Securities Compliance Sentinel

Analysis of cutting-edge securities industry issues

Why Should You Care About Cyber-Security

Posted in Broker-Dealer Regulation, Compliance and Supervision, Financial Industry Trends, FINRA Compliance, FINRA Enforcement, SEC Compliance, SEC Enforcement

The short answer to this question is that the SEC and FINRA care.  Both regulators have made this issue an exam priority for the year, and it was recently a focus of an SEC roundtable. 

We hear of data breaches on nearly a daily basis at retail stores, to name a common target. But what about the financial services industry? Is it at the same risk? In some ways, broker-dealers and RIAs are even more at risk.

The common data breaches that we hear about involve an outside source breaking into a company’s data warehousing system. This is what I would call the macro cyber-security issue. This is one that firms must address on a firm-wide, systemic basis with their information technology resources.

Equally troubling are what I call the micro level risks.  These include efforts by outsiders to divert funds from a client’s account through the use of the email system. 

The typical situation involves a compromise of your client’s email. Then an email comes from your client’s email address purporting to ask for funds to be forwarded to an account outside of the firm. The unknowing advisor executes the trade, while the client is unaware of having been compromised.

The easiest way to deal with this issue is to have and enforce a written supervisory procedure that forbids brokers from executing orders that come through email.  Instead, such a distribution request should only be effectuated with a confirming call to the client. In this day and age of instant messaging it is critical not to forget the phone.   

There are a number of benefits to this approach. For one, a simple call to your client may avert a financial disaster. Equally important, any time you speak with your clients is a way to assure your clients that you have their best interests at heart. Doing so is also simply another marketing opportunity to get in front of your clients.

We are all at risk of cyber-attack so all firms must be certain to have their technology tested to ensure against macro attacks.  Firms must also train their brokers to understand the signs of a micro level attack.  The failure to take these actions is a recipe for disaster.

* photo from freedigitalphotos.net

Who Wants To Know Something About FINRA’s New Written Procedures Rule?

Posted in Broker-Dealer Regulation, Compliance and Supervision, FINRA Compliance, FINRA Enforcement, Registered Representatives

New FINRA Rule 3110 (effective December 1, 2014) sets out various written procedures and requirements for member firms.  You should pay particular attention to these rules because they suggest those areas of focus in any upcoming examination. 

Among other things, new FINRA Rule 3110.06 provides for the review of correspondence and internal communications.  Importantly, this rule permits the “use of risk-based principles to review its correspondence and internal communications.” 

So what is a risk-based review?  In simple terms, a risk-based review allows the firm to focus on certain conduct and communications as opposed to reviewing all internal and external communications.  If a firm’s written procedures do not require the review of all communications, a risk-based review program must provide for the following: 

  1. Education and training of the associated persons regarding the firm’s procedures regarding correspondence;
  2. The documentation of such training; and
  3. Surveillance and follow through to ensure procedures are being followed.

Equally important, under Rule 3110.07, the firm must keep evidence of its review of correspondence and internal communications. As the high school football coach of our managing partner used to say, “the film don’t lie”. In other words, keep adequate records of your communications review; otherwise, you may as well not do it.

 The focus on communications in new Rule 3110 should be a message for everyone.  Firms must ensure that they have an adequate review process in place, which must be well-documented.  If not, dust off your checkbook after your next examination.

Photo from freedigitalphotos.net

RIAs Permitted to More Freely Advertise on Social Media

Posted in Investment Adviser Regulation, SEC Compliance

The SEC’s Division of Investment Management issued guidance permitting advisers greater use of social media while maintaining the prohibition on testimonials. See http://www.sec.gov/investment/im-guidance-2014-04.pdf.

IM indicated that advisers could link public commentary from a third-party social media site, and it would not violate the Investment Advisers Act of 1940 so long as the adviser had no ability to influence any commentary published on a completely independent site. Further, the adviser could also not restrict the commentary to only favorable comments, and the site had to permit all commentary on a real-time basis. The adviser also could not suppress any negative comments, but may refer clients to a third-party social media site in advertising as well as include “friends” or other communities of users provided there was no favorable bias towards the adviser.

In short, the SEC seems to be grudgingly entering the modern era. However, we suspect that the SEC will most likely review these postings in the future during exams and inspections.

What Do You Need To Know About FINRA’s New Supervision Rules

Posted in Broker-Dealer Regulation, FINRA Compliance, Registered Representatives

Effective December 1, 2014, there will be new rules for broker-dealer supervision.  With these changes, FINRA is placing more burdens on a firm’s supervisory system.   

With respect to “supervisory systems”, Rule 3110 covers the following: 

  1. Establishing and maintaining written procedures and designating principals responsible for supervision.
  2. Designating offices of supervisory jurisdiction.
  3. Designating OSJ/non-OSJ branch principals.
  4. Supervision of one person OSJs.
  5. Assigning supervisors for registered representatives and determining qualifications of supervisory personnel.
  6. Annual compliance meetings.

