
Securities Compliance Sentinel

Analysis of cutting-edge securities industry issues

Who Wants To Avoid Being Sued In This Market

Posted in Arbitration, Financial Industry Trends, Public Customer Arbitrations, Punitive Damages, Registered Representatives

Now that I have your attention, there is a tried and true method of avoiding customer complaints, especially in this volatile market. All too often, clients hide in their shelters when the market gets rough. The biggest mistake you can make is hiding in your own shelter.

The best way to avoid a customer complaint in these trying times is to take the proactive approach and reach out to each and every one of your clients to take their temperature. Ideally, either you or one of your assistants will speak with each customer. At a minimum, you should email everyone to let them know you are on top of things and remind them to call if they want to discuss any concerns.

Many will only need a bit of hand holding. Some may want to revisit their overall investment goals and objectives. Most will just want to hear a friendly voice.

The worst thing you can do is nothing. This sends the opposite message to your clients; namely, that you care more about their money than about them.

If you show a little proactive care, you may be surprised by the results. Some of your clients may have money on the sidelines and be willing to deploy it in the market adjustment. But you will never know if you do nothing. Nothing can only lead to one ending: a customer complaint. Don’t be a do-nothing.

SEC Cracks Down on Compliance and Surveillance Failures

Posted in Compliance and Supervision, Insider Trading, SEC Compliance, SEC Enforcement, Uncategorized

Earlier this week, the Securities and Exchange Commission agreed to settle charges with a company related to prevention and detection of potential insider trading.  The SEC alleged that the company failed to enforce policies and procedures to prevent and detect securities transactions that could involve the misuse of material, nonpublic information, and that the company failed to adopt and implement policies and procedures to prevent and detect principal transactions conducted by an affiliate.  The agreed upon penalty was $15 million.

The SEC brought the charges under Section 15(g) of the Securities Exchange Act of 1934, which requires brokers and dealers to establish, maintain, and enforce policies and procedures to prevent the misuse of material, nonpublic information, as well as Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-(7), which require registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules.

In addition to the financial penalty, the company agreed to retain a consultant to review and recommend improvements to its trade surveillance and advisory account order handling and routing.

This serves as a reminder that the SEC is not just looking for actual insider trading violations, but is also focused on ensuring that the proper safeguards are in place and being followed. Companies should therefore ensure that their policies and procedures to prevent the misuse of material, nonpublic information are not only adequate, but also followed and enforced.

What Do Insider Trading And Data Breaches Have In Common

Posted in Cyber-Security, Federal and State Criminal Activities, Insider Trading, Money Laundering, SEC Enforcement, Securities Fraud

It is bad enough that firms and publicly traded companies have to make sure that their respective IT architecture is safe and secure, but recent developments demonstrate that you also have to be wary of the media outlets with whom you share material, non-public information.

The SEC and the DOJ, in a joint effort, have brought civil and criminal proceedings against individuals who were part of an international scheme that hacked the systems of certain media outlets to steal, and then trade on, material non-public information.

Unfortunately, these events only further demonstrate that, no matter how good your security system may be, you are ultimately at risk of a cyber-attack that may be perpetrated on one of your vendors, or a media outlet. As to the latter, it would seem as though the only foolproof protection is not to provide media outlets with this information.

I doubt that any media outlet would give you any sort of assurances going forward that their systems are not exposed to such a strike. Nevertheless, if you are sharing this information before a public announcement, do your homework.

Ask about the media outlet’s data security program. Explore whether and how frequently the outlet tests its systems against unwanted intrusions. Ask whether they have ever been subject to an attack.

Only after you have reasonable comfort should you share such information. Otherwise, just save it for your public announcement or your filing with the SEC.

CEO-Pay Ratio Rule Adopted by the SEC

Posted in Corporate Governance, Dodd-Frank, Financial Industry Trends, SEC Compliance, SEC Enforcement

As we predicted last month, the Securities and Exchange Commission adopted a final rule that requires a public company to disclose the ratio of the compensation of its CEO to the median compensation of its employees. This measure was mandated under Dodd-Frank (section 953(b)), but the SEC maintains that its rule “provides companies with flexibility in calculating this pay ratio, and helps inform shareholders when voting on ‘say on pay.’” Specifically, the new rule requires public companies to disclose:

  • The median of the annual total compensation of all its employees, except the CEO;
  • The annual total compensation of its CEO; and
  • The ratio of those two amounts.

However, companies are given flexibility in selecting a methodology for identifying their median employee compensation, based on their own facts and circumstances. In doing so, companies are permitted to take into account either their entire employee population or just a statistical sampling, as well as to apply a cost-of-living adjustment. Companies are also permitted to change this methodology once every three years. However, companies are also required to disclose the methodology they use to determine their median employee compensation.

