2020 Investment Adviser Update—There’s a “Voice Inside Your Head You Refuse to Hear” (But You Should)
The rules and regulations governing private equity and hedge fund advisers continue to develop in response to changes in technology. As a result, advisers are subject to an ever-increasing degree of supervision by the Securities and Exchange Commission (SEC) and self-regulatory organizations. This update summarizes some of the most important developments of the past year. We will focus on SEC examination priorities, look at some significant recent regulatory developments, and review certain recent SEC enforcement actions. Many investment advisers have already adopted similar policies and procedures to safeguard data and customer information, and it is hoped that others will quickly follow suit.
SEC Examination Priorities for 2020
On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its examination priorities for 2020 (Exam Priorities) for various regulated entities, including investment advisers. OCIE announces its exam priorities annually to provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets. The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. Advisers are encouraged to review their current policies, procedures and client disclosures with these priorities in mind. Exempt reporting advisers (ERAs), as well as registered investment advisers (RIAs), are subject to SEC examination, although the SEC has indicated that it does not expect to examine ERAs on a routine basis.
OCIE completed 3,089 examinations, including some 2,180 RIA examinations, in 2019. While this is a 2.7 percent decrease from 2018, OCIE attributes the relatively small decrease to the month-long suspension of examinations during the 2019 government shutdown. In 2019, the OCIE National Exam Program examined approximately 15 percent of all RIAs. OCIE has increased its examination coverage of RIAs over the past several years from 10 percent in 2014 to a high of 17 percent in 2018.
OCIE’s current examination priorities, as outlined in the Exam Priorities, reflect both perennial risk areas that have been emphasized in recent years and risks associated with developing products and services. The priorities are focused on seven topics: (a) retail investors, including seniors and those saving for retirement; (b) information security, including cybersecurity risks; (c) financial technology and innovation, including digital assets and electronic investment advice; (d) focus areas involving RIAs, investment companies, broker-dealers and municipal advisors; (e) anti-money laundering programs of financial institutions that are required by regulation to establish such programs; (f) market infrastructure; and (g) select areas and programs of FINRA and the Municipal Securities Rulemaking Board. 
Exams are Risk-Based and Data-Driven
OCIE notes that, while the Exam Priorities provide a preview of key drivers of OCIE examinations and where OCIE intends to focus its limited resources, they do not encompass all of the areas that will be covered in exams. As explained in the Exam Priorities, the scope of any examination is determined through a risk-based approach that includes analysis of the registrant’s operations, products offered, and other factors. The Exam Priorities emphasize that this risk-based approach, both in selecting registered entities to examine and determining the scope of risk areas to examine, “provides OCIE with greater flexibility to cover emerging and exigent risks to investors and the marketplace as they arise.”
Continued Focus on Retail Investors
For both broker-dealers and investment advisers, OCIE continues to emphasize the protection of retail investors. Examinations will have a particular focus on (a) seniors, including recommendations and advice made by advisers targeting retirement communities, and on teachers and military personnel, and (b) retail-targeted investments, such as mutual funds and exchange-traded funds, municipal securities, other fixed income securities and microcap securities. Among other focus areas, examiners will look for financial incentives that may influence the selection of particular mutual fund share classes; will seek to ensure that investors are receiving fee discounts consistent with applicable requirements; and will review the oversight practices of fund boards of directors.
Other Focus Areas Relevant to Investment Advisers
Many of the topics covered in the Exam Priorities, including those discussed primarily in the section on retail investors, are relevant not only to advisers with retail clients, but also to advisers that advise other types of clients, including institutional clients and private funds. Focus areas include:
Disclosure, Conflicts of Interest, Fiduciary Duty. OCIE will continue to examine RIAs to evaluate whether, as fiduciaries, they have fulfilled their duties of care and loyalty. This will include assessing whether RIAs provide advice in the best interests of their clients and eliminate, or at least expose through full and fair disclosure, all conflicts of interest that might incline an RIA, consciously or unconsciously, to render advice that is not disinterested. Among other things, OCIE will review for firms’ compliance with the Interpretation Regarding Standard of Conduct for Investment Advisers that was issued in June 2019, as well as the content and delivery of the new Form CRS Relationship Summary.
RIAs to Private Funds. OCIE will continue to focus on RIAs to private funds that have a greater impact on retail investors, such as firms that provide management to separately managed accounts side-by-side with private funds. OCIE also will assess compliance risks, including controls to prevent the misuse of material, non-public information, and conflicts of interest, such as undisclosed or inadequately disclosed fees and expenses and the use of affiliates to provide services to clients.
Higher Risk Products. OCIE will focus on higher risk products – including private placements and securities of issuers in new and emerging risk areas – such as those that are complex or non-transparent and/or have high fees and expenses, or in which an issuer is affiliated with the firm making the recommendation.
