Data Transfers

Navigating the Global Cross-Border Privacy Rules and Privacy Recognition for Processors Certification Systems


On April 30, 2024, the Global Cross-Border Privacy Rules Forum announced the establishment of the Global Cross-Border Privacy Rules (CBPRs) and Privacy Recognition for Processors (PRP) Systems – multilateral and voluntary certification systems for participating companies to demonstrate compliance with internationally recognized data privacy principles and to facilitate the cross-border flow of data more seamlessly.

This article discusses the history and purpose of the CBPRs, and core elements of the new Global CBPRs and PRP certifications. It also includes guidance on how data controllers and processors can certify compliance under these frameworks, and the value-add for doing so.

See “Navigating Certification and Implementation Issues Under the U.S.-E.U. Data Privacy Framework” (Oct. 25, 2023).

History of the Cross-Border Privacy Rules

In November 2004, Ministers for the 21 Asia-Pacific Economic Cooperation (APEC) economies endorsed the APEC Privacy Framework, a set of nine guiding principles “to assist APEC economies in developing data privacy approaches that optimize privacy protection and cross-border data flows,” as explained by APEC.

To implement the framework, APEC developed its CBPR System as a way for participating companies to self-assess their data privacy policies and practices against the APEC Privacy Framework’s requirements using an APEC-recognized CBPR questionnaire, which is provided by an APEC-designated third-party certification body (accountability agent). Once an accountability agent finds the organization compliant with the CBPR program requirements, the organization is certified as CBPR-compliant, and relevant certification details are published on an APEC-hosted website.

As part of the APEC CBPR System, the multilateral Cross-Border Privacy Enforcement Arrangement (CPEA) was created among privacy enforcement authorities in APEC-member economies to assist one another in privacy cases.

According to APEC, 27 privacy enforcement authorities from 11 APEC economies currently participate in the APEC CBPR System. Participating economies include the United States, Mexico, Japan, Canada, Singapore, New Zealand, the Republic of Korea, Australia, Chinese Taipei, Hong Kong and the Philippines.

APEC CBPR System Goes Global

On April 21, 2022, the then-seven participating economies of the APEC CBPR System published a declaration establishing the Global CBPR Forum, which effectively expanded the APEC CBPR System beyond participating APEC economies.

In 2023, the Global CBPR Framework was established, consisting of the same nine guiding principles as the APEC CBPR System. What is significant about the Global CBPRs and the PRP Systems that were announced in April 2024 is that they operationalize the Global CBPR Framework by creating a certification system for participating companies of participating economies. The Global CBPR certification system applies to data controllers, whereas the PRP certification system applies to data processors.

“Businesses across the world need a uniform set of requirements to navigate the complex landscape of data privacy laws. The Global CBPR System and its respective certification framework bridges this gap, offering companies universal data privacy standards across diverse jurisdictions across the globe,” Divya Sridhar, vice president of the Global Privacy Division and Privacy Initiatives Operations at BBB National Programs, a U.S.-approved accountability agent, told the Cybersecurity Law Report.

Improved Interoperability of Cross-Border Data Transfers

As of May 2024, there are 137 countries with national data privacy laws, according to the International Association of Privacy Professionals. Many of these privacy laws have diverse rules, standards and mechanisms for cross-border data transfers – for example, standard contractual clauses, binding corporate rules, certifications and adequacy findings.

“It’s becoming very complex for companies that operate globally and cross-border to adhere to and comply with all these different requirements,” Hunton Andrews Kurth vice president and senior policy counselor for the Centre for Policy Leadership Markus Heyder, who was involved in developing the CBPRs, told the Cybersecurity Law Report. “The interesting thing about the CBPRs is that they offer a unique solution to the current complexity of cross-border data transfers.”

The idea is to create a common standard for cross-border data transfers across as many jurisdictions as possible. “The more countries that join this network of participating countries, and the more companies that become certified, the more their interoperability value grows,” Heyder added.

See “What the FAQ: Deciphering the European Commission Guidance on the New SCCs” (Nov. 16, 2022).

Accountability As the Foundation

One notable aspect of the Global CBPR System is how accountability is integrated throughout, applying to participating economies, accountability agents and participating companies alike, Joanne Furtsch, director of privacy intelligence development at TrustArc — another U.S.-approved accountability agent — highlighted during a webinar.

Specifically, countries interested in participating in the Global CBPR System must have a privacy law and at least one privacy enforcement authority (PEA). In the United States, the PEA is the FTC. Participating countries must also designate at least one third-party accountability agent to certify participating companies’ compliance with the Global CBPR Framework.

Although the Global CBPR framework is voluntary, enforcement mechanisms are in place to keep participating jurisdictions and companies accountable. This is the purpose of the Global CBPR Forum’s establishment of the Global Cooperation Arrangement for Privacy Enforcement (CAPE), which serves as a multilateral arrangement for PEAs to collaborate on privacy cases globally, beyond the APEC economies. To date, 27 regulators from 12 economies have joined the Global CAPE.

Accountability Agents Criteria

Accountability agents must undergo “a very robust process and scrutiny to ensure that we have met the requirements so that we can certify against the CBPR framework,” Sridhar explained.

For example, accountability agents must be subject to an enforcement authority, meet a criteria checklist, and agree to use the Global CBPR System and/or the Global PRP System intake questionnaire to assess applicant organizations’ data privacy compliance programs.

Additionally, as part of the dispute resolution mechanisms that are in place for enforcement against participating companies, accountability agents are expected to be prepared to describe their process for reviewing and investigating complaints and a participating company’s suspected violations.

Accountability agents “have all kinds of mechanisms to leverage,” Heyder noted, such as suspending or revoking a certification. Matters may also be referred to a jurisdiction’s PEA, which can enforce the CBPR under its privacy laws, he said.

Data Controller Criteria: Core Privacy Principles

Data controllers (companies that determine the purposes and means of processing personal data) that are interested in being certified by a third-party accountability agent in their respective jurisdiction under the Global CBPRs must demonstrate compliance with the following nine core privacy principles, as described in the Global CBPR Framework:

  • Preventing Harm: This principle recognizes that a primary objective of the Framework is to “prevent misuse of personal information” and states that data protection and privacy approaches “should be designed to prevent harm to individuals from the wrongful collection and misuse of their personal information.”
  • Notice: This principle speaks to controllers providing “clear and easily accessible statements” about their practices and policies concerning what personal information is collected about individuals and how it is used.
  • Collection Limitation: This principle limits the collection of personal information “to the purposes for which it is collected.”
  • Use of Personal Information: This principle limits personal information usage to “fulfilling the purposes of collection and other compatible or related purposes,” including transferring or disclosing personal information.
  • Choice (a variation of consent): This principle ensures that individuals are provided with “clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of information.”
  • Integrity of Personal Information: This principle is directed toward ensuring that the controller of personal information maintains the accuracy and completeness of its records and keeps them up to date. This principle also recognizes that these obligations apply only to the extent necessary for the purposes of use.
  • Security Safeguards: This principle recognizes that data controllers “should protect personal information . . . with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure.”
  • Access and Correction: This principle includes specific conditions for what would be considered reasonable in the provision of access, including conditions related to timing, fees, and the manner and form in which access would be provided.
  • Accountability: When personal information is transferred to another person or organization, whether domestically or internationally, the controller should obtain consent “or exercise due diligence and take reasonable steps to ensure that the recipient . . . will protect the information consistently with these principles.”

The Global CBPR Intake Questionnaire includes a total of approximately 50 granular data privacy and security questions organized under the nine core privacy principles. “This process is an important stepping stone to strengthen a company’s homegrown privacy program and pave the way to completing more in-depth certifications, like the ISO certification process,” Sridhar noted.

See “How Uber, eBay and Pitney Bowes Built Principles-Based Global Privacy Programs” (Oct. 16, 2019).

Similarities to Other Data Privacy Frameworks

Many of the Global CBPR Framework’s principles closely align with the E.U.’s GDPR, as well as the E.U.-U.S. Data Privacy Framework (DPF). A 2021 analysis conducted by the Centre for Information Policy Leadership at Hunton Andrews Kurth found that 61 percent of the APEC CBPR System requirements, and 67 percent of the GDPR requirements (94 in total), appear either directly or indirectly in the E.U.-U.S. Privacy Shield (now, the E.U.-U.S. DPF).

A separate analysis conducted by BBB National Programs found that of the 161 GDPR requirements, the Privacy Shield and the APEC CBPR System are aligned on 125 requirements, a nearly 80‑percent overlap, Sridhar noted.

Areas of overlap include data controller-data processor due diligence, data subject access and correction rights, privacy disclosures and security safeguards. However, the GDPR provides additional areas of protection not addressed by the CBPR System, such as the processing of sensitive data and children’s personal data, Sridhar added.

See “Bridging the Atlantic: E.U.‑U.S. Data Privacy Framework Practical Takeaways” (Jul. 26, 2023).

The PRP System for Data Processors

While the CBPRs apply to data controllers, another important component of the cross-border data privacy initiative is the PRP System, the certification framework for data processors – those that process data on behalf of data controllers. Importantly, data processors can also be data controllers.

“The PRP System is more narrowly focused on data security,” Heyder explained. Under the PRP System, a participating data processor must meet 18 baseline program requirements, including eight security safeguards and 10 accountability safeguards to show that it has appropriate controls in place to help data controllers meet their obligations under the CBPR program requirements.

See “Compliance Takeaways From the Latest GDPR Enforcement Statistics” (Feb. 2, 2022).

Certification As a Competitive Advantage

“One of [the CBPR System’s] biggest promises, aside from being a transfer mechanism, is that it can serve as a due diligence tool for controllers to identify competent, accountable and qualified processors,” Heyder said. “For processors, it’s a great way to distinguish themselves from other processors who are not certified.”

“What we hear from companies that are certified against the CBPR requirements for controllers is that they want a simplified, streamlined way to know that their processors are able to help them” meet their data privacy and security requirements, and that they “have the appropriate mechanisms in place,” observed Furtsch.

Data processors that have been certified by a recognized accountability agent are in a great position to demonstrate to the controller that their security mechanisms are sufficient, “and it really streamlines the onboarding process of a processor for that controller,” Furtsch added.

Large companies, in particular, are “encouraging their vendors to go through this type of certification,” Furtsch stressed. There are “strong benefits” for a processor to achieve certification, she emphasized.

See “How CPOs Communicate Privacy’s Value to the Board” (May 31, 2023).

How the Certification Process Works

The role of accountability agents is to work with participating companies to ensure that their privacy practices meet all the program requirements of either the Global CBPR Framework for data controllers or the PRP System for data processors.

Only for Participating Jurisdictions

Companies may only get certified in a jurisdiction that participates in the Global CBPR System and where there is a privacy enforcement authority and an approved accountability agent. “However, you can certify an entire corporate family,” Heyder said.

For example, if a U.S.-headquartered parent company wants to certify with an accountability agent in the United States, “it can do so for all of its global affiliates and subsidiaries, so long as they follow the same privacy policy,” Heyder explained. It is possible, then, for a company to have “certified entities based in a jurisdiction that is not currently part of the CBPR.”

Scope of the Certification Process

When data controllers or data processors undergo the certification process with an approved accountability agent, the accountability agent will review that applicant’s privacy policies and practices, helping them come into compliance.

TrustArc, for example, works with clients to “define the scope together. You go through the CBPR questionnaire. You provide your policies and procedures. You explain your privacy practices. You will work with someone on our team on the review of your privacy practices and privacy notice. At the end of this review, we will identify compliance gaps and guide you on how to meet the program requirement of CBPR framework,” Maciej Piszcz, TrustArc’s manager of quality assurance, shared during the webinar.

BBB National Programs has a similar certification process. It helps certifying organizations map out each requirement and how to meet them, Sridhar explained. Once certified, data controllers and data processors are listed on the CBPR System Directory or the PRP Directory and can display the seal on their privacy notice.

Accountability agents must conduct annual recertifications and ongoing monitoring of clients. “We have ongoing conversations with the customer to see how they are progressing,” Sridhar added.

The certification process typically takes a few months, Piszcz noted. Other factors can make the process longer, he added, such as the maturity of the company’s privacy program and the scope of the certification itself.

Next Steps

Adopters of the APEC CBPR System have already begun transitioning to the Global CBPR System. “We are helping a lot of them transfer over to meet the likely June deadline of getting certifications live,” Sridhar said. These companies will be grandfathered into the new system through the end of their APEC certification since the core principles have not changed under the global framework and the process should be pretty seamless, she said.

Companies that are newly applying to the Global CBPR Framework, on the other hand, may need to start at step one, reviewing all the framework’s requirements, Sridhar added.

Small and mid-sized companies that may not have the resources or the staff to develop a comprehensive privacy program can benefit from the certification process, Heyder noted. “Going through the certification process with an accountability agent helps you set up a comprehensive privacy, accountability, and privacy program,” he said.

“A good starting point to get certified is having a comprehensive privacy compliance program in place that covers all the key elements of organizational accountability,” Heyder suggested. Such elements include leadership and oversight, transparency, risk assessments, written policies and procedures for data processing activities, employee training, monitoring and verification, internal enforcement, and redress mechanisms.

A company with a comprehensive privacy program that covers the aforementioned elements will “be very well situated to obtain certification, and anything that may be missing can be developed together with the accountability agent,” Heyder concluded.

See our four-part series on a roadmap for building an efficient global privacy program: “Organizational Structure” (May 4, 2022), “Scope and Prioritization” (May 11, 2022), “Buy-In, Scalability and Outside Resources” (May 18, 2022), and “Maintenance” (Jun. 1, 2022).

Incident Response

CISA’s Proposed Rule for Critical Infrastructure Cyber Incident Reporting: How Organizations Can Prepare and Engage


On April 4, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its much-anticipated Notice of Proposed Rulemaking (Proposed Rule) to implement the requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

The Proposed Rule likely is the most significant expansion of cybersecurity incident reporting regulation in the U.S. to date. Indeed, by CISA’s own estimation, more than 300,000 entities might be covered under the regulation as written. These entities will touch nearly every major industry, including financial services, telecommunications, IT, aviation and other transportation providers, government contractors, oil and gas, healthcare, pharmaceuticals, manufacturing, food and beverage, education and others.

Part one of this two-part article series examined the Proposed Rule’s significant definitions, including what entities and incidents are covered, and the time, manner and content of CIRCIA reports. This installment discusses the Proposed Rule’s key provisions, including data and records preservation requirements, limited exceptions and enforcement mechanisms. It also summarizes the next rulemaking steps and offers practical actions covered entities could take to prepare for when the final rule takes effect.

See the Cybersecurity Law Report’s two-part series on the new era of cyber incident reporting and cybersecurity regulation: “Key Provisions” (Oct. 12, 2022), and “How Companies Should Prepare and Engage” (Oct. 19, 2022).

Data and Records Preservation Requirements

Under the Proposed Rule, Covered Entities would be required to retain an enumerated list of communications, indicators of compromise, relevant logs and other forensic data; system information; information about exfiltrated data; ransom payment records; and any reports produced by the Covered Entity related to each Covered Cyber Incident.[1]

Covered Entities must begin preserving these data and records from the earlier of either: (1) the date upon which the entity establishes a reasonable belief that a Covered Cyber Incident occurred; or (2) the date a Ransom Payment was made. This information must then be preserved regardless of format or location, whether physical or electronic, for two years from the date the Covered Entity submitted its latest required report, including Supplemental Reports.

See “Compliance Challenges in Records Management” (Nov. 1, 2023).

Exceptions

The Proposed Rule includes three exceptions focused primarily on minimizing redundancies across regulated industries. Two of the exceptions are very narrowly tailored and apply to only certain Domain Name System entities and federal agencies covered under the Federal Information Security Modernization Act.

The third exception applies where a Covered Entity provides a legally required incident report to another federal agency that contains substantially similar information, is provided in a substantially similar time frame (i.e., 24 or 72 hours for ransom payments and cyber incidents, respectively) and can be shared within that time frame under an information sharing agreement between CISA and the other federal agency (CIRCIA Agreement).

When a CIRCIA Agreement is established, CISA will announce and catalog the agreement on a public-facing website. Only incident reports that are made to another federal agency that is a party to one of the publicly listed CIRCIA Agreements would qualify for this exception. While the exception appears broad on its face, the Proposed Rule’s commentary indicates that few, if any, existing reporting requirements would likely qualify.

Enforcement Mechanisms

If a Covered Entity fails to make a required report or CISA determines a report is deficient or otherwise noncompliant, CIRCIA permits the CISA Director to engage with the entity to obtain the required information through a Request for Information (RFI). If the Covered Entity fails to respond or provides what the CISA Director determines is an inadequate response, the CISA Director can issue a subpoena to compel disclosure of the relevant information.

A Covered Entity may appeal a subpoena to CISA, after which the agency must issue a decision either enforcing or withdrawing the subpoena, which constitutes final agency action subject to judicial review. If the Covered Entity fails to comply with the subpoena, the CISA Director can refer the matter to the DOJ, which can bring a civil action to enforce the subpoena.

Information provided in response to a subpoena is not subject to the information protections discussed below and may be referred to the DOJ or the head of a federal regulatory agency if the CISA Director determines that facts related to the Covered Cyber Incident or Ransom Payment may constitute grounds for criminal prosecution or regulatory enforcement action. CISA also has independent authority to pursue other enforcement mechanisms for certain Covered Entities that do not comply with reporting requirements, including potential suspension and debarment actions through referrals to the Department of Homeland Security (DHS) Suspension and Debarment Official or another cognizant contracting official.

If a Covered Entity’s noncompliance results in a subpoena, it risks forfeiting numerous protections for the information that is reported to CISA. The protections afforded under CIRCIA and the Proposed Rule include, among others: (1) exemption from disclosure under the Freedom of Information Act and similar non-federal laws; (2) protection from waiver of applicable privilege or protection provided by law (including attorney-client and work-product privileges); (3) a prohibition on federal or other government entities using information obtained solely through a CIRCIA Report or RFI to regulate or bring an enforcement action against a Covered Entity or any entity that made a ransom payment on behalf of a Covered Entity (subject to certain exceptions); and (4) a prohibition on CIRCIA Reports or responses to RFIs being received in evidence, subject to discovery, or otherwise used in any trial, hearing or other proceeding in or before any court, regulatory body, or other authority of the U.S. or a political subdivision thereof.

See “Lessons From CISA for In-House Counsel on Mitigating and Managing MSP Breach Threats” (Jun. 29, 2022).

What Is Next?

The Proposed Rule solicits feedback on numerous aspects of the regulation. Organizations may submit feedback during the review and comment period, which was extended to July 3, 2024. Under CIRCIA’s rulemaking requirements, CISA is likely to publish the Final Rule in the fall of 2025, at which point the requirements will go into effect.

See “A 2023 Cyber Regulation Look-Back and 2024 Risk-Management Strategies” (Dec. 13, 2023).

Practical Steps to Prepare and Engage

Organizations that are covered by the final rule are likely to face challenges complying with the aggressive reporting deadlines. As discussed in part one of this article series, Covered Entities can submit Supplemental Reports for information about a Covered Cyber Incident that is not yet known at the time an initial report is made. However, the Proposed Rule would nonetheless require Covered Entities to disclose details about covered incidents shortly after becoming aware of incidents at a time when entities are typically containing incidents, planning eradication strategies (if necessary), starting root cause analyses, beginning an impact assessment and assessing existing notification obligations under law and contract.

For organizations currently operating in less-regulated sectors, the Proposed Rule’s requirements might represent their first time being subject to cybersecurity reporting regulation outside of requirements related to the compromise of personal data. Even organizations in regulated sectors that are required to submit incident notifications, such as under the Defense Federal Acquisition Regulation Supplement, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, or (in the near future) the European Union’s Network and Information Security Directive, may not be prepared to report on incidents with this level of detail in such short time frames.

Accordingly, organizations of all sizes and regulatory profiles that operate or support other organizations in critical infrastructure sectors may need to adjust or develop processes to address these new requirements. This may require developing and incorporating new processes into existing incident response and notification procedures, which may also need to be harmonized with any existing processes to notify or disclose to various stakeholders, including individuals, regulators, shareholders, etc.

Understanding that the Proposed Rule is subject to change, organizations should nonetheless consider taking the following actions to prepare for the final rule.

Make a Covered Entity Determination

Organizations should consider starting the process to determine whether they may be a Covered Entity, a broad definition that might apply to an entire entity merely because a disparate segment of the organization meets a sector-based criterion. This will be especially important for organizations in less-regulated industries that have not previously been subject to incident reporting requirements and may not follow these matters closely.

Include the Entire Organization in Preparations

Further to the point above, Covered Entities may not be able to limit their reporting obligations just to lines of business that own, operate or support critical infrastructure. The Proposed Rule commentary notes that Covered Entities must report all Covered Cyber Incidents or Ransom Payments that impact their organization, even if those events are unrelated to critical infrastructure.

Update Internal Procedures

Organizations should consider updating their incident response plans and notification procedures so that they remain agile enough to account for the Proposed Rule’s new requirements. They may need to gather and review significant amounts of detailed information in a short period and share it with CISA, while keeping in mind potential legal implications, as discussed below. Covered Entities also should plan for the potential need to continue providing updates to CISA.

See our two-part series on a ransomware tabletop’s 360‑degree incident response view: “Days One to Four” (Jan. 4, 2023), and “Day Five Through Post-Mortem” (Jan. 11, 2023).

Update Data and Records Preservation Procedures

Under the Proposed Rule, Covered Entities would be required to retain for each Covered Cyber Incident communications, indicators of compromise, relevant logs and other forensic data; system information; information about exfiltrated data; ransom payment records; and any reports produced by the Covered Entity relating to the incident.

Covered Entities must begin preserving these data and records from the earlier of either: (1) the date upon which the entity establishes a reasonable belief that a Covered Cyber Incident occurred; or (2) the date a Ransom Payment was made. This information must then be preserved regardless of format or location, whether physical or electronic, for two years from the date the Covered Entity submitted its latest required report, including Supplemental Reports. Accordingly, Covered Entities should consider updating their data and records preservation procedures to account for these requirements.

See “Data Retention and Destruction Lessons From FTC’s Blackbaud Case” (Feb. 28, 2024).

Consider Other Legal Obligations

Organizations may want to consider how Covered Cyber Incident Reports, Ransom Payment Reports, Joint Covered Cyber Incident and Ransom Payment Reports, and Supplemental Reports (collectively, CIRCIA Reports) could implicate other legal risks even though CIRCIA and the Proposed Rule provide certain protections related to the submission of the report, as described in part one. For example, reports that describe operational impacts could inform the need to file other regulatory submissions or make notifications to other stakeholders. Accordingly, organizations and their legal counsel should carefully consider existing processes for drafting reports and review the applicability of the protections afforded under CIRCIA.

See “Complying With the FTC’s Amended Safeguards Rule’s New Reporting Requirement” (Jan. 3, 2024); “Navigating the SEC’s Newly Adopted Cybersecurity Disclosure and Controls Regime” (Sep. 6, 2023).

Plan for Operational Technology Impacts

Incidents and ransomware attacks that trigger reporting include events that impact not only IT systems and data, but also operational technology (OT) related to cyber-physical systems. Organizations that rely on OT (e.g., telecom, manufacturing, utilities, hospitals, oil and gas, food and beverage) may need to address a wider range of reportable incidents in their incident response plans.

Adapt Third-Party Agreements

Given the sweeping definition of Substantial Cyber Incidents, which incorporates third-party incidents (e.g., compromise of a Cloud Service Provider or Managed Service Provider) and a Supply Chain Compromise, organizations might consider how to cover such requirements in the various agreements that may be in place that govern their third-party relationships.

See “Key Terms and Negotiation Issues in Data Processing Agreements” (Sep. 13, 2023).


Ashden Fein is the vice chair of Covington’s global cybersecurity practice, where he advises clients on cybersecurity and national security issues. In particular, he specializes in advising clients on cybersecurity incident response, risk and crisis management, government and internal investigations, and regulatory compliance.

Caleb Skeath is a partner in Covington’s data privacy and cybersecurity group. He advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, pre‑incident compliance and preparation, and defending against class-action litigation.

Web Leslie is an associate in Covington’s data privacy and cybersecurity group. He previously served in government in various roles at the DHS, including at the National Protection and Programs Directorate, the predecessor to CISA, where he specialized in cybersecurity and critical infrastructure, public-private partnerships and interagency cyber operations.

Shayan Karbassi is an associate in Covington’s data privacy and cybersecurity group. He assists clients with cyber and data security incident response and preparedness, government and internal investigations, and regulatory compliance. He previously served in government as a member of the U.S. Intelligence Community.

Covington associate Kristen Chapman also contributed to this article.


[1] All capitalized terms that are not defined herein are defined in the Proposed Rule.

Financial Services Regulation

Testing Is an Integral Component of Compliance Programs


Rule 206(4)‑7 under the Investment Advisers Act of 1940 (Advisers Act), commonly known as the “Compliance Rule,” requires advisers to review the adequacy and effectiveness of their compliance policies and procedures. One of the essential tools advisers use to fulfill their obligations under the Compliance Rule is testing. An ACA Group presentation, part of its “Building a Gold Standard Compliance Program” series, examined the role of testing in a compliance program; hallmarks of effective testing; and testing design and implementation. The program featured L. Allison Charley, director, and Jaqueline Hummel, director of thought leadership, at ACA Group. This article synthesizes their insights.

See “More Regulators Accept New Tool to Streamline Companies’ Cyber Compliance” (Jan. 26, 2022).

Role of Testing in a Compliance Program

Development of a compliance program should start with an understanding of relevant regulatory requirements and fiduciary duties, Hummel said. An adviser should then conduct an assessment to identify the risks specific to the adviser’s business. That assessment serves as a roadmap for developing compliance policies and procedures. Once the adviser adopts and implements such policies and procedures, the adviser must conduct testing and monitoring to ensure they are being followed and working as intended.

The overarching purpose of compliance testing is to be able to demonstrate that the adviser’s policies, procedures and practices are, in fact, effective, Charley explained. Although there is no explicit requirement for compliance testing in the Advisers Act, it implies that compliance testing is part of appropriate supervision. For example, the Compliance Rule requires advisers to not only adopt and implement policies and procedures reasonably designed to ensure compliance with the Advisers Act and the rules thereunder but also review their adequacy and effectiveness at least annually. In addition, when adopting the new rules for private fund advisers, the SEC also amended the Compliance Rule to require advisers to maintain written documentation of their compliance reviews.

See our four-part series on a roadmap for building an efficient global privacy program: “Organizational Structure” (May 4, 2022), “Scope and Prioritization” (May 11, 2022), “Buy‑In, Scalability and Outside Resources” (May 18, 2022), and “Maintenance” (Jun. 1, 2022).

Hallmarks of Effective Testing

Focus on Key Risk Areas

The adopting release for the Compliance Rule lists 10 areas the SEC expects every compliance program to cover, Hummel said. An adviser should test those areas. It should also focus on longstanding SEC exam focus areas, risk alerts and guidance. The agency targets ways that investors could be harmed and ranks firms for exams based on its own risk assessments. If an adviser has done a risk assessment, it can use that assessment to inform and prioritize testing. Additionally, ACA Group’s annual compliance testing survey offers useful benchmarks. SEC focus areas do evolve, but the core areas of interest remain the same, so advisers should test accordingly, Charley added.

See “2024 SEC Examination Priorities: New Approaches to Old Areas of Concern” (Jan. 17, 2024).

Identification of Gaps

Testing should seek to identify trends, patterns or anomalies that are inconsistent with regulations or the adviser’s policies and procedures, Charley advised. It should complement the adviser’s other controls to help find weaknesses and gaps.

A well-designed test will help an adviser find out what it is missing, Hummel concurred. The SEC will review an adviser’s compliance manual, policies and procedures and ask whether and how the adviser tested the covered areas. Thus, test design should always start with the compliance manual. An adviser should create templates for testing with checklists, spreadsheets and procedures that facilitate the process, including location of relevant data.

See “Six Practical Tips for Building an Effective Privacy Risk Assessment Program” (Jan. 6, 2021).

Verification of Compliance With Policies

Testing is more than a check-the-box exercise, Hummel stressed. It is essential to understand the purpose behind each test. For example, when testing a policy statement, it is not sufficient to determine whether the policy statement accurately reflects the relevant regulation. The test should also verify whether the firm is actually complying with the statement.

Efficient Design

An adviser can make testing efficient by focusing on finding anomalies. “Test smarter, not more,” Hummel recommended. Tests should also focus on the areas of greatest potential impact for the firm, such as trade errors or errors that could bring steep SEC monetary sanctions. They should also cover the areas that the SEC has identified as focus areas.

See “Understanding and Implementing Privacy Audits” (Nov. 30, 2022).

Testing Methods and Parameters

The SEC has never provided guidance on how tests should be conducted, Charley remarked. Testing involves both art and science. The Office of the Comptroller of the Currency’s (OCC) Comptroller’s Handbook offers a comprehensive discussion of sampling methodologies that OCC examiners use in their supervision of banks.

A firm’s CCO is not responsible for conducting every test. The CCO may rely on the relevant professionals within the firm.

According to Charley, there are three main types of testing:

  1. transaction testing, which entails examining every transaction to determine whether it deviated from policies and procedures;
  2. periodic testing, which involves testing over a particular period of time; and
  3. forensic testing, which is used to identify unusual patterns or anomalies.

See “Effective Use of Privacy Impact Assessments” (May 4, 2022).

Determine Testing Frequency

The frequency of testing will depend on the nature of the activity being tested, Charley noted. Higher risk areas may need more frequent testing. The timing of certain activities may also affect timing of testing. For example, if an adviser bills fees quarterly, then fee testing should also be quarterly. The period covered by a test should be long enough to obtain meaningful results without making the testing too onerous.

Identify Relevant Data

Determine what data is needed for the test, keeping in mind that it may be necessary to obtain data from more than one source, Charley said. Consider whether relevant data is available and in what format, as well as whether there is sufficient expertise to analyze it. An adviser may be able to leverage technology for certain processes, such as trade monitoring.

See “How eBay and PayPal Use Key Performance Indicators to Evaluate and Improve Privacy Programs” (Jan. 8, 2020).

Define the Population

Defining the relevant population sample is a critical step in test design, Charley stressed. Determine which and how many clients, meetings, transactions or communications should be covered in a particular review. Each test is different – testing is not a one-size-fits-all exercise.

There is no rule as to how large a sample should be, but it must be large enough to offer meaningful results, Charley noted. The larger the sample size, the more confidence the adviser can have in the test’s results. Moreover, an adviser should not want to be in a situation in which the SEC finds something before the adviser does.

Select Sampling Method

After defining the relevant population, determine how to select a sample from it, continued Charley. One approach is numerical sampling, in which each item is equally likely to be selected. Random sampling is similar to numerical sampling but uses a randomizer to ensure the selection is truly random. Finally, proportional sampling can be used when it is particularly important to test a certain segment of the population.

See “A Checklist to Help Fund Managers Assess Their Cybersecurity Programs” (Jul. 27, 2022).

Set Tolerance/Exception Levels

Although advisers may set an acceptable tolerance level for exceptions identified in a test, the SEC expects advisers to address any exceptions that arise and remedy any investor impacts, Charley advised. They should also evaluate why the exception occurred and whether any corrective action is needed.

Use Both Art and Science

Effective testing involves both science and art, Charley reiterated. After taking into account the scientific elements of testing, compliance personnel can add value by informing the testing process with knowledge of the relevant population and applicable regulations. They may know if a matter being tested is an area of SEC focus, a high risk for the firm or in an area with repeated violations. Additionally, compliance personnel may want to ensure testing in particular situations. For example, they may be concerned about an investor that has experienced recurring compliance-related issues.

“You cannot catch everything,” Hummel stressed. An adviser must be reasonable in setting testing parameters and document the results carefully, even if some things occasionally slip through the cracks. Some people will deliberately circumvent compliance controls, and it will not always be possible to catch them. The adviser’s goal should be to show that it has done what is reasonable under the circumstances. Thus, an adviser should be able to explain why it chose a particular sample, what it found and what remedial steps it took. Documentation of those processes is critical. If testing is not finding any errors or exceptions, it may have to be adjusted.

See “Hallmarks of High-Impact Compliance Programs and Compensation Trends for Compliance Officers Who Implement Them” (Sep. 25, 2019).

Documentation of Test Results

Once an adviser has established the relevant parameters for a compliance test, it should develop a process for conducting the test and documenting the results, Charley said. Documentation should cover:

  • when the test was conducted;
  • who conducted it;
  • what was tested;
  • the source of the data for the test, which will facilitate subsequent testing;
  • test results, even when the test did not identify any issues; and
  • if the test detected issues, the steps taken to resolve them, including any escalation and remediation.

Documentation of testing will help an adviser demonstrate that it has supervisory controls in place and that its policies and procedures are sufficient to maintain compliance with applicable laws and regulations, Charley added. It can be helpful to categorize testing findings as “high,” “medium” or “low” risk, especially if the firm has extensive testing and findings.

The speakers encouraged advisers to be thoughtful when documenting compliance issues. It is better to use the term “issue” than a term like “breach,” Hummel recommended. Moreover, issues vary in severity. For example, when testing code of ethics compliance, a late filing of a personal trading report is less serious than trading without pre-clearance. A CCO should seek to learn all relevant facts and understand an issue prior to making a conclusion about the issue or documenting it.

It is better to use terms like “potential issue” or “item of interest,” Charley concurred. “When it comes to raising potential issues, be very mindful of the paper trail that you are creating,” she warned. The SEC often asks about compliance issues on exams. Thus, a serious issue should not be committed to writing until the adviser has established all the relevant facts and understands the situation. Moreover, in Hummel’s experience, many firms have emails that say things such as, “We have a huge issue,” but no documentation that the issue was ever addressed.

See “Defining, Documenting and Measuring Compliance Program Effectiveness” (Jan. 20, 2016).

Testing Example: Fees and Fee Disclosures

Fees and expenses are always areas of interest to the SEC. Hummel discussed how an adviser that charges management fees quarterly could test the calculation of those fees and their consistency with the adviser’s disclosures, which require it to calculate fees as of the first day of a quarter. To test the fees charged in the first quarter of 2023, that adviser should:

  • identify and document the relevant fee disclosures in its Form ADV and investment management agreement, including the amount/rate; when fees are charged; how and when assets are valued; and how the charges are paid;
  • determine how many accounts to test;
  • request the account custodian’s statements both for December 2022, to determine the value of the assets on which the fees were to be calculated, and January 2023, to check if the adviser deducted the correct amount of fees;
  • apply the disclosed fee methodology to each investor in the sample to determine whether the adviser calculated and charged the fees consistently with those disclosures and applied any requisite fee discounts or rebates; and
  • document the testing process and results, and retain copies of the documents reviewed.
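The fee test above, together with the random-sampling step described under "Select Sampling Method," carried out as an added example that is not the article's, the speakers' or any adviser's own code. The fee rate, the accounts, their statement values and the discount are constructed, and the assumption that the quarterly fee is the annual rate divided by four, applied to the December 31, 2022 custodian value, is an assumption rather than something the article states.

```python
"""Constructed Q1 2023 fee-calculation test (example only, not an adviser's code)."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
import random

# Assumed disclosed methodology (not from the article): 1.00% per year, billed
# quarterly in advance on the December 31, 2022 custodian value, less any
# disclosed discount, rounded to the cent.
ANNUAL_RATE = Decimal("0.0100")
CENT = Decimal("0.01")

@dataclass
class Account:
    account_id: str
    dec_2022_value: Decimal        # assets per the December 2022 custodian statement
    jan_2023_fee_charged: Decimal  # fee actually deducted per the January 2023 statement
    discount: Decimal = Decimal("0")  # disclosed discount as a fraction, e.g. 0.10

# Constructed population; A002 was not given its disclosed 10% discount.
POPULATION = [
    Account("A001", Decimal("1000000"), Decimal("2500.00")),
    Account("A002", Decimal("400000"), Decimal("1000.00"), Decimal("0.10")),
    Account("A003", Decimal("250000"), Decimal("625.00")),
]

def expected_quarterly_fee(acct: Account) -> Decimal:
    """Apply the disclosed methodology to one account."""
    gross = acct.dec_2022_value * ANNUAL_RATE / 4
    return (gross * (1 - acct.discount)).quantize(CENT, rounding=ROUND_HALF_UP)

def select_sample(population: list, size: int, seed: int) -> list:
    """Random sampling: every account equally likely; the seed is recorded so the
    same sample can be reproduced when the test is documented."""
    return random.Random(seed).sample(population, size)

def run_fee_test(sample: list, tolerance: Decimal = CENT) -> dict:
    """Compare charged to expected fees and record the outcome, including an empty
    exception list when nothing is found, as the documentation guidance requires."""
    exceptions = []
    for acct in sample:
        expected = expected_quarterly_fee(acct)
        diff = acct.jan_2023_fee_charged - expected
        if abs(diff) > tolerance:  # beyond rounding: needs follow-up and remediation
            exceptions.append({"account": acct.account_id, "expected": expected,
                               "charged": acct.jan_2023_fee_charged, "difference": diff})
    return {"period": "Q1 2023", "tested": [a.account_id for a in sample],
            "data_source": "Dec 2022 and Jan 2023 custodian statements",
            "exceptions": exceptions}

if __name__ == "__main__":
    print(run_fee_test(select_sample(POPULATION, 3, seed=2023)))
```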

See “SEC Director Offers Clarification on New Cyber Disclosure Regime” (Jan. 3, 2024).