KAP’s insights on private equity investor relations and fundraising
Compliance, cybersecurity, SEC audits and other highlights from the ACA Compliance conference.
Whether you are a Registered Investment Adviser (RIA), or are thinking about registering with the SEC in the near term, being prepared and SEC compliant is essential. Two key trends are occurring in the real estate and private equity marketplace: 1) whether you are registered or not, many institutional investors are requiring marketing collateral to be prepared in accordance with RIA standards, and 2) if and when you do register, the SEC is able to retroactively review your firm, inclusive of activity prior to your registration. At this point in time, not all real estate private equity funds are required to register, but that could change down the road, so being prepared and understanding compliance standards sooner rather than later is advantageous even for unregistered firms.
Of everything we learned, one thing is clear: it is imperative to work in conjunction with your compliance department to not only make it easy for investors to invest with you, but also to make it easy for the SEC to audit you. Yes, you read that right. Following best practices for compliance in all parts of your organization can prevent an audit from derailing your business. A smooth audit process may reduce the deficiencies examiners identify, limit time spent responding to audit requests, and keep your firm focused on its day job of investing.
Below are our key takeaways from the conference:
- During an SEC audit, SEC deficiencies are likely when items are not disclosed and/or when inconsistencies within your marketing collateral exist. Be transparent and consistent.
- Track records belong to the RIA, making team turnover within an organization irrelevant, at least from a disclosure perspective (though institutional investors will certainly still evaluate the soundness of your organization).
- Social media falls within the SEC’s domain. The SEC may ask for all business communication, even if it is conducted on non-business systems. It is important to provide policies and procedures, along with training, to your employees to ensure that your organization is clear on how to handle all forms of social media.
- If you are an RIA and have not yet been audited, a mock SEC audit is highly recommended. It will allow you to uncover the deficiencies in your own organization and will give you time to mitigate them before your inevitable, actual SEC audit.
- Follow best practices during an SEC audit. Turn documents back to the SEC in a timely manner. Provide clear, well-organized information. Reduce your potential list of deficiencies by making the process easy for the examiner. Remember that SEC examiners are real people; build a relationship with your examiner. Enlist the help of counsel with regulatory expertise and deep familiarity with SEC audits.
- Consider vendor risk management. Do you have a clean desk policy? Do non-employees have access to your office outside of business hours? Are you properly conducting due diligence on third-party vendors that have access to sensitive information? Do your contracts require notification for any changes within your vendor’s organization? Expect an initial review of each vendor to take five to 10 hours for adequate diligence. The frequency of diligence on each vendor depends on how critical that vendor is to your business.
- And, last, but certainly not least, what is your cybersecurity plan? Do you have cybersecurity insurance? Is your team equipped to deal with cyber-attacks, and/or do they know what to do if they receive a communication trap? Cybersecurity policies, employee training, and contingency plans are more important than ever. Be prepared to discuss them with institutional investors as well.