The Dodd-Frank Act has ushered in a paradigm shift in the traditional compliance risk management practices on the buy side — especially for hedge funds. This shift has been accentuated to a great extent by the recent perp walks, indictments, civil and criminal prosecutions, and heavyweight convictions relating to old and new clandestine insider trading activities. The old mind-set dealt with hedge fund compliance as either a "necessary evil" that could be risk managed superficially with minimum capital expenditure, or as a risk that could be ignored with little consequence to the fund and/or its management. That is no longer the case.
As recently inducted regulated entities, hedge funds must alter their approach to compliance; those old-style options are now off the table for hedge funds, which can expect to face a new level of scrutiny from both regulators and investors. The challenges these firms face are indeed daunting, and there are two paths forward for funds. Some firms will continue to be under-resourced and under-focused on compliance, risk controls and technology, potentially leaving a ticking time bomb under the beds of their chief compliance officers (CCOs) and C-suite partners. For others, compliance will be addressed with the same gusto, spirit and expectation of results with which the firms deliver alpha returns to their portfolios, and they will make a real effort to develop a strong compliance program.
For those firms, robust compliance policies and procedures are the bedrock of successful compliance risk management. Obviously, the development of policies and procedures requires an in-depth understanding of the business models, strategies and execution activities of the fund in order to ensure that they contemplate the corresponding compliance risks. Policies and procedures need to be owned and managed as living documents and updated contemporaneously with regulatory changes and/or additions to the business models.
Good News and Bad News
The good news is, for most hedge funds the development of such policies and procedures is the easy part of establishing the compliance infrastructure. The not-so-good news is that creating the risk controls that will enable the organization to execute its own self-professed policies and procedures is, without exception, both challenging and daunting (e.g., having the capacity to connect the dots across multiple asset classes that are part of the same strategy, high-frequency algo gaming, etc.).
Yet the crucial step of moving from policies and procedures to thoughtful and sophisticated risk controls that are capable of detection and prevention is essential. Failure to do so will only exacerbate the risks to the firm and its management associated with a breach of the rules, regulations and statutes that govern the activities of hedge funds. Developing compliance risk controls requires that accountabilities and responsibilities be appropriately delegated both within business management and the compliance department, and the manner in which those responsibilities are discharged is the hallmark of any successful compliance risk management program.
Risk controls at hedge funds seem to be implemented with three varied approaches: The first is the "do nothing" approach in which the organization takes a deep breath, closes its eyes and keeps its fingers crossed. The second approach is what is perhaps best described as a "fictional" surveillance program that monitors activities manually (the old-world "eyes-on method"). The third strategy, which we'll call the "High-Frequency Data Collection and Analysis" approach, uses technology to collect, collate and interpret data through algorithms and to identify activities and behavior patterns that breach the company's risk controls. These three approaches are utilized currently by buy-side firms and, as hedge funds feel the pressure to step up their compliance and risk programs, they will be expected to implement an approach that leans on technology, despite the proclivity of some to lean toward "doing nothing" or to rely on manual monitoring.
To correctly implement the third type of compliance risk management program, next-generation technology is essential. Business models that are complex, and that are based on scale, can only be effectively risk managed with a risk platform that is smart, agile and scalable. The technology that firms use to support their risk controls needs to be intelligent enough to facilitate connecting the dots: the analysis of any anomalies; the identification of potential conflicts (at the enterprise level); the conclusions reached through the analysis of any anomalous activities, events or potential conflicts; and the resolution and/or remediation of such matters.
Many market practitioners have suggested that anyone who has convinced themselves that compliance can effectively be risk managed manually — and without periodic validation of the firm's controls — is not accepting the reality of the legal, regulatory and franchise reputational risks and exposures that this methodology invites. Analyzing orders and executions in the context of the prevailing market, their impact on the market, the imputed economic benefit of such activities from a P&L perspective and the delta in the risk position/exposure is impossible to do via any manual process/methodology.
As such, right-sized technology that aligns with the firm's risk controls, policies and procedures will not only ensure that the organization has the resources to effectively mitigate the risks of its activities, it will also provide the much-needed flexibility and scalability to deal with changing regulation and strategies over time. For organizations with a global footprint, the scalability of a homogeneous risk platform that contemplates the compliance risk needs across all regions is critical. For all firms, having a platform that enables "reactive" and "proactive" compliance risk management is imperative.