The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging impact on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.

The SEC is prepared; are you?

If you cannot answer this question, you may have an issue when you have your next FINRA exam. After all, firm culture is a FINRA exam priority. Does your firm have a culture of compliance?

This question only leads to another: what is a culture of compliance? For one, this is something that has to resonate from the top down. If senior management commits to upholding firm compliance, that should promote the “culture of compliance.”

For example, does senior leadership enforce the firm’s written supervisory processes and procedures? In doing so, does senior management hold everyone accountable the same way, or are exceptions made for the “big producers”? If exceptions are made, you are not promoting a culture of compliance.

Does senior management ensure that there is adequate training of all personnel? There should be a robust and mandatory training program to account for changes to the rules and to make your personnel aware of risks and how to avoid them; one of the biggest being data security.

These are only two of many considerations for assessing whether there is a culture of compliance. The key in it all is leadership from the top. After all, people cannot follow a leader who does not lead. Be a leader.

Unfortunately, a bad broker does not take on the same attributes as a fine wine. Bad brokers rarely improve with time.

At least this was the recent message of Robert Ketchum, head of FINRA. But should all brokers who have any pings on their record be foreclosed from the industry? Certainly not, but what should you do?

The question is tougher when the broker coming to you with some knocks on his record has been a historically high producer for his prior member firm. Surely, there must be more to the story.

In my experience, there usually is more to the story. Just because someone has some marks does not mean he/she is not worthy to be with your firm. But be careful.

Anyone coming to your firm with any pings on their U-4 should be brought on under heightened supervision. This way you can personally assess this person and test the reasons why this person has been pinged in the past. Maybe the registered representative was just the victim of circumstance in the past.

Either way, if you are going to bring someone on with a checkered past, you had better be willing to take the time to watch over this person. After all, by bringing them to your firm, you have assumed responsibility for them. Take caution on the front end or be ready to pay the price later.

It was great speaking at the May 17 New York NSCP regional conference on risk issues facing firms, where Ernie Badway and I discussed cyber-security, risk issues, regulatory matters, issues involving elder clients and ways compliance personnel can protect themselves. For those of you who could not make the conference, these topics are frequently discussed in our various publications. Feel free to access them here and use them as you see fit.

Over the years that I have defended broker-dealers and investment advisors, a more robust overview of outside business activity (OBA) disclosures would have gone a long way to disprove a number of claims. So where did these firms go wrong?

The biggest issue that I have seen is a firm’s willingness to take the OBA of a representative or IAR at face value and not do any further due diligence. In one instance, that due diligence could have unraveled a Ponzi scheme at its inception, instead of years after the fact and millions of dollars lost.

In that case, the representative disclosed a beneficial interest in another business and that certain of his clients used that other business for tax preparation services. Although that other entity was not subject to the firm’s authority, the firm could have done more than nothing.

For one, the firm could have conditioned its approval of the OBA on the representative providing bank account statements for the other firm, so that the FINRA-regulated firm could have assessed how many of its clients were using that other firm. By doing so, the firm could have uncovered that its clients were transferring not insignificant sums from their brokerage accounts to this third party.

Conversely, if the representative refused or was unable to get these statements, the firm could have denied approval of the OBA. Although this extra step may not have exonerated the firm from its representative’s use of the OBA to perpetrate a fraud, it would have provided a solid argument that it should have no liability because the representative acted outside the scope of his authority.

The moral of the story is that there is no perfect system for assessing OBAs. The important thing, however, is to take nothing at face value. Ask questions and push for information. If your employee is unwilling or unable to get that information, then the best thing is to not approve the OBA and lay the foundation for a defense if you are ever questioned about your employee’s outside business activity.

It is no secret that FINRA and the SEC are sharply focused on issues regarding elder clients, including severe disciplinary action. There is another elder “issue” that must be kept in the forefront as well: senior designations.

Senior designations are “certifications” that financial advisors tag onto their other designations, such as CFA. Such designations are meant to give an advisor an air of credibility or specialization when it comes to servicing elder clients.

However, not all such designations are legitimate. Indeed, some are no different than the secret decoder rings we used to get out of a box of cereal. So what should you do?

You should not let any of your advisors tout any such designations unless and until you have had a chance to vet the legitimacy of the designation and the entity that is promoting it. Is there any sort of testing and continuing education requirement to maintain this designation? Have FINRA or the SEC ever commented on this designation and/or the entity that may be promoting it?

The key to any sort of senior designation is for you to conduct proper due diligence to ensure its legitimacy. Otherwise, you run the risk of running afoul of your regulator for allowing your advisors to tout a specialization that does not exist.

FINRA recently barred a registered representative and fined that person $52,270, which represented the commissions he received from the sale of debentures to 12 senior investors. So what was so bad about those transactions?

For one, the high commission investments were not suitable for these elder investors. Second, there were misleading statements made to seven of the 12.

In addition, all but one were retired at the time of purchase. Nine of the ten investors were over the age of 70 at the time of investment.

This disciplinary action is significant because it reinforces two points from FINRA’s 2016 exam priorities. You may recall that FINRA announced it was going to focus on elder issues and, in particular, suitability of investments.

How should firms address these issues? As I have stated in other blogs, the easiest solution is to put elder clients (those over the age of 65) on something akin to heightened supervision. In other words, someone in a supervisory capacity must scrutinize each and every trade made by one of these investors to ensure investment suitability. This may seem a bit much to manage. There is, however, no denying that FINRA is razor focused on this issue and is not taking elder issues lightly.

So maybe heightened supervision is too much for your firm, but do something. Implement some policies and procedures to ensure that proper steps are undertaken to ensure only suitable investments are sold to your elder clients. Otherwise, expect a call from FINRA.

* photo from freedigitalphotos.net

In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.

This unfortunate situation shows another side of the data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.

If someone really wants to get around your system, that person will likely do so. So what to do?

One thing firms should consider is a logging system that records when an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when, and how often. The enforcement opinion was silent on any firm protocols in this regard.

Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor, because it may have revealed unusual activity that the firm could have explored further.
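To make the access-logging idea concrete, here is an added example (not code from the original post or from any firm's system) of the kind of review a supervisor could run over such a log: it tallies, per user and per day, how many distinct client records were touched, how many were exported, and how many accesses fell outside business hours, and flags anything above a baseline. The log format, field names, thresholds and sample lines are all constructed assumptions for illustration.

```python
"""Added example: a minimal review of a client-record access log.

Assumptions (not from the original post): the log is CSV with the columns
timestamp,user,client_id,action; business hours are 08:00-18:00; the
per-user daily baselines below are illustrative placeholders that a firm
would tune to its own activity.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log. Rep "asmith" shows routine activity; rep "jdoe"
# bulk-exports several client records late in the evening.
SAMPLE_LOG = """timestamp,user,client_id,action
2016-05-02T09:15:00,asmith,C1001,view
2016-05-02T09:40:00,asmith,C1002,view
2016-05-02T10:05:00,jdoe,C2001,view
2016-05-02T11:30:00,jdoe,C2002,view
2016-05-02T22:45:00,jdoe,C2003,export
2016-05-02T22:46:00,jdoe,C2004,export
2016-05-02T22:47:00,jdoe,C2005,export
2016-05-02T22:48:00,jdoe,C2006,export
2016-05-02T22:49:00,jdoe,C2007,export
2016-05-02T22:50:00,jdoe,C2008,export
2016-05-03T09:10:00,asmith,C1001,view
"""

BUSINESS_HOURS = (8, 18)    # assumption: 08:00 to 18:00 local is normal
MAX_DISTINCT_PER_DAY = 5    # assumption: distinct client records per user per day
MAX_EXPORTS_PER_DAY = 2     # assumption: exports per user per day


def parse_log(text):
    """Parse the CSV log into a list of dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows, business_hours=BUSINESS_HOURS,
                  max_distinct=MAX_DISTINCT_PER_DAY,
                  max_exports=MAX_EXPORTS_PER_DAY):
    """Return a list of (user, day, reason) findings for a supervisor to follow up."""
    per_day = defaultdict(lambda: {"clients": set(), "exports": 0, "off_hours": 0})
    for r in rows:
        key = (r["user"], r["timestamp"].date().isoformat())
        stats = per_day[key]
        stats["clients"].add(r["client_id"])
        if r["action"] == "export":
            stats["exports"] += 1
        if not (business_hours[0] <= r["timestamp"].hour < business_hours[1]):
            stats["off_hours"] += 1

    findings = []
    for (user, day), s in sorted(per_day.items()):
        if len(s["clients"]) > max_distinct:
            findings.append((user, day,
                             f"{len(s['clients'])} distinct client records (baseline {max_distinct})"))
        if s["exports"] > max_exports:
            findings.append((user, day,
                             f"{s['exports']} exports (baseline {max_exports})"))
        if s["off_hours"]:
            findings.append((user, day,
                             f"{s['off_hours']} accesses outside business hours"))
    return findings


if __name__ == "__main__":
    for user, day, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

Run as-is, the review produces three findings, all for jdoe on 2016-05-02, and nothing for asmith. The point is not the particular thresholds but that the log exists at all: without a record of who accessed what and when, there is nothing for a supervisor to compare against a baseline.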

The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a comprehensive data security program.

FINRA has identified that firm culture is in its cross-hairs. But what is firm culture?

Trying to figure out what’s meant by firm culture reminds me of my law school days studying First Amendment law and, in particular, cases addressing pornography. A former Supreme Court Justice, Potter Stewart, seemed to get it right when he said something along the lines of, I don’t know what pornography is, but I know it when I see it.

I think that the same can be said about firm culture. No one really knows what it is, but FINRA is sure to determine that there is a failure of firm culture when FINRA sees it. So what should you think about when it comes to firm culture?

I think that the easiest way to think about firm culture is to ask what leadership from the top down looks like. How does the firm’s upper management approach issues involving compliance with the law and regulations, as well as the firm’s own written policies and procedures?

If the firm leadership does not take these issues seriously, then that same leadership cannot expect its registered representatives and staff to take those things seriously as well. In other words, the do as I say not as I do philosophy is a failed philosophy.

FINRA has identified firm culture as an exam priority and has recently reemphasized that point in its planned targeted examinations. It is now the put up or shut up moment. Is your firm’s leadership making compliance and supervision issues a top priority? If not, you should expect FINRA to find a problem with your firm’s culture. FINRA is sure to know it when it sees it.

A recent AWC demonstrates the old Watergate adage that the cover-up is always worse than the crime. In this AWC, FINRA suspended a registered representative for ten (10) months and fined her $15,000.

Among other things, the representative inaccurately identified her assistant as the person placing trade orders, because the assistant was the only one of the two licensed in the state. This person then went to another broker-dealer, where she entered 200 discretionary trades without prior written client authorization or broker-dealer approval.

As if these securities violations were not bad enough, what came next really did this person in with FINRA. She lied to the first firm that her assistant had placed the trade orders and then went to her assistant and asked the assistant to confirm the lie. With the second broker-dealer, this person misrepresented on the branch office questionnaires that she had never entered any discretionary trades when she had actually entered 200.

So what are the takeaways? It is likely that the securities violations would have resulted in this person being terminated from both firms. However, it is an open question whether she would have been suspended for as long as she was and fined as much as she was but for lying and asking another person to do so on her behalf.

Although it may be difficult to accept, the best course of action when you mess up is to deal with what you did as opposed to lying about it and making the situation worse. As a number of people in the Nixon Administration learned, the cover-up is always worse than the crime.

A good test to guide your conduct is to ask yourself whether you would be embarrassed to hear about the situation on the news. If so, you are going down the wrong path.

* photo from freedigitalphotos.net