Monthly Archives: June 2018

Alternative Trading Systems (ATS)

ATS Registration Overview for Digital Asset Platforms

Digital asset platforms located in the U.S. that facilitate trading and exchange of digital assets (which are deemed to be securities) are generally subject to securities laws requiring such platforms to be registered as a national securities exchange (“NSE”) or fall within an exemption from NSE registration.  One exemption from registration as an NSE allows firms to conduct a platform business if such firm is registered as an alternative trading system (“ATS”).  This requirement was first highlighted by the SEC in the DAO Report released in July 2017.  We anticipate that many digital asset platforms currently facilitating trading will continue to face scrutiny as to whether they need to be registered as NSEs or an ATS and many have already begun the process to register as an ATS.

ATS Definition & Requirement to Register

The statutory definition of an ATS is:

any organization, association, person, group of persons, or system:

(1) That constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange within the meaning of § 240.3b-16 of this chapter; and

(2) That does not:

(i) Set rules governing the conduct of subscribers other than the conduct of such subscribers’ trading on such organization, association, person, group of persons, or system; or

(ii) Discipline subscribers other than by exclusion from trading.

As many digital asset platforms or exchanges technically fall within the ATS definition, these platforms will need to appropriately register with the SEC.  To register as an ATS, the platform will need to do the following:

  1. Register as (or buy) a broker-dealer
  2. File Form ATS
  3. Comply with Regulation ATS

1. Register as a Broker-Dealer

Registering as a broker-dealer (“BD”) is a prerequisite to becoming an ATS.  A firm may only file Form ATS with the SEC after receiving the Financial Industry Regulatory Authority’s (“FINRA”) approval of its broker-dealer application (or after purchase of a broker-dealer).  For platforms registering as a broker-dealer, at a high level the firm must:

  • Submit Form BD;
  • Comply with all applicable state requirements; and
  • Ensure all of its “associated persons” (BD representatives) have satisfied applicable qualification requirements.

The process to register as a new BD is well worn and relatively straightforward.  Firms applying to register as a BD will need to submit Form BD online and then submit a New Membership Application (“NMA”) to FINRA.  The NMA requires the firm to describe its business and compliance policies and controls in detail.  A firm will also be subject to an in-person new membership interview and will have to demonstrate how the ATS technology operates to FINRA staff.  As part of the BD process, the firm will need to become a member of at least one self-regulatory organization (“SRO”), which is likely to be FINRA, and become a member of the Securities Investor Protection Corporation (“SIPC”).

If a firm is already a broker-dealer (or has a broker dealer affiliate) but is not an ATS, the firm will need to submit a Continuing Membership Application (“Form CMA”) to FINRA.  For groups registering as a de novo BD, the firm should describe those parts of its business that will include the ATS function.  As with a de novo BD, an existing BD must demonstrate to FINRA staff how the ATS technology operates.

2. File Form ATS

After a firm has registered as a BD and has discussed the ATS platform with FINRA (to FINRA’s satisfaction), the firm will need to notify the SEC that it is operating as an ATS.  Form ATS is the official SEC notification and must be submitted at least 20 days before the firm begins to operate its platform.

Form ATS is general in scope and requires information such as:

  • Certain identification information (i.e. full name, business name, address, CRD number, etc.)
  • Firm incorporation documents as attachments
  • Description of the types of users on the platform (i.e., broker-dealer, institution, or retail) and any differences in access to services between such users
  • List of the types of securities (digital assets/tokens which are deemed to be securities) that will be traded on the platform
  • Description of how the ATS will operate
  • Description of certain ATS operational procedures (i.e., entry of orders, transaction executions, reporting transactions, compliance, etc.)