RIA Compliance Programs. Areas of focus will include whether firms maintain effective compliance programs to address the risks associated with best execution and prohibited transactions. OCIE will prioritize examining firms that utilize the services of third-party asset managers in order to assess, among other things, the adequacy of due diligence practices. The Exam Priorities noted that OCIE has a particular interest in the adequacy of disclosures provided by RIAs offering new or emerging investment strategies, such as strategies that incorporate environmental, social and governance (ESG) criteria. OCIE also prioritizes examination for compliance with the Advisers Act custody rule, including audited financial statements and surprise examinations.
Never-Before-Examined Investment Advisers. OCIE will continue to conduct risk-based examinations of certain investment advisers that have never been examined, including newly-registered advisers as well as advisers registered for several years that have not yet been examined. OCIE also will prioritize examinations of certain investment advisers that have not been examined for a number of years, to focus on whether the firms’ compliance programs have been appropriately adapted in light of any substantial growth or change in their business models.
Dual Registrants. OCIE will continue to prioritize examinations of RIAs that are dually registered as, or are affiliated with, broker-dealers, or have supervised persons who are registered representatives of unaffiliated broker-dealers.
Information Security (including Cybersecurity). OCIE will continue to work with firms to identify and address information security (including cyber-related) risks. Specific to RIAs, OCIE will continue to focus its exams on assessing protection of clients’ personal financial information. Particular focus areas will include (1) governance and risk management; (2) access controls; (3) data loss prevention; (4) vendor management (including oversight practices related to network solutions and cloud-based storage); (5) training; and (6) incident response and resiliency.
Digital Assets. In light of the perceived heightened risks of digital products, OCIE will continue to focus on market participants in the digital assets market. OCIE examinations related to digital assets will assess portfolio management and trading practices, the safety of client funds and assets, pricing and valuation and the effectiveness of compliance programs and controls. OCIE examinations related to digital assets also will assess investment suitability and supervision of employees’ outside business activities.
Robo-Advisers. Examinations of RIAs that provide services to clients through automated investment tools and platforms (often referred to as “robo-advisers”) will focus on areas including SEC registration eligibility; cybersecurity policies and procedures; marketing practices; adherence to fiduciary duty, including adequacy of disclosures; and the effectiveness of compliance programs.
Recent Regulatory Developments and Guidance that May Affect an Adviser’s Compliance Program
The following regulatory developments may affect the compliance programs of certain advisers. Advisers may want to consider reviewing these and other changes in applicable laws, rules, regulations and/or SEC staff guidance to determine whether compliance policies and procedures need to be added or revised.
Guidance on Cybersecurity and Operational Resiliency
In January 2020, OCIE issued observations from examinations of investment advisers and other SEC registrants to assist market participants in considering how to enhance cybersecurity preparedness and operational resiliency (Cybersecurity Guidance). OCIE recognized at the outset of the report that there is no “one-size-fits-all” approach and that not all of the practices discussed in the report may be appropriate for any one firm. OCIE stated, “In sharing these staff observations, we encourage market participants to review their practices, policies and procedures with respect to cybersecurity and operational resiliency. We believe that assessing your level of preparedness and implementing some or all of the above measures will make your organization more secure.”
Governance and Risk Management. The Cybersecurity Guidance stresses that effective cybersecurity programs start with the right tone at the top. OCIE has observed firms utilizing the following risk management and governance measures:
Devoting senior leadership attention to setting the strategy of and overseeing the firm’s cybersecurity and resiliency programs;
Conducting a risk assessment to identify, prioritize and mitigate cyber risks;
Implementing, monitoring and testing comprehensive written cybersecurity policies and procedures;
Continuously evaluating and adapting to changes; and
Establishing communication policies and procedures to provide timely information to senior management, customers, employees, other market participants and regulators, as appropriate.
Access Rights and Controls. Access rights and controls are used to determine appropriate users for organization systems based on job responsibilities and to deploy controls to limit access to authorized users. OCIE has observed firms with strategies that include, for example:
Developing a clear understanding of access needs to systems and data;
Managing user access through systems and procedures that implement separation of duties for user access approvals, re-certify access rights on a periodic basis, and utilize multi-factor authentication; and
Monitoring for unauthorized user access.
Data Loss Prevention. OCIE has observed the following data loss prevention measures, among others:
Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, work stations and endpoints within both the firm and applicable third-party providers;
Implementing perimeter security capabilities that are able to control, monitor and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic;
Maintaining an inventory of hardware and software assets, including identification of critical assets and information;
Using tools and processes to secure data and systems through encryption and network segmentation; and
Verifying that the decommissioning and disposal of hardware and software does not create system vulnerabilities.
