Bad Role Model: Quant Adviser Charged with Failures that Allowed Unauthorized Changes to its Investment Models
On January 16, the SEC announced that it settled charges with a quantitative investment adviser for failing to address known vulnerabilities in its investment models and for failure to supervise an employee who exploited these vulnerabilities to make unauthorized changes to key model parameters.
Specifically, the SEC alleges that the adviser allowed numerous employees to have unrestricted read-write access to a database where model parameters were stored, a practice that the adviser’s own personnel had identified as a security concern. However, according to the SEC, the adviser failed to reach internal consensus on a resolution and, as a result, did not take action to address the vulnerability. The SEC’s order goes on to state that after an incident in which an employee inadvertently overwrote certain model parameters in the database, the adviser did implement additional procedures requiring programmers to submit tickets to the adviser’s engineering team in order to implement changes to the parameters. However, the SEC found these procedures to be insufficient because the requested changes were implemented automatically without any substantive review, testing, or approval.
The SEC states that the adviser’s failure to address this vulnerability allowed an employee to make changes to the model parameters (including fully nullifying certain parameters) that caused the models to make materially different investment decisions than would otherwise have been the case. The SEC alleges that this caused certain accounts to pay millions of dollars in additional fees to the adviser due to overperformance resulting from the model changes, and that the model changes also caused certain other accounts to significantly underperform.
Adding insult to injury, the adviser was also charged with violating the Dodd-Frank whistleblower protection rules because departing employees were required to sign a separation agreement representing that they had not filed any charges, complaints, or lawsuits against the adviser prior to executing the agreement. Although the separation agreements apparently included a carve-out stating that employees were not prohibited from reporting possible violations of law or regulation to government agencies, the SEC found this to be insufficient because the carve-out applied only to reports not yet made, whereas the representation described above applied to reports made prior to signing the agreement.
The adviser agreed to pay $90 million in penalties to settle the charges with the SEC, as well as $165 million in voluntary repayments to investors who were negatively impacted by this incident.
Key Takeaways
As a general takeaway, this action should serve as a reminder to all advisers to follow through on addressing known vulnerabilities. The consequences are always worse if it comes to light that an issue arose from an adviser’s failure to act after learning about a weakness in its controls.
All advisers (whether they employ systematic investment strategies or not) should assess their access controls to ensure they are adequate to safeguard sensitive information. Access to information should only be granted to individuals who have a legitimate business need, and their level of access (e.g., read-only vs. read-write) should be appropriate for their role. Additionally, modifications to sensitive data should be subject to appropriate oversight, including requiring pre-approval, systematically logging changes, and conducting post hoc monitoring for inadvertent and/or unauthorized changes.
Advisers that do in-house development, whether for investment models as in this case or for other proprietary systems, should have robust controls around modifications to source code and the integrity of data inputs. In general, except at the smallest advisory firms, it should not be possible for any one individual to make changes unilaterally, and, ideally, changes would be subject to review and approval by at least one person who is independent of the team initiating the changes. Material changes should also be subject to appropriate testing in a development environment before being deployed in production, to ensure that the systems will behave as expected once the changes go live.
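As an added illustration of the post hoc monitoring and independent-approval controls described in the two takeaways above (example code written for this post, not anything from the SEC order or the adviser's own systems): the check below reconciles a constructed log of parameter changes against a constructed ticket ledger and flags changes that were auto-applied without review, approved by the requester, untested, made with no ticket at all, or that nullified a parameter. The Ticket and ParamChange fields, the names, and the rule that a value of None or 0 counts as nullified are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    requested_by: str
    approved_by: Optional[str]  # None: applied automatically, nobody reviewed it
    tested: bool                # exercised in a dev environment before deployment
@dataclass(frozen=True)
class ParamChange:
    change_id: str
    parameter: str
    new_value: Optional[float]
    changed_by: str
    ticket: Optional[str]       # None: direct write to the parameter store

def review_changes(changes, tickets):
    """Post hoc check: returns {change_id: [oversight gaps]}; clean changes omitted."""
    by_id = {t.ticket_id: t for t in tickets}
    findings = {}
    for c in changes:
        issues = []
        t = by_id.get(c.ticket) if c.ticket else None
        if t is None:
            issues.append("no ticket")
        else:
            if t.approved_by is None:
                issues.append("auto-applied without review")
            elif t.approved_by in (t.requested_by, c.changed_by):
                issues.append("approver not independent")
            if not t.tested:
                issues.append("not tested before deployment")
        if c.new_value in (None, 0):  # assumption: None or 0 means nullified
            issues.append("parameter nullified")
        if issues:
            findings[c.change_id] = issues
    return findings

# Constructed sample records; names and parameters are illustrative only
TICKETS = [
    Ticket("T-1", "alice", approved_by="bob", tested=True),
    Ticket("T-2", "carol", approved_by=None, tested=False),
    Ticket("T-3", "dave", approved_by="dave", tested=True),
]
CHANGES = [
    ParamChange("C-1", "momentum_weight", 0.35, "alice", "T-1"),
    ParamChange("C-2", "value_weight", 0.0, "carol", "T-2"),
    ParamChange("C-3", "vol_cap", 0.15, "dave", "T-3"),
    ParamChange("C-4", "size_weight", None, "erin", None),
]
```

Running review_changes(CHANGES, TICKETS) leaves C-1 clean and reports C-2 as auto-applied, untested and nullified, which is the pattern the order describes.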
Review your employment agreements, confidentiality agreements, severance agreements, written policies and procedures, and any other relevant documents with a fine-toothed comb for language that could be construed to limit a person’s ability to make a protected whistleblower complaint. Review these documents with the skeptical eye of a regulator, even if you personally think it would be a stretch to claim that the language would stifle a potential whistleblower. If you identify any issues, make sure you work with qualified counsel to update the documents to address whistleblower protections and, if applicable, to address any instances in which someone received an earlier version of the document containing the problematic language.