It is important to note that Form ATS is a notice filing where the SEC provides no confirmation to the ATS regarding the filing status unless the form is deficient.  When a Form ATS has been filed with the SEC, it will be listed on the SEC website which will display the platform’s full name, the name(s) under which business is conducted, and the city and state of the ATS.  The reports on Form ATS are generally not published and are considered confidential.  Such reports will only be available to the SEC staff, state securities authorities, and any SRO for examination.

3. Ongoing Compliance

An ATS will be subject to numerous compliance obligations outside.  Some of the specific ATS obligations include:

  • File Form ATS-R (which summarizes the ATS’s transactions, on a quarterly basis) within 30 calendar days after the end of each quarter.
  • Amend Form ATS at least 20 calendar days before implementing a material change to the operation of the ATS.
  • Update Form ATS within 30 calendar days after the end of each quarter to correct any inaccurate or unreported information.
  • Permit the examination and inspection of its premises, systems, and records and cooperate with the examination, inspection, or investigation of subscribers by the SEC or SRO of which such subscriber is a member.

Additional BD, FINRA, and other guidelines, regulations, and obligations include:

  • Participating in the lost and stolen securities program.
  • Complying with the fingerprinting requirement.
  • Maintaining and reporting information regarding affiliates.
  • Following certain guidelines when using electronic media to deliver information.
  • Maintaining an anti-money laundering program.
  • Complying with the Department of Treasury’s Office of Foreign Assets Control (“OFAC”) programs.
  • Filing quarterly and annual financial statements to the SEC.

If an ATS is not in compliance with the above requirements it may be subject to steep penalties.  In addition, it is important to note that securities on a registered ATS platform may be subject to a wide range of holding periods which must be enforced for an ATS to remain in compliance.

Registration Timing

It is unclear exactly how long a particular ATS application will take to be approved – it will largely depend on the exact scope of activities the platform will be involved with.  In general a platform designed for trading of private placements (in a kind of closed system for accredited investors) would likely take anywhere from 6-12 months to become fully licensed after submitting the Form NMA.  Technically, FINRA is required to review and process a substantially complete NMA within 180 calendar days after receiving it.

Issues to Consider

There are a number of issues to consider with respect to an ATS application.

  1. Underlying Instruments – the securities on most current digital asset exchanges are unregistered securities which were originally offered outside of any sort of registration exemption. Essentially these are restricted securities and any person selling or reselling such securities is arguably violating US securities laws (for more background, please see our post on restricted securities and distribution structures).  In such a case, we are not sure how FINRA will view a platform which facilitates the trading of restricted instruments.  We have seen many token issuers over the last 6-12 months who have decided to offer their tokens/securities according to registration exemptions, including through SAFTs.  To the extent a digital asset platform only transacts with such tokens (or tokens which go through the S-1 IPO process, which we think will happen within the next 12 months), we believe it is likely that such a platform would be able to be registered with FINRA.
  2. Discussion with FINRA Regarding Trading System – we have not talked directly with FINRA about their review of ATS platforms.  Most ATS platforms were created to allow for “dark pool” trading in the traditional institutional securities space.  It is unclear if FINRA has the experience or technical understanding (currently) to deal with digital assets and applicable trading platforms.
  3. IRS Reporting Requirements – the IRS released a notice in 2014 regarding the tax treatment of virtual currency. Since then, the IRS has subjected exchanges to certain user reporting requirements.  It is unclear whether the IRS will extend these types of user reporting requirements to ATS platforms as well.
  4. FinCEN’s Money Services Businesses Requirements – the Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released guidance in March of 2013 regarding individuals who handle virtual currencies. FinCEN determined that a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency (an “exchanger”) is subject to money services business (“MSB”) registration.  Although it is unclear if an ATS qualifies as an MSB, FinCEN has taken action against virtual currency exchanges that did not register with the bureau.
  5. Anti-Money Laundering and Know Your Customer Requirements – MSBs are required by the Bank Secrecy Act to have Anti-Money Laundering (“AML”) and Know Your Customer (“KYC”) procedures. AML procedures are required to detect and report suspicious activities that may indicate money laundering and terrorist financing.  KYC procedures are identification verification actions taken to ensure that the user is truly who they claim to be in order to prevent fraud.
  6. State Regulations – many states have imposed their own laws regarding digital assets. In addition, each state has its own rules and regulations regarding ATS platforms that operate within the state.  Before beginning to operate an ATS, you will want to research what rules and regulations your state has imposed.

