It’s time for another periodic round-up of noteworthy SEC enforcement actions. Topics in this update: hypothetical and back-tested performance, cybersecurity/privacy, and private fund conflicts, and then a lightning round of other odds and ends.

“Hypothetical” and “Back-Tested” Performance

While many people still have vivid memories of prior significant SEC enforcement actions related to the use of hypothetical and back-tested performance, the SEC settled a new action at the end of August to give everyone a reminder of the perils of using back-tested performance without adequate disclosures.  Briefly, the case arose out of the investment adviser marketing from 2006 to 2015 using performance information for a hybrid fundamental research/quantitative strategy portfolio going back to 1995 that used (i) actual fundamental research recommendations from the entire period, beginning in 1995, (ii) back-tested quantitative recommendations for the period from 1995 to 2000, and (iii) a mix of actual quantitative recommendations and back-tested quantitative recommendations from 2000 to 2003 (after which time the performance information used actual quantitative recommendations).  The settlement order noted that although the depiction of the performance was consistently labeled as “hypothetical,” none of the advertisements disclosed that a portion of the performance was based on back-tested quantitative recommendations.  The SEC also criticized the firm’s responses to RFPs related to the strategy, quoting:

Using fundamental and quantitative rating data at [the adviser] since the mid-1990s, we evaluated whether or not stocks that were buy-rated by fundamental research, buy-rated by quantitative research, and buy-rated by both sources of research added value relative to the market benchmark… Additionally, we wanted to see if the same three categories of sell-rated stocks lagged that same broad market benchmark… The unconstrained simulation illustrated . . . shows the powerful results generated by combining [the adviser’s] two sources of research. (emphasis added)

Similarly, the order also referenced how the adviser presented its methodology in a white paper, again quoting:

In order to assess the blended approach, we used fundamental and quantitative rating data gathered by [the adviser] since the mid-1990s and evaluated stocks that were buy- or sell-rated by fundamental research, buy- or sell-rated by quantitative research and buy- or sell-rated by both sources of research… The data show that the combination of the two independent and complementary sources of alpha provides greater return potential than when the fundamental and quantitative signals do not overlap or intersect. The same phenomenon also holds true on the short side… (emphasis added)

The order implies that the adviser’s process for reviewing advertising materials was partially to blame for not catching these issues, noting that compliance personnel were not aware of the fact that the quantitative ratings for the earlier period of the hypothetical track record were back-tested, and that different groups of compliance personnel were responsible for reviewing different marketing pieces, with the result that each was describing the back-tested research in a different way than the other.

The biggest take-away here is simply that advisers should use extra care when describing any type of, well, not-actual performance.

Cybersecurity & Privacy

The SEC settled a significant enforcement action against a dual-registered investment adviser/broker-dealer regarding violations of the “safeguards rule” in Regulation S-P and the identity theft prevention program requirements from Regulation S-ID.  Mayer Brown will be preparing a more in-depth review of this case as part of National Cyber Security Awareness Month (which, for those of you who weren’t aware, is October), and I’ll update this post to include a link as soon as it’s available.  In the meantime, a brief synopsis:

The issues arose out of the use of a proprietary web portal by independent contractor representatives of the IA/BD (which I’ll refer to as “IC Reps”), through which the IC Reps could access personally identifiable information of the IA/BD’s clients.  Over a period of 6 days in April 2016, one or more persons impersonating IC Reps called the company’s tech support line and requested password resets to access the portal.  Two of those requests originated from phone numbers that the IA/BD had previously identified as being associated with fraudulent activity (which also involved attempts to impersonate company personnel using tech and customer support lines).  Tech support staff reset the passwords and provided temporary passwords over the phone, and, in two instances, also provided the IC Rep’s username.  The targeted IC Rep notified tech support within three hours of the first fraudulent request (after he had received an email indicating the password had been reset, even though he had not requested a reset), which prompted the IA/BD to take steps to respond to the intrusion, but those steps did not prevent intruders from gaining access to the portal by doing the same thing to other IC Reps in the following days.

The intruders gained access to personally identifiable information of at least 5,600 customers.  The order notes that there have been no known unauthorized transfers of funds or securities from customer accounts as a result of the intrusion.

With respect to the Safeguards Rule/Reg. S-P, the order notes that the company’s policies and procedures were deficient because, among other things, they were not reasonably designed with respect to resetting contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of online customer profiles.  With respect to the Identity Theft Prevention Program/Reg. S-ID, the order notes that although the IA/BD adopted a program in 2009, it did not review and update the program in response to changes in risks to its customers or provide adequate training to employees, and did not include reasonable policies and procedures to respond to red flags, such as those detected during the intrusion.