Incident Response and Resiliency. OCIE has observed that many firms have incident response plans that include the following elements, among others:
Developing a risk-assessed incident response plan for various scenarios, including denial-of-service attacks, malicious disinformation, ransomware, and key employee succession, as well as other extreme but plausible scenarios;
Determining and complying with applicable federal and state reporting requirements;
Testing the incident response plan and potential recovery times; and
Developing a strategy for operational resiliency with defined risk tolerances tailored to the firm.
Vendor Management. OCIE has observed the following practices:
Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented;
Understanding all contract terms to ensure that all parties have the same understanding of how risk and security are addressed; and
Monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
Other topic areas covered in the Cybersecurity Guidance include establishing policies and procedures that address the additional and unique vulnerabilities associated with mobile devices and applications and the key role of cybersecurity training.
Guidance Regarding Proxy Voting and Proxy Advisors
In August 2019, the SEC published the Proxy Voting Guidance to assist investment advisers in fulfilling their proxy voting responsibilities, particularly when relying on proxy advisors (e.g., ISS or Glass Lewis). The SEC encourages investment advisers to review their policies and procedures in light of the Proxy Voting Guidance.
The Proxy Voting Guidance underscores that an investment adviser is a fiduciary that owes to each of its clients duties of care and loyalty regarding “all services undertaken on the client’s behalf, including proxy voting.” It also re-emphasizes that using a proxy advisor to assist with voting in no way relieves an investment adviser of its fiduciary duty to serve its client’s best interest.
The SEC notes, among other things, that an investment adviser and its client may agree on the scope of the investment adviser’s proxy voting authority and responsibilities. Investment advisers that assume proxy voting authority may establish a variety of voting arrangements with their clients, subject to full and fair disclosure and informed consent. For example, the investment adviser may vote according to specified parameters designed to serve the client’s best interest (e.g., in favor of all management proposals) or may vote only on certain types of proposals (e.g., relating to significant corporate events), based on the client’s preferences.
The SEC provides several examples of actions an investment adviser can take to ensure that it is making voting determinations in accordance with its proxy voting policies and procedures and in a client’s best interest. The SEC recommends, among other things, that an investment adviser consider:
Applying a more detailed, company-specific analysis for certain types of proposals (e.g., significant corporate events);
Annually reviewing a sampling of the proxy votes it casts; and
If it votes proxies on behalf of multiple clients with diverse investment goals, whether applying a uniform voting policy to all such clients would be in each of their best interests or whether different voting policies should apply.
The Proxy Voting Guidance provides a non-exhaustive list of factors the SEC believes an investment adviser should consider when deciding whether to retain (or continue to retain) a proxy advisor, including whether:
The proxy advisor has the ability to adequately analyze the matters for which the investment adviser is responsible for voting;
The proxy advisor has sufficiently informed the investment adviser about its methodologies in formulating voting recommendations; and
The proxy advisor’s conflict of interest policies and procedures provide “context-specific, non-boilerplate” disclosure of the proxy advisor’s actual and potential conflicts with respect to the services provided to the investment adviser.
The SEC stated that an investment adviser should consider taking certain steps if it becomes aware of potential factual errors, incompleteness or methodological weaknesses in a proxy advisor’s analysis that may materially affect the investment adviser’s voting determination, and should consider evaluating a proxy advisor’s services on an ongoing basis.
According to the Proxy Voting Guidance, even if an investment adviser has assumed voting authority on behalf of a client, it is not required to exercise every opportunity to vote a proxy for that client. Such instances include those in which (i) the investment adviser and its client agreed in advance to limit the conditions under which the investment adviser would cast a vote and (ii) the investment adviser has determined that refraining from voting is in the client’s best interest (e.g., the cost exceeds the expected benefit).
Finally, an investment adviser should review and document at least annually that its voting policies and procedures are reasonably designed to ensure that the investment adviser votes in its clients’ best interests.
Investment Adviser Standard of Conduct and Form CRS
On June 5, 2019, the SEC adopted new rules and interpretations related to the standard-of-conduct requirements for investment advisers and broker-dealers:
Regulation Best Interest (Regulation BI), a new rule imposing a “best interest” standard of conduct on broker-dealers making recommendations to retail clients;
Broker-Dealer “Solely Incidental” Exclusion, a new interpretation of Section 202(a)(11)(C) of the Advisers Act, which excludes from the definition of “investment adviser” any broker or dealer that provides advisory services when such services are “solely incidental” to the conduct of the broker’s or dealer’s business and when such incidental advisory services are provided for no special compensation;
Interpretation Regarding Standard of Conduct for Investment Advisers (the IA Interpretation), a new interpretation intended to clarify an investment adviser’s fiduciary duty to its clients; and
Form CRS Relationship Summary, a new rule requiring both broker-dealers and investment advisers to provide retail clients with summary information about the nature of their relationship.
