Privacy laws: European GDPR is incompatible with SEC registration

One reading of the GDPR argues firms cannot share information with the US regulator.

What are the kids to do if the parents don’t agree?

The ongoing disagreement between US and EU securities regulators has left investment advisors feeling caught between two stalls. Securities and Exchange Commission registration applications from EU-based advisors have been piling up since last summer – a process that should take 45 days has languished for months with dozens of firms affected.

“We’re starting to have a great concern on the effects on our business reputation,” an EU general partner states, adding, “it’s an untenable situation.”

At the heart of the issue beats trust versus transparency. Blame GDPR. As the EU privacy regulation celebrates its first year, it has created a rift among regulators that requires healing.

When a private equity fund advisor applies to register with the SEC, it pledges to share documents requested by commission examiners.

Some read the GDPR’s embrace of privacy as forbidding EU-based advisors from sharing records with SEC examiners. That’s not going to fly with the examiners, and that’s why the agency staff hasn’t approved an EU applicant for months. A tentative solution may be for an EU firm to obtain a written legal opinion promising to co-operate with SEC examiners. But only agreement between the regulators will produce a lasting resolution.

As a private equity firm CFO sitting on the sidelines, you could regard such a global regulatory spat as a petty distraction. But it’s much more than this. Eleven years after markets wobbled in a financial crisis that nearly tumbled into mayhem, the inability of international regulators to recognize that we’re all in this together is troublesome.

Private equity is big enough to need regulatory oversight. SEC-registered advisors manage more than $3 trillion in private equity assets and span the globe (although most reside in the US).

So transparency can be expected. Regulators have a legitimate oversight role. No one wants a repeat of 2008. That movie wasn’t that good the first time around.

Balance needed

But transparency must be balanced against trust. Why won’t EU regulators simply issue an edict that hands EU managers that are SEC-registered a free pass to cooperate with examiners?

Bureaucratic inefficiency and preoccupation with Brexit offer two answers. But let’s not dismiss thinking in the EU that the US doesn’t appreciate privacy as much as its cousins. They have a point: politicians continue to argue whether the Constitution even provides a right to privacy.

The issue of data privacy is closely tied up with cybersecurity. It may well be that EU regulators don’t trust the SEC to keep secrets. It was only four years ago that a foreign actor hacked into the personnel records of US government employees. A PE fund advisor CFO who covets privacy may well wonder how his or her records will be safe when the government can’t even protect its own.

Which brings us to trust. The industry should expect that regulators will keep their data safe. A skittish PE firm CFO shouldn’t have to worry that the Chinese will learn about the firm’s finances before his or her investors. Governments on both sides of the Atlantic must agree on data protections, just as registrants must recognize regulators’ legitimate oversight function.

Carl Ayers is the publisher of Regulatory Compliance Watch, sister publication to Private Funds CFO.