The SEC Staff Answers Your Burning Questions on Examinations
Hear from Maryellen Maurer of the U.S. Securities and Exchange Commission to learn more about the private equity exam process and why fees, valuation and cybersecurity specifically continue to be a focus area for the commission.
Transcript below [9/21]:
Nicholas Donato: Hi everyone. Welcome to the latest round table in our compliance series. Today we will be asking a SEC staff member your burning questions on the private fund exam process, which I can tell you has only become more sophisticated and targeted as the years go on. I'm Navatar's Nicholas Donato and I'm going to be your moderator today. Very shortly, I will introduce you to April Evans and Maryellen Maurer.
But first allow me to tell you what led to today's conversation. In May, an important speech was delivered for those of us who track compliance in this industry religiously. The SEC's Director of Enforcement delivered a speech, or actually I'm going to call it a warning, to private equity firms that more enforcement cases were on the way. That the Commission was still seeing problem areas during their onsite visits. And then, the SEC delivered on that promise. Last month, WL Ross held charges that it wasn't doing a good job of disclosing how it charged investors certain fees. Soon after that, Apollo, another big name firm, paid its own fine for accelerated monitoring fees. And then, just this month, First Reserve settled charges that it wasn't sharing discounts, it was negotiating with its lawyers, with fund investors.
This is important stuff. GPs have been taking a hard top down look at their fee disclosures, their expense allocations and other areas flagged by examiners as problem areas. Now, this has all been going on for a few years and fund lawyers will tell you that huge improvements have been made since 2012 when Dodd-Frank pushed most of the industry under the SEC's brighter spotlight.
But clearly gaps remain, so we want to talk about those gaps here today. Let's talk about the recent enforcement cases. What can firms do to avoid facing their own charges? What does it mean to create a culture of compliance? That's a phrase that we hear often. How should GPs be thinking about cyber security? Valuation? Fee practices? What should we anticipate next? The SEC just recently floated new rules on business continuity planning that may be a future focus here during exams.
Now, to help me talk about these issues intelligently, I have recruited the help of April Evans, who I've known for some years now as a former industry reporter. April is the first name that I thought of when Navatar started organizing this roundtable in partnership with ACG and I want her to take the lead here in directing some of the questioning. She is the CFO and CCO of Monitor Clipper Partners, a middle market firm. More importantly, for our purposes here, she is co-chair of ACG's Private Equity Regulatory Task Force or PERT, which is a task force comprised of industry professionals that have been speaking with regulators like the SEC about new rulemaking. April will provide you the details on PERT in just a bit. We also have with us Maryellen Maurer. She rejoined the staff of the SEC's Office of Compliance, Inspections and Examinations in December of 2014 where she focuses on private funds. More recently, though, she served as Deputy Chief Compliance Officer with the TPG, a firm I'm sure that we all recognize. Maryellen, in fact I'm going to kick things over to you real quick to give us a disclaimer.
Maryellen Maurer: Thank you Nick. I have to read this, sorry guys. The Securities and Exchange Commission as a matter of policy disclaims responsibility for any publication or statement by any of its employees. The views expressed herein are those of the author and do not necessarily reflect the views of the Commission or of the author's colleagues upon the staff or the Commission. So, in short, these are my opinions and not necessarily those of my colleagues or the Commission. Thanks, Nick.
Nicholas Donato: Thanks, Maryellen. Now, how does Navatar fit into the picture? Well, we are a cloud services provider for the financial services industry and one of our aims is to ensure that clients bring a disciplined approach to their deal origination, to their fundraising, to their relationship management workflows. Basically, what we do is we offer GPs more structure and formalized processes that not only make the shop more lean and efficient, which is pretty important at a time when regulators and investors alike are taking a pretty critical eye to firms' operational risk management, but we bring more discipline to workflows. April, can you provide us some background on what PERT is doing?
April Evans: Happy to Nick, absolutely. PERT is the Private Equity Regulatory Task Force, and was formed two years ago to advocate and interface with federal regulators and policy makers on behalf of middle market private equity. What we do is, we are creating a network of peers to develop and share best practices. We educate PE professionals on regulatory issues that have a direct impact on us and our funds. We're now 50 members strong. We're close to issuing best practices on five areas of SEC focus for private equity RIAs. We've begun addressing best practices for a sixth, and we've held two fly-ins and dozens of meetings with both members of Congress and the SEC on private equity within this regulatory framework in which we live. We've done a lot of good work, but there is clearly more work to be done. There are about 500 attendees on today's webinar, which is quite impressive. I encourage those of you in PE firms to reach out to PERT to become a part of the dialogue in our effort.
And those of you who are service providers in the PE industry, to identify ways, such as Navatar is doing, to work with us. Feel free to reach out to Amber Landis. You can see her info at the bottom of the screen, email@example.com, with any questions you might have at all about PERT. It is doing some really good work with the SEC and with Congress these days.
Nicholas Donato: Thanks April, and PERT is recruiting for people across the country, is that right? People can join in from conference lines, they don't need to be physically there in person for every meeting right?
