Regulation in the Cloud: Where is it Headed?
July 6, 2012
Fund managers and financial advisors are looking to the cloud to reduce costs, enhance performance, and improve accessibility.
Most advisors to large hedge funds and other private funds earlier this year were required to join advisors to mutual funds and exchange-traded funds and register with the Securities and Exchange Commission as investment advisors. This followed the elimination of the "private advisor exemption" under the Dodd-Frank Act.
The question now is: Is additional regulation on the horizon for support functions that advisors put in the cloud or contract out to cloud services?
The Investment Advisers Act, its accompanying rules, and SEC guidance make no mention of cloud computing. The SEC generally views cloud computing as a form of outsourcing, and advisors have been outsourcing back office operations for many years to prime brokers, clearing brokers, custodian banks, and fund administrators.
These outsourcing service providers, which often compete to provide support services, have been pouring millions into developing cloud technology to maintain their market positions. Order management, messaging systems, data repositories, recordkeeping, accounting, reporting and models for pricing and trading are examples of services currently being offered to advisors in the cloud.
Since 2004, investment advisors registered with the SEC have been required under Rule 206(4)-7 of the Investment Advisers Act of 1940 to adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act and its rules by both the investment advisor and its supervised persons. Firms must, at least annually, review the adequacies of those policies and the effectiveness of their implementation.
Advisors to funds can be held accountable for the actions of the vendors that support regulated activities on their behalf. This is particularly important in a situation where the entity performing the cloud services is outside the SEC's purview.
Advisors should perform initial and ongoing due diligence of cloud providers, and have procedures reasonably designed to prevent violations. For advisors to funds that outsource complex pricing and valuation models, careful attention is needed to supervise providers of these models.
Advisors are required to maintain certain books and records under the Investment Advisers Act, Regulation S-P, and under privacy rules set forth under the Gramm-Leach-Bliley Act. Records must be maintained for five years, the first two in a reasonably accessible location.
Depending on the services they provide, outsourcing or cloud providers may themselves generate records attributable to the advisor, subject to the same preservation requirements. Advisors to funds should ensure that their selected providers offer ample security and are able to respond quickly by providing records in a readily accessible form in the event of an audit.
Advisors to large private funds will also be required to make supplemental disclosures on a regular basis by filing the SEC's new Form PF. The information and data reported on Form PF is designed, among other things, to actively monitor and track systemic risk among private fund advisors and in the U.S. financial system as a whole.
An entire cottage industry has developed with companies providing support to private funds in collecting data, making calculations, and otherwise assisting with Form PF filings.
Finally, investment advisors have a fiduciary duty to serve the best interests of their advisory clients, the funds, and not subordinate the funds' interests to their own. Satisfying the fiduciary obligation is an important consideration when entering into outsourcing or cloud computing arrangements. Fees and expenses should be fairly allocated and potential conflicts of interest should be identified and avoided.
Though the SEC may view cloud computing as a form of outsourcing, it has provided little guidance for outsourcing by advisors.
Adding to the uncertainty, examinations of advisors are performed very infrequently by the SEC's Office of Compliance Inspections and Examinations (OCIE). The SEC is considering options to improve the level of compliance by registered entities, while managing its limited resources.
One possibility is that the SEC will hand off oversight of investment advisors to the Financial Industry Regulatory Authority, a result that could bring more frequent examinations and fines for violations. Even if the SEC decides to keep oversight with OCIE, it may follow an approach analogous to the broker-dealer outsourcing model, where guidance has culminated in FINRA's Proposed Rule 3190.
Under FINRA's outsourcing guidance, broker-dealers may not delegate their responsibility for outsourced functions and must be accountable for failures. Outsourcing of activities in support of regulated functions is generally permissible, subject to limited exceptions for movements of cash or securities, the preparation of net capital or reserve formula computations, or the adoption or execution of compliance or risk management systems.
Unclear is whether advisors might eventually be subject to a similar range of outsourcing restrictions.
Michael Kurzer is an associate in the New York office of Milbank, Tweed, Hadley & McCloy and a member of the firm's Intellectual Property Practice Group.