August 4, 2017

Survey Finds Advisers Continue to Take Cybersecurity Seriously; Custody Concerns Loom Larger

The Investment Adviser Association, ACA Compliance Group and OMAM recently released the results of their 12th annual survey of the top concerns of compliance officers working at registered investment advisers. While cybersecurity continued to dominate mindshare as the “hottest” compliance topic, custody—a common compliance deficiency among registered investment advisers, according to a memo released earlier this year by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations—surpassed anti-money laundering/anti-bribery and corruption as the topic causing the second-most consternation. The survey also found that a majority of advisers are not just unprepared for MiFID II, they are unsure what their obligations are under the new regulatory regime. (For more on custody, see “Custody Rule Compliance: Key Issues and Best Practices for Private Equity Managers,” Part One and Part Two)

This article extracts the key takeaways most relevant to private equity fund managers from the survey.

Survey Respondents
The survey, conducted online in April and May of this year, comprised responses from individuals at 599 investment advisers, half of which were advisers to private funds. Nearly 40% of the respondents’ firms had less than $1 billion in assets under management, while 22% hailed from firms with over $10 billion in AUM. Two-thirds of the firms had 50 or fewer employees. Nearly nine out of 10 advisers have been in business for at least five years, with almost one-third in business more than 25 years. Three-quarters of the advisers operate from one or two offices. Less than one-quarter of the survey participants operate outside of the U.S., and 11% only market in a foreign region. Of those operating outside the U.S., the most popular locales are the UK, Hong Kong and Singapore.

Legal and Compliance Function

Three-quarters of the firms reported between one and five full-time legal and/or compliance personnel, and nearly one-third of the respondents reported a dedicated CCO. Compliance budgets seem to have crept up slightly as a percentage of firm revenues from last year’s survey, with just under half reporting that spend was less than five percent, while another quarter reported it was between five and 10%. Most of that spend is on internal compliance personnel, technology and third-party compliance consultants.

Interestingly, when it comes to how a firm demonstrates a culture of compliance, respondents’ top three answers were: the firm conducts annual (or more frequent) employee compliance training (90%); the CCO or other compliance personnel attends various committee meetings (such as best execution committee meetings) (79%); and the CEO or president is immediately apprised of material compliance issues/breaches (77%).

Compliance Priorities

Over the past several years, the SEC has emphasized that it has found managers’ compliance, or lack thereof, to be problematic in specific areas such as whistleblowing, custody, cybersecurity and business continuity plans. Advisers are therefore obligated to evaluate whether their compliance programs contain any weaknesses in these areas and whether any weaknesses uncovered have been adequately addressed. For example, almost 80% of firms report having a whistleblower policy in place, though more than half have not adjusted that policy in light of OCIE’s most recent whistleblower alert in late 2016. All but a small percentage of firms (four percent) said they have a business continuity and transition plan in place—with 82% of respondents noting their firm had a standalone BCP, though just 13% have a standalone transition plan—reflecting the emphasis the SEC has placed on BCPs recently.

The SEC’s recently-approved changes to Form ADV are effective with next year’s filing, and managers are grappling with the changes. A full 45% either are not clear on what the main impact areas are or feel they have a significant amount of implementation work still to do. The most onerous aspects of the new requirements involve separately managed accounts, including what constitutes an SMA under the Form, determining the classification of investment types held in SMAs and the increased reporting around SMAs, particularly as they pertain to derivatives and borrowing information.

Cybersecurity has remained top-of-mind for regulators, as recent ransomware attacks have plagued companies around the world, and likely will continue to. Advisers have responded to the threats: 75% of respondents affirmed their firm has a formal, written cybersecurity program. The majority of the remaining 25% said they do not have a standalone cybersecurity policy, but cybersecurity is incorporated into other policies and procedures. However, in spite of the concerns over cybersecurity, a majority of those surveyed—56%—reported that their firms have no cybersecurity insurance policy. Of those who do, nearly half have coverage of between $1 million and $3 million.

Respondents also said that their cybersecurity testing most frequently includes cybersecurity risk assessments, network penetration tests, vulnerability assessments, phishing tests and vendor/service provider questionnaires.