April Evans: Correct. So we hold, for example, quarterly conference calls, where we are discussing issues, updating everyone on the call about latest developments and then strategizing next steps as well and those are held on a quarterly basis.
Nicholas Donato: Thanks April. So, let's get started. So what are we doing here today? As I alluded to earlier, we want to talk about the exam process, more broadly we want to talk about, how the SEC approaches its supervision of the private funds industry. We want to talk about what it means to create that culture of compliance, and then, we can drill down into a few specific areas, like fees, cybersecurity, and valuation. And then we want to analyze a few recent important enforcement cases, as well as some rule proposals that are in the works. So, Maryellen, I know that you’ve prepared some thoughts for us on ways that the exam process has evolved since much of the industry was forced to register four years ago. Can you take us through those thoughts?
Maryellen Maurer: Sure. So we thought it might be helpful to first quickly step back to discuss how the SEC oversees private equity from an organizational standpoint. So these two slides are basically a bit of an outline. So you'll see on the first slide in front of you three groups within the SEC that are responsible for the day-to-day oversight. So those include, the Division of Investment Management, so that's primarily the rulemaking body. So when you think about what goes into the Form PF, the ADV questions that are being asked with regard to private equity fund advisors and funds. Those are the folks, they also cover no action letters. If you want some kind of relief, or exemptive relief. For example, for a local contribution issue, you may submit that to IM. The next one is Division of Enforcement. And they become involved when there's a potential issue with the firm. So the administrative proceedings that you're seeing in the press, they're the ones that handle that. And then there is the Office of Compliance, Inspections, and Examinations, which I am a part of, and the short name for that is OCIE, and that's where all the examiners that will show up in your office sit. So they are the boots on the ground. And then on the next slide, you will see that in each of those divisions or OCIE, there are individuals who work on issues specific to private funds, including private equity funds.
So, I want to go through each of those. So within the division of the larger Division of Enforcement, there is what's called the Asset Management Unit, or AMU, and the individuals in enforcement who work on investigating potential issues with private equity firms are located there. So these folks have industry experts that assist on their cases, so those people sharpen document requests, testimony, advise any kind of investigation thesis, filled analytics around the thesis. And they include their attorneys. They include a former portfolio manager that was with an alternative investment firm, as well. And that unit was created in 2010, and so it's been around for almost six years, and they work very closely with OCIE. And then within the Division of Investment Management, there's another team of lawyers who make up what's called the Private Funds Branch, and they've absolutely developed expertise in the private equity area, and a person whose name you might hear a lot is Alpa Patel, who had set up, and she gets out to industry a lot.
And then, finally within OCIE sits the Private Funds Unit, and that's probably the unit you're most familiar with. And this is the unit that was started in 2014; and why was it formed? It was formed because the National Exam Program Management, which OCIE is a part of, recognized that the private funds space generally is complicated and diverse, and therefore it needed some specialized expertise that was widely distributed around regions with the higher concentration of private funds, and they felt it would benefit the industry and the Commission. So, almost two years in, and that team has grown to 25 permanent members, and those members don't necessarily come to the unit with expertise in this space, but rather grow to that by conducting focused exams where they developed pattern recognition of issues.
And the PFU folks however, still do include people from the industry, including myself and others that have come from private equity or in the accounting area operations, legal, and portfolio management. And that group is supplemented by a larger group, which is called the Private Fund Specialized Working Group, and there are over 120 members in that group, and they are dispersed all throughout the division and offices. They're basically people that are interested in the private funds space and private equity, and develop expertise. And one thing I wanted to note is the PFU will not necessarily be the only ones going out on private equity exams, so anyone in any of the regions who is an examiner could be on a private equity exam, so not just the PFU. When you think about 25 people, they're not going to get to all the private equity shops.
And then within OCIE there are two groups that provide assistance and identify issues. So one is the Office of Risk Analysis and Surveillance. And they are the ones that will go through the filings and look for any kind of key words or inconsistencies in your filing. So an ADV, or Form PF. And then Office of Chief Counsel as well. And they are the ones that will look at any particular issues that are coming up from a legal standpoint on exams. And try to write analysis to help the examiners when they go out on exams, to ask the right questions. For example, when with Backstreet issues that have come up, so that's something where the Office of Chief Counsel will assist.
So the PFU, as far as getting more sophisticated, one of the things it has done is actually meet with LP groups, like members of ILPA and other state pension plans to understand their concerns and get feedback. And it also helps with some initiatives that we develop. So for example, Igor Rozenblit, a week or so ago, he flew out to a state to meet with 30 people across a state's nine pension plans to go over those kind of issues. And it's a great dialogue. And then, it helped us to better understand the GP and LP relationship and what we should be asking for.
April Evans: Thank you Maryellen. That's a really helpful layout for those of us in middle market firms to understand how the SEC is approaching the overall responsibility of reviewing and examining our firms. As the SEC conducts an exam, how do you all think about the relative size and resources one firm has available compared to those of another firm, in the context of a compliance program, cybersecurity controls, etc.? Is there a "one size fits all" philosophy to addressing compliance matters from your perspective?