Information regarding the IA Interpretation and Form CRS is provided below.
Standard of Conduct for Investment Advisers. The IA Interpretation, which is largely consistent with previous SEC statements on the federal fiduciary standard, reaffirms and clarifies the SEC’s view that an investment adviser owes a fiduciary duty to its clients under Section 206 of the Advisers Act. In the IA Interpretation, the SEC emphasizes that an adviser must (i) at all times serve the best interest of its client and not subordinate its client’s interest to its own interests and (ii) make full and fair disclosure of all material facts, with particular attention to potential conflicts of interest.
The release interprets an investment adviser’s obligations to all of its clients (not only retail clients), but states that sophisticated clients such as registered investment companies and private funds are permitted to shape the scope of their relationships to which fiduciary duties apply. The release confirms that while no adviser can ask any client to waive fiduciary status entirely, “it will apply in a manner that reflects the agreed-upon scope of the relationship.” The release states that a client’s informed consent following “full and fair” disclosure can be either explicit or implicit, depending on the facts and circumstances. The question of whether a hedge clause seeking to limit an adviser’s liability violates the Advisers Act’s anti-waiver provisions depends on all of the surrounding facts and circumstances, including the sophistication of the client.
The IA Interpretation affirms that, generally speaking, an investment adviser can disclose conflicts for purposes of obtaining informed consent with no categorical duty to mitigate or eliminate those conflicts. However, the SEC states that if an investment adviser “cannot fully and fairly disclose a conflict of interest to a client such that the client can provide informed consent, the adviser should either eliminate the conflict or adequately mitigate (i.e., modify practices to reduce) the conflict such that full and fair disclosure and informed consent are possible.” According to the SEC, stating that an adviser “may” have a conflict is insufficient if the conflict actually exists, but using the term “may” can be appropriate if the conflict does not currently exist but might reasonably present itself in the future.
Form CRS Relationship Summary. Effective June 30, 2020, RIAs must provide retail investors with summary information on Form CRS (new Form ADV Part 3) about the nature of their relationship. For purposes of Form CRS, “retail investor” is defined as “a natural person, or the legal representative of such natural person, who seeks to receive or receives services primarily for personal, family or household purposes.” (Notably, there is no exception for sophisticated natural person clients.) An investment adviser to a pooled investment vehicle, such as a hedge fund or private equity fund, that includes natural persons who may be “retail investors” as defined in Form CRS is not required to deliver a relationship summary to those investors or the fund.
Form CRS must be delivered to each retail investor before or at the time the adviser enters into an investment advisory contract with the retail investor. If an adviser does not have any retail investors to whom it must deliver a relationship summary, it is not required to prepare or file one.
The form requires summary information about the types of client relationships and services the adviser offers; its fees and costs; any conflicts of interest; the required standard of conduct; the disciplinary history of the firm and its financial professionals; and how to obtain additional information. Form CRS must be prepared in a question-and-answer format, with standardized questions functioning as the headings in a prescribed order. The adviser also must include follow-up questions for retail investors to ask their financial professionals as “conversation starters.” Broker-dealers also must provide Form CRS to their retail investors; dual registrants can prepare one single Form CRS discussing both brokerage and investment services. The form must not exceed two pages for investment advisers and four pages for dual registrants. Form CRS must be updated within 30 days whenever the form becomes materially inaccurate.
For investment advisers, Form CRS must be filed electronically with the Investment Adviser Registration Depository (IARD) filing system as Part 3 of Form ADV. Advisers that are required to file Form CRS and are already registered or have an application for registration pending with the SEC before June 30, 2020 must electronically file Form CRS beginning on May 1, 2020 and by no later than June 30, 2020, either as: (i) an other-than-annual Form ADV amendment or (ii) part of the Form ADV initial application or annual updating amendment. As soon as the adviser has filed its first Form CRS online, delivery to new and prospective retail investors must begin. Form CRS must be delivered to existing retail investors within 30 days from the date the adviser has filed its Form CRS.
Principal and Agency Cross Trading Compliance Issues
On September 4, 2019, OCIE issued a Risk Alert identifying common issues regarding principal trading and agency cross transactions found during investment adviser examinations performed by OCIE over the last three years. Below are examples of the most common deficiencies or weaknesses identified.
Principal Trading. OCIE staff observed advisers that did not appear to follow the specific disclosure and client consent requirements of Section 206(3) of the Advisers Act. For example, staff observed that:
While acting as principal for their own accounts, some advisers purchased securities from and sold securities to individual clients without recognizing that such trades were subject to Section 206(3). Thus, these advisers did not provide the required written disclosures to clients or obtain client consent.
