Financial Industry Trends

The Office of Compliance Inspections and Examinations (or OCIE) recently issued a Risk Alert that identified the five most frequent compliance topics arising from OCIE examinations. These compliance topics include the following:

  1. Deficient compliance programs,
  2. Late or insufficient filings,
  3. Violations of the custody rule,
  4. Code of Ethics compliance deficiencies, and
  5. Books and records.

Among other things, OCIE noted that it continues to see untailored “off-the-shelf” manuals, deficient or non-existent annual reviews, as well as the systemic failure to follow procedures. So what does this all mean?

It would certainly appear from OCIE’s analysis that firms continue to take the easy way out when it comes to compliance. There is nothing per se wrong with an “off-the-shelf” compliance manual. The impropriety comes when the firm does nothing to modify that manual to conform to its business model. Not conforming a compliance manual to your individual circumstances is no different from not having a manual.

Equally problematic is the lack of meaningful annual reviews. Any annual review must be meaningful to have any regulatory significance. A meaningful review can look different from firm to firm, but there are a few components worth noting.

First, everyone at the firm must participate in the review process. Compliance comes from the tone at the top. Second, the firm should employ a checklist of required elements, and those that may be firm specific. Third, correct any deficiencies found through this process.

Compliance is not easy. But don’t take the easy way out. Having a robust compliance program takes hard work. Do it now, or pay the SEC later.

As it has in the past, FINRA is sharply focused on examining brokers with a disciplinary past, placing the identification and examination of such brokers at the top of its 2017 exam priorities. Does this mean that firms cannot hire brokers with a past?

The short answer is no, but the longer answer is a bit more involved. A FINRA examination team is going to be conducting a quantitative analysis to review the broker’s test scores, number of prior employers and disciplinary history.

When FINRA finds such brokers, it will contact the employing firm’s compliance department to ensure that they know of this history. FINRA will also inquire about the type of supervision being used for the individuals. So what does this mean?

For one, you can hire individuals with a past, but you must do so with caution. That caution would necessarily entail placing such a broker on some form of heightened supervision for at least a period of time. At the end of that time, you can then consider removing or downgrading that supervision, assuming that the broker does not have any additional issues.

The key to remember is that FINRA’s goal is to protect the markets and the consumers who hire brokers who may have a past. Hiring brokers with a history and protecting consumers are not mutually exclusive. However, make sure you take special care in the decision to hire and then supervise such individuals because FINRA is watching.

On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At its core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee, train, enforce the program and report hacking to the state. Any report of hacking must take place within 72 hours of the hack, where the hack has a reasonable likelihood to impact firm operations.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving them and have email systems that block certain forms of information like Social Security numbers.

With this cost, however, will come added protection for consumers and, in turn, consumer confidence in their financial institutions. This one-of-a-kind program is likely not to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection. Are you doing enough now in the absence of regulation to protect consumer information?

A recent Investment News article highlighted a burgeoning market for financial advisors looking to protect their practices; namely, data breach insurance. Although such insurance seems like a great idea, you need to exercise due care when purchasing such insurance.

According to the article, more and more firms are buying this insurance to supplement any gaps that may exist in regular D&O insurance. After all, the typical D&O insurance policy either does not cover or provides little coverage for the harm caused by a data breach.

Although this may make it seem as though data breach insurance is the easy answer, it may not be. For one, this insurance has historically been fairly expensive when compared to D&O insurance. In addition, data breach insurance often has many exclusions that can limit the coverage you purchase. So what should you look for in such insurance?

According to the article, you want a policy that covers as many of the following business expenses as possible:

  • Lost data restoration.
  • Repairing or replacing damaged software or hardware.
  • Hiring public relations firms to address reputational damage.
  • Compensating clients for credit monitoring services.
  • Forensic investigators to investigate the incident.
  • Civil lawsuits, regulatory fines and penalties.
  • Lost profits caused by fraudulent wire transfers.

This list runs the spectrum, but these are things you should consider before leaping into a cybersecurity insurance policy. Otherwise, you may not get what you pay for.

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud vendor failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm’s customers.

This breach and resulting fine should certainly serve as a wake-up call to all firms, but, in particular, to smaller firms. These firms are the ones more likely to use outside vendors to maintain cost, but they are at greater risk.

If anything, this fine only enhances the fact that firms are responsible for the vendors that they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.

It is perfectly fine to use a cloud vendor or some other third-party for your firm operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client information, you could assign the risk of loss to the other firm. In other words, the other firm would have to indemnify you for any fines if their system is breached.

At the same time, part of your due diligence when hiring a firm must include asking tough questions. Like, have you ever sustained a breach? And, if so, have you had another one since?

