Over the years that I have defended broker-dealers and investment advisors on customer-initiated claims, I have seen many things that would make any compliance officer cringe. One spine-tingling (not in the good way) type of conduct is when an advisor engages his/her client when the client makes an informal complaint, instead of routing the complaint to compliance/supervision.

So why is engagement against the rules of engagement? The most important reason is that engagement (aka arguing) may only turn a simple customer service issue into a formal complaint. Rather than engage, my experience suggests that it is better to get the complaint (assuming it is in writing) to the proper person in compliance/supervision.

Dealing with an oral complaint is a little trickier because you are put on the spot. Nevertheless, the best course, as hard as it may be, is to try to defuse the situation by expressing that you understand the issue that is being raised, you will look into the issue and, finally, will respond further as soon as possible.

By defusing instead of engaging, you give all sides the opportunity to let cooler heads prevail. Many times a customer service issue can be easily addressed by taking a little time to consider the issues and formulate a response/course of action instead of blurting out the first thing that comes to mind; that is invariably the worst thing to say.

If you get a complaint, don’t jump to respond. Use your resources and formulate a well-reasoned response. Sometimes the client is wrong, but arguing with the client gets you nowhere except guaranteeing litigation.

Anyone in a professional service business, like being a stock broker, has been faced with a client who decides to make a stupid decision. But the issue we all face is, when that decision results in the client losing money, who is to be held accountable?

Fortunately, the law does not require you to stop a client from making a stupid decision with their investments. As long as a broker-dealer’s advice was suitable and the investment advisor’s advice is in keeping with the fiduciary duty, you should not be held accountable.

But this does not mean a client who has now lost money won’t try to hold you accountable for letting them make a stupid business decision. So how do you protect yourself?

The best way to protect yourself is to send the client a letter or email at the time that the client makes the bad decision. The communication should detail why you think it is a bad decision and the potential ramifications associated with that decision.

At a minimum, you should make a note in your file, either electronic or in hard copy, that the client made the bad decision and that you (presumably) advised against it.

The law should protect you from stupid clients, but make sure you protect yourself. Contemporaneous communication to the client and notation to the file may save you millions of dollars in the future.

In this day and age of instant information and overstretched supervisory personnel, you have to be careful to avoid forgoing a very useful supervisory tool. Meeting face to face with those associated persons under your supervision on a regular basis could mean the difference between rooting out rogue advisors and being subject to regulatory and civil actions.

Face to face meetings are even more important where the people you supervise are in regional offices. In other words, those advisors you do not see on a regular basis. With these people in particular, you must go to their offices for regular visits.

You may ask why it is so important to have face to face contact with the people you supervise. After all, you monitor email and correspondence on a daily basis. The advisor submits her outside business and AML forms on at least an annual basis. So who cares about a face to face?

Believe it or not, people lie on forms. It is easier to lie on paper (real or electronic) than it is in person. Also, seeing someone in their natural environment may make it easier to solicit information from them because they are relaxed.

Face to face meetings also help to show whether a person is living beyond his or her means. For example, what would it mean if a mediocre producer is now driving a Ferrari? Maybe nothing, but maybe a lot more.

People living beyond their means can be a sign that they have another source of income, legitimate or not. You would never know if there is a potential issue if you did not bother to go to this person’s office for a face to face. That person could be the next Madoff, but you would never know if you only sat in your office and stared at a computer screen all day.

If you are going to supervise, then do it. Never forget the value of face to face meetings with those under your supervision.

Unlike lawyers, especially litigators, the business model of a financial advisor is not dependent upon clients being stupid. Instead, financial advisors depend on their clients making smart decisions after full disclosure and consideration after speaking with their financial advisor. So what do you do when clients make stupid decisions?

In defending brokers over the years, I have seen multiple instances where clients made stupid decisions. From a legal standpoint, there is generally no duty to prevent a client from making a stupid investment decision. It is what the advisor does in response that is the most important lesson to learn.

The mistake is when the advisor ignores his client’s stupid decision because the advisor provided proper advice in the first place. The key thing is to document any instance where your client ignores your advice and does something stupid. A brief story solidifies this point.

A number of years ago, an advisor told his client not to sell his life insurance policy to take the cash out until the client cleared underwriting on a new policy. Of course, the client ignored the advice, went over the advisor’s head and cashed out the policy without clearing underwriting on the new policy. Turns out the client was “deathly” allergic to bee stings.

We were able to successfully defend because of something that the advisor did. He documented his recommendation not to cash out the old policy without underwriting being completed on the new policy.

But for the smart actions of the advisor, this situation would have turned out much differently. It is just as important, if not more so, to document when a client ignores your advice as it is when you give advice to your clients. Doing nothing is never an option.

In the near 20 years that I have been defending financial advisors against claims, many of which were brought by seniors, the biggest issue that I have seen is the failure to document the file in a proper manner. Why does this matter, you may ask?

First and foremost, the way a file is documented tells a story about how the advisor managed the relationship. This is even more important now that there is an intense focus on suitability issues with senior investors. The better and more detailed the documentation in the file, the easier it will be to defend against any suitability claim.

Another key is to document all communications with your clients, especially seniors. This particularly comes into play when a client ignores your advice. When a client ignores your advice, an email or letter to the client detailing that action and the consequences for doing so is key, and can mean the difference between winning or losing a case.

One last comment deserves mention. If your file lacks documentation, do not try to recreate it after a client complains. Speaking from personal experience, recreating documents does not end well for the advisor. You can still defend yourself when your file is documentation-light, but you can’t when you alter your file.

So remember, it is all in the documentation. Have very good documentation and protect yourself. Don’t document your file and roll the dice. The choice is yours.

In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.

This unfortunate situation shows another side of data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.

If someone really wants to get around your system, that person will likely do so. So what to do?

One thing firms should consider is a logging system when an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when and how often. The enforcement opinion was silent on any firm protocols in this regard.

Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm’s favor because it may have revealed unusual activity that the firm could have further explored.
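As an added illustration (not part of the original post or the enforcement opinion), here is one way a supervisor's review of such an access log could surface unusual activity. The CSV field names, the sample records and the thresholds are all assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_sample():
    """Constructed access-log records (not real data): who opened which client file, and when."""
    rows = ["timestamp,rep_id,client_id,action"]
    dates = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]
    for i, date in enumerate(dates):
        for n in range(3):  # R202 opens the same three client files every day
            rows.append(f"{date}T10:{n:02d}:00,R202,C{n},view")
        burst = 12 if i == 4 else 2  # R101 opens 2 files a day, then 12 on the last day
        for n in range(burst):
            rows.append(f"{date}T09:{n:02d}:00,R101,C{100 + n},view")
    return "\n".join(rows) + "\n"

SAMPLE_LOG = build_sample()

def daily_clients(log_text):
    """Return {rep_id: {date: set of client_ids accessed that day}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(log_text)):
        day = datetime.fromisoformat(row["timestamp"]).date()
        seen[row["rep_id"]][day].add(row["client_id"])
    return seen

def unusual_days(log_text, factor=3, floor=5):
    """Flag (rep, day, count, baseline) when the number of distinct client files a
    representative opened in one day is at least `floor` and more than `factor`
    times that representative's own median on the other days in the log."""
    flagged = []
    for rep, days in daily_clients(log_text).items():
        for day, clients in days.items():
            others = [len(c) for d, c in days.items() if d != day]
            if not others:
                continue  # only one day on record: no baseline to compare against
            baseline = median(others)
            if len(clients) >= floor and len(clients) > factor * baseline:
                flagged.append((rep, day.isoformat(), len(clients), baseline))
    return sorted(flagged)

if __name__ == "__main__":
    for rep, day, count, baseline in unusual_days(SAMPLE_LOG):
        print(f"review {rep}: {count} client files on {day} (typical day: {baseline})")
```

Comparing each representative against their own history, rather than a firm-wide number, keeps a naturally busy advisor from being flagged every day while still catching a sudden jump.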

The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a fulsome data security program.

A recent AWC demonstrates the old Watergate adage that the cover-up is always worse than the crime. In this AWC, FINRA suspended a registered representative for ten (10) months and fined her $15,000.

Among other things, the representative inaccurately identified her assistant as the person placing trade orders where the assistant was the only person between them licensed in the state. This person then went to another broker-dealer where she entered 200 discretionary trades without prior written client authorization or broker-dealer approval.

As if these securities violations were not bad enough, what came next really did this person in with FINRA. She lied to the first firm that her assistant placed the trade order and then went to her assistant and asked the assistant to confirm the lie. With the second broker, this person misrepresented on the branch office questionnaires that she had never entered any discretionary trades when she had actually entered 200.

So what are the takeaways? It is likely that the securities violations would have resulted in this person being terminated from both firms. However, it is an open issue if she would have been suspended for as long as she was and fined as much as she was but for lying and asking another person to do so on her behalf.

Although it may be difficult to accept, the best course of action when you mess up is to deal with what you did as opposed to lying about it and making the situation worse. As a number of people in the Nixon Administration learned, the cover-up is always worse than the crime.

A good test to guide your conduct is to ask yourself whether you would be embarrassed to hear about the situation on the news. If so, you are going down the wrong path.

As we all know, cybersecurity remains a top priority for the SEC and FINRA. Unfortunately, a recent Investment News article would suggest that firms do not take it as seriously, or, at least, firm employees do not.

A recent study of passwords by SplashData demonstrates that advisers and firm employees are not taking to heart their role in the firm’s cybersecurity. The study showed that login passwords still include such impossible ones to decode like “12345” or “password”.

It is hard to believe that in this day advisers do not accept their own responsibility for securing client and firm data. For example, firms should consider multilevel verification for access to client information. Another change would be to have computers lock (requiring a password entry) after a shorter period of time. Although possibly inconvenient, this will better protect firm systems.

It seems to me that this study and article show that something is missing. That something seems to be adequate education and training. How else can you explain anyone using “12345” or “password” as a password?

Quite frankly, time is running out for firms. Your regulators are, no doubt, going to ding you if you have such weak passwords protecting client data. So what should you do?

First, adequately train all staff about the importance of an effective password. Second, make it a firm requirement that passwords be changed every 60 to 90 days. Third, implement multilevel steps to access client data.

You don’t want your clients reading about you being dinged by a regulator for not having adequate passwords. Take action now, and before it is too late.

As of December 12, 2015, FINRA will release Form U-5s within three business days of a member firm’s submission, instead of the fifteen days currently provided for under Rule 8312. The current version of the rule was meant to provide the departing registered representative ample opportunity to comment on the disclosure either through a Form U-4 or submitting a comment directly to FINRA. So why shorten the time period?

BrokerCheck, FINRA’s on-line resource, makes certain information on Forms U-5 available to the public. In its never-ending effort for more transparency in the financial markets, FINRA wants this information available to the public faster than in the past, while at the same time providing the departing representative the opportunity to comment on the disclosure event.

Ideally, the representative left voluntarily to seek another opportunity such that the expedited comment period will make no difference. For those who are leaving a firm under less than ideal situations, they will have to move much faster to get “their side” of the story to FINRA.

In this day and age, more and more of the consuming public is using BrokerCheck. If you leave a firm, don’t dawdle responding to the Form U-5. Seek assistance where necessary to make sure your side of the events is accurately portrayed; otherwise, your “good name” may be forever impacted without you having a meaningful opportunity to comment.

In order to have sound cyber-security protocols, you need to do more than just physically protect your systems and have written supervisory programs. Specifically, you need to fully engage your clients to be part of the protocol. Their participation can make your program work that much better than without them.

How so? For one, every firm should educate its clients about what type of materials, electronic or otherwise, the client should expect to receive from the firm. You should likewise tell clients to report back to you if they receive something not in keeping with the list you previously provided.

For example, clients should be reminded that trades and money transfers are not handled via email. Any email solicitation of trades or transfers should be reported to the firm because that may reflect a security gap.

Many clients have access to their accounts on line. These clients should be reminded not to share their passwords with anyone. Likewise, the firms should have a multiple verification process to allow clients to access their statements on-line; i.e., a password and a security question to which only the client would know the answer.

Finally, you should consider having a standard presentation that you can provide clients about your cyber-security protocols. In other words, let your clients know what you have and what you are doing to protect their data.

In short, any sound data security program is going to engage a firm’s clients as much as its own internal systems, programs and policies. A collective effort is the best course to protect firm and client data. Without this joint engagement, you only run a greater risk of client harm when you have a breach.