Our partner, Frank C. Razzano, has recently published an article, entitled “What Lies Ahead: Halliburton v. Erica P. John Fund, Inc.,” in the Securities Regulation Law Journal (Spring 2015). It is a great article discussing a recent United States Supreme Court decision dealing with class actions. Kindly let us know if you would like a copy for your review.
The Department of Labor delivered on a longstanding but controversial promise when it recently proposed a fiduciary duty rule for all brokers who work with retirement accounts. The primary purpose of the proposed rule is avoidance of conflicts of interest.
If the proposed rule becomes final in its current form, it will have the following impact:
- Anyone who is paid for providing individual advice to a plan sponsor, a participant in a retirement plan or an IRA for consideration of investments will be a fiduciary.
- It will continue to be acceptable for a plan sponsor and providers to continue educating investors in workplace plans and IRAs without being considered a fiduciary.
- Any fiduciary adviser must provide investment advice that is impartial and in the best interests of the client.
- Under what is called the “best interest contract exemption”, firms and individual advisers operating in conformity with the exemption can receive commissions and revenue sharing, but have to act in the clients’ best interests, and disclose potential conflicts and hidden fees.
This rule is a long way from becoming final, and, for that matter, may never become final. Nevertheless, the trend is set. Maybe the SEC will be next. . . .
At one time or another, member firms will likely need the services of an outside vendor. This may be particularly true for smaller member firms. Outside vendors have their place, but FINRA’s Report on Cybersecurity Practices details the level of vigilance needed when it comes to contracting with vendors who have access to your IT systems.
The first thing that firms must do to protect themselves is to perform due diligence on the prospective vendor. On cybersecurity in particular, FINRA has noted that vendors should have a number of controls in place, including limits on data access by vendor employees, virus protection, and encryption of data while at rest and in transit, to name a few. The key for firms is to make sure that these controls are covered in your vendor contract.
FINRA noted that a number of firms that were reviewed had language in their contracts that included provisions on the following subject areas:
- Non-disclosure agreements/confidentiality agreements.
- Data storage, retention and delivery.
- Breach notification policies.
- Right to audit clauses.
- Vendor employee access limitations.
- Use of subcontractors.
- Vendor obligations upon contract interpretation.
Best practices would certainly dictate including these areas in any contract with a vendor, especially those who have access to your IT systems. If your contracts do not cover these areas, it is time to revisit your vendor contracts and bring them up to date to account for cybersecurity.
Around this time last year, the Securities and Exchange Commission’s Office of the Whistleblower warned lawyers that they may be disciplined for drafting contracts to incentivize whistleblowers to not bring alleged company wrongdoing to the SEC’s attention. It appears the SEC is beginning to make good on its threat. Last week, the SEC resolved its first enforcement action against a company for allegedly using improperly restrictive language in confidentiality agreements with the potential to stifle whistleblowers. That company agreed to pay a $130,000 penalty to reach a “no admissions” resolution with the SEC.
According to the SEC, the company required witnesses in certain internal investigation interviews to sign confidentiality statements with language warning that they could face discipline and even be fired if they discussed the matters with outside parties without the prior approval of the company’s legal department. Since these investigations included allegations of possible securities law violations, the SEC asserted that these terms violated Rule 21F-17 (enacted under the Dodd-Frank Act), which prohibits companies from taking any action to impede whistleblowers from reporting possible securities violations to the SEC.
The SEC said there were no apparent instances in which the company actually prevented employees from communicating with the agency, but that such a “blanket prohibition” on discussing internal investigations with outsiders has “a potential chilling effect on whistleblowers’ willingness to report illegal conduct to the SEC.”
In addition to paying the fine to the SEC, the company also amended its confidentiality agreements by adding language making clear that employees are free to report possible violations to the SEC and other federal agencies without company approval or fear of retaliation.
As we previously cautioned, general counsel and securities compliance attorneys should be careful when drafting employment contracts to avoid including language that could be interpreted to incentivize employees to keep potential securities fraud whistleblower complaints in-house or confidential, or in this case disincentivize whistleblowers from bringing those complaints to the SEC. While the disclaimer described above should certainly be included in any employee confidentiality restrictions, the SEC has not stated that such a disclaimer would be a safe harbor for companies. Thus, counsel may want to consider additional cautionary language or revisions to their employment agreements to avoid broad restrictions that could discourage potential whistleblowers from reporting violations to the SEC.
In a recent Acceptance, Waiver and Consent (“AWC”) a broker dealer was censured and fined for, among other things, the failure to conduct an adequate pre-hire investigation of a registered representative. The importance of this AWC is that it may signal FINRA’s mindset for what firms must do under Rule 3110(e).
Under Rule 3110(e), FINRA expects member firms to do more of a background check than simply reviewing the new hire’s CRD, and requires firms to have written supervisory procedures specifically designed to verify the accuracy and completeness of the information on the applicant’s U-4. The AWC noted that the member firm only reviewed the new hire’s CRD, and did not conduct any further investigation of that information even though the CRD showed the following: reportable events, including criminal charges, a termination for cause and customer complaints of unauthorized trading.
Although the AWC pre-dates the “go-live” date for Rule 3110(e), it is instructive to member firms. The AWC echoes the fact that a firm will not be insulated if it limits its pre-hire review to the information that appears in the CRD of the potential new hire. Instead, the member firm must do more to get behind the information contained on the CRD for a more detailed understanding.
