On August 26, 2024, it was not the first time the SEC settled charges with a Registered Investment Adviser (RIA) for willfully violating Section 204A of the Investment Advisers Act (204A) by failing to establish, maintain and enforce written policies and procedures reasonably designed to prevent the misuse of material, nonpublic information (MNPI) despite no specific finding that the RIA or its employees illegally traded on MNPI or misused the information in any manner.¹

The SEC has been signaling for years through heightened enforcement efforts and increased examination surveillance that RIAs must adopt a set of policies, procedures, and controls related to the safeguarding of MNPI that adequately addresses the risks associated with the nature of their business activities. It is not sufficient for RIAs to have in place a general insider trading policy that blanketly prohibits trading on the basis of MNPI even when the firm implementing the policy is organized across multiple lines of business. Rather, firms should be actively thinking about whether their policies and controls are appropriately tailored to account for potential misuses of MNPI within the context of their specific business model and day-to-day operations.²

RIA’s Trade Activity While in Possession of MNPI

The RIA, subject to the SEC’s August 26, 2024 settlement, operated multiple lines of business related to Collateralized Loan Obligations (CLOs).³ The firm managed CLOs by determining which loans to buy or sell for the portfolio. It participated in ad-hoc lender groups or creditor committees with other entities to explore potential debt restructuring opportunities with the issuer (i.e., borrower) of the loans underlying CLOs and, as a result, periodically received MNPI about these issuers. It also traded in CLOs whose issuers were either clients of the firm’s credit investment business or, alternatively, managed by another third party.

The firm adopted an insider trading policy that prevented the firm and its employees from trading in securities of a company while the firm was in possession of MNPI concerning that company. The firm’s compliance department also maintained a restricted list and prohibited employees from trading in those securities either in a business or personal capacity. However, the restricted list and the general policy did not account for or address the MNPI about the underlying loans in issuers that the RIA possessed through its CLO management and credit committee businesses.

The order identifies a situation in July 2019 where a portfolio manager (PM) at the RIA reached out to the firm’s compliance department to request approval to sell portions of two equity tranches of CLOs. Compliance had been made aware that the credit side of the business possessed MNPI, shedding a negative light on the borrower of the underlying loans in that same CLO (i.e., the borrower needed emergency financing). At that time, the RIA had been one of the largest holders of term loans issued to that borrower and served as a member of a lender group for that borrower. Through its role in the lending group, the RIA became aware of confidential information revealing the borrower’s precarious financial situation. There was no indication that the PM was aware of the unfavorable MNPI and, as such, compliance approved the trade request in these products. The PM executed the transactions on the same day, and the price of the company’s loans precipitously dropped following the publication of the confidential information the next day.

RIA’s Policies and Procedures and SEC’s Sanctions

After these trades, the RIA initiated compliance reviews that considered, among other things, whether the firm possessed MNPI concerning the issuers of the loans involved in the CLO trades in question. The pre-trade reviews were not memorialized into a formal written policy until approximately three years later. Indeed, the firm did not adopt any kind of review or informal policy concerning the possession of MNPI regarding loans held in CLOs managed by third parties until after the commencement of the SEC’s investigation almost five years later. Finally, while the firm was structured across different business lines, it did not maintain information barriers between its PMs responsible for the credit investment decisions and the traders responsible for CLO trading. 

Due to its inadequate MNPI policies and procedures, the RIA was subject to a cease-and-desist order and censure and agreed to pay a $1.8 million civil penalty.

Key Takeaway

To be sure, the RIA’s compliance manual contained a general insider trading policy that prohibited trading in securities of companies for which it had MNPI. The policy did not, however, specifically address the impact that MNPI relating to a particular borrower can have on a proposed trade in a CLO that contains the borrower’s loans. Looking ahead, firms should establish, maintain, and enforce a set of risk-based policies and procedures that account for the MNPI that a firm is exposed to in the course of its particular businesses. Firms should further consider how confidential information may relate to the public and private market trading activity on behalf of the firm or by an individual employee. 