Conclusion

After the DAO report, there have been a number of recent comments from SEC officials regarding digital assets and trading platforms that show the need for the cryptocurrency industry to quickly begin the process of integrating into the traditional securities regulatory landscape.  We believe that the ATS structure will become the predominant structure for digital asset exchanges in the future.  We also believe that over the next 12-24 months, as regulators flesh out various issues, the process will become more streamlined and well worn.  A few cryptocurrency related platforms have already started the process to become an ATS, with more likely to follow.

****

Bart Mallon is a founding partner of Cole-Frieman & Mallon LLP.  Cole-Frieman & Mallon LLP has been instrumental in structuring the launches of some of the first digital currency-focused hedge funds and works routinely on matters affecting the digital asset industry.  Please contact Mr. Mallon directly at 415-868-5345 if you have any questions on this post.

Token Distribution and Unregistered/Restricted Securities

Digital Assets and Restricted Securities Background

Many recent Initial Coin Offerings (ICOs) and other token sales are being conducted through a Simple Agreement for Future Tokens (SAFT) or other private placement that exempts the token from registration as a security with the SEC. Tokens sold through these structures have become hot investments, and access to deals selling these tokens is generally difficult to obtain. Accordingly, many investors are creating private funds, unincorporated investment groups, syndicates or other types of investment-fund-like structures (“syndicates” or “investors” for the purposes of this post) to invest in these tokens or SAFTs. Many times these syndicates are established with the stated intent or objective to make distributions of the tokens immediately upon receipt. Effectively the sponsors of such structures have created a de-facto distribution system for VC like investments into blockchain projects. The question is how such a distribution structure fits with traditional securities regulations – specifically, can privately placed tokens (securities) be distributed shortly after receipt? The answer is probably no.

Background on Unregistered Securities

SAFTs, tokens from a SAFT, or other private placements are in most cases going to be unregistered securities (unless the token or instrument later becomes registered with the SEC which is highly unlikely).  In general federal securities laws prohibit the transfer of unregistered securities unless an exemption applies to the transfer.  Any person then who has possession of, and then transfers, an unregistered security without complying with an applicable exemption is breaking the securities laws and subject to civil penalty (fine, rescission, bar from industry, etc).  Additionally, many private placements and SAFTs contain contractual provisions that restrict transfer of tokens for a certain amount of time after issuance (with a wink and a nod from the token issuer that “everyone transfers them anyways”). Unless there is an exemption allowing for the transfer of the tokens (restricted securities), the transferor would be both breaking securities laws and breaching contractual representations made to the token sponsor.

Potential Exemptions

Section 4(a)(1)

Given the above framework, investors or syndicates will want to find an exemption so they can transfer the tokens in accordance with securities laws (the risk posed by breaching a contractual representation to the token sponsor is beyond the scope of this post). Among statutory exemptions, Section 4(a)(1) of the Securities Act of 1933 (the “Securities Act”) provides an exemption from registration of the securities if the sale/transaction is not conducted by an issuer, dealer, or underwriter. These terms all have precise definitions, but in this context we would be most concerned about the transferor being deemed an “underwriter” which is defined, in part, as “any person who has purchased from an issuer with a view to, or offers or sells for an issuer in connection with, the distribution of any security, or participates or has a direct or indirect participation in any such undertaking.” This is a broad definition, and because of the stated or not-stated intent of creating a distribution structure for tokens, the syndicates described above may well be considered “underwriters” in this context and need to find another exemption on which to rely.