Some advisers recognized that they engaged in principal trades with a client but did not meet all of the requirements of Section 206(3), such as failing to obtain appropriate prior client consent for each principal trade and/or failing to provide sufficient disclosure regarding the potential conflicts of interest and terms of the transaction.
In some cases, client consent was obtained only after the completion of the transaction.
Some advisers effected trades between an advisory client and an affiliated fund, but failed to recognize that the adviser’s significant ownership interests in the fund caused the transaction to be subject to Section 206(3).
Some advisers effected principal trades between themselves and fund clients without obtaining consent from the fund prior to completing the transactions.
Agency Cross Transactions. Compliance issues noted in connection with agency cross transactions include:
Some advisers engaged in agency cross transactions in reliance on Rule 206(3)-2, despite telling their clients that they would not engage in agency cross transactions.
Some advisers effected agency cross transactions, purportedly in reliance on Rule 206(3)-2, but could not produce any documentation that they had complied with the written consent, confirmation and disclosure requirements of the rule.
OCIE staff also noticed advisers that engaged in principal trades and agency cross transactions without having adopted policies and procedures regarding such transactions, as well as advisers that had such policies and procedures in place but did not follow them.
OCIE encouraged advisers to review their policies and procedures, and the implementation of such policies and procedures, to ensure they are compliant with the principal trading and agency cross transaction provisions of the Advisers Act and the rules thereunder.
Safeguarding Customer Records and Information in Network Storage
On May 23, 2019, OCIE issued a Risk Alert identifying security risks associated with the storage of electronic customer records and information in various network storage solutions, including cloud-based storage. Concerns identified during recent examinations include misconfigured network storage solutions, inadequate oversight of vendor-provided network storage solutions, and insufficient data classification policies and procedures.
OCIE noted that implementing a configuration management system that includes policies and procedures governing data classification, vendor oversight and security features will help to mitigate the risks associated with on-premise or cloud-based network storage solutions. Examples of effective practices observed during examinations include:
Policies and procedures designed to support the installation, on-going maintenance and regular review of the network storage solution;
Guidelines for security controls and baseline security configuration standards; and
Vendor management policies and procedures that include regular implementation of software patches and hardware updates followed by reviews to ensure that the patches and updates did not unintentionally change or weaken the security configuration.
Among other points made in the Risk Alert, OCIE encouraged advisers to actively oversee any vendors they use for network storage to determine whether the service provided by the vendor is sufficient to enable the adviser to meet its regulatory responsibilities.
Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies
In an April 16, 2019 Risk Alert, OCIE staff discussed compliance issues related to Regulation S-P identified during recent examinations of investment advisers. 
Privacy and Opt-Out Notices. OCIE staff noted, among other things, that some advisers did not provide initial privacy notices, annual privacy notices and opt-out notices to their customers, as required by Regulation S-P. In other cases, the notices provided did not reflect the adviser’s policies and procedures accurately and/or did not provide notice to customers of their right to opt-out of the adviser’s sharing their non-public personal information with non-affiliated third parties.
Lack of Policies and Procedures. OCIE also observed advisers that did not have written policies and procedures addressing administrative, technical and physical safeguards for the protection of customer records and information, as required by the Safeguards Rule of Regulation S-P.
Policies Not Implemented or Not Reasonably Designed. OCIE staff observed firms with written policies and procedures that did not appear to be implemented or reasonably designed to (i) ensure the security and confidentiality of customer records and information; (ii) protect against anticipated threats or hazards to the security of records and information; and (iii) protect against unauthorized access to or use of customer records or information. For example, staff observed:
Policies and procedures that were not reasonably designed to safeguard customer information on personal devices;
Inadequate employee training and monitoring with respect to the encryption, security and transmission of customer information;
Failure to require outside vendors to contractually agree to keep customers’ personal information confidential; and
Inadequate incident response plans.
Developments in Privacy Law – New York, California and Cayman Islands
New York On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to increase protections surrounding New York residents’ personal data. Effective March 21, 2020, the SHIELD Act broadens, among other things, New York’s data breach notification law by imposing notification requirements that apply to any entity or person with private information about New York residents. Previously, such law applied only to those conducting business in New York. The SHIELD Act also expands the definition of “private information” to include biometric data and username and password information or security questions and answers. Moreover, the SHIELD Act requires businesses to adopt “reasonable” administrative, technical and physical safeguards to prevent breach of such private information.
