Governance Standards
CIMA's Governance Rule and Statement requirements come into play from 14th October. Please find a summary here (Source: Walkers). We expect that our clients satisfy the requirements, as we tend to work with firms that utilise professional directors from well-established Cayman service providers. Nevertheless, we are highlighting the obligations and consider any outliers as part of our ongoing governance reviews, as independence and governance of a fund’s board is a key control mitigating conflict.
US Private Fund Rules (Managers of Private Funds)
Take a deep breath, some paracetamol and be prepared to hibernate for the winter as the private fund rules are here (Private Fund Adviser Rules (aima.org)). While on the face of it, it appears to focus on US onshore funds (see detailed discussion here), an impact on non-US funds is inevitable.
There are a number of provisions that will not apply based on registration status (RIA only) but may impact firms that are sub-advising onshore funds.
With regard to preferential terms, as pointed out by AIMA, the SEC clarify their intent in the adopting release: “We … clarify that the restricted activities rule and the preferential treatment rule do not apply to offshore unregistered advisers with respect to their offshore funds (regardless of whether the funds have U.S. investors).” This is an intent not to act, and intent can change.
Opinion: The sheriff is chasing perceived unfair practices off his patch (i.e., Onshore US) but the political nature of the changes will be likely to unfairly impact the majority of the industry and seem to favour a concentration of AUM to larger institutional managers. That is to say, the reduced incentivisation towards independent managers is likely to concentrate the industry by increasing barriers to entry. In the US, at least, this could restrict access to capital for start-ups and choice for investors, and this is why the associations including AIMA have taken up the cause. Firms should maintain awareness of the developments, in order to determine the best time to take action.
Private Fund Rules - Disclosure and Transparency on Terms
With regard to the disclosure and transparency requirements codified in the new US Private Fund rules, we have certainly been through the same debate many times before. During AIFMD (2013) and more recently during Hong Kong's FMCC update (2018), transparency and disclosure of preferential terms were tackled. In both cases similar disclosure standards on transparency were introduced but stopped short of prohibitions on preferential treatment for seed investors. Understanding your side letters, product offering, and seeding arrangements will be crucial for when it is time to focus on updates to fund documents with counsel.
From SFC Fund Manager Code of Conduct - 3.14.2
"Where a Fund Manager has granted preferential treatment (eg. side letters) to certain investors, it should disclose such fact and the material terms in relation to redemption in the side letters to all relevant potential and existing fund investors."
AIFMD (EU Directive on Alternative Funds) - Disclosure obligations
"a description of how the AIFM ensures a fair treatment of investors and, whenever an investor obtains preferential treatment or the right to obtain preferential treatment, a description of that preferential treatment, the type of investors who obtain such preferential treatment and, where relevant, their legal or economic links with the AIF or AIFM;"
The implications of these changes were discussed at length but recognise a general duty to disclose potential for preferential treatment. The disclosure obligations are not too far of a stretch and the detailed reporting obligations imposed on certain topics are new, but the absolute prohibitions are likely to be hotly discussed at the very least.
Private Fund Rules - Documented Compliance reviews for Registered Investment Advisers
Cognitive GRC has always delivered ongoing documented compliance reviews. Whether you maintain separate compliance, risk or internal audit departments or not, if you are not conducting some form of independent review of your compliance with your obligations, you are leaving yourself exposed.
RIAs have always been required to conduct reviews, but the fact that the SEC are now mandating documentation of such activity for private fund managers (at least for RIAs with Onshore Funds) should not really impact most firms that already should be doing so. ACA have recently published a series of webinars on what these reviews should entail, and we are lucky to be aligned with those standards as part of our risk-based service. The series is definitely worth a look to consider where you sit within best practice.
Risk based compliance monitoring has been our forte so whether you are a registered investment adviser or not, we highly recommend regular documented reviews of what you do to mitigate risk. This is particularly important if you are looking to justify limited resources in your control infrastructure. It is not just to satisfy big-ticket investors; it is something that is key to a firm's longevity, and it assists with ongoing operational resilience. Trust but verify and evolve with your risk profile to justify your controls infrastructure. As we have been doing this for years, it forms the backbone of our product.
Private Fund Rules - General Approach
The bigger US issues will be debated over the next 6 months but are more than likely going to result in an update to private placement memorandums for both new and launching funds. There are some grandfathering provisions, but the disclosure requirements will be forward looking.
If you can support the institutions (like AIMA and/or MFA) taking the SEC to account on these matters or if you have any influence on implementation of these matters, you should continue to press. At this stage we can only recommend that you do what makes sense according to your risk appetite and/or bandwidth and evaluate the damage that may be done to your business model by these changes.
AIMA is part of a group of interested associations pressing the SEC on matters that include the Private Fund rules and we are watching with interest. We hear that the courts have agreed to have the hearings sooner rather than later which is great news as the uncertainty does not reduce the anxiety. We cannot avoid the busy work here, but we hope to help our clients to avoid time that may be lost.