Maryellen Maurer: Okay. So having worked at a very large PE shop myself, when I conduct exams over the past, now almost two years, not quite two years, if I'm examining a small to mid-sized PE shop, I'll often hear, "You won't understand that my firm is not the size of so and so. We are a small shop. We all know each other and have worked together a very long time. And people here have to wear multiple hats." And I won't understand that. So what I say to that is there is a natural scaling to the regulations and enforcement of those regulations. For example, if you don't have a certain amount of assets, you make certain filings more frequently, or with a variety form PF, you don't necessarily need to fill out the whole form PF. Also, you might not be dealing with the same issues that you see in the cases in the press, such as operating partners, senior advisors, accelerated monitoring fees. Or with regard to cybersecurity you may have fewer systems that you're working with. Or outside people who would be accessing your information. And so you may need fewer policies and procedures, because you don't engage in these certain activities. So all of that is natural of scaling.
I do want to say that we see nothing inherently bad about having multiple hats, if you can handle all of them. We do pay attention to whether or not you can actually handle all of them. And often times an outcome of our exam is your firm decides on its own to add more compliance resources, or to shift some of your compliance hats over to somebody else. So in short, there's going to naturally be the need for less complicated resources with regard to compliance. The rules say that you have to have a program that's "right sized" for your business. So we are not looking for something that's outsized. We don't expect there to be a one size fits all. There's obviously always a nevertheless.
And the nevertheless is to follow the rules and know they apply to everyone. So, for example, your governing docs have disclosures that go over what fund expenses are and management expenses. And those need to be re-followed regardless of your size. So your funds’ assets are your funds’ assets. And anytime the management company seeks to take some of that, no matter what size you are, you want to be sure that you've disclosed that fully. And you might not have because we definitely see in mid-sized shops people have senior advisors, operating partners. You might not have 50 of those, you might have two, three. But the same issues occur with regard to shifting of expenses to the funds from the management company, and you can't ignore that. And then, if you have any kind of material conflicts between the fund and the management company or the GP, you want to address those.
And there are certain things that go before the advisory board or if you call it the advisory committee. And actually sometimes we see more of that in the middle market shops, as firms are trying to grow, there's more potential conflicts of interest. And then with regard to private securities, because it doesn't matter if you have private securities, if you're a large firm or you're a small firm, you need to value those at their value. And there's a process around that. So finally, there are many obligations requirements as a registered IA, which we call investment advisor from a compliance standpoint. So whether expertise is internal or external, or a combination there, we don't care. We just want to make sure that you're addressing your issues and are knowledgeable about your business.
April Evans: Thank you. Thank you. That's helpful and comforting frankly, that you do understand a natural scaling to the ways in which we are approaching our compliance programs. Building them out and then managing them. It's very helpful. What are some best practices managers can follow to ensure that the exam process goes as smoothly as possible? So, we get the best practices thing in terms of building our program, but then the exam process.
Maryellen Maurer: Yes. So the first piece of advice I would give is be prepared before we arrive. And, I think most importantly, and you'll see that in all of these cases, these sort of key words, conflicts of interest. So, know all of your conflicts of interest. How do you handle them? How do you work to mitigate them? And how do you actually disclose them? You can lay those out for yourself in a document, spreadsheet, database, whatever works for you so that you're filling in any gaps. And, when we come in you don't necessarily have to hand it to us but, you're able to talk to us about it. That's going to go a long way.
Also, there's plenty of sample request lists that you can find out there whether you use consultants or attorneys. Go through those and test your production time. You'll often find, and I certainly do this myself all the time, find things take a lot longer to produce than you think. And it's a lot more difficult to produce certain things than you think. And, then almost equally as important as the conflicts of interest issue is, to be prepared, you need to read SEC speeches and cases. So, members throughout the SEC, and we'll pat ourselves on the back on this, I think we're very good about getting the word out there on what we care about. And, this won't necessarily be done by wrapping up the report and sending out a risk alert, like we did on business continuity that we published. But, rather it's done through speeches or articles where we're interviewed, things like this. And to date, most of those have come through the two co-heads of the private funds unit.
So, Igor Rozenblit, who's been around for a while. And Jennifer Duggan, who joined the SEC last year from the industry. But, as the private funds unit more solidifies, that will come from other people. And, you'll also hear obviously from Andrew Ceresney, a person who I know you guys know about. So, that's before the exam. During the exam, I would say first the CCO, no matter how many hats he or she wears, needs to know the business and have a knowledge of the responsibility with respect to compliance. So, that's even though we hear often times that we always ask the question, what percentage of your time do you spend on compliance? And typically it is definitely below 50 percent.
