One fallout from the insider trading investigations has been increased compliance demands on research providers of all types. Research firms have responded by upgrading their compliance infrastructure. However, the new compliance demands have arisen quickly without any clear regulatory guidance for regulated or unregulated research firms. Failing regulatory leadership, we have to fall back on industry best practices.
We have reviewed the compliance capabilities of over sixty research firms, the majority of these reviews taking place in the last eighteen months. Hedge funds, money managers and research distributors have hired us to supplement their own diligence efforts with in-depth reviews. This has given us an opportunity to understand the practices currently being followed by the research industry.
One thing that has impressed us is the adaptability of the industry. Firms with research processes that have higher risk of coming in contact with inside information have adopted extensive information controls. Firms with lower risk of receiving inside information are not ignoring the issue, but fewer controls are required.
As we look across the industry, we see a spectrum of risk, ranging from quantitative research firms at one end to expert networks at the other. In between are macroeconomic firms, policy research, industry consulting firms, fundamental firms, forensic research and channel checkers.
Best practices which make sense for expert networks may not make sense for fundamental firms because of differing research processes. For example, best practice among expert networks includes identifying companies which prohibit employees from outside consulting and setting up safeguards to prevent recruiting experts from those companies. This practice makes little sense for fundamental firms, unless they are users of expert networks.
Nevertheless, there are certain practices which are common to all forms of research:
- Each firm should have a designated compliance professional(s) accountable for the firm’s compliance policies and procedures. The compliance professionals may or may not be full time, depending on the nature of the firm and its attendant risks, but in all cases the compliance professionals need to ensure that the firm’s compliance platform is appropriate, and most importantly that policies are understood and actively followed.
- Establish and enforce compliance policies and procedures written in clear and understandable language. We’ve seen many examples of firms founded by ethical people who assume that if they hire good people that will be sufficient. Unfortunately best practices can’t be taken for granted and must be proactively communicated.
- Develop clear and understandable policies for information control. As we’ve seen from the recent insider trading convictions, confidential information and potentially material non-public information needs to be promptly detected and handled through written policies and procedures that are well-known and consistently followed. The policy should include examples of inside information that are relevant to the type of research conducted.
- Provide a regular training program for all employees regarding legal and ethical obligations. Training should include specific examples of confidential and material non-public information that might be encountered during the research process.
- Firms should monitor where its employees obtain information. Firms need to develop a process to determine with whom their employees are speaking to gather information and whether employees might be at risk of receiving confidential or potential material non-public information. As an example, firms should record details of surveys and channel checks conducted by employees.
- Periodically ‘spot check’ employee activity to ensure that it is consistent with policies. There are different ways to do this, but all entail a level of engagement with the research process. Compliance professionals need to understand the research process and to be in regular contact with research professionals.
Regulated firms start with a good compliance infrastructure. They have dedicated compliance professionals, written policies which typically include information controls and training programs. However, while sanctions against insider trading are well established in the current regulatory regime, some of the recently subtleties involving confidential information are not.
Policies in regulated firms typically define confidential information as internally generated, such as deal information within investment banking departments, and seek to prevent its dissemination through research advisory services. Regulated policies are typically silent on addressing the risks of receiving confidential information from research sources, which is one of the key takeaways from the recent insider trading investigations.
Another common issue with regulated entities is the degree to which compliance professionals understand the research process. Compliance professionals may not be aware of analysts’ use of primary research or outside consultants, or may not feel empowered to monitor it.
Whether regulated or unregulated, all research firms are adapting to the new compliance realities. The challenge is that while regulators have been quick to punish inside information, updated regulatory guidance on information controls is lacking. Fortunately, the research industry is not waiting around for guidance. Best practices are being adopted, and the industry is responding.