A look into the future: What may the SEC have in store for Rule 38a-1?

As with all business decisions, there are pros and cons to making a major change to the way your firm operates. With today’s trend towards outsourcing front-office functions, such as OMS and compliance systems, to managed service providers, the obvious upside is that asset managers can refocus their energies away from the day-to-day operation of those systems; the downside is that transparency into the systems is lost. Given this, if asset managers do not have a clear grasp of their provider’s processes and controls, they risk losing money, clients, their reputation, and perhaps their company. Do you want to be in this press release in the future?

SEC Fines EIA Asset Management $6.5 Million for failure to properly oversee trading system vendor

Washington D.C., September 19, 2020. Using its authority under rule 38a-1, the SEC today fined EIA Asset Management $6.5 million due to breaches stemming from its lack of oversight of its hosted trading and compliance system vendor, KOTRT Systems, whose rule coding for trading and batch compliance resulted in a loss to mutual fund shareholders of over $5,000,000. In a statement, Commission Chairperson Black stated: “As investment trading technology evolves, and the control over compliance rule coding lies increasingly outside of the hands of investment advisers’ staff, the Commission will not allow registered investment companies to absolve themselves of their fiduciary responsibilities to mutual fund shareholders and other investors. It behooves the adviser community to constantly review and update their policies and procedures around overseeing third party vendors. Indeed, controls should be tightened to the point whereby there is no material difference between rule coding being done internally and by a technology vendor. Advisers should aim for, and demand to have, complete transparency into the operations of their third party vendors.”

In 2019, the SEC expanded the requirements of 17 CFR 270.38a-1 to include “managed service providers.” Previously, only the fund, investment adviser, principal underwriter, administrator, and transfer agent of the fund were specifically covered by this rule.

A series of events ultimately led to the compliance error in question. First, the investment adviser’s compliance staff did not understand the meaning of the coding logic that was meant to capture the rating of the underlying obligor of municipal bonds. Secondly, the vendor did not have the proper procedures and controls in place to accurately capture, define, test, record, and obtain four-eyes approval of the rule before deploying it into a production environment. In addition, EIA Asset Management failed to review the procedures and controls of the vendor, and failed to disclose this deficiency annually to the Board. Due to the miscoding of a compliance rule, a security that was ineligible for the fund made up over 4% of its net assets, which led to a $5.3 million loss to shareholders when the underlying obligor of the bond defaulted on its interest payments.

What Compliance needs to know about their provider’s processes and controls

Although we are unaware of the SEC having taken action specific to vendor oversight to date, we do not rule it out. Under rule 38a-1 of the Investment Company Act of 1940, all registered investment companies must have policies and procedures regarding administrator oversight, and must conduct an annual review of all administrators. Although 38a-1 does not specifically define technology vendors as administrators, once rule coding is outsourced, technology companies are in effect playing the role of administrators.

In order for asset managers to protect themselves from trading errors and SEC action, we recommend that the following steps be taken:

1. Review the SSAE 16 certification document from your managed service provider, or perform an audit as if you were seeking to certify the organization as SSAE 16 compliant.

To date the SEC has focused on audits of asset managers; however, it seems inevitable that at some point an issue will rear its head which puts the focus firmly on the vendor. On an annual basis, as is already required for fund administrators, the effectiveness of the implementation of the vendor’s policies and procedures should be tested.

2. Additionally, the following questions should be asked of the providers:

a. What are your procedures around setting up compliance rules?

Writing compliance rules accurately is a skill not easily mastered. In many cases, vendors will (regrettably) assign this responsibility to individuals with limited industry experience, let alone compliance-specific experience. For this reason in particular, compliance SaaS providers should have highly detailed best practices and control/review procedures, which they can share with their clients.

b. How do you notify the end-users about changes in functionality?

It has been our experience that not all functional changes to a compliance system’s rule coding language are communicated to clients ahead of time. Asset managers should confirm with their vendors on a frequent basis whether material changes have been made to the functionality of the coding language. This can take the form of conversation at face-to-face meetings, conference calls, or e-mail.

c. What additional controls are in place to keep clients up to date on changes to the coding language, and to system capabilities in general?

The importance of being comfortable with your vendor’s level of transparency during system changes, and with its controls, cannot be overstated. This should be expressed directly to your relationship manager at the vendor early and often during the implementation phase, and for as long as necessary throughout the relationship. Be upfront with them about this and underscore that the health of the relationship depends on their transparency. An internal score sheet should be kept of any instances where changes were not communicated, and this should be shared with the client as necessary.

d. Consider engaging external consultants to protect your interests when dealing with SaaS providers.

Consultants can bring their industry knowledge and experience with system implementations to the table, and advocate for you when undertaking a system conversion or implementation. IMP Consulting offers its CLEAR (Compliance Library Enhancement and Audit Review) service, which can assist you with the steps outlined above, in addition to testing all the new rules coded on your vendor-hosted compliance system. Partnering with a firm like IMP can make all the difference between a failed implementation with a difficult vendor relationship, and a well-managed, productive vendor-client relationship.

In closing, as asset managers move their systems to SaaS providers, the temptation is to perceive the shift in responsibilities as a net time gain; in the short term at least, however, this should not be viewed as a pure time-savings opportunity. Rather, asset managers should focus on ramping up the oversight of their new technology partners. The worst decision that can be made is to assume that your vendor has robust policies and procedures. On the contrary, until a high degree of confidence in the SaaS vendor’s controls has been achieved, review and testing of the changes the vendor makes should be undertaken on a regular and frequent basis.

This article was authored by Roger Binggeli, Senior Compliance Consultant. For more information, please contact Roger at rbinggeli@impconsults.com or Jane Stabile at jmstabile@impconsults.com. Roger can also be reached on 617-314-7415 x118.