What we want to be sure is during the exam, you don't leave us with the impression that compliance is an afterthought. Or, alternatively, which we do find people say, "We think it's really important, really important", and then we ask you what you actually do and you can't really point to much with any kind of specificity with regard to compliance. You may go over personal trading and you know the other side, which is often times the CFO's business quite a bit, but it's compliance that we're there to talk about. And, that will really leave us with an impression and decide what we need to do from there. I'm just going to leave that point. But, then on a responsiveness, that's another key point. From the moment we start the exam, it's really important to be responsive to us. We're not in that often after you register. You don't know when you're going to see us. And, then say you've been examined, the next time you'd be examined it could be many years later. So, it really should be all hands on deck, and that's not just the compliance piece of that. We've seen things be unsuccessful really, if it's left solely to compliance and we don't get the responsiveness.
Next, I would proactively communicate with us. So, don't let us be the ones following up with you to ask if you're going to be producing something. If it's going to be on a deadline maybe or beyond say 24 to 48 hours since we asked for them, just give us an update. That said, what we don't want to happen is for you to produce inaccurate information, because you're rushed. So, if there is a need to slow it down for you to produce the information, that is as important as giving us accurate information and timely information is important.
Two last things I would say is, things which we do run into. So if you're using consultants or outside counselors to review the documents before producing them to us and then stamping them, for example, which we do see in mid-size shops, all different shops, you need to bake that into your production time. So, we don't give you extra time to do that. It’s your prerogative to do it. But understand that the deadlines are there and however you want to manage those deadlines just manage them.
And then, lastly, because I've been on the receiving end of many exams throughout my career, I personally always tell firms before I leave the firm that once we are offsite, we may contact you right away and ask you more questions and interviews. It may be a few weeks before we do that. An exam may go on for a while. So, it really is not going to be helpful to yourselves to try to gauge, if your LPs, for example, are asking when is the exam going to end? How's it been going? It really isn't going to be helpful for you to answer that because you're not going to have a gauge. Something could be going on for a long time, really unrelated to the exam, people are tied up with other things. It may mean something negative, where we're pursuing something with your firm, but it may simply be again administrative issues. So it's really not helpful to gauge it.
Nicholas Donato: Maryellen, real quick question because this is important for the mid-market level, where you have few senior decision makers. During that onsite portion of the exam process, what would it mean to you if somebody was on vacation, or if they're traveling or they're working in a different country and they can't be there onsite? And not just for the CCO, but say the senior managing director. Is there leeway in trying to reschedule an exam? Or is the expectation that somebody comes back onsite to answer your questions face to face. Any insights to share on that?
Maryellen Maurer: Sure. As far as leeway on the start date of the exam, there's not a lot, frankly. The reason for that in part two is before we even do this contacting to you, there's been multiple attempts. Lots of hours spent on coordination, who's going to be involved? When is it going to happen? Where will you sit in the risk-reward scale for us? So there's a lot of work that goes into it before we examine you, so moving the date is difficult. As far as being onsite, we don't care if somebody in that role is going to be onsite, we have calls all the time with people. I just was on exam, somebody was in Singapore, somebody was in Taiwan, we have the phone calls and the people on the other end make themselves available, whether it's at 11:00 at night or 5:00 in the morning. It's to your best interest to keep the exam going, but there will be flexibility around that. If somebody's on vacation, we don't require them to come back. Recently, somebody was in, I want to say Maine, and I was in Connecticut. We're not going to require them to come back, if they can get on the phone, great. But we try to keep the exam moving, so there's some flexibility, but typically not on the start time.
April Evans: Thank you for that and I took a little bit of comfort in your statement that sometimes if you're not getting back to us to wrap things up, it has not a thing to do with what's going on within our firm, it has to do with your other administrative responsibilities. So, getting worried doesn't get us further down the road. Let's, if I can, shift us to some specific categories of SEC interests and focus over the last few years. Largely, private equity firms have improved our disclosure of fees and expenses, but we're still hearing from SEC officials that we as an industry have more work to do. Can you give us some details about what that means?
Maryellen Maurer: Sure. The short answer is, there's still an opportunity for advisors to improve documents, and those are governing documents, and DDQs. It is something for advisors to think about and to take action on, rather than waiting for us to arrive and tell you what to do. And unfortunately, that is still a scenario that we are often in. And we understand that the governing docs have been produced a long time before we arrive and it may not be practical to have them changed as we've come out and said these speeches about what we're concerned about. However, before you allow the advisor or the GP to collect some form of compensation, or share in compensation, that takes away an asset that could go to the LPs, you need to be sure that your documents or disclosures were in place before someone committed the capital; that's certainly something you're seeing lately in the cases. Before somebody is actually committing capital, they need to clearly understand where those expenses are going.
So that may actually involve you using your LPAC advisory board more often to get approvals for some compensation and then notifying LPs that you're taking the action. And then, take the action, so not taking it before. So next, the advice I would give to middle-market shops, based upon what we are seeing, is to try to re-think, so go back through whether or not you are actually engaging in any of these activities that you see us talking about in the papers or speeches in enforcement cases. So oftentimes, and I've been part of it, we hear an immediate "No, I don't engage in that activity that you guys just talked about." But then, when they think about it more and we ask more questions, they come back with, "Oh, I actually, we probably do do something that is similar to that in this particular category."
