The SEC recently released its findings relating to exams of investment advisers.  https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf.

In particular, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) found weak compliance programs; insufficient or late filings; custody rule violations; Code of Ethics problems; and the recurring books and records issues. OCIE, in fact, criticized the use of non-particularized, “off-the-shelf” manuals, nearly non-existent annual reviews, and plain and simple failure to implement or follow procedures. Form ADV and Form PF filings also included inaccurate information or were late. Investment advisers were also found to lack the requisite knowledge of the custody rule and its requirements, to lack persons responsible for it, or to lack adequate and readily available books and records.

Finally, RIAs should consider this release a warning shot.  That is, the SEC staff will most likely continue to focus on these issues during its future exams.


The Office of Compliance Inspections and Examinations (or OCIE) recently issued a Risk Alert that identified the five most frequent compliance topics arising from OCIE examinations. These compliance topics include the following:

  1. Deficient compliance programs,
  2. Late or insufficient filings,
  3. Violations of the custody rule,
  4. Code of Ethics compliance deficiencies, and
  5. Books and records.

Among other things, OCIE noted that it continues to see untailored “off-the-shelf” manuals, deficient or non-existent annual reviews, as well as the systemic failure to follow procedures. So what does this all mean?

It would certainly appear from OCIE’s analysis that firms continue to take the easy way out when it comes to compliance. There is nothing per se wrong with an “off-the-shelf” compliance manual. The impropriety comes when the firm does nothing to modify that manual to conform to its business model. Not conforming a compliance manual to your individual circumstances is no different from not having a manual.

Equally problematic is the lack of meaningful annual reviews. Any annual review must be meaningful to have any regulatory significance. A meaningful review can look different from firm to firm, but there are a few components worth noting.

First, everyone at the firm must participate in the review process. Compliance comes from the tone at the top. Second, the firm should employ a checklist of required elements, including those that may be firm-specific. Third, correct any deficiencies found through this process.

Compliance is not easy. But don’t take the easy way out. Having a robust compliance program takes hard work. Do it now, or pay the SEC later.

According to Bloomberg, Trump plans to order a review of Dodd-Frank, with an eye to significantly scaling back the regulations. Trump also plans to do away with the “fiduciary rule”, which requires retirement account advisers to act in the best interests of their clients.

This confirms Trump’s goal to loosen regulations in the financial services industry. While the Dodd-Frank review will not have an immediate impact, Trump’s order will stall the fiduciary rule from going into effect this April. Trump is likely to face significant opposition to his efforts to dismantle Dodd-Frank, but will likely succeed in scaling back at least some of its regulations.

We will continue to monitor developments in this area and provide further updates as they unfold.

As it has in the past, FINRA is sharply focused on examining brokers with a disciplinary past, and has placed the identification and examination of such brokers at the top of its 2017 exam priorities. Does this mean that firms cannot hire brokers with a past?

The short answer is no, but the longer answer is a bit more involved. A FINRA examination team is going to conduct a quantitative analysis to review the broker’s test scores, number of prior employers and disciplinary history.

When FINRA finds such brokers, it will contact the employing firm’s compliance department to ensure that they know of this history. FINRA will also inquire about the type of supervision being used for the individuals. So what does this mean?

For one, you can hire individuals with a past, but you must do so with caution. That caution would necessarily entail placing such a broker on some form of heightened supervision for at least a period of time. At the end of that time, you can then consider removing or downgrading that supervision, assuming that the broker does not have any additional issues.

The key to remember is that FINRA’s goal is to protect the markets and the consumers who hire brokers who may have a past. Hiring brokers with a history and protecting consumers are not mutually exclusive. However, make sure you take special care in the decision to hire and then supervise such individuals because FINRA is watching.

On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At its core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee and enforce the program, train staff, and report hacking to the state. Any report of hacking must be made within 72 hours of a hack that has a reasonable likelihood of impacting firm operations.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving the firm and have email systems that block certain forms of information, like Social Security numbers.
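As an added illustration of the kind of outbound-email control the rules call for (example code written for this post, not part of the original article or of any vendor's product; the internal domain and the sample message are constructed), here is a minimal check that flags Social Security numbers in mail addressed to external recipients, applying the Social Security Administration's structural rules to cut down false positives:

```python
import re

INTERNAL_DOMAIN = "example-firm.com"  # assumed internal domain (constructed)

# Dashed/spaced SSN is a strong signal; a bare nine-digit run is weak.
SSN_FORMATTED = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
SSN_BARE = re.compile(r"(?<!\d)(\d{3})(\d{2})(\d{4})(?!\d)")
SSN_KEYWORD = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)

def is_plausible_ssn(area, group, serial):
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    nor are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text):
    """Return plausible SSNs in text. Bare nine-digit runs count only when
    an SSN keyword sits within 40 characters, limiting false positives
    on phone and account numbers."""
    hits = [m.group(0) for m in SSN_FORMATTED.finditer(text)
            if is_plausible_ssn(*m.groups())]
    for m in SSN_BARE.finditer(text):
        window = text[max(0, m.start() - 40):m.end() + 40]
        if is_plausible_ssn(*m.groups()) and SSN_KEYWORD.search(window):
            hits.append(m.group(0))
    return hits

def mask(ssn):
    """Keep only the last four digits for the audit log."""
    return "***-**-" + re.sub(r"\D", "", ssn)[-4:]

def check_outbound(message):
    """Decide whether a message may leave the firm: internal-only mail is
    allowed; mail to an external recipient that carries an SSN is blocked."""
    external = [r for r in message["to"]
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    found = find_ssns(message["subject"] + "\n" + message["body"])
    if external and found:
        return {"action": "block", "external": external,
                "matches": [mask(s) for s in found]}
    return {"action": "allow", "external": external, "matches": []}

# Constructed sample message for a stand-alone run.
SAMPLE = {"to": ["client@gmail.com"], "subject": "Account setup",
          "body": "Please confirm your SSN 123-45-6789 and phone 5551234567."}
```

The masked matches, not the raw numbers, are what should reach the audit log that supports the 72-hour reporting duty.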

With this cost, however, will come added protection for consumers and, in turn, consumer confidence in their financial institutions. This one-of-a-kind program is likely not to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection. Are you doing enough now, in the absence of regulation, to protect consumer information?

A recent Investment News article highlighted a burgeoning market for financial advisors looking to protect their practices; namely, data breach insurance. Although such insurance seems like a great idea, you need to exercise due care when purchasing it.

According to the article, more and more firms are buying this insurance to supplement any gaps that may exist in regular D&O insurance. After all, the typical D&O insurance policy either does not cover or provides little coverage for the harm caused by a data breach.

Although this may make it seem as though data breach insurance is the easy answer, it may not be. For one, this insurance has historically been fairly expensive when compared to D&O insurance. In addition, data breach insurance often has many exclusions that can limit the coverage you purchase. So what should you look for in such insurance?

According to the article, you want a policy that covers as many of the following business expenses as possible:

  • Lost data restoration.
  • Repairing or replacing damaged software or hardware.
  • Hiring public relations firms to address reputational damage.
  • Compensating clients for credit monitoring services.
  • Forensic investigators to investigate the incident.
  • Civil lawsuits, regulatory fines and penalties.
  • Lost profits caused by fraudulent wire transfers.

This list runs the spectrum, but these are things you should consider before leaping into a cybersecurity insurance policy. Otherwise, you may not get what you pay for.

According to Fortune, outgoing Securities and Exchange Commission Chair Mary Jo White is refusing to delay adoption of new rules and regulations.  Senate Republicans–in particular the Senate Banking Committee’s top two Republicans, Chairman Richard Shelby and Mike Crapo–requested White delay adopting new rules until after Trump takes office.  However, as reported by Reuters, White responded to Shelby and Crapo on December 12th, stating that she intends to move forward with derivative reforms mandated by Dodd-Frank, including capital and margin requirements for swap dealers, and a limit on how mutual funds and exchange-traded funds use derivatives to leverage returns.

There remain obstacles to these rules. First, because two commissioner positions remain vacant, there are only three remaining commissioners, and a quorum of them is required to pass the new rules. The other two commissioners, Kara Stein and Michael Piwowar, are a Democrat and a Republican, respectively. Second, Congress could quite easily reverse any new rules within 60 legislative days of their becoming final, which the Republican-controlled Congress could very well vote to do.

Thus, the takeaway is that firms must still monitor proposed new rulemaking under White’s SEC for the next few weeks, while also keeping an eye on what Congress will do in response to any new rules promulgated over the next month or so.

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud vendor failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm’s customers.

This breach and resulting fine should certainly serve as a wake-up call to all firms, but, in particular, to smaller firms. Smaller firms are more likely to use outside vendors to contain costs, yet they are at greater risk.

If anything, this fine only reinforces the fact that firms are responsible for the vendors that they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.

It is perfectly fine to use a cloud vendor or some other third-party for your firm operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client information, you could assign the risk of loss to the other firm. In other words, the other firm would have to indemnify you for any fines if their system is breached.

At the same time, part of your due diligence when hiring a firm must include asking tough questions. For example: have you ever sustained a breach? And, if so, have you had another one since?

In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.

Following up on our earlier report that Mary Jo White, the chair of the Securities and Exchange Commission, will step down at the end of the Obama administration, news of other departures within the SEC has begun to spread. The latest is Keith Higgins, head of the Division of Corporation Finance, who announced his plans to leave the SEC in January. According to Sarah N. Lynch at Reuters, Higgins oversaw the adoption of many rules pursuant to the 2012 Jumpstart Our Business Startups (JOBS) Act.

Other top SEC officials who have recently announced their planned departures include: Stephen Luparello (Trading and Markets Division Director), Mark Flannery (Chief Economist), Matthew Solomon (Chief Litigation Counsel), and James Schnurr (Chief Accountant).

According to Lynch, Andrew Ceresney (SEC Enforcement Director), who worked alongside White prior to joining the SEC, both in private practice and at the U.S. Attorney’s Office in New York City, declined to comment on any plans to leave the SEC.

As we noted previously, these departures will continue to pave the way for President-Elect Trump to deregulate the financial sector.