Investors may be in luck though as there are two other common exemptions that may be available – Rule 144 and Section 4(a)(1 ½).

Rule 144

Rule 144 of the Securities Act allows public resale of restricted securities if certain conditions are met.  The central condition is that the unregistered securities are held by the investor for a period of at least one year.  Further, the transferor/investor may not be an affiliate of the issuer.  There may be reduced holding period requirements if the issuer is subject to the Exchange Act Reporting requirements, but this is not a likely scenario in the digital asset space.  We believe for most syndicate groups, Rule 144 is the best way to comply with the transfer restriction. Of course, certain syndicates operating in this space might want or need to distribute the tokens before the expiration of Rule 144’s one-year holding period, and while imperfect as a solution, Section 4(a)(1 ½) (discussed below) may grant another option.

Section 4(a)(1 ½)

As mentioned above, Section 4(a)(1) of the Securities Act provides an exemption from registration for transactions by any person other than an issuer, underwriter, or dealer.  Section 4(a)(2) of the Securities Act provides a separate exemption for transactions by an issuer through a private offering. Over time, through case law and acknowledged by the Securities and Exchange Commission (the “SEC”), the “Section 4(a)(1 ½)” exemption was created.  This exemption generally is an exemption for private offerings, similar to Section 4(a)(2), but for entities that are not issuers.

To avoid being deemed an underwriter (and to ensure that a resale is sufficiently private), the investor/transferor must be able to show that it did not purchase the restricted securities with a view to distribution or resale.  In order to show this the investor/transferor should examine the following criteria:

  • Number of Purchasers – there should be a limited number of purchasers of the restricted security.  This generally can be satisfied if there are fewer than 25 purchasers.
  • Investment Intent – the investing entity’s intent in purchasing the tokens or SAFT should be to hold for an indefinite period of time and not with a view to resell or distribute.  The longer the investing entity holds the tokens or SAFT, the better the argument for the investor/transferor’s original intent.  Generally, in conjunction with other facts and circumstances, holding the security for at least six months will evidence the investor/transferor’s investment intent. The investor/transferor should also obtain a representation from purchasers that (1) the purchase is being made as an investment and not for resale and (2) any subsequent transfer will be made only in an SEC-registered transaction or in compliance with an exemption from registration.
  • Offeree Qualification – the investor/transferor of the token or SAFT should determine whether the buyer can hold the securities for an indefinite period of time and assume the risk of the investment by looking to the experience and sophistication of the buyer.
  • Information – the investor/transferor should provide access to all information about the investment and business of the issuer that would be necessary to the buyer. The investor/transferor should also provide access to any nonpublic information if it is an insider with such information.
  • Private Offering – No form of general advertising or general solicitation may be used in reselling the securities.

Because of the facts and circumstances determination for Section 4(a)(1 ½), the safest approach to addressing these restricted securities’ holding periods is for the investor/transferor to hold the securities for greater than one year in order to fall under the Rule 144 safe harbor.

Other Issues to Consider

There are a number of additional items that should be considered in the context of transferred digital assets that may have been issued as private securities:

  • Securities v. Non-Securities.  The restricted securities transfer rules apply to securities – they do not apply to non-security instruments.  Entities that invest in tokens and SAFTs may want to consider taking a position that the tokens are not securities and therefore not subject to securities laws.  Such a position would entail a facts and circumstances determination, and taking such a position is likely a risky strategy based on recent comments from SEC Chairman Clayton.  Also, taking the position that a SAFT is not a security would be problematic if the SAFT included language that it was a restricted security or otherwise contained a restrictive legend.
  • Distribution to syndicate owners.  If an entity wants to distribute the tokens or a SAFT instrument to its underlying owners, it should be aware that the above exemptions do not apply to a distribution to a syndicate’s underlying owners.  Additionally, the SEC would likely consider an in-kind distribution of tokens in exchange for redemption of interests in a syndicate as consideration sufficient to constitute a sale.
  • Regulation S.  Non-US investors may consider investing in a SAFT or purchasing tokens under Regulation S of the US securities laws.  While such investors would be non-US investors, Regulation S contains a one-year holding period similar to Rule 144 for sales to US persons so resale of such instruments would potentially be limited.
  • Timing.  No official guidance has been issued regarding holding periods and SAFT instruments.  We do not know whether the holding period begins when a SAFT is issued or once the actual tokens are issued (i.e. whether the SAFT and tokens are separate securities).  In cases where tokens are issued after a significant period of time following the SAFT execution, this determination may be significant.  Again, a determination one way or another will require a facts and circumstances analysis.

