The ELF version 2.0 Platform contains a streamlined compliance workflow that allows employees to instantly connect to their brokerage accounts electronically, allowing for the seamless, automatic download of transaction and holdings data for compliance review purposes.

Typically, advisers comply with rule 204A-1 by receiving paper copies of employee brokerage statements.   The process of reviewing of these statements can be quite burdensome, even for smaller advisers.  The ELF platform streamlines this process by allowing for electronic links and automates much of the review process for CCO’s.

To learn more about the upgraded ELF platform, click here.

Todd Groome, Chairman of AIMA, said of the meetings:

“AIMA, as the global hedge fund association, has historically worked closely with U.S. and international supervisors, and we look forward to engaging with U.S. authorities in September and beyond regarding numerous issues related to the implementation of the Dodd-Frank Act, as well as its interaction with reforms in other jurisdictions.

“AIMA supports increased dialogue with supervisors, and the goal of improved trading and market transparency by the industry. That includes periodic reporting of data to supervisors so they may better assess broad market and potential systemic risks.   Hedge funds do not present a systemic risk, but our industry can contribute to the analysis of systemic risk and financial stability.

“We also support OTC derivatives reform, including the introduction of central clearing. We believe central clearing of eligible contracts is a very important reform aimed at improving financial stability. However, we remain focused on certain implementation issues, such as direct access, governance and capital or margin requirements.

“From the outset, we have also called for a globally consistent and coordinated regulatory framework. Many of the measures that feature in the Dodd-Frank Act are being discussed in other jurisdictions, and it is desirable that there is a large degree of consistency in terms of approach and implementation. If that consistency is not achieved it could lead to unnecessary duplication and increased costs.”

AIMA expresses its views on this legislation in more detail in its June 28, 2010 statement on U.S. financial reform.

The Investment Adviser Association (the “IAA”), a not-for-profit association representing the interests of federally registered investment advisers, has estimated that approximately 350 New York-based advisers would be forced to de-register with the SEC as a result of the Dodd-Frank law.  David Tittsworth, the executive director of the IAA, has commented that “the answer about where they register is unclear.  It’s highly likely that the SEC will, in time, issue some sort of transitional rules that will deal with this and other questions.”

In order to avoid leaving these New York advisers in “no man’s land”, one of two responses is likely before the law takes effect in July of next year: either the SEC will bring these advisers back within its jurisdiction or New York will adopt an examination program to meet the requirements of the law.  New York advisers affected by the law will have to sit tight for the time being until guidance is released.

While the Regulations themselves are best explained by Mr. Patrick Shea of HedgeOp Compliance in an earlier post of this blog, let’s take a moment to look at practical approaches to meeting (and exceeding) the requirements outlined in the Regulations. I will focus my post on the technological aspects of the Regulations but make sure you address the non-technology pieces, including risk identification and assessment, employee training, maintaining proper documentation, etc.

I would like to introduce you to what I call the C.I.A. of your data: Confidentiality, Integrity and Availability. As a business owner or IT gate keeper you want to make sure that your data remains secured, accurate and readily available to your employees and investors. We will get back to data C.I.A. in a second.

The Regulations start by requiring the development of a comprehensive information security program. You can definitely start this process from scratch, but you might want to check out Cisco Systems’ Security Policy Builder. By answering a few simple questions about your business, Cisco’s web based wizard will compile and email you a customized security policy. Although Cisco’s SPB is a terrific starting point for building your security policy, make sure you read through it, understand each section and modify it to meet your business, IT systems and needs.

After tackling the policy aspect, we are ready to implement our technological measures on the road to ensuring C.I.A.

Data Confidentiality

For our purposes, data confidentiality refers to defining who has the rights to access business information or more specifically, personal information regarding residents of the Commonwealth. Access to information deemed confidential should be on a “need-to-know” basis, rather than a firm-wide, unrestricted access. To ensure data confidentiality, IT staffers will most likely pick and choose some of the following technologies:

Strong password policies:
It is recommended to require employees to choose passwords that are hard to guess and to have them change the password regularly. Where possible, use two-factor authentication systems.

Email encryption:

• Transport Layer Security (TLS) can be enabled on your email server and is used for encrypting email correspondence between your organization and trusted service providers that might be exposed to confidential information. Once enabled, TLS encryption is done by the servers without changes or burden on the employees. If you are a client of HedgeOp Compliance and would like to enable TLS encryption between your email server and ours, drop us a line and we will be happy to work with you on that!

• Secure Socket Layer (SSL) can also be enabled on your public-facing servers like your email server, remote access server, extranet, etc. Whereas TLS encrypts communication between two participating servers, SSL encrypts data traffic between a server and a web browser (Firefox, Internet Explorer, etc.) on a remote computer. Websites that allow your employees to check your email remotely should definitely enforce SSL encryption.

• Another form of remote email access that is popular among managers and other road warriors is using the Microsoft Outlook email client to connect to the email server remotely. In this case, and since internet traffic is insecure by default, we recommend enforcing the use of Remote Procedure Calls (RPC) over Hypertext Transfer Protocol Secure (HTTPS). RPC over HTTPS “hides” the RPC traffic used by MS Outlook (client) and MS Exchange (server) inside an encrypted HTTPS tunnel thus making the email data unreadable.

Storage level encryption:

• If your employees travel with their notebook computers, Hard Disk Drive (HDD) encryption should be used to make all hard drive data unreadable unless the correct password is provided. This ensures that even if a laptop is stolen or lost, the data on the drive is scrambled and remains unusable. Disk encryption comes in two main flavors: whole disk encryption or container based encryption. Whole disk encryption comes standard with business laptops from leading manufacturers and is the recommended approach as it covers (encrypts) the entire content of the hard drive. Container based encryption allows you to encrypt a subset of data (certain files and/or folders) inside a single encrypted file. The advantage of this approach is that the encrypted file can be easily moved from one computer to another computer, as long as the password to decrypt the files is known.

