Archives: Investment Company Regulation

The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC’s focus were:

  1. Have a strong password, keep it secure and change it often.
  2. Use a two-step verification process if the firm offers it.
  3. Use different passwords for different on-line accounts.
  4. Avoid using public computers to access on-line accounts.
  5. Cautiously use wireless access to on-line accounts.
  6. Check and double check any links that are sent to you via email purporting to come from your advisory firm.
  7. Secure your mobile devices.
  8. Regularly check your account statements and confirmations for unusual activity.

In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.

Similarly, you should consider providing similar guidance as an investor alert or the like to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.

Although the prospects of suffering a data breach may be ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.

A recent article in Onwallstreet.com highlighted certain areas of focus for investment advisors/broker-dealers when it comes to addressing cyber-threats. The article focused on four areas of particular significance.

First, a firm must have a robust risk assessment approach to cyber-security. After all, a firm cannot develop and deploy cybersecurity policies and procedures unless and until the firm identifies what its risks are.

Just as important, the risk assessment cannot be a one-and-done project. Best practices dictate that firms continually conduct risk assessments to determine new risks. The hackers are changing their tactics, so you may have to as well.

Second, once you develop and deploy policies and procedures, you should create and test incident response plans. Otherwise, how will you know these policies and procedures work when confronted with an actual data breach?

Third, if you use vendors, perform due diligence on them on an ongoing basis to assess their cyber-security risks. For example, if you outsource email retention, you will want to know how that vendor is going to protect its email storage databases from an unwanted intrusion. Equally important, you want to revisit what the vendor is doing for cyber-security on a regular basis.

Fourth, train and retrain your staff so that they avoid inadvertently exposing the company to malware. Among other things, you should consider a policy for staff to follow before they download anything from an external email or web site.

These are just a few suggestions for this ever-increasing focus for both firms and their regulators. Avoid being a victim: assess risk, develop plans and procedures, test the plans and procedures, and educate your staff.

At the end of last month, the SEC provided a guidance update on cybersecurity for registered investment companies and registered investment advisors. This guidance is equally instructive for broker-dealers and registered representatives.
Cyber threats are numerous and ever changing with technology. The SEC provided the guidance to highlight the importance of having a robust cybersecurity program, because the failure to have one is just too risky for you and your clients.

The SEC identified a number of things that firms can do to make sure that they have an adequate cybersecurity program. These include, among others, the following:

  1. Periodic assessments of (1) the nature, sensitivity and location of information the firm collects; (2) internal/external threats; (3) current security processes and controls; (4) the potential impact of a compromise; and (5) the effectiveness of firm governance over cybersecurity.
  2. Creation of a cybersecurity strategy designed to prevent, detect and respond to the threats associated with cybersecurity.
  3. Implementation through written policies and procedures and training that provide guidance from the top to the bottom of the corporate tree concerning threats, and the measures designed to prevent, detect and respond to such threats.

Teenagers playing on their computer are not the only threat to infiltrate a firm’s systems. Organized crime and foreign nations are engaged in this industry as well. Assess your cybersecurity systems on a regular basis throughout the year consistent with the SEC’s guidance, and don’t be a victim.


It is that time of year again. The SEC Office of Compliance and Inspection (OCIE) has announced its examination priorities for 2015. Knowing what these priorities are will help firms gauge their compliance and supervision efforts over the next year.

For firms that are in the retail sector, OCIE has identified particular areas of interest. In particular, OCIE will focus on firm recommendations when there is a variety of fee arrangements and account structures at the firm. These areas include the following:

  1. OCIE is focusing on whether the arrangements and the fees charged are in the best interest of the client.
  2. OCIE is looking into the use of improper or misleading sales practices when recommending the movement of retirement assets from employer-sponsored defined contribution plans into other investments, especially those with higher fees.
  3. OCIE is looking into the suitability of investing retirement assets into complex or structured products, including due diligence, and disclosures made to the investor.
  4. OCIE is looking into the supervision of branch offices, including using data analytics to identify branch offices that may be deviating from firm compliance.
  5. OCIE is continuing its focus on investment companies that are offering alternative investments.
  6. OCIE is looking into whether mutual funds with significant exposure to interest rate increases have implemented compliance policies, procedures and sufficient controls to ensure that their disclosures are not misleading and that the investment profile is consistent with the disclosures.

Now that you know the SEC’s focus for the year ahead, ask yourself whether your firm is doing what it needs to do to answer the above issues with a positive response. If no such response is forthcoming, you need to revisit what you are doing and act accordingly, lest you be a firm OCIE focuses upon.


The SEC’s Division of Investment Management (IM) is working on two ways to make its Risk and Examinations Office (REO) effective. See http://www.sec.gov/News/Speech/Detail/Speech/1370540048684#.Uml5uBAWkoo.

According to the SEC’s website, REO was established in October 2012 to implement Section 965 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The provision requires IM to have a staff of examiners to perform inspections and exams of registrants under its purview. REO also was created to provide IM with quantitative risk analysis capabilities, and the unit maintains a monitoring program that provides ongoing financial analysis of the investment management industry. REO has the authority to conduct its own exams. However, REO staff will join staff from the SEC Office of Compliance Inspections and Examinations on their exam visits where practical.

This new exam unit will present novel challenges for the IM industry.

’Tis the season for the regulators to announce their examination priorities. No less than the SEC’s Office of Compliance Inspections and Examinations (OCIE) has released its 2014 Examination Priorities for its National Examination Program (“NEP”).

In particular, the SEC identified several new issues for registered investment advisers, primarily for those RIAs who are at least three years old and have never been examined, as well as continued presence exams for hedge and private equity managers; wrap fee programs; quantitative trading models; and disguised distribution payments. OCIE will also continue to examine for failure to comply with the custody rule; conflicts of interest, including, but not limited to, undisclosed compensation, allocation of investment opportunities, and performance marketing; alternative investment strategies for registered funds; money market fund stress testing; securities lending; senior management meetings concerning risk management; IT systems’ supervision; dual registrants and suitability; private placement solicitations; and IRA rollovers. OCIE stated that these priorities also apply to broker-dealers, clearing agencies, and transfer agents. See http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf.

In short, given these priorities, it looks to be an interesting year for securities entities subject to the SEC’s jurisdiction.

The SEC adopted a rule to adjust for inflation the maximum amounts it may recover for civil monetary penalties imposed under the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940 and the Investment Advisers Act of 1940. The SEC’s new rule was effective upon publication, and also adjusts certain penalties under the Sarbanes-Oxley Act of 2002.

The rule was adopted pursuant to the Federal Civil Penalties Inflation Adjustment Act of 1990. This statute requires federal agencies to adopt regulations at least once every four years to adjust for inflation the maximum amount of civil monetary penalties in the statutes they administer. The adjustments apply to violations after the effective date of the rule change.

This change will increase civil penalties for those subject to SEC actions, and is yet another factor to consider for those in SEC enforcement investigations and proceedings.

FINRA has published guidance on its new marketing Rule 2210. See http://www.finra.org/Industry/Issues/Advertising/P197604

FINRA has indicated that retail communications that are now subject to this filing requirement have to be filed by February 19, 2013. FINRA suggested that retail communications relating to closed-end funds and structured products must be filed. FINRA also wants, among other things, certain presentation scripts and correspondence filed. However, mutual fund manager communications relating to past performance do not have to be filed.


Bottom line, compliance officials have more to worry about than ever.