In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.

In its never-ending effort to thwart senior investor fraud, FINRA recently proposed a new rule to the SEC. This proposal would require member firms to obtain the name of a trusted contact person for the customer’s account. The new rule would also allow firms to place temporary holds on the disbursement of funds or securities when there is a reasonable belief of exploitation, and notify the trusted contact of such a hold.

This proposed rule is consistent with the advice I have been giving clients over the years as senior issues became more and more prevalent. So what does the potential formalized rule mean for the business?

It should come as a relief to firms to have this type of safeguard. It is a difficult situation to say the least when a firm is uneasy with what a family member may be doing with a senior client of the firm. This rule change will give you somewhat of an out.

The key to making this proposal work is the right selection of the trusted contact person. Assuming such a person can be identified, I think that it is a good idea for that person to be designated as a fiduciary to the client on the account applications and the account coded so that this trusted person receives regular account statements regarding the senior account.

By doing this, you as a firm have a separate set of eyes on the account activity by someone who may know the family/personal dynamics better than you. Having that person designated as a fiduciary on the account documents also should lend you some protection in the event that the trusted person is not so trustworthy.

Either way, this new rule should be embraced as a positive step to protect both firm and clients.

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures. Even the best policies and procedures may, however, not protect the firm in every instance. So what do you do if there is a breach?

One of the most important things to determine is what law governs. In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated. Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.

In the hectic world of financial services, registered representatives and investment adviser representatives are always looking to increase their assets under management. At what cost? Are there situations where you would be better off just saying no to accepting that one additional client?

In my many years of defending representatives and advisers from customer complaints, the unqualified answer is yes; there are situations when you are better off just saying no. Any good risk avoidance program will provide for the proper screening/selection of prospective clients. I have addressed this very issue in a risk avoidance handbook.

The key to this screening process is being able to sniff out the types of clients that you do not want to accept. For example, are you the fourth adviser that this client has come to in the last four years? Does the client profile not fit your personal/company investment philosophy? Does the client have unrealistic expectations on what she is expecting you to deliver?

If the answer to any of these questions is in the affirmative, there should be a huge stoplight in front of you flashing red. Any client who fits any of these descriptions is also the client most likely to bring a claim against an adviser.

So before you take on any client with a little money, be cautious. Are there red flags coming into the relationship? If so, just say no.

That is the question that the SEC has essentially posed for registered investment advisers in a National Exam Program Risk Alert. In doing so, the SEC has stated that it will be “examining compliance oversight and controls of registered investment advisers that have employed or employ individuals with a history of disciplinary events . . . .”

The SEC will essentially be examining the investment adviser’s business and compliance practices, particularly focused on higher risk individuals. Does this mean that you should not hire or retain someone who may have a disciplinary past?

Of course not. Instead, this alert should be telling you that such people, if you do decide to hire (or retain) them, should come under some form of heightened supervision for a period of time, if not forever. But be forewarned that the SEC is going to check up on you by reviewing certain information, including the following:

  1. Your compliance program, including the practices surrounding the hiring and ongoing reporting obligations of investment adviser representatives.
  2. The firm’s disclosures (i.e., Form ADV) that it makes to its customers to ensure that they are accurate.
  3. The conflict of interest that the firm discloses.
  4. The firm’s marketing.

By reviewing these areas, the SEC believes that it can better understand how firms are handling and representing advisers with a past to their customers. If you decide to hire or retain such advisers, you should focus on what you are saying to the public about them through your words and actions before you are in the SEC doghouse following an examination.

Every time that I start a FINRA arbitration, I find myself having the same internal debate: did we pick the right person to serve as the arbitration chair? Unfortunately, you will not know the answer to that question until after your arbitration begins, or, more likely, after the award is issued. FINRA has proposed a rule change to open up the field for chair arbitrators.

Under the proposed rule, attorneys can serve as a public arbitrator chair with less experience than they were required to have in the past. Pursuant to this proposal, attorneys would only need to have served on at least one arbitration that went to an award and to have completed the chair training.

FINRA’s stated purpose for the rule is to “protect investors and the public interest” by increasing the pool of eligible chairpersons. This way, chairs would ideally no longer have to travel to serve as a chair.

In theory, this all makes sense. If there are more available chairs, then investors and the industry will be better served. But will this work?

In my view, much still falls on the parties to critically review the CVs of potential chairs and do their due diligence. Call other lawyers who have had arbitrations with that person. Do some research into the professional background of the potential chair. After all, just because a lawyer passes FINRA’s vetting process does not mean that you would want that person as your chair.