Another compliance concern among respondents is pay-to-play, in part because last year’s U.S. elections cast a spotlight on the pay-to-play enforcement actions the SEC levied against 10 firms earlier this year. Most of the incidents came in spite of the firms’ established policies and procedures. Seventy-eight percent of those surveyed confirmed that their firms also have policies and procedures in place addressing pay-to-play issues. Six percent of firms have a standing prohibition on political contributions. Forty percent of firms reported testing compliance with pay-to-play policies and procedures annually, while nearly one-quarter test quarterly. The most significant change to firms’ policies and procedures has involved revisions requiring covered persons to pre-clear all political contributions. (For more on the enforcement actions, see “SEC Enforces Pay-to-Play Rule Against 10 Firms That Accepted Pension Fund Fees Following Campaign Contributions”)

Fees and Expenses

Among the myriad expenses incurred by the respondents, the most prevalent expenses that firms charge back to their clients include third-party legal, third-party accounting, third-party administration, custodial and broker fees. How managers maintain their fee and expense policies varies, with just 27% having a specific fee and expense policy, while 12% address them in other policies and 40% relegate the policies to legal agreements with clients. Shockingly, nearly one-fifth of respondents said they have no written fee and expense policy.

The most popular way firms assure compliance with their fee and expense policies is by tasking the compliance function with making adequate disclosures in the Form ADVs, fund documents and client reporting. Form ADV, Part 2A was the most popular method to disclose to clients the types of expenses they are charged.

Respondents said their firms’ testing around fee arrangements involves ensuring clients’ charges are in line with their agreements, the correct AUM is used to calculate clients’ fees and the ADV accurately reflects fee arrangements. Similarly, firms’ fee expense testing focuses on ensuring that expenses billed to clients are in line with the fund’s offering documents and policies and procedures, as well as explicitly disclosed in Form ADV. (For more on fee and expense testing, see “Reviewing Fee and Expense Disclosures and Allocations: Rationales and Best Practices,” Part One and Part Two)

Compliance Monitoring

Just one percent of firms failed to conduct an annual compliance review, down from eight percent in last year’s survey. Meanwhile, of the firms that performed a review, 55% documented it with a “lengthy written report.” Four out of five times, the respondents’ compliance review resulted in the detection of compliance issues; however, only one-tenth of the time were those issues material. The top three compliance issues uncovered related to custody, personal trading and advertising/marketing. Cybersecurity (75%) was the top area where advisers have increased the scope and/or frequency of their compliance testing. (For more on compliance testing, see “Best Practices for Conducting an Effective Annual Compliance Review,” Part One and Part Two)

Two-thirds of managers use automated/electronic compliance systems, most frequently to monitor personal trading, gifts and entertainment, and political contributions. Fifty-seven percent of users of these compliance systems report they have increasingly relied on them over the past year, and about the same anticipate that reliance to continue to increase.

Among other compliance testing, over half of the advisers surveyed test their business continuity plan at least annually, with the focus on their ability to recover data, access back-up records, and inform and communicate with employees. Additionally, firms are testing their third-party service providers’ BCPs, primarily through the due diligence process and review of the document. Interestingly, over one-third rely on “assurance reports” by an independent party.

Outsourcing
Firms are increasingly relying on outsourcing as they seek to focus on their core strengths in investing. The top functions the survey participants outsourced were email archive vendors, attorneys, custodians, information technology, compliance consultants and employee benefits and payroll. Oversight of these vendors most often includes annual due diligence reviews, confidentiality agreements, references and designating an internal employee as responsible for the relationship. (For more on service provider due diligence, see “Executing Effective Service Provider Due Diligence in Four Steps”)

MiFID II
MiFID II regulations are set to take effect in the EU next year, and nearly 70% of firms with a non-U.S. presence have some form of EU presence that leaves them either indirectly or directly affected by the new rules. Just over 40% of those firms reported they still have a significant amount of implementation work to do or are not yet even clear on what the main impact areas are. Throughout the responses, most of those surveyed said they are unsure what their obligations are to the various rules, which option their firm will utilize to pay for research under the new regulations, how they will handle reporting requirements or how they are going to handle requirements that vary across jurisdictions.