SEC’s Related Enforcement Precedent

204A violations against advisors without any findings of insider trading or misuse of MNPI are not novel. In 2021, the SEC sought a significant penalty against a firm that did not implement any policies and procedures addressing the risk presented by senior personnel, considered above the firm’s existing information barriers, who allegedly had access to MNPI about many of the issuers in which the firm invested.⁴ The senior personnel purportedly acquired access to such MNPI through their work as consultants acting on behalf of entities affiliated with the firm. As a result, the firm was ordered to pay a penalty of $18 million. 

In what is a sign of broader enforcement to come on this issue, the SEC’s allegations, in this case, were based on the idea that the MNPI in question had been accessible across the consulting and trading areas of the firm due to the dual nature of the personnel’s roles. That idea is in sharp contrast to the allegations asserted in the August 2024 settlement, where the SEC notably made no indication that the credit side of the firm shared the accessible MNPI with the trading business.

More recently, in December 2023, a firm involved with middle market M&A activity was charged with violating 204A by disclosing MNPI relevant to potential merger and acquisition transactions involving public companies to third parties, such as investors and industry contacts, without consideration of the disclosure standards set forth in its own policies and procedures. The firm did so via unofficial email updates and marketing communications. The policies allowed for such disclosures where it was “necessary for legitimate business purposes.” However, the firm utilized Non-Disclosure Agreements (NDAs) as a safeguard against the risk of misuse of MNPI. This example is an important reminder that even where the SEC does not challenge the adequacy of a firm’s policies and procedures, it can still bring a 204A action for a firm’s failure to enforce such policies and procedures. Even further, this case makes clear that the SEC will bring a 204A action despite a firm taking some steps to protect the MNPI, such as the use of an NDA. The firm was ordered to pay a $4 million penalty in this case.

Finally, on the very last day of its fiscal year, September 30, 2024, the SEC announced new 204A charges against another RIA for violations arising, once again, out of participation on an ad-hoc creditors’ committee, which was one aspect of this firm’s business model in addition to a trading strategy focused on distressed corporate bonds. The final order does not state that the firm misused any MNPI. In fact, in contrast to the matters above, there are no allegations that the firm even received any kind of confidential information through its business activities. Rather, the order suggests that policies alone that contain identifiable deficiencies with regard to the risks related to the potential for receiving and misusing MNPI exposes a firm to potential liability under the securities laws. One of the deficiencies noted in the order was the absence of any framework for monitoring or supervising an employee’s participation on a creditors’ committee, even though its existing policies acknowledged that serving on such a committee could result in the receipt of MNPI. Although not directly tied to any policies, the order also discusses the firm’s decision not to restrict its trading until it entered into an NDA with the issuer⁵ in connection with its frequent communications between the firm’s analysts, at least one of its traders, and the financial advisor to the committee in possession of MNPI. The order further notes that the firm had no policies for employees to conduct due diligence concerning the financial advisers’ evaluation or handling of any potential MNPI. The SEC ordered the firm to pay a penalty of $1.5 million. Interestingly, the SEC made clear that it need not establish a predicate violation of the securities laws in order to pursue a firm for a 204A violation.⁶

SEC’s Recent Exam Findings

The SEC’s exam program has also spotlighted 204A-related findings.

In 2022, the Division of Exams issued a risk alert describing various deficiencies and weaknesses that it identified during regular reviews of policies and procedures related to specific categories of MNPI. Firms should pay attention to these observations, which relate to clear areas of interest for the Division, and consider the following guidance to help ensure compliance with 204A:

Alternative Data

There is a risk of receiving and using MNPI through alternative data sources. Examples include social media search data and email data obtained from applications and tools utilized by consumers. Potential measures to adopt:

• Establish and enforce a consistent diligence of alternative data service providers that applies to all sources of alternative data and is re-performed based on the passage of time or changes in a provider’s data collection practices.
• Assess the terms, conditions, or legal obligations regarding the collection or provision of alternative data.