California Effective January 1, 2020, California enacted the California Consumer Privacy Act (CCPA), a comprehensive privacy law that regulates the disclosures companies have to make regarding their privacy practices and the privacy rights that businesses have to offer to California residents. The CCPA governs a wide range of consumer personal data and, with certain exceptions, provides rights to California residents to access and delete their personal data maintained by businesses. The CCPA applies to companies “do[ing] business” in California that collect California consumers’ personal information and that (i) have gross annual revenues of more than $25 million, (ii) receive, share or sell for commercial purposes the personal information of 50,000 or more California consumers, households or devices or (iii) derive 50 percent or more of its annual revenue from selling personal information. The CCPA also imposes requirements on businesses to maintain “reasonable security” regarding the protection of personal data and establishes a private cause of action for California consumers to recover statutory damages for data breaches that are the result of a failure to maintain reasonable security. The CCPA includes a number of limited exceptions, including an exception for data that are collected, processed, sold or disclosed pursuant to the Gramm-Leach-Bliley Act. This exception, however, does not apply to the private cause of action afforded to individuals for information security incidents.
Cayman Islands
Effective September 30, 2019, the Cayman Islands introduced The Data Protection Law (DPL) to regulate the privacy practices of entities established in or processing personal data in the Cayman Islands. “Personal data” includes any information relating to an identifiable natural person. Among other things, the DPL requires regulated entities to (i) provide notice of their collection and use of personal data, (ii) afford individuals the right to access their personal data and restrict its processing, (iii) maintain such data for no longer than necessary, and (iv) restrict the transfer of personal data outside of the Cayman Islands unless certain conditions are satisfied. The DPL also includes data breach notification requirements.
SEC Rule Developments
SEC Proposes Amendments to Advisers Act Advertising and Cash Solicitation Rules
On November 4, 2019, the SEC proposed amendments to modernize the rules under the Advisers Act addressing investment adviser advertisements (Rule 206(4)-1) and payments to solicitors (Rule 206(4)-3). The proposed amendments are intended to update these rules to reflect advancements in technology, changes in investor expectations and the evolution of industry practices.
Proposed Amendments to the Advertising Rule
The proposed amendments to Rule 206(4)-1 would replace the rule’s broad restrictions with principle-based provisions. The proposed rule incorporates certain principles set forth in no-action letters and guidance issued over the years and provides some flexibility based on the sophistication of the recipients and relevant disclosures. It contains general prohibitions of certain advertising practices, as well as more specific restrictions and requirements that are reasonably designed to prevent fraud with respect to specific types of advertisements. Subject to certain conditions, the proposed rule would permit references to “past specific recommendations” and the use of testimonials, endorsements and third-party ratings, and would include tailored requirements for the presentation of performance results based on an advertisement’s intended recipients. The proposed rule also would require internal review and approval of most advertisements and require each adviser to report additional information regarding its advertising practices in its Form ADV.
Proposed Amendments to the Cash Solicitation Rule
The proposed amendments to Rule 206(4)-3 would expand the rule to cover solicitation arrangements involving all forms of compensation rather than only cash and, in a significant and controversial change, would apply the rule to the solicitation of investors in private funds. The proposed amendments would retain several requirements of the current rule, including that an adviser enter into a written agreement with a solicitor to set forth the arrangements between the adviser and the solicitor. However, the adviser no longer would need to obtain a written acknowledgement from each referred client that the client had received the required disclosures from the solicitor, and a solicitor no longer would need to deliver a copy of the adviser’s Form ADV Part 2A to the prospective client. The proposed amendments would add additional disciplinary events that would disqualify a person or firm from acting as a solicitor for an adviser, while also adding a limited carve-out for certain types of SEC actions.
Recent Enforcement Initiatives and Proceedings
The following is a summary of several recent enforcement actions of relevance to investment advisers.
Compliance Failures Related to Valuation of Fund Assets
The SEC settled charges with a large RIA and its primary trader for alleged violation of the Compliance Rule in failing to adopt and implement reasonably designed compliance policies and procedures relating to valuation of fund assets and failing to implement the RIA’s existing policy. 
According to the SEC order, although the RIA had written policies regarding valuation, they were deficient in a number of respects. Specifically, although the firm’s policies stated it would value securities at “fair value” in accordance with Accounting Standards Codification 820 (ASC 820), the SEC observed that the firm’s written policies “lacked procedures on valuation regarding how, in the context of the specific markets relevant to [a fund] and the specific types of inputs available to [the RIA], it should ensure consistency with the requirements of ASC 820 for the positions they valued.” The SEC also stated that the policies “did not mention any valuation techniques or methodologies, and further lacked procedures designed to promote consistency in valuation and to reduce the potential conflict of interest arising from the role of traders valuing securities they managed.”
Additionally, the SEC found that the RIA had failed to implement its existing valuation policy. Although the firm had a policy to value bonds based on “observable inputs such as market transactions and market information over unobservable inputs such as assumption about inputs,” in practice the traders would rely on assumptions rather than trading activity. According to the SEC, part of the firm’s failure to implement its policy was due to the makeup of the RIA’s risk committee. The committee, which was responsible for ensuring the fund was in compliance with the firm’s pricing source protocol, was composed of individuals who lacked expertise in bond valuation and therefore were unqualified to determine whether bonds were valued in accordance with Generally Accepted Accounting Principles (GAAP).
