Private Equity readiness for SEC registration

I recently completed an assignment for a Private Equity (PE) firm, one of whose objectives was to ensure they were ready to complete SEC registration. The engagement was focused on the IT capabilities and organization but, as with every other business, this impacts every function in the company through project and process support. The firm had several on-going projects related to SEC registration in which IT was only marginally involved, even though the success of the projects would require heavy IT involvement (a great topic for another posting). Today I want to discuss the overall requirements for SEC registration and the technologies and practices needed to accomplish this. I will avoid mentioning specific products. Also, I am not a Dodd-Frank expert. I offer my perspective as a practitioner implementing processes and controls, with experience in compliance including Sarbanes-Oxley and Dodd-Frank. This posting is intended for both the business and IT leadership in a PE firm.

As a set-up to this posting, I want to provide insight on the composition of a PE firm for anyone not familiar with the industry. From reading news articles you may think these are large organizations: you hear of managed funds that are billions of dollars in size and of the buying and selling of large companies. In reality, the majority of these firms are small, with even the larger firms generally having fewer than 100 total staff. There may be multiple locations, but these are generally related to the ‘deal’ function of the organization and will be small in staff size. Key applications for a PE firm will include CRM, a portfolio management application to manage investor communication and financial controls and reporting, a file management system, external financial research applications, and the normal office productivity applications. Being a financial services firm, there is a high focus on up-time and security. I am defining up-time here as the number of hours per day during which support may be required; the deal teams work very long hours and weekends.

Although PE firms are in the financial services industry, they are not high-volume transaction organizations. From a complexity standpoint they compare to mid-size firms, except in their requirements for security and compliance monitoring. The IT staff is focused primarily on infrastructure support. With the focus on up-time and security, there will be a higher IT-staff-to-user ratio than in other industries.

Dodd-Frank has generated additional requirements for discovery (e.g., email and files related to companies being discussed or pursued), monitoring (e.g., internet access, remote access) and process management (policy and personal investment compliance). Below, I have separated the IT infrastructure (Direct) requirements from the new general business (Additional) requirements.

IT Direct Requirements

The direct IT requirements related to registration are straightforward. The primary focus is on business continuity, meaning IT disaster recovery (DR) and data security. The question on disaster recovery is, as with any other business, what the correct balance is between investment in DR and the cost of a significant business interruption. Even though a PE firm is in the financial services industry, it is not a high-volume transaction processor and there are few time-critical transaction points. In revising the DR plan, current investments need to be reviewed to possibly offset new investments, along with new technology opportunities such as SaaS-based products and outsourced data centers.

The IT organization does need to have strong practices around incident management, problem management and change management. Standard policies and tools need to be in place for practices including malware protection, mobile device management, password management, personal technology use, and the other common IT responsibilities identified in industry frameworks such as COBIT or ITIL.

Additional Requirements

Discovery

Email – There must be a policy and tool in place to identify any communication that may be related to an investigation. This is directly tied to policies on retention of emails. You must be able to prove that email is managed like any other document. Numerous SaaS providers offer this type of discovery and monitoring service.

Electronic records – A full data retention policy needs to be established. This includes the duration of storage and a policy and taxonomy for storing any data file, such as Excel, Word, PDF, PowerPoint or any other electronic file created during the normal course of business. This could be as simple as shared folders or could use automated workflow and storage applications.

Monitoring

Electronic communications – As with email discovery, there must be a policy and tool in place to monitor all electronic communications, including email, instant messaging (IM), social networks, and websites. Email and IM must be audited on a regular basis and any possible compliance risks must be addressed. The difficulty of managing this may cause access to IM and social networks to be restricted or removed altogether. Unified messaging will also need to be addressed to ensure compliance.

Remote access – This requires secure network access and management of business-related files. Access should be through secured, IT-managed connections, and there should be a policy governing the use of personal devices. Business-related files should be stored on the network or on company-owned or company-managed equipment.

General Policies and Personal Investment Management

General Policies – The designated Chief Compliance Officer (CCO) is responsible for establishing and updating a new set of policies governing a broad range of personnel activities such as trading, ethics, gifts and advertising, as defined by the investment act. A tool to manage these policies is needed to ensure everyone is informed of updates and that receipt has been acknowledged. Again, there are numerous applications or development platforms with which to create this capability.

Investment Management

A key provision of the investment act is the tracking and monitoring of personal investments by company staff. There are consolidation tools available to collect these transactions.

Once again, my caveat—I am not a legal expert on the Dodd-Frank Act. This is far from a comprehensive list, but it represents my experience working through pre-SEC registration with private equity firms. Hopefully, this will be food for thought for your organization.