• The section about data availability will mention that you should have a robust plan for backing up your data but since we are still looking at data confidentiality, I can inform you that most modern backup programs on the market support password protection and encryption of backup data stored on tapes or to the network.

• Lastly, please remember the very popular way of accessing corporate emails and files: smart phones. They come in all shapes and forms, named after all sorts of fruits and they are very capable of connecting to your computer systems and storing information on large internal memory chips (beyond your network boundaries). Make sure that you only allow access to those devices that sport secure connections to your systems, phone-based encryption and preferably the option to accept a remote command to wipe the device should it gets stolen or lost.

Enough about data confidentiality! It is time to protect the integrity of our data.

Data Integrity

Data integrity breaches occur when a person/system (either trusted or not) manipulates the data in an unauthorized way. Such manipulation either makes the data unusable or changes the original meaning/intent of the data.

• To maintain the integrity of your data, consider using permission-based access control and enable access auditing. The auditing feature will maintain an electronic audit trail showing who accessed files, when and how.

• It is also a best practice to keep all business files on your company servers rather than on dispersed computers. Maintaining a centralized repository for your data helps you control data confidentiality, lower risk of data integrity attacks and surely simplifies your backup, recovery and data availability planning.

• The Regulations also call for regular monitoring of your security program and procedures. To simplify and automate the monitoring process, a large selection of network monitoring applications is available on the market and such a system can be implemented with relative ease. Monitoring systems are typically capable of monitoring the availability of your systems, as well as reviewing event logs on your systems. Noteworthy events are failed logon attempts and failed attempts to access restricted files. Once a monitored condition or event is found on the network, the monitoring application is capable of notifying the administrator via email, SMS or other means.

Data Availability

Data availability is not part of the Data Security Regulations but it is crucial for your business so I will briefly explain what it means. Data availability describes the practice of ensuring that our business files are readily available to those who need them (and no one else!) during normal business operation or in a Disaster Recovery (DR) situation. Two commonly mentioned DR considerations are Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is a fancy term for the last point of backup, after which data is lost as a result of a disaster. RTO simply means the time it takes a company to restore access to the data and resume normal operation following a disaster.

Key points to consider:

• Take frequent backups to minimize the RPO. Backup frequency should be determined based on how quickly your stored data changes (added, modified, deleted) and can vary from real-time replication to hourly images to weekly backups. We recommend that at a minimum, you backup your data on a nightly basis.

• Securely store a copy of the data off-site, either at your DR data center or with a trusted online backup provider.

• To the extent possible, move data off-site electronically (using secure connections) rather than carrying tapes or DVDs.

• Familiarize yourself with the different DR site options (Cold site, Warm site and Hot site). If possible, avoid Cold sites as these extend your recovery time (RTO) to hours and days.

• Test your backups and disaster recovery procedures on a regular basis. This will shorten your RTO, ensure that files are intact and that your IT staff is familiar with the process.

I hope I was able to provide you with valuable information. If you have any question or would like to discuss a specific scenario, please post your question to the blog or contact me directly.

Dotan Akiva

The amendment to PTE 84-14 that the DOL recently adopted introduces new conditions that a QPAM must meet when managing assets of its own plan (or a plan sponsored by an affiliate of the QPAM).  Effective after November 3, 2010, the relief provided by PTE 84–14 will apply to a transaction involving the assets of a plan sponsored by the QPAM, or a plan sponsored by an affiliate of the QPAM, if: (a) the QPAM has discretionary authority or control with respect to the plan assets involved in the transaction; (b) the QPAM adopts written policies and procedures that are designed to assure compliance with the conditions of the exemption; and (c) an independent auditor conducts an exemption audit (on an annual basis) and following completion of such audit, issues a written report to the plan presenting its specific findings regarding the level of compliance and the auditor’s overall opinion regarding whether the QPAM’s program complied with the policies and procedures adopted by the QPAM; and with the objective requirements of the exemption.  The exemption audit and the written report must be completed within six months following the end of the year to which the audit relates.  Without going into specifics, it is also noted that the transaction must meet all other applicable requirements of PTE 84-14.

As is always the case, and perhaps even more so when it comes to ERISA and Internal Revenue Code matters, readers are encouraged to discuss specific questions with their ERISA and/or tax counsel.  The above is intended to serve only as a summary of the most recent PTE 84-14 amendment.

FINMAR 1 contains rules on the FSA’s information gathering powers, which have been revised and expanded to, among other things, include the power to require disclosure of information and documents by certain persons whose activities the FSA views as relevant to the stability of one or more aspects of the financial system.

The new FINMAR sourebook comes into force on August 6, 2010.

FINMAR 2 contains rules on short selling, which incorporate to a large extent the existing FSA short-selling disclosure regime (currently set out in the FSA Code of Market Conduct (“MAR”)), but also add new short-selling powers and penalties granted to the FSA by the UK’s outgoing Labour government under the Financial Services Act 2010 (the “FS Act”, which came into force on April 8, 2010).

Among other things, the FS Act provides that the FSA has the power to:

1. Require a person to provide information and documents that the FSA reasonably requires for the purpose of determining whether a person, or a person connected to them, has contravened any provision of short-selling rules; and/or
2. Impose a financial penalty or public censure on a person that contravenes any provision of short-selling rules or on a person who was knowingly concerned in the contravention.

The new FINMAR sourcebook will come into force on August 6, 2010, which is also the date on which the revised and recast rules will come into effect and the existing short-selling rules in MAR will be deleted.