Rule 3110(e) becomes effective on July 1, 2015. Between now and then, firms should be reviewing their written supervisory procedures regarding pre-hire due diligence. Make sure you have procedures that go above and beyond the CRD, or be faced with possible consequences for the failure to do so.
At least one New York City official would answer that question in the negative. The city comptroller released a proposal that would require a financial advisor to clearly state whether he or she must act in the investor’s best interests.
In other words, do what the SEC has yet to do through a uniform fiduciary duty for all advisors who provide retail investment advice. Under the city comptroller’s proposal, an advisor would have to provide the following disclosure at the beginning of the relationship and frequently thereafter:
“I am not a fiduciary. Therefore, I am not required to act in your best interests, and am allowed to recommend investments that may earn higher fees for me or my firm, even if those investments may not have the best combination of fees, risks and expected return for you.”
A concern raised by this proposal is that it is not neutral, but instead unfairly focuses on broker dealers. That concern could be addressed by adding to the statement a message about the suitability standard that broker dealers must follow.
Although it is unclear whether this proposal will ever make it to the legislature, it shows a growing impatience with the SEC’s failure to adopt a uniform fiduciary duty standard. Maybe this proposal will send a message that the SEC has to finally take action on the long promised uniform standard.
Over the years that I have defended financial advisors and their firms, I have frequently spoken and written about ways to avoid the risk of being sued. I prepared a guidebook a couple of years ago that detailed some common sense approaches to risk avoidance. I have updated that guidebook to take into account new issues that you face. You can access this material by clicking on guidebook.
I hope that you find this of use in avoiding the risk of being sued.
We recently highlighted the Securities and Exchange Commission’s 2014 OCIE Cybersecurity Initiative. Not to be outdone, FINRA also released its Report on Cybersecurity Practices, which provided a much more in-depth report on cybersecurity. Therein, FINRA offered its own insights into what it expects from firms’ cybersecurity risk management practices:
- FINRA recommends that firms have a sound governance framework with strong leadership, including board- and senior-level engagement on cybersecurity issues.
- Firms should conduct comprehensive risk assessments of external and internal threats, as well as asset vulnerabilities.
- FINRA expects firms to implement sound technical controls, such as identity and access management, data encryption, and penetration testing.
- FINRA recommends that firms develop, implement, and test incident response plans, which should include containment and mitigation, eradication and recovery, investigation, notification, and making customers whole.
- Regarding the use of vendors, FINRA recommends that firms should establish appropriate contract terms and perform strong due diligence before and during the engagement.
- FINRA emphasizes the need for training that is tailored to staff needs.
- FINRA encourages firms to take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.
Firms that are deficient in any of these areas should review FINRA’s Report in detail and consult outside counsel regarding implementation of cybersecurity risk management practices to ensure compliance. Not doing so leaves deficient firms open to more than just the increased threat of data breach – the SEC and FINRA could come down hard on firms that do not have a fulsome cybersecurity policy, either during an examination or after a breach. Do not fall behind on cybersecurity.
For more information and resources related to cybersecurity, check out Fox Rothschild’s Privacy Compliance & Data Security blog.
Earlier this week, FINRA launched its redesigned website FINRA.org. The website boasts a cleaner and more intuitive design, making information easier to find and read for users. Streamlined navigation also allows users to more quickly access tools and resources on this site, such as BrokerCheck, investor education, and information about registration and qualification exams. In particular, BrokerCheck users can expect an improved experience.
Additionally, FINRA.org has improved its search capabilities. Users can now narrow and sort search results according to content type, date, and other parameters. This improved search functionality is simple, yet effective, and will save time by allowing users to focus their searches and receive targeted results.
FINRA.org also now has a mobile-friendly platform, which differs depending on whether you are using a smartphone or tablet. Certainly this addition is long overdue and will allow users to more easily access FINRA’s website on the go.
FINRA.org is an excellent source of information regarding FINRA’s past, present, and future actions and decisions. Previously, I found the website to be outdated and not user-friendly, and would often just use Google to search for FINRA related information. I am hopeful that with these changes, particularly the search functionality, FINRA.org has become a more useful database for practitioners. Time will tell.
More and more investors are using social media as a tool for their investing needs. As a result of the inherent risks associated with social media, the SEC has issued an Investor Bulletin to highlight best practices for those clients.
It makes sense for firms to review this Bulletin so that you are in the best position to advise your clients accordingly about their use of social media as an investing tool. The SEC’s tips included the following:
- Check the security default settings and modify them before posting any information on social media.
- Consider customizing the privacy settings to minimize the amount of available biographical information.
- Never communicate account information through social media; a financial advisor’s social media site may not be firm-sponsored and subject to firm-specific security settings.
- Think long and hard before accepting “friend” requests from a financial services provider, particularly when considering the purpose of the social media site.
- Investors should understand the functionality of the site before broadcasting any financial information because certain information may be widely seen.
- Investors should always have a strong password, at least eight characters and with a mix of letters, numbers and symbols.
- Use separate and unique passwords for each social media site.
- Investors should avoid accessing their social media accounts through public or shared computers.
- Be very careful before clicking on a link, even if it appears to be one from a “friend”.
- Secure your mobile devices with a unique password, especially if the mobile device is linked to any of the investors’ social media accounts.
These are only a handful of suggestions from the SEC. If you have clients using social media as an investing tool, you would be well-served to give them this guidance, or else they too may be the victim of internet crime.