Collateral Consequences

Over the years that I have defended broker-dealers and investment advisors on customer-initiated claims, I have seen many things that would make any compliance officer cringe. One spine-tingling (not in the good way) type of conduct is an advisor who engages with a client who makes an informal complaint, instead of routing the complaint to compliance/supervision.

So why is engagement against the rules of engagement? The most important reason is that engagement (aka arguing) may turn a simple customer service issue into a formal complaint. Rather than engage, my experience suggests that it is better to get the complaint (assuming it is in writing) to the proper person in compliance/supervision.

Dealing with an oral complaint is a little trickier because you are put on the spot. Nevertheless, the best course, as hard as it may be, is to try to defuse the situation: express that you understand the issue being raised, that you will look into it and that you will respond further as soon as possible.

By defusing instead of engaging, you give all sides the opportunity to let cooler heads prevail. Many times a customer service issue can be addressed easily by taking a little time to consider the issues and formulate a response or course of action, instead of blurting out the first thing that comes to mind, which is invariably the worst thing to say.

If you get a complaint, don't jump to respond. Use your resources and formulate a well-reasoned response. Sometimes the client is wrong, but arguing with the client gets you nowhere except closer to guaranteed litigation.

The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC's focus were:

  1. Have a strong password, keep it secure and change it often.
  2. Use a two-step verification process if the firm offers it.
  3. Use different passwords for different on-line accounts.
  4. Avoid using public computers to access on-line accounts.
  5. Be cautious when using wireless connections to access on-line accounts.
  6. Check and double-check any links sent to you via email purporting to come from your advisory firm.
  7. Secure your mobile devices.
  8. Regularly check your account statements and confirmations for unusual activity.

In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.

Similarly, you should consider providing similar guidance, as an investor alert or the like, to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.

Although the prospect of suffering a data breach is ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.

A recent article highlighted certain areas of focus for investment advisors/broker-dealers when it comes to addressing cyber-threats. The article focused on four areas of particular significance.

First, a firm must have a robust risk assessment approach to cyber-security. After all, a firm cannot develop and deploy cyber-security policies and procedures unless and until it identifies what its risks are.

Just as important, the risk assessment cannot be a one-and-done project. Best practices dictate that firms conduct risk assessments continually to identify new risks. Attackers change their tactics, so your assessment has to change with them.

Second, once you develop and deploy policies and procedures, you should create and test incident response plans, for example by walking through a simulated breach with the people who would actually have to respond. Otherwise, how will you know these policies and procedures work when confronted with an actual data breach?

Third, if you use vendors, perform due diligence on them on an ongoing basis to assess their cyber-security risks. For example, if you outsource email retention, you will want to know how that vendor protects its stored email from unwanted intrusion. Equally important, you want to revisit what the vendor is doing for cyber-security on a regular basis, not just at contract signing.

Fourth, train and retrain your staff so that they avoid inadvertently exposing the firm to malware. Among other things, you should consider a policy for staff to follow before they download or open anything from an external email or web site.

These are just a few suggestions for an area of ever-increasing focus for both firms and their regulators. Avoid being a victim: assess risk, develop plans and procedures, test the plans and procedures, and educate your staff.

In determining whether to seek admissions in the settlement of an enforcement action, the SEC will not take into account any collateral consequences that might befall the defendant in question.

Recent changes in the "neither admit nor deny" policy are not about collateral consequences. Instead, the SEC is determining whether admissions are justified based upon the need for accountability. The SEC will have to try those cases where the defendant refuses to make an admission. Collateral consequences, including follow-on private securities litigation and other enforcement actions by foreign and domestic authorities, are a main reason that defendants balk at admitting to SEC violations. Additionally, given that the SEC will have to pick and choose the cases where it wants admissions, it is incumbent upon the SEC to closely monitor how such decisions are reached, and their attendant costs and benefits.

However, it seems that the SEC could achieve accountability without demanding admissions.