Regulation watch: Who guards the guards?

US regulator reviews own cybersecurity

The Securities and Exchange Commission has stepped up its cybersecurity programme after an attack on its system allowed hackers to make “illicit gains”.

Chairman Jay Clayton said the agency has created a senior-level cybersecurity working group to co-ordinate information sharing, risk monitoring and incident response efforts throughout the agency.

The agency’s corporate filings system, EDGAR, was breached in 2016, but the agency only learned in August this year that the attackers had used the information to make profitable trades. The software vulnerability exploited by the attackers was patched promptly after discovery, Clayton said.

SEC Boston office making ‘surprise’ visits

Private fund managers based in the New England city should be prepared for unannounced visits and exams from the SEC, according to compliance sources.

Speaking at Private Equity International’s Private Funds Finance and Compliance Forum in San Francisco, experts said firms in the area should discuss what they will do in the event of a surprise knock on the door.

“There should be a discussion about who will be the back-up in the event a key person is away,” a partner at a third-party compliance service provider said.

Firms in the city are advised to have a discussion of tactics, and be even more vigilant in ensuring documents – such as those detailing deviations from fees and expenses policies – are up to date.

“It’s unlikely to spread beyond Boston, but internal preparation should be made on the off-chance,” a law firm partner from the city said.

While exams may be triggered by a specific event, they are thought to be “points on the board” exercises, with examiners looking to cover more ground.

Non-Boston-based firms should be aware that the standard two-week notice period given before an inspection is often shortened.

UK tax evasion law has kicked in

The UK tax authority expects firms to have certain measures in place after the Criminal Finances Act came into force on 30 September.

Firms must now demonstrate that management is committed to preventing the facilitation of tax evasion – failure to do so becomes a criminal offence – and that they have made a risk assessment and have communications plans and a timeline for full compliance.

“As a first step, it is critical that fund managers in this situation carry out a risk assessment, with a view to putting in place a reasonable policy for each entity they think may be affected by these rules. Importantly, they will need to analyse their fund structures and third-party service provider arrangements to see which entities are relevant and therefore require such a policy,” said Laura Charkin, tax partner at law firm Goodwin.

The full compliance programme should be based on six principles Her Majesty’s Revenue and Customs said should be applied in a “risk-based and proportionate rather than prescriptive way.” These principles are: risk assessment, proportionality, top-level commitment, due diligence, communication, and monitoring and review.