With the exception of those of you who have literally been asleep for the last few years, you are well-versed in the attention FINRA and the SEC are giving to issues surrounding elder investors. Among other things, there is a real focus on elder abuse.
Some commentators believe that all of this attention may inevitably lead to additional regulations regarding how you handle older investors. Like most things from a regulatory/legislative standpoint, the loudest wheel will get the most oil.
With the graying of the baby boomers, this section of society will undoubtedly have a large voice in whatever regulations or laws may come to pass. It seems as though most of the claims I have defended over the last 20 years have involved investors over the age of 60 such that I can say there is a real issue with how firms handle older clients.
Is there anything that can be done to avoid this potential regulatory headache? I think that there are things that can be done on both a macro and micro level.
The macro solution requires firms to take a big-picture view of their customer composition. Assuming that there is a graying component to your customer base, you should have specific firm-wide policies and procedures that address elder issues, i.e., heightened supervision, alternate decision-makers, a committee that addresses elder issues, etc.
The micro solution is tied to the macro and can be addressed by a simple question. What are you as a firm doing to ensure your policies and procedures pertaining to elder investors are being carried through as written by your advisors/representatives? If you cannot answer this question, you might as well be signing off on those regulations.
Avoiding elder client regulations may still be in your hands. Are you doing enough to address the issue at your firm? Only time will tell.
As we all know, cybersecurity remains a top priority for the SEC and FINRA. Unfortunately, a recent Investment News article would suggest that firms do not take it as seriously, or, at least, firm employees do not.
A recent study of passwords by SplashData demonstrates that advisers and firm employees are not taking to heart their role in the firm’s cybersecurity. The study showed that login passwords still include such “impossible to crack” choices as “12345” or “password”.
It is hard to believe that in this day advisers do not accept their own responsibility for securing client and firm data. For example, firms should consider multilevel verification for access to client information. Another change would be to have computers lock (requiring a password entry) after a shorter period of time. Although possibly inconvenient, this will better protect firm systems.
It seems to me that this study and article show that something is missing. That something seems to be adequate education and training. How else can you explain anyone using “12345” or “password” as a password?
Quite frankly, time is running out for firms. Your regulators are, no doubt, going to ding you if you have such weak passwords protecting client data. So what should you do?
First, adequately train all staff about the importance of an effective password. Second, make it a firm requirement that passwords be changed every 60 to 90 days. Third, implement multilevel steps to access client data.
You don’t want your clients reading about you being dinged by a regulator for not having adequate passwords. Take action now, before it is too late.
Those famous words of the immortal Yogi Berra hold true when it comes to the SEC exam priorities for 2016. Among those at the top of the list are two familiar friends; protecting retail investors and investors saving for retirement.
It is clear that the SEC is looking in particular at how retail firms are dealing with their older clientele, since it is fair to assume that older clients are those most likely preparing for retirement. So what does the SEC want to know?
The SEC is looking at retirement services being offered, focusing on whether there is a reasonable basis for recommendations, conflicts of interest, supervision and compliance controls, as well as marketing and disclosure practices. If you compare these priorities to FINRA’s exam priorities, you will see the overlap.
The overlap of these priorities should set off alarm bells in your head. The SEC and FINRA have told you twice what your regulators will analyze during your next exam. You have a choice.
You can ignore these areas and not take prophylactic measures to make sure that your policies and procedures in these areas are consistent with current industry standards, or you can take a serious look at what your firm is doing for your clients who are focused on retirement investing. Something tells me that taking the path of least resistance will not win you any awards with your regulators.
So take affirmative steps and give your policies and procedures in these areas some deep thought. Do you have any policies and procedures in place? If so, do they go far enough, and are they consistent with current industry trends and practices? FINRA and the SEC are doing some of your work for you; don’t miss out on the free advice they are giving you.
Other than the undefined “culture”, FINRA’s 2016 exam priorities are also focused on supervision and risk management. At least these categories are a bit more defined, so that you are not left guessing what FINRA means.
Under these broad topics, FINRA is focused on four primary areas, which include:
- Management of conflicts of interest, including incentive structures, investment banking and research business lines, information leakage, and position valuation.
- Technology, including the ever-present cyber-security, technology management and data quality governance.
- Outsourcing: what are firms doing to reduce costs by outsourcing while, at the same time, maintaining responsibility for the work performed by that third party?
- Anti-money laundering monitoring and controls.
So what do all of these have in common? Yes, you guessed it; all would fall within the general culture of compliance that is also a focus of these exam priorities.
All of the above-referenced priorities have appeared in some form in the past, but a couple warrant special attention: technology and outsourcing. This is a particular issue for smaller firms that, because of cost and infrastructure limitations, need to outsource cyber-security.
If so, the most important thing to remember is that you can outsource the work, but not the responsibility. So what do you have to do when you outsource?
For one, you need to vet your vendors. What are they doing to make sure they are adequately protected and, in turn, protect your electronically stored information? What does your contract provide for in the event of a breach under the vendor’s watch? Will the vendor defend and indemnify you?
These are only a couple of the issues to explore, but explore you must. After all, you can never delegate the responsibility to protect customer information from cyber-attack. FINRA will want to know.
Well, guess what? FINRA does not agree with this statement to such a degree that culture is now part of FINRA’s exam priorities for 2016.
While the exam priorities acknowledge that “FINRA does not seek to dictate firm culture”, it is an important consideration when assessing a firm’s culture of compliance. After all, such a culture starts with leadership at the top.