Value-add Investors

Certain investors, such as public company officers or directors, principals of an asset management firm, and investment bankers, are more likely to possess MNPI. Potential measures to adopt:

• Establish policies and procedures that account for the increased risk that exists based on the nature of an individual’s role or position, including correctly identifying to whom these policies should apply and tracking their relationships with potential sources of MNPI.

Expert Networks

Firms should incorporate policies and procedures that address interactions with expert network consultants who may have access to MNPI. Potential measures to adopt:

• Track, log, and summarize calls with such consultants.
• Conduct a secondary review of notes from expert network calls.
• Conduct trade activity review of supervised persons in the securities by issuers who are in similar industries as those discussed during those expert network calls.

The 2022 risk alert was not the first time the Division of Exams drew attention to deficiencies with 204A policies and procedures, and it likely won’t be the last. A separate risk alert issued in 2020 by the Division of Exams (formerly Office of Compliance Inspection and Examinations (OCIE)) echoed similar concerns. More recently, the SEC’s 2024 Examination Priorities Report cited as a key risk area the assessment of advisers’ controls to protect client’s MNPI in connection with several of the risk areas discussed above.

Final Thoughts

Key 204A Policy Considerations and Other Compliance Measures

Above all, firms must develop 204A policies and procedures that are tailored to their unique business practices. We offer a few important recommendations to help firms achieve that objective:

1. Context matters when it comes to defining which information is material for purposes of insider trading. As a result, firms should carefully consider all aspects of their business and the various stakeholders that they interact with and include within their policies a practical definition of materiality responsive to the potential risks related to their regular business activities.
2. A policy’s enforcement is equally as important as its adoption. Firms should consider how to consistently enforce their policies across the firm and whether any of them could conflict under certain scenarios. For example, an information barrier policy should not be preempted by an above-the-wall procedure that allows certain senior executive personnel of the firm who straddle multiple lines of business to operate without any oversight or controls.
3. Organizations benefit from a diligence process that is clear, predictable, and well-documented as opposed to one that is informal and ad-hoc. Firms should memorialize a pre-clearance trading process for both public and private securities transactions that explains the mandatory requirements in order to execute a trade.
4. Compliance should document the process it undertakes to conduct its diligence. 

There are several other measures firms can adopt to strengthen their compliance regime and improve the overall enforcement of their policies and procedures. Below are some examples:

• Initial and annual training regarding the firm’s MNPI policies and procedures;
• Periodic policy reminders that discuss the firm’s rules governing MNPI as well as the safeguards in place to comply with them;
• Regular surveillance of electronic communications through the use of complex lexicon searches;
•  Utilization of secure systems for the distribution and access of MNPI; and
• Senior executive endorsement that acknowledges the risks surrounding MNPI and promotes a good example at the firm.

¹ In this case, the firm was also charged with Section 206(4) and Rule 206(4)-7 for failure to adopt and implement policies reasonably designed to prevent violations of the Advisers Act.

² Section 204A of the Investment Advisers Act (requiring firms must establish, maintain, and enforce policies and procedures that take into consideration the nature of the adviser’s business).

³ A CLO is a security that is collateralized with a pool of corporate loans and is composed of multiple tranches that differ primarily in terms of priority of repayment. These CLOs are actively managed vehicles.

⁴ See also an earlier enforcement action involving similar conduct (fining a private equity firm $1 million for maintaining policies and procedures that failed to account for the special circumstances presented by having an employee serve on the portfolio company’s board, as well as while that employee continued to participate in trading decisions regarding the portfolio company).

⁵ The Firm began building a position in the issuer in March 2020 and continued doing so even after it joined the creditors’ committee in September 2020. It then restricted its trading in November after it signed an NDA with the issuer. In October 2020, the firm also sold credit default swaps referencing the issuer. 

⁶ See footnote 2 of the order.