Companies are required to make these disclosures in their registration statements, proxy and information statements, and annual reports, which must already include executive compensation information as set forth under Item 402 of Regulation S-K. However, companies are not required to disclose the pay ratio information in reports that do not require executive compensation information, such as current and quarterly reports, nor to update their disclosure for the most recently completed fiscal year.

The disclosure requirement applies to all companies required to provide executive compensation disclosure under Item 402(c)(2)(x) of Regulation S-K, but not smaller reporting companies, foreign private issuers, MJDS filers, emerging growth companies, and registered investment companies.  Such companies are required to disclose their pay ratio beginning on or after January 1, 2017.

Thus, companies subject to this disclosure should begin testing various methodologies for determining their median employee compensation, so as to be able to disclose a pay ratio that is the best fit for them by 2017.

The SEC May Be Getting A Longer Stick

Posted in Federal and State Criminal Activities, Financial Industry Trends, SEC Enforcement, Securities Fraud, Securities Legislation

Two years ago, the United States Supreme Court stated in an opinion that the five-year statute of limitations for the SEC to seek civil monetary sanctions began from the date of the fraudulent act, as opposed to when the SEC discovered the fraudulent act. In doing so, the Court rejected the discovery rule.

The discovery rule extends the statute of limitations because it provides that the statute does not begin to run until the party bringing the claim discovers the wrongdoing. For example, if the fraud happened 10 years ago but was discovered yesterday, the SEC would have had five years from yesterday to bring a claim against the fraudster. Applying the Supreme Court’s rule noted above, the SEC would be out of luck in bringing a claim for civil penalties.

This week, Senator Reed of Rhode Island introduced a bill that would extend the SEC’s statute of limitations from five to 10 years. Applying this new limitations period, the above-referenced scenario would fall within the time in which the SEC could act.

The logic behind extending the limitations period can be seen as a way to offset the impact of the Court’s decision and the absence of the discovery rule. In other words, it extends greater protection to investors who are the victims of a fraud.

Under the newly proposed limitations period, the SEC would have twice as long to uncover a fraud and seek civil monetary penalties. The moral of the story: if you are committing securities fraud, be prepared for the SEC to have more time to come after you. Better yet, don’t engage in fraud.

Who wants some advice regarding cyber-threats?

Posted in Books and Records, Broker-Dealer Regulation, Collateral Consequences, Compliance and Supervision, Cyber-Security, Federal and State Criminal Activities, Financial Industry Trends, FINRA Compliance, Investment Adviser Regulation, Investment Company Regulation, SEC Compliance

A recent article in Onwallstreet.com highlighted certain areas of focus for investment advisors/broker-dealers when it comes to addressing cyber-threats. The article focused on four areas of particular significance.

First, a firm must have a robust risk assessment approach to cyber-security. After all, a firm cannot develop and deploy cyber-security policies and procedures unless and until it identifies what its risks are.

Just as important, the risk assessment cannot be a one-and-done project. Best practices dictate that firms continually conduct risk assessments to identify new risks. The hackers are changing their tactics, so you may have to as well.

Second, once you develop and deploy policies and procedures, you should create and test incident response plans. Otherwise, how will you know that these policies and procedures work when confronted with an actual data breach?

Third, if you use vendors, perform due diligence on them on an ongoing basis to assess their cyber-security risks. For example, if you outsource email retention, you will want to know how that vendor is going to protect its email storage databases from an unwanted intrusion. Equally important, you want to revisit what the vendor is doing for cyber-security on a regular basis.

Fourth, train and retrain your staff so that they avoid inadvertently exposing the company to malware. Among other things, you should consider a policy for staff to follow before they download anything from an external email or web site.

These are just a few suggestions for an area of ever-increasing focus for both firms and their regulators. Avoid being a victim: assess risk, develop plans and procedures, test those plans and procedures, and educate your staff.

FINRA Election Results: Shaken, not Stirred

Posted in Broker-Dealer Regulation, FINRA Compliance, FINRA Enforcement, Investment Adviser Regulation

The FINRA Board of Governors election results are in. There were three vacancies among the 10 seats reserved for industry representatives: one Large, one Mid-Size, and one Small Firm Governor. John Thiel, head of Merrill Lynch Wealth Management, who ran unopposed, won the Large Firm Governor Seat. Joe Romano, president of Romano Wealth Management, won the Small Firm Governor Seat. And, interestingly, Brian Kovack, president and co-founder of Kovack Securities Inc., won the Mid-Size Governor Seat.

