Compliance and Supervision

 

Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures (https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf). In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; use a system to prevent data loss; install software patches; adopt response plans; and conduct vendor risk assessments. However, not all the news was good. OCIE believes that these firms should have better-tailored policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that various vulnerabilities are addressed in a timely fashion. OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The CEO of FINRA recently announced that FINRA plans to provide firms with additional resources to deal with recidivist brokers. So what does this mean?

For years, FINRA’s exam priorities have focused on, among other things, brokers who are repeat violators of FINRA rules. FINRA has made this a priority as a way to weed out brokers who do not deserve to be in the industry because they are likely causing more harm than good.

FINRA is effectively asking the firms to do their part in cleansing the industry of bad brokers. What can a firm do in this regard?

First, firms must take more care in the hiring process. Your due diligence cannot begin and end by pulling the registered representative’s CRD. You should run a Google (or similar) style search on the broker. There are also services you can use to find out if there are judgments, liens or lawsuits against the broker. This way, you can find red flags that may not appear on CRD.

Second, once you hire the broker, you have to make sure he/she is coming under a robust supervisory and compliance overview. Be proactive if you sense there is a problem. By doing so, even if there is a problem, you may be able to cut it off before it gets worse.

There is no easy solution. From FINRA’s perspective, however, you are either part of the solution or part of the problem. The choice is yours.

FINRA is currently reviewing its rules regarding outside business activities and private securities transactions. From time to time, FINRA reviews its rules and application of those rules to see if anything needs to be tweaked. Is there any significance to FINRA looking at these particular rules?

From my experience, some bad brokers have used the outside business activity disclosure process as the tool to cover their tracks while engaging in activity that the firm would otherwise want to know about. In some cases, the undisclosed outside business turned out to be a Ponzi scheme.

The purpose of requiring outside business disclosures is for a firm to make sure that it and its clients know about any conflicts of interest that their brokers may have. For example, the firm would want to know if the broker had a real estate broker’s license because that business may compete with the time the broker can give to her securities investing clients.

FINRA exploring this area should be a message to firms that they need to ask critical questions about what they are doing regarding outside business disclosures.

Ask yourself:

  • Are you doing enough to make sure you receive honest and complete disclosures?
  • What, if any, ramifications are there for incomplete or untimely disclosures?
  • Are you asking enough follow-up questions to understand the proposed outside business activity?
  • What follow-up, if any, do you make with brokers who make disclosures?

If you cannot answer these questions, you need to do more homework or be exposed to the bad broker who may be in your midst.

 

One certainty in the brokerage world is that registered representatives often switch from one member firm to another. There is nothing wrong with the switch, but there is a word of caution to be shared.

Before you leave, make sure you have in your possession, if anything, only those things that the firm you are leaving lets you keep. If you take something you are not allowed to have, you can rest assured that your former employer will come looking for you.

Similarly, you should determine whether the old or new firms are members of the broker-dealer protocol. If so, you should check the protocol for what you are allowed to take and what notice you have to give to your former employer about the information you are taking with you.

If one or neither firm is a member of the protocol, it still makes sense to follow the protocol. By doing so, you can demonstrate, if ever challenged, that you tried to do the right thing by following an objective standard that many in the industry have accepted.

Another thing you should verify is whether you are under contract with your old firm to delay your formal commencement with the new firm, otherwise known as a garden leave policy. If so, you had better follow it. If you opt not to follow it, you should expect a disgruntled former employer coming after you.

So change firms if you like. Just be certain you know what you are doing before you do it. A couple of missteps here and there could get you in front of FINRA on an enforcement case.

 

The SEC has recently issued an Investor Alert regarding commentary provided about investors from what appear to be independent sources. It turns out, many of those independent sources are not independent at all. Instead, they are paid shills.

The SEC has instituted enforcement actions against such companies for generating deceptive articles on investment websites. Among other things, these companies:

  1. Failed to disclose that they received payment even though companies had paid them directly or indirectly.
  2. Used different pseudonyms to publish multiple articles that promoted the same stock.

  3. Falsified their credentials; misrepresenting themselves as accountants or a fund manager, for example.

So where does that leave firms that rely upon commentaries for the sale of stock? For one, if you pay for it, you had better disclose that you paid for it. If you did not pay for it, do a little digging to make sure that the commenter is legitimate. If not, stay away lest the SEC pay a visit.