So, think about that before we arrive. And then, next on expense shifting, we unfortunately are still seeing plenty of evidence of expense shifting. So the best thing a firm I'd recommend doing is, to sit there, take apart the schedules on expenses, and be sure all of them are properly disclosed to the LPs prior to the commitment. So that's an action that you can take. There is some expense shifting without proper disclosure that we still continue to see. That includes use of related party service providers, which appear to be full members of a manager's team – so operating partners, senior advisors, some captive consulting firms. And again, it doesn't matter what size you are, because we are seeing this in the smaller shops, and advisors who look and appear like they're employees with access and you don't have controls around them, so they do have access and their expenses we know are not off set. They don't offset management fees per the documents, but they look like employees to us.
Next on software costs. Think about if that software cost that you're implementing is actually making the business better? Is that really a management expense or is it a fund expense? Is it somehow benefiting the fund? Outsourcing traditional back office functions to related parties around accounting, legal and risk. Regulatory filings, it's certainly something we are seeing people are hiring firms to use. Help with Form PF and other filings; those are kind of things to just think about, is it a fund filing? And does it come under your fund obligation or is it coming under your advisor obligation, which means a management covered expense? Insurance, which is something you see in First Reserve; so are those payments really covering the funds? Or is there a piece that's covering the management company?
So, I was on an exam where there was insurance that was covering cybersecurity. Great, covering cybersecurity a portion of that once we started asking the questions, it turns out that a portion of it was information that could be stolen from employees. So not related to the funds, but was being protected and the funds were covering those expenses. It wasn't something that the firm was trying to do intentionally and trying to have the funds pay for it, but simply they didn't ask enough questions. And then falsely informing investors that the advisor is charging "below market rates."
So this is where investors agree to expenses being recovered to the funds by claiming investors are saving money by not using third parties. But the management company actually isn't totally providing the services that you would see at a third party. And there is no documentation of any effort to support the statement that the services are actually below market rates. That's an area that definitely firms need to work on. And then with regard to fees rather than going into detail, the Fenway Partners enforcement case action, that was in November of last year. Alright, so the cases are fact specific about topics in that case, but are something that we are definitely seeing still.
April Evans: Thank you. That's quite a list. We feel like we've made a huge amount of progress and a lot of what you've described doesn't apply to all firms, but we should focus on those things that do resonate for our particular firms. And make sure that we have understood it properly, calculated it properly, and can explain it when you come to visit properly. Let me shift gears to valuations for a moment, which continue to be a focus for the Commission. From your vantage point, where have valuation practices gone in the past four years? And in what areas does the industry still require improvement? And allow me to pile on, if I may, one more question in that category. Given the fact that fund audits spend a great deal of time on valuations, why does the SEC still believe it's an important area of focus for the SEC?
Maryellen Maurer: Sure. So valuation practices definitely have become better in terms of increasing the consistency of documentation around the processes. Being able to produce for us the backup of how values were arrived at. Ensuring that the committee is looking at the same underlying materials every time and also some checks and balances, so that is improved. So, some areas that still need improvement is, we still find that everyone is not actually being fully transparent to the LPs about their practices. But how to go about doing valuation as a summary document. It's good, but when you get into the details, it is best to be more transparent to LPs.
So the best thing a private equity firm can do to ward off any kind of accusations is absolutely to be transparent on how they derive valuations. So the LP should be able to review the valuation methodology used for portfolio companies and clearly understand it in detail. So for example, if there is a valuation summary page that you give to the LPs, they should be able to understand everything that's on that summary page and you should be able to explain that to them. In terms of the act of proving valuations, the reason why there is still some improvement to be had there is, we see two ends of the spectrum sometimes. And that's where there is somebody in the valuation process that is very much ruled by a specific person. Or on the other end of that you have a committee that really is relying on the underlying team. And it's not asking too many questions, being a bit too trusting. And then not looking at the input. So they're relying on junior people for inputs and not asking them questions about, is this really the right control premium? Is this really the right trading multiple? Who are you using as our peers?
We're also seeing summary information and going to the people that are actually approving. So if you think about the staff, why does the staff think that this is an important area of focus? They're obviously still out there raising money, raising money at any time. So inflated values in valuations can be misleading to investors with respect to performance. Particularly at fundraising times and these are often at times, even when it hasn't been audited, it's interim valuations that are going on. And we see interim valuations as important to LPs, whether or not they're going to invest in the next fund based upon what that last fund did. And also there are times when I know it's not that frequent people transfer in and out, the secondaries that are occurring, so that's all the reasons why we think it's important. As far as the auditors, we do put some reliance on the auditors and get some comfort from that, but we are still asking auditors questions.
And auditors will tell you that. We ask them about how they look at reasonable methodologies. We look at what testing that they're actually doing. We'll look at their work papers. We'll go onsite and look at their work papers. We also then compare that to what the GP is telling us when they do their own reviews and how they are working with the auditors. The auditors sometimes find all of the issues, and sometimes they don't. So we can't give 100 percent reliance on what the auditors are doing. We basically have to look at valuations as if the auditors sometimes aren't there. I would say, that we do have a senior specialized examiner that focuses on valuation that works very closely with the Private Funds Unit.