Conclusion

Investors should be aware that SAFTs and tokens in which they invest may be restricted securities that may not be resold absent an applicable exemption. With respect to digital assets, this issue is nascent and evolving, but investment managers should be cognizant to follow the securities laws in the absence of additional guidance from the SEC. Please reach out if you have questions on any of the above.

****

Bart Mallon is a founding partner of Cole-Frieman & Mallon LLP.  Cole-Frieman & Mallon LLP has been instrumental in structuring the launches of some of the first digital currency-focused hedge funds and works routinely on matters affecting the digital asset industry.  Please contact Mr. Mallon directly at 415-868-5345 if you have any questions on this post.

Notes on Regulation A+

Last week members from our firm attended the inaugural Reg A Conference in New York, where various industry participants gathered to discuss Regulation A under the Securities Act of 1933 (Reg A+). The conference covered a wide range of topics on the Reg A+ landscape, including the recent shift towards utilizing Reg A+ for initial coin / security token offerings (more on this below).

As background, Reg A+ is a securities exemption created by Title IV of the JOBS Act that allows issuers to conduct securities offerings of up to (i) $20 million for Tier 1 offerings or (ii) $50 million for Tier 2 offerings on an annual basis. Reg A+ is viewed by some as a “mini-IPO” that provides small issuers with a more affordable and expedited method of publicly selling securities to retail investors throughout the United States.

Regulatory Obligations

While Reg A+ may be an attractive option for many startup and emerging companies, there are some notable eligibility restrictions. Only issuers that have a principal place of business in the United States or Canada may conduct a Reg A+ offering. Additionally, Reg A+ is not available to:

  1. Companies subject to the Securities Exchange Act of 1934;
  2. Investment Companies;
  3. Business Development Companies;
  4. Blank Check Companies;
  5. Certain Bad Actors;
  6. Issuers of fractional undivided interests in oil or gas rights or a similar interest in other mineral rights; and
  7. Issuers disqualified due to filing deficiencies.

Issuers that are eligible to issue securities under Reg A+ must undergo a review process with the SEC and potentially state securities regulators. Tier 1 issuers must qualify with state securities regulators as well as the SEC. Tier 2 issuers must qualify offerings solely with the SEC, as state review is preempted for Tier 2 (although state notice filings may be required). Tier 2 issuers must also provide audited financials as part of the qualification process.

Issuers that do qualify and issue securities pursuant to Reg A+ are also required to maintain post-qualification filings. Tier 1 issuers must file a Form 1-Z after the termination of an offering, whereas Tier 2 issuers must file annual audited financials, semi-annual unaudited reports, and current reports for ongoing offerings.

Why Regulation A+?

The primary selling point of Reg A+ is that it provides an expedited path for startup and emerging companies to issue securities to retail investors. Unlike private placements under Rule 506(b) or Rule 506(c) of Regulation D, securities offered pursuant to Reg A+ are purchasable by retail investors and freely tradeable upon issuance. Furthermore, while Rule 506(b) offerings institute a prohibition on general solicitation and registered offerings enforce a quiet period, issuers offering securities pursuant to Reg A+ may freely advertise before, during, and after the qualification period (subject to certain disclosure and disclaimer requirements).