For currently registered investment advisers, the cost of offering your product to certain types of clients may become beyond your tolerance but such a cost may be necessary if you wish to continue to access US investors. Keeping funds offshore may help mitigate the costs but if you have onshore funds, the nature of the adoption may not give you an out as the prohibitions on unfair treatment extend across all pools.
We will watch the industry lawsuits as these developments play out and maintain a balanced awareness of what matters. Whatever the outcome we expect the service provider community will find a way to navigate and we can assist once the legal matters have been addressed. Expect some noise on this area.
US Form PF Event Reporting Guide (Registered Investment Advisers)
Applicable from 11 December, the event reporting obligations will apply to Large Hedge Fund Advisers for relevant events that occur after that date. Quarterly reporting applies to Private Equity Fund Advisers relating to events that occur after that date. AIMA's summary gives more detail and they have also published a guide for members. Large Hedge Fund Advisers with qualifying funds that are approaching the threshold (USD 1.5 billion) should be considering the triggers for each reporting category, as they kick in once the threshold is met and will require 72-hour notifications:
Extraordinary investment losses within a short period of time,
Significant margin, collateral or equivalent increases,
Receipt of notice of margin default or a determination of the fund’s inability to meet a call for margin, collateral or equivalents,
A counterparty defaults,
A prime broker relationship is terminated or materially restricted,
A significant disruption or degradation of the fund’s critical operations,
Significant cumulative calls for withdrawals and redemptions; or
Unable to pay redemption requests or suspension of redemptions.
The majority of these would be something that most regulators would expect to be informed about, but the specific timing is new, indicating updates to your investor redemption and broker management processes may be necessary.
US Cyber Incident Reporting
You may have noted that the SEC has already implemented more reporting for issuers (listed companies, and funds) from end of this year (SEC Notice; Source: SEC), but the proposed rules that will apply to managers and funds are due to come into play January 2024 with fairly tight deadlines.
These requirements are still under debate, but applicable to registered investment advisers and we are expecting further discussion during 2023.
Apart from requiring fund board approval, the requirements are not too dissimilar to what would be expected of most firms in UK, Hong Kong or Singapore with regards to cyber and data security, and summarised here:
Adopt and implement (and review at least annually) written cyber security policies and procedures reasonably designed to address cyber security risks, which would be required to cover several specific elements, including:
risk assessment.
user security and access.
information protection.
cyber security threat and vulnerability management; and
cyber security incident response and recovery.
Reporting of events within 48 hours.
Again, generally covered in prior recommendations and policies but something to be considered in annual reviews.
US Fund Names Criteria
In short, the SEC has updated and tightened expectations on naming of funds (US Registered Investment Funds, Unlisted Closed End Funds and Business Development Companies) and will provide a long time for funds to adjust (2 years for Funds with less than 1 billion, and 30 months for Funds with more than that). It is a good idea to be aware of this one as it re-iterates principles regarding mislabelling and provides a bright line percentage (80%) as to what they believe is acceptable with regards to names against investment policy.
Names Rule Notice: Source SEC
Fact Sheet: Source SEC
US Custody Rules
Don't fall foul of a foot fault on the application of custody requirements. Remind yourself of when they apply and why and how you comply, as it is relatively straightforward to maintain compliance but the details of why are easy to forget. Check in with your advisors on status and note the recent cases and issues that have been found.
SEC Charges Five Advisory Firms (Source SEC)
Another area where proposed changes are under fire, as they will create a lot of effort in repapering relationships if they go ahead.
Proposed Rules: (Source AIMA)
Brian Daly of Akin Gump Strauss Hauer & Feld LLP created a great resource (Source: LinkedIn/Akin Gump) for those who need to get into the nitty gritty.
Fee Allocation and NAV Calculations Conflicts
We thought it would be worth highlighting some recent focus by regulators on conflicts of interest around the allocation of fees and valuations. As a general reminder, it is required for SFC Managers to conduct annual reviews of their valuation process and firms should also reference those reviews to best practice. We conduct such reviews for our client based on latest best practice.
One case, which was highlighted earlier this year, contained reference to the level of flexibility that can be left in policies (e.g. with regard to fee allocations or impairment decisions) and shows how too much flexibility in a policy can jeopardise a firm’s ability to comply with the requirements.
In other words, if you try to be too clever in trying to obtain maximum flexibility in your policies, you could be found to have failed to mitigate the potential conflict that the policy was trying to address.
While this case was a private equity manager and related to a closed ended fund, the situation could apply to other types of firms (e.g. more liquid funds with side pockets) and policy applications. I have to give the credit to Vivek Pingili’s article (Source: LinkedIn) for raising awareness of this discussion as it helps elaborate on the concepts that should be considered.