April Evans: Thank you. I think it's probably helpful that there are increasing numbers of folks from industry who are in valuations illiquid, and so they are very difficult to value to begin with. So that's got to be a helpful thing to have folks within the SEC understand how those illiquid valuations have worked historically in industry. Let me shift gears to cybersecurity, if I may. It's a relatively new area of focus for the SEC. Although most PE firms have been addressing our own IT security matters all along. And of course, one of the challenges with cybersecurity, we've all known this all along is that we never know if we've done enough. You can never be 100 percent secure, and safeguards can always be improved. Can you provide some insight on what the SEC expects of middle market firms in this category? Again, going back to that earlier question of differing amounts of resources available to those of us in middle market firms compared to the larger titans in the industry.
Maryellen Maurer: Okay. Well, cybersecurity has been and continues to be definitely, as you said, it's an area of focus for OCIE. While the federal securities laws do not specifically address the firm's requirement for cybersecurity preparedness, just know that there are rules and regulations, tangentially that address the firm's responsibility in this area. So these regulations, regulation FP, identity theft rule, regulations involving safeguarding of books and records, which you hear about a lot, and then the compliance rule, that's a specific rule for investment advisors. So in 2014, the staff conducted reviews of 105 firms, and 49 of those are investment advisors. All different sizes, including middle market firms. Observations from those reviews are in a risk alert, and that was published on February 3rd of 2015, and just go to the SEC website.
It's a good summary of the sweep and the results. And then, phase two of our cyber review was announced and outlined in a risk alert that was issued in September of last year. That's called "The Cybersecurity Phase two Initiative." A good document for you to look at. So similar to the 2014 exams, the results of the 2016 exams have been shared with the SEC to help inform the Commission and the staff on industry practices, but we don't know yet whether or not we will make the results public. As part of that initiative, there were about 50 different firms across the US that were examined. So what we expect to see is, basically, that you can readily answer questions about what your vulnerabilities are and what you're going to do to address it. We absolutely understand that there is only so much that can be done, but you have to decide yourselves where that spot is. We can't tell you that or opine on that.
Nicholas Donato: Maryellen, just jumping in here. One of the things that I have seen since joining with Navatar is this debate in the industry about whether or not the firm should migrate its data to the cloud. I have heard from some CFOs that they like seeing the data systems on-site. I've heard from others saying, "No, no. It's more secure to have it in the cloud. You don't have to worry about business disruption as much. The software is more advanced." Does the SEC take a view on that within the overall context of cybersecurity?
Maryellen Maurer: So the short answer is the SEC does not opine on whether or not you can use the cloud. We don't say there is anything wrong with you using the cloud. But what we do say is that you should establish a set of standards for protecting client information. We want to see what your standards are that you're using and be sure that they are protected. So there are tools out there that can be helpful for you. There is something that's called The Federal Financial Institution Examination Council, and they have a document that – by the way the SEC isn't a member of that council – but if you go to their website, they have some tools on there that are helpful to identify the risks and determine your cybersecurity preparedness, including related to the cloud.
So they'll give you some ideas on what cloud service providers should be providing to you; what questions you should be asking, so these are the things that we will ask about. So what are you looking at in your agreements? An example is using Dropbox. We went on one exam, and the firm was using Dropbox, but they were using the one that anybody could use and sign up for, and there aren't necessarily controls around that. The service provider can access the information, versus the other Dropbox service, which is the corporate service, where there are controls around that. So that is important. Also, one thing, just a side note, if there's any kind of password protection going on, that you need to be sure when using the cloud, that if we come in and ask for documents, if your service provider cannot go in and reset the passwords for you that you have a way to do that. So, in short, we are not saying that you can or cannot use the cloud. We ask you about controls around it.
April Evans: Thank you. Thank you. Let me shift to one more recent thing, if I may, and that is that in June the commission proposed a new rule that would require registered advisors to adopt and implement written business continuity and transition plans. How is this any different from the compliance program rule, which already requires us to have these policies in place? Are we missing something here when we scratch our heads and say, "But that's already a rule and we're already doing it?"
Maryellen Maurer: In the wake of Hurricane Sandy, OCIE reviewed business continuity plans, and that was approximately 40 advisors in impacted areas to see, basically, what the issues were, and they detailed that, again, in a risk alert. Then, the National Exam Program which is, again, part of OCIE, published another compliance alert after Hurricane Katrina, and those can be found on the SEC website. And as you said, this past June there's this new rule that's been proposed. And that's to require investment advisors to adopt and implement a written plan addressing how to provide continuous advisory services and protect client assets and information in the event of a business disruption. So, the one thing of note is the proposed rule is, I guess I would call more prescriptive than the part of the current compliance program rule that relates to business continuity plan.