Equity offerings pursuant to Reg A+ can also be listed on a registered exchange, with many issuers opting to do so. In short, Reg A+ effectively bridges the gap between Regulation D private placements and registered securities offerings by providing issuers access to the broader retail market and exchanges without the commitment and expense of conducting a registered offering.

Application for Initial Coin Offerings

There has been much discussion of late regarding the best mechanism for digital asset issuers to conduct initial coin offerings (ICOs) that are compliant with United States securities laws. While there has been some evidence that certain digital assets—namely Bitcoin and Ethereum—are likely not securities, there is strong evidence that the SEC considers most ICOs unregistered securities offerings.

In what is seen as the SEC’s initial assertion of jurisdiction in the digital asset and cryptocurrency economy, the SEC has repeatedly stated that ICO issuers must register offers or sales of securities unless a valid exemption applies. This has led many to believe that the SEC was signaling that token offerings could be offered pursuant to existing securities rules and exemptions. This belief was further solidified when SEC Commissioner Jay Clayton plainly stated: “It is possible to conduct an ICO without triggering the SEC’s registration requirements.  For example, just as with a Regulation D exempt offering to raise capital for the manufacturing of a physical product, an initial coin offering that is a security can be structured so that it qualifies for an applicable exemption from the registration requirements.”

With these statements and policies in mind, we believe that an increasing number of token issuers will look to conduct security token offerings (STOs) pursuant to Reg A+. Currently, multiple entities are working to register with the SEC and FINRA as broker-dealers and/or alternative trading systems capable of listing STOs and brokering related transactions. If STOs gain popularity as an alternative method to raise capital and/or securitize interests in assets, Reg A+ is the natural landing spot for tokenized securities—it is the most practical exemption that allows issuers to access retail investors and list the tokenized securities on exchanges without going through a full registration.

Conclusion

Although Reg A+ has only been in existence for three years (Reg A+ became effective in June 2015), it appears to be gaining traction as a preferred method for raising capital. While it can be challenging to determine the exact amount of capital that issuers have raised due to staggered and less frequent reporting timeframes, the SEC’s Office of Small Business Policy disclosed that Reg A+ offerings raised approximately $600 million from June 2015 through September 2017. Industry professionals estimate that number is now closer to $1 billion in the three years since the establishment of Reg A+.

In March of this year, the U.S. House of Representatives passed the Regulation A+ Improvement Act of 2017, which would increase the cap on Tier 2 Regulation A+ offerings to $75 million. If the legislation passes the Senate and is signed into law, the increased cap could potentially provide tailwinds for further proliferation of Reg A+ as a funding mechanism for startup and emerging companies.

Please feel free to reach out to us if you have any questions about this post or if you believe your company could benefit from issuing equity, debt, or digital assets pursuant to Reg A+.

****

Kevin Cott is a partner of Cole-Frieman & Mallon LLP.  Cole-Frieman & Mallon LLP has been instrumental in structuring the launches of some of the first digital currency-focused hedge funds. For more information on this topic, please contact Mr. Cott directly at 770-674-8481.

General Data Protection Regulation (GDPR)

Overview of GDPR for US Private Fund Managers

The General Data Protection Regulation (“GDPR”) is a new set of requirements intended to strengthen the protection of citizens’ personal data as well as data movement within the European Union (“EU”).  GDPR was adopted on May 24, 2016 by the European Parliament and the Council of the European Union and went into effect on May 25, 2018.  The regulation replaces Directive 95/46/EC, known as the Data Protection Directive and may apply to certain organizations (including private fund managers) in the US who work with persons in the EU.  This post is designed to give fund managers an overview of the regime and some initial items that should be considered.

What is GDPR?