SEC Charges Private Equity Fund Adviser for Overcharging Fees and Failing to disclose Fee Calculation (Source SEC)
Exempt Reporting Advisers (Offshore)
A note about the typical approach for Exempt Reporting Advisers that have US investors. Our typical client will not have a US domiciled fund, or a US managed account, but they will normally have US investors. They will typically have access to the exemption from being a registered investment advisor under the US requirements. Generally, this means that specific provisions will not apply.
While we find market participants can take comfort from their status as ERAs in that certain specific requirements of the marketing rules, and the new private fund rules will not apply, some of them could be applied either due to circumstances or under the general fiduciary obligations.
The private fund rules apply specific requirements to funds that meet certain criteria, but those specific requirements may still be applied in cases where individual investors feel that the general fiduciary obligations have not been met. As highlighted in the private fund rule update, some of these rules are not applied because the SEC has declared that it is not their intent. However, intent is something that can easily change, so we continue to caution against overreliance on the exempt status.
This is just a reminder not to cling to the exemption too tightly as while there are elements of the exemption that apply, the way in which the specifics apply to registered advisers will be considered should the application of the fiduciary requirements come up for those that are otherwise exempt.
This is why we would typically look to the higher standard from a conflicts or fiduciary duty when looking at these matters, even where clients are not onshore registered investment advisers.
Record Keeping - Unapproved Record Keeping Channels
The fines keep coming in on use of non-sanctioned communications channels. Firms need to be aware of the consequences as the numbers are large and the SEC is promoting self-reporting.
If a ban on all forms is not practical, and the technology solution is not yet being considered, we note that there are some more cost-effective solutions emerging and there are other ways of protecting the firm if the industry norms are not coming in line. Simple changes to policy and procedures can be employed here.
Earlier in the year, we noted that the SEC (Source: SEC) adopted some changes to broker dealer/swap dealer rules that now accept the status of alternate solutions to WORM compliance within outsourced infrastructure and match some of the points made during our own EDSP discussions in Hong Kong.
In addition, the SEC have underlined the importance of reviewing service providers (Source: SEC) from a data security and control point of view. We have previously dealt with this under operational resilience updates, but it is great to see the SEC is coming in line with regards to earlier IOSCO positioning on outsourcing from last year and aligning their views. We re-iterate the importance of your service provider reviews in this regard.
CSRC - Privacy Requirements
The China Securities Regulatory Commission and the Cyberspace Administration of China have been continually active in the last few years adopting frameworks for the management of data. The measures mirror controls that have been put in place in other countries to protect individuals' data and rights. However, there are ones which may be considered a little extra. Obviously, it is extremely important for anyone involved in cross border data collection, storage and transfer to obtain specific advice on their individual circumstances, but even firms with limited exposure to the activity should consider their position. It has been difficult to source good material to present the broad requirements but reference to the cross-border element has been provided by Hong Kong's Office of Privacy here (Source: Privacy Office Hong Kong). There is also a good summary here (Source: Market Research Society 2023) but you should definitely reach out to your China Data specialist. There appear to be some de minimis levels but a detailed analysis of your exposure would be necessary to confirm.
Obviously there have been some situations that have arisen with regard to transfer of sensitive information and firms should adopt controls equal to their potential exposure. Firms that collect data from third parties should have controls to avoid coming into contact with sensitive data that would give rise to concerns.
Firms that have adopted GDPR level internal assessment and procedures should be able to satisfy themselves of coverage in terms of data inventory and locational matters, but they should be also considering exposure to these requirements if they operate with a cross border element. Those that have not yet covered this may need to do a self-assessment to consider their position.
Obviously sensitive data will create a concern. Transfer of personal data will create a need to conduct an analysis but not all transfers will require a formal review. Any transfer of personal data cross border will need to be subject to appropriate controls.
Use of Artificial Intelligence
While some are steaming ahead, like many new things that we are dealing with, often the old wisdom still applies. Unless the database that you are using exists only in a ringfenced environment on your network, putting anything into that system will expose it to being used or accessed by others. Appropriate care is required. Don't put sensitive data into such systems. We are still looking at what this means for policy and procedures but are raising it as part of training.
General
We produced these summaries to make sure we are covering areas of concern. If you feel that you are covered on these topics, then we would assume that you are our clients, but if not, please do contact us. If there is anything you think is important, but we have not covered, please do reach out to your consultant or contact me directly at dmg@cognitivegrc.com.
Look out for updates on the Consultation on Market Sounding in Hong Kong, and Beneficial Ownership reporting from the US.
We are again taking part in Regulation Asia's annual Technology Awards providing us with access to the latest and greatest system solutions for Compliance matters that are being offered, keeping us up to date on the latest solutions.
Office
You may have noted that we have moved back to our old office in LKF Tower after our hiatus in Sheung Wan.
Training
Please note the addition of online Climate training produced with Red Links and the updates to AML training in respect of digital assets if you have a chance. We have provided a YouTube update here.
The team and I are looking forward to continuing to support you.