And the compliance program rule, it's not specifically mentioning business continuity in the rule, it's discussed in an adopting release, and the adopting release provides examples of what areas we expect to be covered, and it talks about business continuity generally. So, that's more principle-based. So, the actual proposed rule requires the advisor to have a plan based upon the particular risks of the advisor's operations, and, more specifically, it includes policies and procedures addressing specific components. So, it's specific. The maintenance of the systems and protection of data, prearranged alternative physical location, communications plans, review of third-party service providers, and then a transition plan in the event the advisor is winding down or is unable to continue providing advisory services. So, there are a lot more elements to this rule, and it goes into fair specificity about what is needed, versus the current compliance program rule, which talks about it more generally. It's the Commission's belief that, basically, proposing this rule will assist advisors and preserve the continuity of the services in the event of a business disruption. So that's something that's temporary or permanent. There are a broad array of things, national disasters, cyberattacks, technology failures, key people leaving, which wasn't necessarily discussed previously, and then similar events. So that's helpful.
April Evans: Thank you. So the June is more of a specific roadmap if you will, sounds like.
Maryellen Maurer: Exactly. Good point.
April Evans: Thank you. Nick, I know that you're the one who's receiving questions from folks. So let me turn it to you, because we had wanted to cover several enforcement cases, as well as you had Q&A. So let me turn it to you in the interest of managing our time effectively here.
Nicholas Donato: Sure, let's breeze through some audience questions. I want to make sure that we get some interaction here, and then, if we still have time at the end of the hour, it would be important to hit some of these enforcement cases. So, Maryellen, just your quick thoughts, a few questions. How much advance notice does the SEC typically give before they come onsite for an exam?
Maryellen Maurer: Sure. It does vary. I can say, the private funds unit gives a longer leeway if you're subject to one of their exams, and that typically can run up to six weeks in advance. If you’re examined otherwise, it typically is in the two week time frame. If it is a shorter time frame, again, do not presume it means that somebody has called in an enforcement issue on you. It could mean that, but I would say the two weeks is fairly normal, unless you're being examined by the Private Funds Unit, which is a long bit of leeway.
Nicholas Donato: I see. We have another question coming in. This is someone asking, what if the CCO, and I'm guessing that this would be a CCO that wears multiple hats, so, doubling up as a CFO, delegates a lot of the compliance work to someone junior. So that they're only doing maybe 20 percent of their time on compliance and the rest of it on other work. Would the SEC see that as a potential issue?
Maryellen Maurer: The short answer to that is no. As long as everything is being covered, we understand that people have other responsibilities and we would hope where the CCO is spending their time is on identifying the risks of the firm, doing that risk assessment. The junior person can do the test and the junior person can do the training, but the CCO is really the face of the compliance program. So we definitely see that it can be split between the CCO and more junior people. Frankly, a lot of the compliance work is very detailed and sometimes administrative things that need to be done, so we understand that, but please think about the CCO has to be involved in knowing the risks of the firm and making sure that you're addressing that, that can't be delegated to the junior person.
Nicholas Donato: We have a question related to the valuations portion of the roundtable. Someone wants to know, would the SEC have a preference – or see one way as better than the other – to have an LP committee look over the valuations and oversee the process, or do they prefer having that the more in-house, led by the CFO? Any thoughts on that?
Maryellen Maurer: We don't have a preference. We are seeing, as valuation becomes more of an issue, that firms are bringing in outside entities. And that could be the LP that are part of it. Obviously, they're invested in the funds, so there isn't a preference between the two, we're seeing mixtures and it can be done either way. I do want to say on valuation, because it's something I forgot to mention earlier, now that somebody's bringing up this question, we are seeing compliance people being a little too hands off for what we're expecting. So the compliance people should know, not just the process, oftentimes they're part of the committee, but to be able to do testing. So you haven't changed the transaction multiples or trading multiples in six quarters, and now you're suddenly changing it, you're suddenly introducing a firm that you didn't introduce before. They need to know why that's happening and whether or not it's appropriate. So going back to your question, LPs have experience, we understand and then internally this experience, so good with either.
Nicholas Donato: Another question coming in that appears simple on the face of it, but may actually be difficult to answer: What is the best source for compliance training? Have you received that question from CCOs? Are there any resources that you generally point towards?
Maryellen Maurer: We don't have anything too specific because we can't endorse any kind of vendors or anything like that, but I would say to start with the SEC speeches. That's a topical area. The SEC speeches that are sitting on the website. In addition to that, honestly, if you can sign up for lots of law firm [client memos], we can't tell you who. But, there are lots of law firms that are fairly specialized in this area, and they will send out newsletters and alerts when things come out. That's an excellent source of training. They summarize things for you and then you can read all the details. But I would heavily emphasize the speeches and the articles that the SEC is actually talking about. And then lastly, obviously, using a consultant, which I know it can be expensive for a small to mid-size shop, but having somebody come in to give you some information initially, and then maybe being part of their alerts is the way to get information that's helpful for people that are seeing things across the US.
Nicholas Donato: Another question, if you have an organization that has multiple teams, units, and only one of those is a private equity unit, would an exam ever just focus on that one unit, or will it always be part of the organization as a whole?
