Broker-Dealer Regulation

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures.  Even the best policies and procedures may, however, not protect the firm in every instance.  So what do you do if there is a breach?

One of the most important things to determine is what law governs.  In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated.  Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.



In the hectic world of financial services, registered representatives and investment adviser representatives are always looking to increase their assets under management. At what cost? Are there situations where you would be better off just saying no to accepting that one additional client?

In my many years of defending representatives and advisers from customer complaints, the unqualified answer is yes; there are situations when you are better off just saying no. Any good risk avoidance program will provide for the proper screening/selection of prospective clients. I have addressed this very issue in a risk avoidance handbook.

The key to this screening process is being able to sniff out the types of clients that you do not want to accept. For example, are you the fourth adviser that this client has come to in the last four years? Does the client profile not fit your personal/company investment philosophy? Does the client have unrealistic expectations on what she is expecting you to deliver?

If the answer to any of these questions is in the affirmative, there should be a huge stoplight in front of you flashing red. Any client who fits any of these descriptions is also the client most likely to bring a claim against an adviser.

So before you take on any client with a little money, be cautious. Are there red flags coming into the relationship? If so, just say no.

Every time that I start a FINRA arbitration, I find myself having the same internal debate: did we pick the right person to serve as the arbitration chair? Unfortunately, you will not know the answer to that question until after your arbitration begins, or, more likely, after the award is issued. FINRA has proposed a rule change to open up the field for chair arbitrators.

Under the proposed rule, attorneys can serve as public arbitrator chair with less experience than they were required to have in the past. Pursuant to this proposal, attorneys would only need to have served on at least one arbitration that went to an award and completed the chair training.

FINRA’s stated purpose for the rule is to “protect investors and the public interest” by increasing the pool of eligible chairpersons. This way, chairs would ideally no longer have to travel to serve as a chair.

In theory, this all makes sense. If there are more available chairs, then investors and the industry will be better served. But will this work?

In my view, much still falls on the parties to critically review the CVs of potential chairs and do your due diligence. Call other lawyers who have had arbitrations with that person. Do some research of the professional backgrounds of the potential chair. After all, just because a lawyer passes FINRA’s vetting process does not mean that you would want that person as your chair.

Over the years that I have defended broker-dealers and investment advisors on customer-initiated claims, I have seen many things that would make any compliance officer cringe. One spine-tingling (not in the good way) type of conduct is when an advisor engages his/her client when the client makes an informal complaint, instead of routing the complaint to compliance/supervision.

So why is engagement against the rules of engagement? The most important reason is that engagement (aka arguing) may only turn a simple customer service issue into a formal complaint. Rather than engage, my experience suggests that it is better to get the complaint (assuming it is in writing) to the proper person in compliance/supervision.

Dealing with an oral complaint is a little trickier because you are put on the spot. Nevertheless, the best course, as hard as it may be, is to try to defuse the situation by expressing that you understand the issue that is being raised, you will look into the issue and, finally, will respond further as soon as possible.

By defusing instead of engaging, you give all sides the opportunity to let cooler heads prevail. Many times a customer service issue can be easily addressed by taking a little time to consider the issues and formulate a response/course of action instead of blurting out the first thing that comes to mind; that is invariably the worst thing to say.

If you get a complaint, don’t jump to respond. Use your resources and formulate a well-reasoned response. Sometimes the client is wrong, but arguing with the client gets you nowhere except guaranteeing litigation.

When faced with a customer complaining through a letter or email, it is human nature to try to appease the customer with a conciliatory response or no response at all. I have seen this “human nature” all too often when defending brokers and advisors from customer complaints.

In almost all instances, the complaining customer now claims that the conciliatory comment or non-response is the functional equivalent of an admission by the broker/advisor that he/she did something wrong. In turn, the broker denies that he/she made any admissions by being conciliatory or silent. While I generally agree with the advisors, it is always an issue that must be overcome.

So what should an advisor do when confronted with a nasty/accusatory email/letter? Most important, forward the communication to the person/persons who are designated in your company to handle customer complaints, regardless of whether you “think” this person is just blowing smoke.

Someone should always respond to such a communication. The responding communication does not have to be the functional equivalent of beating up baby seals with a bat. Instead, it should be nice, but be firm at the same time.

If a client claims that you misrepresented an investment that you recommended, the response should remind the client in detail what was discussed, and why the investment falls within the client’s overall investment objectives, goals and tolerance for risk. Ideally, prior written communications on the subject will be sent back to the customer as part of this “reminder.”

Although nothing will ultimately keep a client from suing you if he/she is really inclined to do so, avoid potentially making it worse by not responding or being too conciliatory to a complaining email/letter. The last thing you want to have to do is explain away the poor response (or absence of any response) to an arbitrator or jury who may not really understand you were just trying to be nice.

The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging impact on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you better start.

The SEC is prepared; are you?

If you thought the SEC and FINRA were serious about elder issues, welcome to Alabama, Indiana and Vermont. Each has focused on elder abuse issues.

These states will have mandatory reporting to state officials in instances involving the disabled or those over 65 years of age. They will also allow advisors to cease disbursing funds from clients and provide advisors with immunity associated with doing so. So what does this all mean?

