GR compliance roundtable: AIFMD II, DORA, cyber and LinkedIn messaging

Reporting from Global Relay’s quarterly asset manager compliance roundtable – December 2023.

This valuable session began with an overview of the COO and CCO industry events attended by some of the group in November.

At the key COO event the big topic was the Private Fund Adviser Rules (effective Q1 2024), which had just come out in the US. Everyone was grappling with them. The SEC representative at this event had kept to the script, so most of the value came from the output of the panel. The assumption is that if you do not have a US fund there is no impact, though inevitably all investors will start to expect equivalence in other regions.

One attendee was advised to set up a fund outside Delaware (Cayman preferred) to try to avoid this. Others expressed the view that the applicability of the rules might not be as cut and dried as whether a firm has a US fund or not. US investors might still expect a harmonized approach to be offered.

The SEC’s reserved position is natural when there is still a lot of guidance to be released. Litigation challenging the whole basis for the new rules is also still in flight. Jack Inglis, the CEO of AIMA, spoke passionately on this at another event. There is no general expectation that the lawsuit against the SEC will be successful. Delay is the most probable outcome, but the industry needs to be ready for a change. There is also the risk that it might result in legislation rather than just SEC rules.

Positive developments on the AIFMD II front

AIFMD II was also a lively topic of conversation. One key controversial issue for the UK FCA was the EU potentially not allowing EU funds to delegate to UK fund managers, but that fear has receded as the concern that politics would prevail has subsided. There is also positive news on loan origination (indirect lending) and on the harmonization of loan origination records across Europe. Jurisdictional rules apply now if you want to set up a loan origination fund, but there is potential for this to be harmonized.

Luxembourg is currently the easiest jurisdiction in which to achieve this, but Ireland is trying to catch up. The desire is to have equivalent rules across the EU. This is significant for the private credit sector and is an opportunity for Ireland and France to compete with Luxembourg.

Marketing was touched on, along with the concept of tax blacklists and AML greylists (Cayman is still on the EU greylist); the need to monitor both the FATF and EU lists was called out.

Edinburgh Reforms are positive tinkering

The UK Edinburgh Reforms resurfaced, and there was discussion of the benefits of the short sale changes: less reporting and thresholds not quite as low as previously. This has maintained momentum and will be a genuine boon to the industry. The bonus cap has gone, but that really only affects the big firms that are dual regulated. All of the recommendations related to research have been accepted by the Treasury.

The group was surprised that proposed changes to allow bundling again are going to be revealed so quickly, in Q1 of 2024, after its removal under MiFID II. Under MiFID II asset managers were not allowed to bundle payment for research with the trading commission charged to their funds, in a bid to reduce conflicts of interest. This marks a speedy reversal and takes everyone back to where they were, almost as if it had not happened. The group concluded that the Edinburgh Reforms can best be described as ‘tinkering’ rather than any wholesale regulatory change.

Economic Crime and Transparency Act means more training

The Economic Crime and Transparency Act was touched on (enforceable from December 26 last year), and those attending were trying to estimate whether they fall within the SME exemption. Some of those present said that they might tweak their financial crime training to include it. Guidance is slated for Q2, but MLROs have compared its reach to that of the Bribery Act, and the connection to third parties needs careful consideration.

Any exemption only covers the failure to prevent fraud. The chief concern is the change whereby a corporate now has to assume responsibility for the act of an employee who commits the fraud. Corporate criminal liability and its impact on senior managers was also discussed – the scope has widened beyond directors to managers.

As the guidance rolls out, action will need to be taken internally to educate and train those affected. The Act applies to all corporates and not just finance companies, so existing generic fincrime controls should provide a very solid base to cover it. Standard Bank was one of the first corporates to be indicted under the Bribery Act, and one attendee said that there might be some precedent here for the new legislation, in the sense of finance being an obvious first target.

DORA welcome to address cyber threats and systems resilience

The Digital Operational Resilience Act (DORA) was discussed – most of those attending are interested because they have a large number of suppliers, some of which are critical ICT service providers. The fact that the EU’s DORA will come before the UK version was mentioned. The group actually saw benefit in third parties being supervised more formally, since it reduces their own need for constant cyber diligence. Single points of failure that are not finance specific are a vulnerability – Bloomberg and Microsoft were mentioned as potential crisis instigators if they go down.

The conversation moved to the recent ransomware attack at ICBC and the rumors that the attackers had got in through one unpatched inactive server. Many questioned whether backups were being done (ideally as hot replication) – many firms do not test the backups they do take. A full live trading system backup is rare now for disaster recovery, as it takes weeks to do a proper failover. Backups do occur at some of the firms in attendance, and hybrid approaches, with a blend of cloud and on-premises servers, can provide some risk mitigation. Some data might be on Microsoft Exchange, with more on hosted servers.

It seems to be a regular discussion at senior levels, but to test it properly would require a firm to stop trading for a week, which is not practical. Instead, the tests that can be done while the firm is operating go ahead, and the hope is that systems will be resilient enough if there is a live need. Recently the CSSF (the Luxembourg regulator) had asked one firm whether it had been looking at DORA, as part of the regulator’s thematic review.

Approaches to LinkedIn messaging are diverse

The archiving of LinkedIn (LI) messaging was covered. One of the group asked whether people are allowed to use LI for business purposes and whether the messaging is being captured. One compliance officer said that they have a policy requiring any business dialogue to be moved straight to a captured channel.

Most of the contact on LI is from suppliers and inbound interest directed at the Investor Relations team. Another firm uses a social media management tool that aggregates all the messages and sweeps them into its archive. Others said that their salespeople complain to Compliance that their competitors are active on LI in a non-compliant way. This expanded into a discussion in which many stated that the use of personal email, and the sending of emails to personal addresses, is still a perennial issue, especially with attachments.

Cyber and regulatory change key worries for 2024

Current worries were: cyber attacks are happening every day, and if you are a trophy firm you are at risk; markets are scratchy and febrile as we come off higher interest rates, and compliance people are now personally attached to anything that goes awry with their funds; and on regulatory change, it is dealing with all the SEC stuff in 2024, even with the support of a decently resourced legal and compliance team.