Additionally, as reported by Bernice Napach of ThinkAdvisor, two new governors were appointed to the FINRA board.  Kathleen Murphy, president of personal investing at Fidelity Investments, was appointed as an industry board governor.  Randal Quarles, managing partner and co-founder of the Cynosure Group, was appointed as a public governor.

Kovack’s win stands out as somewhat of a coup, having defeated the FINRA-nominated candidate to represent mid-size firms on FINRA’s Board. As we reported last month, with credit to Melanie Waddell of ThinkAdvisor, Kovack ran a “Dissident” campaign, calling for “immediate reforms” to FINRA’s arbitration system, the exam process, and U4 disclosures. Given Kovack’s victory last week and his presence on FINRA’s Board for the next three years, we should expect to see proposals, or at least discussions, on reforming FINRA’s arbitration process, exams, and U4 disclosures going forward.

A Look Ahead: SEC to Adopt CEO-Pay Ratio Rule?

Posted in Corporate Governance, Dodd-Frank, Financial Industry Trends, SEC Compliance

According to Andrew Ackerman and Joann Lublin of the Wall Street Journal, the Securities and Exchange Commission is “poised to complete a rule requiring companies to disclose the pay gap between chief executives and employees”. Under the proposed rule, companies would be forced to disclose median worker pay as compared to their CEO compensation.  This rule was a measure included in Dodd-Frank, and could be approved by the SEC as early as next week.

A point of contention appears to be the exclusion of overseas workers. The WSJ expects that the SEC will allow companies to exclude 5% of their international workers’ compensation from the pay-ratio calculation; however, companies are pressing for a larger exclusion. There is also concern among stakeholders that the cost associated with compiling such information will outweigh its benefit.

Whether the SEC takes action on this rule next week or not, it is expected to implement a pay-ratio rule in the not-so-distant future.  Thus, companies should continue to provide their comments to the SEC now before the rule passes, and prepare for its eventual impact.

How can a phone call save your career?

Posted in Cyber-Security, Financial Industry Trends, FINRA CRD, FINRA Enforcement

A 17-year veteran advisor recently agreed to a lifetime ban for falsifying the signatures of a client on 10 documents transferring money out of the client’s accounts over a period of two months. Part of this transfer also involved 17 unauthorized trades in the client’s non-discretionary accounts. So how could a phone call have saved this advisor’s career?

It turns out that the advisor was the victim of a phishing scam. Apparently, the client’s email account had been hacked and the hacker emailed the advisor asking for funds to be transferred. This type of scam is commonly called phishing: the hacker probes a potential victim to obtain information or money.

The advisor could have avoided this entire problem if he had simply picked up the phone and called the client to confirm the instruction to transfer funds; FINRA’s records are not clear as to whether such an attempt was made.

Firms can avoid this headache in a couple of ways. First, firms should require all trades/redemptions to be requested via telephone, followed by proper documentation of that request. Second, firms should prohibit advisors from accepting trade/redemption requests via email.

The hijacking of email accounts is one of the oldest and least sophisticated cyber-crimes out there. Yet, people continue to fall for the scam.

Protect yourself. Pick up the phone and call your client. You may save your career and get more business at the same time.


Who wants to know some pre- and post-data breach considerations?

Posted in Books and Records, Cyber-Security, Financial Industry Trends, Internal Investigations

In a recent blog post, Chris Pogue (a digital forensic expert) highlighted a handful of considerations for firms both before and after a data breach. After all, the issue is not really whether you will suffer a breach, but when, and how bad it will be.

Those considerations bear repeating, and include the following:

  1. Retain counsel to navigate the firm through the legal issues that arise from a breach.
  2. Retain external forensic experts to triage when a breach takes place.
  3. Notify relevant law enforcement, such as the FBI, regarding the breach.
  4. Designate one person in the company who will communicate in response to media inquiries; ensure the accuracy of whatever is said, because you cannot take it back.
  5. Fully inform executives, investors, the board of directors and customers regarding the breach; i.e., what happened, why, and what is being done to remediate it.
  6. Decide whether to pursue the hackers criminally/civilly, or to focus on remediation and the prevention of future breaches.

Taken together, these considerations have one focus. You want to be able to demonstrate to your constituents that you took immediate action to understand what happened, correct why it happened, and put yourself in the best position to avoid it happening again.

In light of the highly sophisticated nature of the hackers, it may be impossible to prevent a breach of some kind. It is not impossible, however, to have an action plan ready to deploy in the event of a breach, so that you can protect your company in your constituents’ minds. Prepare now or pay for it later.