So what is FINRA looking for when it makes “culture” an exam priority? FINRA has noted that it is looking for the following things.
- Whether control functions are valued in the firm.
- Whether policy or control breaches are tolerated at the firm.
- Whether the firm proactively seeks to identify risk and compliance events.
- Whether supervisors are effective role models for firm culture.
- Whether sub-cultures at the firm (such as in branch offices) that do not conform to the overall firm culture are identified and rectified.
FINRA’s spelling out of these “five indicators” is meant to tell firms what they should be looking for in their own organizations. If you do not have meaningful answers to each of these items, it may be safe to say that you do not have a firm culture that FINRA will like.
So don’t be afraid to look yourself in the proverbial mirror and assess your culture. Is it one that promotes compliance? If the answer is no, you have a lot of work to do before your next examination.
When faced with a customer complaint, the key is what you do next. In the last of our podcast series, Ernie Badway and I discussed what firms should do when confronted with a customer complaint. Enjoy.
FINRA released its 2016 Exam Priorities yesterday, and its top priority ventures into a very grey area. FINRA has announced that beginning this year, it will formalize a process of assessing “firm culture”. In doing so, FINRA appears to be focused primarily on ethics and conflicts of interest and insists that it “does not seek to dictate firm culture”.
FINRA has defined “firm culture” as a “set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm’s business.” In its assessments, FINRA plans to focus on five indicators of acceptable firm culture:
- Whether control functions are valued within the organization;
- Whether policy or control breaches are tolerated;
- Whether the organization proactively seeks to identify risk and compliance events;
- Whether supervisors are effective role models of firm culture; and
- Whether sub-cultures (e.g., at a branch office, a trading desk or an investment banking department) that may not conform to overall corporate culture are identified and addressed.
While FINRA’s intentions are well-placed, this level of micromanagement is unprecedented. Assessment of company values and culture is inherently subjective, which makes it difficult for a government regulator to assess and enforce. Thus, it will be interesting to see how FINRA actually develops its formal evaluation of firm culture.
As you may know, FINRA last April launched a senior helpline to address issues pertaining to senior investors. According to recent reports, FINRA received calls on many different issues, ranging from how to read an account statement to fraud targeted at senior investors.
FINRA has reported that some of these calls resulted in follow-up calls from FINRA and ultimately in referrals to federal and state authorities. So what is the takeaway from the hotline?
For one, senior investors are actively seeking FINRA’s assistance on issues from the mundane to the serious. With respect to those more serious issues, FINRA, in turn, is showing how seriously it takes them.
If you have not already done so, it is critical that you revisit your policies and procedures for senior clients. If you do not have policies and procedures, you need them.
At a minimum, you should consider placing all accounts of anyone 65 years old and over on some form of heightened supervision. By doing so, you are in a better position to learn about issues before they become a problem and, worse yet, get reported to FINRA through the hotline.
From my perspective, one of the biggest issues you face will be suitability of investment recommendations to seniors. By having policies and procedures that demand your attention to this issue (such as heightened supervision), you may avoid liability and regulatory issues in the future. Many issues can be avoided by simply improving the lines of communication with your senior clients.
Do nothing, and you have already set your boat down a rough course.
The SEC is conducting an exam sweep that focuses on retirement advice being given to clients of investment advisors and broker-dealers. Some commentators see this as a turf war between the SEC and the Department of Labor (DOL) because the sweep focuses on things that may come under the DOL’s jurisdiction.
Whether the exam sweep intrudes upon the DOL’s purview is really not the point. The real takeaway, as I see it, is the general subject matter and those clients who would be most implicated.
This past year, the SEC and FINRA issued a joint report with their findings from an exam sweep focused on elder clients. This current SEC sweep can, at least in part, be seen as an extension of that work; elder clients may be the ones most impacted by retirement account advice.
So what does this mean for you? If your firm is not razor-focused on what it is doing with elder clients and retirement accounts, you may be in for a rude awakening during your next regulatory exam.
As the year ends, dust off your WSPs and take a hard look at them for elder and retirement account issues. Are you addressing prior findings of the SEC and FINRA that they have made available in various reports? Has anything changed this year with the way you are running your business that may warrant a different approach? Do you need to do things differently because of changes to your business model?
Ask these questions internally now and maybe you can avoid answering the same to your regulator. You may not like the response you get from the regulator.
As the New Year dawns, financial firms should only expect greater and more sophisticated attacks. After all, not only do you house personal identifying information, you also have access to client funds.
In a recent Investment News round-table, this threat was considered in more detail. There were a number of concerns noted, which include:
- Email. In particular, client generated email should be a real focus because it may be very difficult to determine if it is really the client or a hacker emailing you.
- Your IT infrastructure (hardware/software). Make sure you understand your IT architecture because this is one of the only ways you can assess and correct weaknesses in your systems against possible attack.
- Education. Are you educating your advisors about your systems, policies and procedures and are they educating their clients about caring for their sensitive information that hackers are looking to steal or manipulate to gain access to your systems?
- Vendors. You have to ask yourself how safe the vendor is and whether you should trust it to have access to your systems, because a hacker can access your IT system through a vendor weakness.
There are many more issues that you will likely face when it comes to cyber threats in the coming year. But take one step at a time.
Can you honestly say you are doing all you can about the above? If not, regroup and revisit. If so, move on to review additional risks to your IT environment. After all, you are on the front lines of this battle.