Of particular interest in this new rule is the provision governing single person OSJs (Rule 3110(b)(6)).  It reminds firms that the single person OSJ cannot supervise himself and that, to avoid conflicts of interest, the firm must conduct focused reviews of the single OSJ. 

As firms continue to grow and their supervisory systems get stretched further and further, firms must refocus their use of single person OSJs. Although they are beneficial for firms with a diverse demographic foothold, Rule 3110(b)(6) reminds member firms that a single person OSJ is not an island unto itself.

Rule 3110 does not become a reality for eight months.  Use that time wisely.  Review your supervisory systems and take a particularly hard look if you are using single person OSJs.

* photo from freedigitalphotos.net

E-Mail Guidance from FINRA …. What took you so long?

Posted in Broker-Dealer Regulation, FINRA Compliance

FINRA amended its supervisory rules to include new Rules 3110 and 3120.   See http://www.finra.org/Industry/Regulation/Notices/2014/P465941.  Those Rules replace FINRA Rules 3010 and 3012 and add some additional requirements. 

FINRA provided some additional guidance concerning electronic communications, including customer correspondence and internal communications. FINRA will now permit member firms to use a “lexicon-based” screening tool or system for email reviews. Nonetheless, supervisors are still responsible for the system and how it operates. Such guidance implies that FINRA is still going to review these supervisory systems, and respond accordingly if something goes wrong.

In short, member firms need to be careful with email review and ensure their systems are operating properly.

 

SEC Discourages Incentivizing Whistleblowers to Keep Complaints In-House

Posted in Compliance and Supervision, Dodd-Frank, SEC Compliance, SEC Enforcement

What’s good for the goose is apparently not so good for the gander, as the SEC warns in-house attorneys against whistleblower contracts. 

The SEC has been financially incentivizing whistleblowers to bring securities fraud complaints to the agency’s attention for years, with increasing success. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 empowers the SEC to reward whistleblowers who provide original information that leads to an SEC enforcement action in which more than $1 million in sanctions is ordered. In such instances, the whistleblower reward can range from 10% to 30% of the total money collected. The Act also established the SEC Office of the Whistleblower, which takes in, evaluates, and pursues whistleblower complaints.

The number of complaints to the Office of the Whistleblower has increased in recent years as large whistleblower rewards are publicized.  According to the 2013 Annual Report to Congress on the Dodd-Frank Whistleblower Program (http://www.sec.gov/about/offices/owb/annual-report-2013.pdf), “[t]he number of whistleblower tips and complaints the Commission receives annually increased from 3,001 in the 2012 fiscal year to 3,238 in the 2013 fiscal year.”  The 2012 number was also up from 334 tips and complaints in the last four months of 2011, when the Dodd-Frank whistleblower program began.

In recent comments, the SEC’s whistleblower chief, Sean McKessy, said the Commission was receiving an average of 9 or 10 tips a day.  Commodity Futures Trading Commission whistleblower chief Christopher Ehrman also recently stated that tips into the CFTC have increased about 50 or 60 percent over the past year. 

This number is only expected to increase, as larger awards are publicized.  For example, the SEC announced on October 1, 2013 that it awarded over $14 million to a whistleblower – the SEC’s largest whistleblower award to date – who provided information that led to an SEC enforcement action that recovered substantial investor funds.

Naturally, securities compliance attorneys are actively brainstorming creative solutions to guard against the growing number of whistleblower complaints.  As in-house attorneys weigh their options, however, they should consider avoiding contracts that offer incentives for employees to keep whistleblower complaints in-house.

At remarks before the Georgetown University Law Center Corporate Counsel Institute last Friday, March 14th, the SEC’s whistleblower chief, Sean McKessy, warned lawyers that they may be disciplined for creatively drafted contracts attempting to incentivize company whistleblowers from bringing alleged company wrongdoing to the SEC’s attention:

“Be aware that this is something we are very concerned about.  If you’re spending a lot of your time trying to come up with creative ways to get people out of our programs, I think you’re spending a lot of wasted time and you run the risk of running afoul of our regulations. . . .  And we are actively looking for examples of confidentiality agreements, separates agreements, employee agreements that . . . in substance say ‘as a prerequisite to get this benefit you agree you’re not going to come to the commission or you’re not going to report anything to a regulator.’”

McKessy noted that securities compliance attorneys should know the risk of drafting such contracts, reminding those in attendance that the agency has the power to revoke attorneys’ ability to appear before the commission:

“And if we find that kind of language, not only are we going to go to the companies, we are going to go after the lawyers who drafted it . . . We have powers to eliminate the ability of lawyers to practice before the commission. That’s not an authority we invoke lightly, but we are actively looking for examples of that.”