Failure to Disclose Conflict of Interest; Use of Client Assets for Personal Benefit
The SEC settled charges with an RIA and its sole owner for alleged failure to disclose a conflict of interest in connection with certain investment recommendations.  According to the SEC, the RIA had an arrangement with a third-party firm for a loan and access to a line of credit under terms that created an incentive for the RIA to recommend investments in the firm to the RIA’s clients. The SEC found that the RIA recommended such investments to clients without disclosing this conflict of interest to its clients. Furthermore, the SEC found that the RIA failed to disclose this conflict of interest in its Form ADV.
Additionally, the SEC alleged that the owner, through the RIA, advised a client to purchase an interest in the RIA, representing that the investment would be used to support and expand the RIA’s business. The SEC found that instead, the owner used half of the client’s investment for his personal benefit, including paying his personal taxes and debt. The SEC found that the investment was fraudulently obtained from the RIA’s client.
Custody Rule Violations; False Statements in Form ADV; Failure to Conduct Annual Compliance Program Review
A former RIA settled SEC charges that it violated the Custody Rule, made false statements in its Form ADV and failed to conduct an annual review of its compliance program. 
With respect to a private fund that it advised, the RIA attempted to rely on the “audit provision” of the Custody Rule, which requires an adviser to distribute a fund’s audited financial statements (prepared in accordance with GAAP) to the fund’s investors within 120 days of the fund’s fiscal year end, as a means of complying with the relevant provision of the Custody Rule. According to the SEC, the RIA failed to distribute the audited financial statements to investors, either within 120 days of the fund’s fiscal year end or at any time thereafter. The RIA engaged an audit firm to conduct an annual audit of the fund’s financial statements for fiscal years 2012 through 2015. However, for each of those years, the audit firm was not able to complete the audit and express an opinion on whether the fund’s financial statements were prepared in accordance with GAAP. Instead, for each year, the audit firm issued a report well after 120 days following the fiscal year end, in which the firm stated that it was not able to obtain sufficient audit evidence to provide a basis for the audit opinion. The SEC noted that such disclaimer does not constitute the performance of an audit in compliance with GAAP and therefore did not comply with the Custody Rule. For fiscal year 2016, the RIA was unable to engage an accountant to audit the fund’s financial statements.
The SEC also found that the RIA made Form ADV filings during this period stating that it had distributed audited financial statements prepared in accordance with GAAP to investors, when it had not, in fact, done so. The RIA also stated that it had “not yet received a report” in response to the question of whether the audit report contained an unqualified opinion and failed to file an amended Form ADV updating the response to “no” when the report was received. The SEC found that in making these representations, the RIA violated Section 207 of the Advisers Act by filing a Form ADV with untrue statements of material facts.
Additionally, the SEC found that the RIA failed to comply with the requirement under the Compliance Rule to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder, including the Custody Rule, and to conduct an annual review of the adequacy and effectiveness of its policies and procedures.
Misleading Fund Clients to Benefit Parent Firm
The SEC settled an enforcement action against two RIAs relating to alleged violations of the Advisers Act anti-fraud provisions, as well as the requirement under the Compliance Rule to adopt and implement written policies reasonably designed to prevent violations of the Advisers Act. The SEC cited the RIAs’ failure to (i) adequately disclose their securities lending recall practice involving 94 mutual funds they advised and failure to disclose the related conflict of interest, and (ii) timely reimburse the funds for certain tax expenses. The SEC found that the funds were reorganized so that the RIAs’ parent company could receive certain tax benefits. These benefits to the parent, however, came with negative consequences to the funds.
According to the SEC, when the RIAs sought approval from the fund boards to reorganize the funds as partnerships for tax purposes, the RIAs disclosed that the purpose was to increase a tax benefit to the RIAs’ affiliates, but failed to disclose the adverse impact to the funds of the securities lending recall practice or the related conflict of interest. Additionally, the SEC found that the RIAs did not disclose or fully describe the recall practice during an examination later conducted by the SEC, but the SEC order acknowledges that the RIAs subsequently self-reported the conduct (as well as the foreign tax issue discussed below) to the SEC, cooperated with the staff's investigation, and voluntarily reimbursed the funds.
Also, because of the reorganizations, the funds were subject to less favorable tax treatment in certain foreign jurisdictions. The SEC found that, while the RIAs assured the boards that the funds would be reimbursed for this less favorable treatment, they failed to adequately reimburse the funds for a period of 12 years.
