New Challenges on the TA Compliance Landscape

On the heels of the release of the 2019 NICSA Transfer Agent Compliance Guide, experts from Reed Smith, FIS, and Northern Trust gathered for a special #WebinarWednesday event to provide insight on today’s most pressing compliance issues.

The guide, produced by NICSA, Reed Smith, and Donnelley Financial Solutions (DFIN), is a comprehensive, educational resource of current compliance updates and standards as they relate to the transfer agent function within the asset management industry.

Timothy Johnson, Partner at Reed Smith and long-time NICSA member, moderated the webinar. 

“Transfer agents perform among the most critical non-investment functions in the whole of the investment management industry,” Johnson said. “Getting it right and doing so in a compliant manner is of the utmost importance. Yet, our primary regulator has provided limited input and even less help to the attainment of the objective of getting it right.”

NICSA has long helped to fill that void by summarizing all regulatory requirements applicable to transfer agency functions and compiling them into a single reference tool updated annually. 

This year’s version of that tool, the 2019 NICSA Transfer Agent Compliance Guide, contains updates on the GDPR, customer due diligence requirements, and Rule 30e-3, among other considerations.

CUSTOMER DUE DILIGENCE

As of May 11, 2018, covered financial institutions are required to comply with the Customer Due Diligence Requirements for Financial Institutions rule that FinCEN finalized in May 2016. “The main purpose of the rule is to mandate the identification and verification of beneficial owners of legal entity customers,” said Jim Kramer, Regional Director, Sales Support Operations, at Northern Trust.

The rule also amends the AML program requirements to require each covered financial institution to maintain appropriate risk-based procedures for ongoing customer due diligence. Kramer said it is important for all organizations to understand the nature and purpose of each customer relationship.

“A covered financial institution’s AML program should include, at a minimum, a system of internal controls, independent testing, designations for a compliance officer or the individual responsible for day-to-day compliance, and training for appropriate personnel and risk-based procedures for conducting ongoing customer due diligence to understand the nature and purpose of customer relationships,” he said.

GDPR 

Bridget Ireland, Compliance Officer at FIS, focused on the GDPR in the European Union, which mandates that customers have a right to know what personal information is being collected, why it’s collected, and with whom it’s shared. 

“GDPR imposes compliance obligations on the data processors resulting in direct enforcement measures and potentially significant penalties if they do not comply,” Ireland said. “You do not have to be physically located in the European Union to fall under GDPR — you just have to hold data on EU citizens, have operations in the EU, or have intentions to expand into the EU.”

If a company breaches the GDPR, it is subject to fines up to 4% of its global annual revenue or 20 million pounds, whichever is higher. To avoid harsh penalties, Ireland summarized a few key points:

• GDPR goes beyond traditional personally identifiable information to include expanded metadata such as IP addresses, mobile numbers, and any other types of identifiers.

• EU citizens have the right to be forgotten. “Talk very closely to your compliance and legal folks because individuals have a right to have all personal data erased from a company database,” Ireland said. “The problem is, if you are already a registered entity in any way, you need to make sure you are not prematurely deleting records and putting yourself in a books and records violation.”

• Individuals also have a right to receive all personal data about themselves. Evaluate your exposure by understanding what data you have and where it is stored.  

• GDPR also requires that organizations disclose any personal data breaches to the appropriate regulatory authority within 72 hours of detection. 

RULE 30E-3

Ireland also focused on the SEC’s Rule 30e-3, which creates an optional “notice and access” method for delivering shareholder reports.

“Rule 30e-3 requires everyone to work together and in the same direction,” she said. “You need to make sure disclosures are happening on your annual and semiannual financial statement reports in a timely manner, and you also need to make sure your marketing folks, transfer agent, legal team, and compliance team are all working together.”

Ireland outlined a number of important considerations, such as the requirement that shareholder reports and other materials must be easily accessible, free of charge, at a website that is specified within the notice and access form. Additionally, the reports need to be alongside current reports to shareholders, prior reports to shareholders, and complete portfolio holdings from the reports. 

The format of materials must be convenient to read both online and in print. To that end, Ireland created a compliance checklist with multiple considerations, including (but not limited to) the below:

• When you’re looking at the paper notice, are you using plain English? 

• Is it easy to follow and understand? 

• Do you have the appropriate disclosures on your notice and access form? 

• Do you provide instructions on how to request a paper email copy of the shareholder report at no charge and clearly state that, unless requested, the shareholder will not receive a paper email copy of the shareholder report? 

• Do you state that the shareholder, at any time in the future, can receive printed copies?

Ireland warned that the list is not all-inclusive, but NICSA members can use it to guide their operations by accessing a free archive of the webinar here. NICSA thanks Reed Smith for sponsoring the event.

Note: Although the observations contained in this work represent the best thoughts of the individuals comprising the NICSA panel, they do not necessarily reflect the views of NICSA or any of its member organizations. Matters addressed in this work may touch upon legal or regulatory matters, however nothing herein is intended to be or should be construed as legal advice. You should contact your own counsel in order to obtain legal advice regarding these or any other matters.




NICSA: 8400 Westpark Drive, 2nd Floor McLean, VA 22102 • Tel: 508.485.1500 • Fax: 508.485.1560