For one, states are starting to run on the coattails of federal regulators who have made elder issues an examination priority in recent years. In addition, such state laws should be a wake-up call for brokerage and advisory firms who service elder and

The actions of these states should force you to ask yourself: what is my firm doing to prevent, detect and report elder abuse? Although a FINRA proposed rule does not require reporting, its goal is the same because it would allow advisors to designate a third party whom they can inform of suspected problems.

In the absence of reporting requirements, firms should consider having clients aged 65 or above designate a trusted family member or friend when the advisor suspects that the client may be the subject of some abusive conduct. At that point, you may have a group approach to address suspected abuse.

Firms may also want to consider requiring these elder clients to designate a trusted family member or friend to receive copies of account statements. This way, someone who is “independent” can check an account for irregular activity as well.

Whether you are required to address elder abuse or not, firms should make sure that they are taking special care with their elder clients. Federal regulators and now states are focused on the issue. Are you doing anything to make sure your firm does not get into an elder abuse nightmare?

If you cannot answer this question, you may have an issue when you have your next FINRA exam. After all, firm culture is a FINRA exam priority. Does your firm have a culture of compliance?

This question only leads to another: what is a culture of compliance? For one, this is something that has to resonate from the top down. If senior management ascribes to uphold firm compliance, that should promote the “culture of compliance.”

For example, does senior leadership enforce the firm’s written supervisory processes and procedures? In doing so, does senior management hold everyone accountable the same way, or are exceptions made for the “big producers”? If exceptions are made, you are not promoting a culture of compliance.

Does senior management ensure that there is adequate training of all personnel? There should be a robust and mandatory training program to account for changes to the rules and to make your personnel aware of risks and how to avoid them; one of the biggest being data security.

These are only two of many considerations for assessing whether there is a culture of compliance. The key in it all is leadership from the top. After all, people cannot follow a leader who does not lead. Be a leader.

My friend and a legend in the securities regulatory field, Edwin Nordlinger, who served as Deputy Regional Director in the SEC’s New York office for years, was one of the nation’s premier experts on the SEC’s net capital and customer protection rules.  He taught hundreds of SEC staff members and others about these rules over the years.  However, when Ed would begin one of these lectures, he would always introduce himself by saying: “Hello, I am Ed Nordlinger from New York, where you do not go to jail for killing people, but you will go to jail if you violate the net capital or customer protection rules.”  Well, Ed, you continue to be right on point about these rules and their impact.

The SEC’s net capital rule, SEC Exchange Act Rule 15c3-1, requires firms to maintain certain capital so that the firms will be able to meet their financial obligations to customers and other creditors.  Similarly, SEC Exchange Act Rule 15c3-3, the customer protection rule, requires a firm that clears transactions to maintain certain reserve amounts to protect customers in the event of a firm failure.

Recently, the SEC found a firm to have violated the customer protection rule, and settled the matter with the firm whereby the firm agreed to pay a fine of $358 million and a total amount of $415 million.  Further, the SEC also charged the firm’s regulatory reporting officer and financial operations principal for aiding and abetting the violations by misleading regulators about the real reason behind certain transactions that caused the violations.  In particular, the SEC claimed that the firm used synthetic securities transactions solely to reduce the reserve calculation and release capital.  The firm also apparently used non-qualifying bank accounts that could be subject to bankruptcy if the firm were to fail.

The real kicker, however, is the SEC’s announcement that it plans to undertake a targeted sweep of firms to find potential violations by other firms of the customer protection rules.  Of course, the SEC also encouraged firms to self-report any potential violations of the customer protection rule.

In short, Ed, after all these years, you are still right.  Firms need to seriously undertake compliance with these rules, or there will be significant consequences.  Accordingly, although the rules may seem technical with no fraud or customer losses, the SEC plans major activity to ensure compliance.

The SEC recently announced that an equity advisory firm and its owner agreed to pay more than $3.1 million to resolve charges that they improperly engaged in brokerage activity, as well as charging fees without registering as a broker-dealer.  In other words, the firm acted like a broker-dealer but never bothered to register as one.

The SEC’s investigation demonstrated that the firm performed brokerage services in-house, instead of using investment banks or broker-dealers to handle the acquisition and sale of portfolio companies for a pair of equity funds they advised.  Interestingly, the firm disclosed to its customers that it would provide brokerage services and charge customers a fee for doing so.

The problem is that the firm provided those services itself even though it was not registered to do so.  This action should serve as a warning, particularly for firms who may be engaged in Reg. D offerings.

If, as part of the offering, you find yourself engaged in the sale of securities, you better be registered as a broker-dealer to be doing so.  Alternatively, you could have retained the services of a broker-dealer to sell interests in the fund.  The law is clear; you need to do one of the two.

Another point of interest is that the SEC uncovered this improper conduct through an ordinary examination of the investment advisory firm.  In other words, there was no customer complaining that it suffered any harm.  So what lessons are to be learned?

For one, only broker-dealers can engage in brokerage services.  Second, the SEC in its exam process is looking for such activity and going after it.  Don’t make the same mistake; register as a broker-dealer or retain one to provide those services for you.