In light of this strong language from the SEC’s McKessy – who appeared alongside Commodity Futures Trading Commission whistleblower chief Christopher Ehrman and the Government Accountability Project’s legal director, Tom Devine – general counsel and securities compliance attorneys should be cautious when drafting employment contracts to avoid including language that could be interpreted to offer incentives for employees to keep potential securities fraud whistleblower complaints in-house.

Attribution:  Brian Mahoney reported on McKessy’s recent remarks in Law360:  http://www.law360.com/articles/518815/sec-warns-in-house-attys-against-whistleblower-contracts

What To Make Out Of FINRA’s Proposed Rule On Bonus Disclosures

Posted in Broker-Dealer Regulation, Conflicts of Interest, FINRA Compliance, SEC Compliance

Bonuses and other forms of compensation are frequently used by one firm to attract talent away from another firm.  FINRA has now proposed a rule that would require brokers who receive in excess of $100,000 to disclose that payment to their customers.  Does this make any sense? 

FINRA’s rationale for the rule is that it would clarify potential costs that customers incur when they move their accounts from one member firm to another. FINRA cited, for example, costs to close the account at the first firm, as well as tax consequences associated with the liquidation of investments that are not transferable.

This rationale does not make much sense when considered more fully. These so-called costs should be disclosed to a customer who closes an account regardless of the reason. Tying it to compensation paid to a broker who intentionally fails to advise her client about costs rings a bit hollow for a justification.

The opposing view to this rule is that it will have a chilling effect on the movement of registered representatives. After all, who would want their clients knowing how much they were paid to move from one firm to another?

In my view, if registered representatives are honest with their clients about the costs associated with closing and moving an account, there would be no need for this rule.  It unfortunately seems as though FINRA is letting the actions of the minority impact the majority of brokers who move firms.  FINRA and the SEC should do more to weed out the bad seeds rather than punish those who are honest with their clients.

 

* photo from freedigitalfotos.net

Should You Breathe Easy Because FINRA Enforcement Actions And Fines Decreased In 2013

Posted in Broker-Dealer Regulation, Conflicts of Interest, FINRA Compliance

The Sutherland Asbill firm recently released its report regarding FINRA enforcement actions. In all, the report reflects that enforcement actions and fines decreased over the past year.  So what does this all mean?

According to the firm, this could be a reflection of the larger financial crisis cases having worked their way through the system. One statistic that particularly caught my attention, however, was the decrease in the number of suitability cases; according to the report, a 38% drop.

Does this mean that FINRA is less focused on suitability cases? Not in the least.

According to FINRA, suitability remains one of its primary exam priorities in 2014. FINRA has stated that it is particularly focused on suitability when it comes to more complex products. FINRA is also focusing on those situations where there is a financial incentive for the recommendation of a particular investment. Examinations will focus on how material risks are being disclosed.

Don’t take the statistics lightly when it comes to suitability. Make sure your registered representatives are doing their job when making recommendations, especially when it comes to sophisticated and incentive-based products. Otherwise, you may contribute to an increase in suitability statistics next year.

 * photo from freedigitalfotos.net

When in Rome Do as the Romans or At Least Play by the Rules

Posted in Broker-Dealer Registration, Broker-Dealer Regulation, Foreign Broker-Dealers, International Securities Regulation

Usually, we spend a fair amount of time advising our American broker-dealer clients, who do business overseas, that they have to follow the rules of those countries as well.  However, the “shoe” may sometimes be on the other “foot.”  See http://www.sec.gov/litigation/admin/2014/34-71593.pdf.

Recently, a foreign broker-dealer was forced to pay a 9 figure judgment to resolve an action brought by the SEC.  This foreign broker-dealer solicited and serviced thousands of American clients and made 8 figures in annual revenue over a 5 year period.  However, a slight detail was ignored.  The foreign broker-dealer never bothered to register as an American broker-dealer or investment adviser.

Sadly, some will never learn, especially in this case where it seemed the foreign broker-dealer could have easily become registered. In any event, this is a good example of what happens when you believe you can avoid the rules if you do not speak the “language.”

FINRA “Sweeping” Firms for Cyber-Security

Posted in Cyber-Security, Financial Industry Trends, FINRA Compliance

We keep saying it, and we will keep saying it, cyber-security issues will not go away.

Now, FINRA has notified its member firms that it will begin assessment examinations regarding controls, procedures, approaches and management of cyber-security threats. See http://www.finra.org/Industry/Regulation/Guidance/TargetedExaminationLetters/P443219. In particular, FINRA examiners will review business continuity plans, service provider arrangements, other third party vendor agreements, reporting lines, cyber-attacks and responses, training, and insurance. FINRA will use this information to assess its member firms’ potential response to these issues as well as their infrastructure.

Seriously, member firms need to take this risk seriously and ensure that core systems are protected.