Maryellen Maurer: Without knowing more detail about the question, I'm going to have to phrase the question. So if the whole entity is a registered investment advisor, and there is one unit within that that is private equity, yes, we could just focus on that one unit and not look at the other pieces of the firm. We may look at it from the outset of understanding the business and how that business flows through and any interactions with the other, I want to say, units or divisions within the larger organization. Because, as you see in cases where you're looking for conflicts of interest between management company and funds, but also potential conflicts of interest with other units or flowing of information between units. So, say you have a hedge fund unit and say you have a private equity unit or an asset management unit that's not even private, we could just still focus on the private equity division, but understanding how you interact with the others.
Nicholas Donato: One final question and then I want to kick it back over to April to talk about some recent enforcement cases in our last five or so minutes here. It's on cybersecurity. Any opinion on if a firm's able to produce a data map? So this is some way to trace how all the data is moving throughout the firm.
Maryellen Maurer: Yeah. So that is incredibly helpful for us. Not helpful for us in the sense of us poking holes in what you're doing, but just seeing that you're covering the issues, and that you're thinking about it. And it makes the questioning go a lot more efficiently, and it makes us understand that it may be an area that you are absolutely thinking about and we can move on from it. So that is something I certainly work a lot in in my other firms when I was being examined, because a lot of times it was something that naturally you should have in place but wasn't, and when you've examined it, it's helpful.
April Evans: Thank you, Maryellen. As you know, there have been a number of cases recently that have gotten a fair amount of attention and perhaps in the last few minutes we have available, we could focus on a couple of them. Apollo had some interesting things and an affiliated loan issue, personal expenses, can you speak a little bit to the takeaways with respect to that particular enforcement action?
Maryellen Maurer: Sure. So one thing I would note too, obviously a big part of the Apollo enforcement action was related to accelerated monitoring fees, which was also the issue in Blackstone from 2014 and I do know that a lot of middle market firms don't necessarily have to deal with that issue, but just to quickly say on that, it's the whole issue about if someone has committed capital and is already in the fund, whatever disclosure they received that's what they're relying on. So, Apollo did a lot of disclosing about the fact that they were receiving a salary with monitoring fees and the amounts and did what they were supposed to do there, but there were some conflicts of interest that they did not disclose in advance of people investing in the funds. So that was that issue.
So, if we move on to the loan area, you're going to see in wherever you're examined next by us, there are going to be a lot of questions on loans. So loans that are involving the funds or related parties and we're looking for situations where there's a benefit to the advisor or GP that's not being disclosed to the LPs that potentially represents a conflict of interest, particularly where the fund is the lender. That was the case in Apollo, and it's definitely something worth spending time on, that we feel that compliance professionals could do more to spend time on this issue. It's certainly ripe for problems, oftentimes not that straightforward, it's a little complicated, so we just ask that you look at your loan situations, because we'll certainly ask about it.
And the other sort of fail at Apollo, I don't want to get into the specifics of it, but think about it thematically. Basically, you had a rogue individual. So a partner who submitted expenses, that weren't fund expenses, and the funds are paying for them. So thematically here in conducting exams, we do see a little bit too much reliance on investment professionals and not enough testing of their expenses that what the expenses that they're submitting are appropriate. So whether or not they're inflated and we really care about this, because fund expenses are assets of the fund and therefore the LPs and you should treat it like that. So taking away dollars and money from the funds is an issue for us. So, one of the things that we see sometimes is an invoice that's being submitted, it'll be on an AmEx bill, it'll be that's what's used, and it'll be a hotel amount, and the investment advisor is not asking for the invoice and the detail behind that.
Now, we know that at hotels, there's a lot more things that you can charge on your bill than just for the hotel stay. So those are the things like maybe golf outings or other personal outings that are unrelated to doing due diligence on the deal, so that's something that you need to pay attention to and not just look at the high level numbers. And then also just, a recent example for me again was, car rentals. If people are just getting that invoice and not looking at the dates of the car being rented and it may be a quite nice car and that's going as a fund expense, you should know that expense is related to a deal, a particular deal or sourcing a deal and it was during a particular time, not say two weeks before, and, "Oh this was generally in the area that I was, and I'm going to put it through as a fund expense." So that's an area that again we think there could be some improvements.
Nicholas Donato: So that just about does it for time here. I want to give a big thank you to Maryellen Maurer for joining us today. It's always important to hear from the SEC staff about their approach to supervision. And a big thanks to April Evans who did a fantastic job representing the CCO community here. You'll see contact info for me on that last slide there. Please reach out if you would like to team up with Navatar to do a roundtable or similar thought leadership exercise. We’re always looking for intelligent speakers to opine on pressing industry issues. You will also see contact information there for Amber Landis. As mentioned at the start of the webinar, she is recruiting industry professionals for PERT, that's the Private Equity Regulatory Task Force that regularly meets with the SEC and other regulatory agencies to discuss new rulemaking and other issues. On behalf of Navatar Group, I'm Nick Donato, thanks for joining us today.