Private Fund Conflicts

Some notes on a few settlements involving private fund conflicts of interest:

  • One case involved the principal of a private equity advisory fund adviser that caused one of the adviser’s funds to make a loan to a portfolio company where that portfolio company had agreed to use a portion of the loan proceeds to purchase an interest in another company from the principal of the advisory firm.  Notwithstanding that the adviser’s compliance procedures and the fund’s limited partnership agreement required the adviser to disclose transactions involving a conflict of interest to the fund’s limited partner advisory committee, it was not disclosed.
  • A second case arose out of another private equity fund adviser that failed to provide material information to fund investors in connection with an offer by the owner of the adviser to purchase fund interests from investors, near the end of the fund’s life.  Specifically, the order involved a fund in its seventeenth year that had two remaining portfolio companies, with investors expressing a desire for liquidity.  In response, the adviser offered fund investors the opportunity to sell their fund interests to the adviser’s owner in May 2015, valued at 100% of the December 2014 net asset value of the fund.  However, as set out in the order, the adviser failed to disclose to the investors that on May 1, 2015, the adviser and its owner had “received preliminary information indicating that the [fund’s net asset value] had potentially increased significantly during the first quarter of 2015 from the [December 2014 net asset value].”  The SEC remarked that “[t]he omission of this information regarding the potential increase in the value of [the fund]’s portfolio companies resulted in certain statements in [the letter sent by the adviser to investors] being misleading.”  It also appears from the settlement order that the adviser delayed in providing fund investors with Q1 2015 financial information, which also would have shown an increase in the fund’s net asset value.
  • A third case against a private fund adviser involved two “agency cross” transactions and a principal transaction between and among various advised funds and a wholly owned subsidiary of the adviser.  While the principal trade is fairly straightforward, the “agency cross” transactions are somewhat more interesting–essentially, the SEC took the view that the adviser was acting as a “broker” in connection with a cross trade between two fund clients because, in accordance with the terms of its agreement with the selling fund, as a result of the trade the adviser was paid a percentage of the sale price of the assets sold to the buying fund.  Under Section 206(3) of the Advisers Act, an investment adviser must provide advance written notice and get a client’s consent before acting as a “broker” in a trade between two advisory clients (or between an advisory client and a brokerage client).

Lightning Round!

Finally, a few of the other interesting cases since the last round-up:

  • Custody Rule (Late Delivery of Financial Statements) – Substantially a carbon copy of the case from the last round-up regarding late delivery of a fund’s audited financial statements, only… more.  For anyone who looked at the last case and thought to themselves, “okay, but other than that one year, they weren’t that late delivering their audited financial statements,” I present the late delivery breakdown from this new settlement:

    Fiscal Year   Number of Funds   Number of Funds with Late Audits   Range of Days Late
    2012          68                40                                 8 – 591
    2013          69                27                                 6 – 616
    2014          73                31                                 8 – 1,050
    2015          76                30                                 11 – 766+
    2016          75                33                                 9 – 415+
    2017          79                17                                 31 – 35+

(And the “+” character included in the late day range for 2015, 2016, and 2017 indicates that no audit had been completed for at least one fund in each fiscal year.)

  • Custody Rule (Auditor Independence) – This case was actually against the auditor for causing violations of the custody rule (and causing violations of the broker-dealer audited financial statements rules) because the auditor failed to meet its independence tests under Regulation S-X.  In each case, the auditor was involved in preparing or revising the financial statements it was auditing, which compromised its independence.
  • Improper Use of Soft Dollars – An adviser used soft dollars to pay for research software from a company owned by the adviser’s Chief Investment Officer (who served on the Management Committee of the adviser, which was responsible for decisions regarding the use of soft dollars).
  • Use of Testimonials – An adviser placed ads with a local radio station–including a mix of pre-taped and “live” spots–but failed to monitor the content of the ads, including after one of the radio hosts became an advisory client and began including testimonials in the ads.
  • Cross Trades – Crossing at a bad price (the bid price), which disadvantaged one client over the other.
  • Registered Fund Interpositioning/Cross Trades – An adviser to a registered investment company and a hedge fund caused the hedge fund to sell units of a thinly-traded master limited partnership using one broker, and then used a second broker to buy the very same securities for the registered investment company.
  • Undisclosed Precarious Financial Condition and Failure to Refund Pre-Paid Fees
  • Conflicted Selection of Affiliated Wrap Program – An adviser that recommended wrap programs to clients failed to disclose its economic incentive for clients to select a wrap program sponsored by an affiliate.  (While the adviser did disclose that it was affiliated with one of the wrap program providers, it failed to disclose certain material terms of its economic arrangement with its affiliate that differed from arrangements with third party wrap program sponsors.)
  • Wrap Program Trading Away
  • Errors in Quantitative Investment Model
  • Misappropriation
  • Reinsurance Trust Misappropriation – While the conduct involved here, as described in the order, is pretty straightforward fraudulent misappropriation, the context involving reinsurance trusts makes it somewhat more interesting.
  • Cherry Picking (RIA/Individual)

That’s all for now.  Catch you next time in SEC Enforcement Round-Up III: Round-Up Harder.