GDPR sets restrictions on those who process, transfer, or monitor personal data and the procedures by which this is done.  The term “personal data” means any information relating to an identified or identifiable natural person.  The term generally means any information that directly or indirectly can lead to the identification number, location data, online identifier, or similar items related to the identity of a natural person (can include physical, physiological, genetic, mental, economic, cultural, social data, etc).   Organizations that are subject to GDPR but are not compliant can be fined the greater of €20 million or 4% of global annual turnover. GDPR requires that any personal data breach must be reported within 72 hours and justification must be given for any delays.

One of the key aspects of GDPR is that it requires organizations to appoint a Data Protection Officer (DPO) in the following three situations: (1) if the organization is processing public data as a public authority; (2) the organization’s processing operations require regular and systematic monitoring of data subjects on a large scale; and (3) the organization has large scale processing of personal data relating to criminal convictions or special categories that reveal identity of a natural person (including physical, physiological, genetic, etc.).  Although private fund managers may not fall into any of the above categories, it is encouraged under Article 29 Data Protection Working Party (“WP29”) for organizations to appoint a DPO as part of good practice procedures and to demonstrate compliance with GDPR.

Who is regulated?

The requirements of GDPR apply to controllers (the person(s) or entity that determines the purposes and means of processing personal data) or processors (the person(s) or entity that processes personal data on the controller’s behalf) of personal data.  They also apply to the processing activities related to offering goods or services to the data subjects from the EU or monitoring behaviors that take place within the EU.

*** Practically, for private fund managers, GDPR is applicable if you have European investors in a fund or actively solicit or market to European investors.  

What are the initial steps a private fund manager should take?

Depending on the scope of activity, we believe that managers should think about implementing a full GDPR compliance program.  In the meantime, managers subject to the directive should take immediate actions:

  • Send a disclosure statement to EU investors regarding GDPR and the fund’s obligations under GDPR.
  • Attach the disclosure statement regarding GDPR to the fund subscription documents moving forward to ensure that all new investors receive it.
  • Update the fund’s offering documents with a GDPR disclosure.
  • Amend agreements with service providers who process EU investors’ personal data on the fund’s behalf.
  • Determine whether the fund needs to establish an EU Representative.

How do you create a GDPR compliance program?

Managers with data subject to GDPR will need to take inventory of their data which is covered by the regulation and should create certain procedures and controls with respect to the data.  We believe that initial steps should include the following:

  • Create a list of all types of personal information your fund holds, the source of that information, with whom you share it, what you do with it and how long you will keep it.
  • Create a list of places where your fund keeps personal information and the ways data flows between them.
  • Create a publicly accessible privacy policy, which includes a lawful basis to explain why the fund needs to process personal information, that outlines all processes related to personal data.
  • Appoint a Data Protection Officer (DPO) if necessary.
  • Create awareness among decision makers about GDPR guidelines.
  • Review and/or update the fund’s security technology that is used to process personal data (i.e. firewalls, security verification tools, etc.).
  • Update e-mail security to reduce the risk of phishing and other attacks on protected information.
  • Create a compliance program that includes staff training on data protection items.
  • Create a list of third parties that process personal data for you and update your privacy policy to disclose your use of these third parties.
  • Put a contract in place with any data processors with whom you share data containing explicit instructions for the storage or processing of data by the processor.

Conclusion

Managers should begin this process of exploring the impact of GDPR on their operations immediately if they have not already done so.  Managers should also consult with offshore counsel, compliance consultants, and/or GDPR specialists for guidance on how to best comply with GDPR to meet the fund’s particular needs.  GDPR has radically changed how personal data is processed in the EU and abroad.  The sooner a manager enacts GDPR compliant policies, the sooner the manager can cater to EU citizens and the less likely it will be subject to penalties.

****

Bart Mallon is a founding partner of Cole-Frieman & Mallon LLP.  Cole-Frieman & Mallon LLP is a leader in the hedge fund space and routinely works with managers on legal, regulatory and compliance issues. If there are any questions on this post, please contact Mr. Mallon directly at 415-868-5345.