Form PF Reporting Requirements
Most RIAs that advise private funds are required to file Form PF either quarterly or annually; advisers exempt from SEC registration, including ERAs, are not required to file Form PF. Form PF, which is a joint form between the SEC and the Commodity Futures Trading Commission with respect to Sections 1 and 2 of the form, is filed with the SEC via the Private Fund Reporting Depository electronic filing system and is not publicly available.
Given the volume and complexity of the work involved, many private fund advisers face a number of challenges in preparing Form PF, including making decisions regarding (and documenting) assumptions and methodologies, due to the ambiguous or subjective nature of a number of Form PF’s instructions, definitions and questions. The SEC staff has provided assistance with respect to these issues and other Form PF questions, both directly in response to private inquiries and in FAQs posted (and periodically updated) on the SEC’s website. According to a December 2019 SEC staff report, the staff regularly contacts individual filers when staff members identify anomalous and possibly erroneous data, as well as possibly delinquent or missing filings, and works with these individual filers to determine steps for improving timeliness and accuracy of filings.
When delinquencies persist, the staff has taken further steps to ensure that information is appropriately filed. In June 2018, the SEC announced settlement orders with 13 RIAs that repeatedly failed to file Form PF.  Each adviser was charged a $75,000 penalty. During the course of the SEC investigation, the advisers remediated their failures by making the necessary filings.
Please refer to our 2018 annual investment adviser alert, which discusses who is required to file Form PF, the various filing categories for advisers, and the frequency of reporting and filing deadlines.
Finally, please also refer to our newsletter for annual calendar-related filing dates, ongoing and compliance requirements, and additional annual considerations that private fund advisers may wish to consider.
 Regular readers of this annual newsletter have probably figured out the recurring theme of using song lyrics (2018 - The Who) and titles (2019 - Led Zeppelin) from the author’s favorite groups in the title to the newsletter. 2020 is no exception.
 SEC Office of Compliance Inspections and Examinations, “2020 Examination Priorities” (January 7, 2020), https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2020.pdf .
 SEC Press Release 2020-4, “SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities” (January 7, 2020), https://www.sec.gov/news/press-release/2020-4 .
 See Note 2 above.
 OCIE, Staff Guidance, “Cybersecurity and Resiliency Observations” (January 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf .
 Commission Guidance Regarding Proxy Voting Responsibilities of Investment Advisers, IA-5325 (August 21, 2019), https://www.sec.gov/rules/interp/2019/ia-5325.pdf .
 SEC, Release No. IA-5248, “Commission Interpretation Regarding Standard of Conduct for Investment Advisers” (June 5, 2019), https://www.sec.gov/rules/interp/2019/ia-5248.pdf .
 See Frequently Asked Questions on Form CRS, https://www.sec.gov/investment/form-crs-faq (most recently updated on February 11, 2020).
 SEC National Exam Program Risk Alert, “Investment Adviser Principal and Agency Cross Trading Compliance Issues” (September 4, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Principal%20and%20Agency%20Cross%20Trading.pdf .
 SEC National Exam Program Risk Alert, “Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features” (May 23, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf .
 SEC National Exam Program Risk Alert, “Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies” (April 16, 2019), https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf .
 SEC, Release No. IA-5407, “Investment Adviser Advertisements; Compensation for Solicitations,” https://www.sec.gov/rules/proposed/2019/ia-5407.pdf .
 SEC Administrative Proceeding File No. 3-19190 (June 4, 2019), https://www.sec.gov/litigation/admin/2019/ia-5245.pdf .
 SEC Administrative Proceeding File No. 3-19227 (July 1, 2019), https://www.sec.gov/litigation/admin/2020/34-88249.pdf .
 SEC Administrative Proceeding File No. 3-19448 (September 13, 2019), https://www.sec.gov/litigation/admin/2019/ia-5344.pdf .
 SEC Administrative Proceeding File No. 3-19455 (September 16, 2019), https://www.sec.gov/litigation/admin/2019/ia-5346.pdf .
 The public Form PF inquiry email address and a phone number to reach staff with questions relating to Form PF are available at https://www.sec.gov/divisions/investment/iard/iardhelp.shtml .
 See Form PF Frequently Asked Questions, http://www.sec.gov/divisions/investment/pfrd/pfrdfaq.shtml (most recently updated on January 18, 2017). FINRA, as administrator for the PFRD filing system, also posts information to assist Form PF filers, including PFRD System Frequently Asked Questions, http://www.iard.com/pfrd/pdf/PFRD_System_FAQs.pdf (most recently updated on January 18, 2017).
 SEC, Annual Staff Report Relating to the Use of Form PF Data (December 30, 2019), https://www.sec.gov/files/2019-pf-report-to-congress.pdf .
 SEC Press Release 2018-100, “SEC Charges 13 Private Fund Advisers for Repeated Filing Failures” (June 1, 2018), https://www.sec.gov/news/press-release/2018-100 .