In its never-ending effort to thwart senior investor fraud, FINRA recently proposed a new rule to the SEC. This proposal would require member firms to obtain the name of a trusted contact person for the customer’s account. The new rule would also allow firms to place temporary holds on the disbursement of funds or securities when there is a reasonable belief of exploitation, and notify the trusted contact of such a hold.

This proposed rule is consistent with the advice I have been giving clients over the years as senior issues became more and more prevalent. So what does the potential formalized rule mean for the business?

It should come as a relief to firms to have this type of safeguard. It is a difficult situation to say the least when a firm is uneasy with what a family member may be doing with a senior client of the firm. This rule change will give you somewhat of an out.

The key to making this proposal work is selecting the right trusted contact person. Assuming such a person can be identified, I think that it is a good idea for that person to be designated as a fiduciary to the client on the account applications and for the account to be coded so that this trusted person receives regular account statements regarding the senior account.

By doing this, you as a firm have a separate set of eyes on the account activity from someone who may know the family/personal dynamics better than you. Having that person designated as a fiduciary on the account documents should also lend you some protection in the event that the trusted person is not so trustworthy.

Either way, this new rule should be embraced as a positive step to protect both firm and clients.

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures. Even the best policies and procedures may, however, not protect the firm in every instance. So what do you do if there is a breach?

One of the most important things to determine is what law governs. In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated. Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.
The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging impact on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internal and externally facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.

The SEC is prepared; are you?

If you cannot answer this question, you may have an issue when you have your next FINRA exam. After all, firm culture is a FINRA exam priority. Does your firm have a culture of compliance?

This question only leads to another: what is a culture of compliance? For one, this is something that has to resonate from the top down. If senior management is committed to upholding firm compliance, that should promote the “culture of compliance.”

For example, does senior leadership enforce the firm’s written supervisory processes and procedures? In doing so, does senior management hold everyone accountable the same way, or are exceptions made for the “big producers”? If exceptions are made, you are not promoting a culture of compliance.

Does senior management ensure that there is adequate training of all personnel? There should be a robust and mandatory training program to account for changes to the rules and to make your personnel aware of risks and how to avoid them, one of the biggest being data security.

These are only two of many considerations for assessing whether there is a culture of compliance. The key in it all is leadership from the top. After all, people cannot follow a leader who does not lead. Be a leader.

Unfortunately, a bad broker does not take on the same attributes as a fine wine. Bad brokers rarely improve with time.

At least this was the recent message of Robert Ketchum, head of FINRA. But should all brokers who have any pings on their record be foreclosed from the industry? Certainly not, but what should you do?

The question is tougher when the broker coming to you with some knocks on his record has been a historically high producer for his prior member firm. Surely, there must be more to the story.

In my experience, there usually is more to the story. Just because someone has some marks does not mean he/she is not worthy to be with your firm. But be careful.

Anyone coming to your firm with any pings on their U-4 should be brought on under heightened supervision. This way you can personally assess this person and test the reasons why this person has been pinged in the past. Maybe the registered representative was just the victim of circumstance in the past.

Either way, if you are going to bring someone on with a checkered past, you had better be willing to take the time to watch over this person. After all, by bringing them to your firm, you have assumed responsibility for them. Take caution on the front end or be ready to pay the price later.

It was great speaking at the May 17 New York NSCP regional conference on risk issues facing firms, where Ernie Badway and I discussed cyber-security, risk issues, regulatory matters, issues involving elder clients and ways compliance personnel can protect themselves. For those of you who could not make the conference, these topics are frequently discussed in our various publications. Feel free to access them here and use them as you see fit.

Over the years that I have defended broker-dealers and investment advisors, a more robust overview of outside business activity (OBA) disclosures would have gone a long way to disprove a number of claims. So where did these firms go wrong?

The biggest issue that I have seen is a firm’s willingness to take the OBA of a representative or IAR at face value and not do any more due diligence. In one instance, that due diligence could have unraveled a Ponzi scheme at its inception, instead of years after the fact and millions of dollars lost.

In that case, the representative disclosed a beneficial interest in another business and that certain of his clients used that other business for tax preparation services. Although that other entity was not subject to the firm’s authority, the firm could have done more than nothing.

For one, the firm could have conditioned its approval of the OBA on the representative providing bank account statements for the other firm, so that the FINRA-regulated firm could have assessed how many of its clients were using that other firm. By doing so, the firm could have uncovered that its clients were transferring money in not insignificant sums from their brokerage accounts to this third party.

Conversely, if the representative refused or was unable to get these statements, the firm could have denied approval of the OBA. Although this extra step may not have exonerated the firm from its representative’s use of the OBA to perpetrate a fraud, it would have provided a solid argument that it should have no liability because the representative acted outside the scope of his authority.

The moral of the story is that there is no perfect system for assessing OBAs. The important thing, however, is to take nothing at face value. Ask questions and push for information. If your employee is unwilling or unable to get that information, then the best thing is to not approve the OBA and lay the foundation for a defense if you are ever questioned about your employee’s outside business activity.

It is no secret that FINRA and the SEC are sharply focused on issues regarding elder clients, including severe disciplinary action. There is another elder “issue” that must be kept in the forefront as well: senior designations.

Senior designations are “certifications” that financial advisors tag onto their other designations like CFA, etc. Such designations are meant to give an advisor an air of credibility or specialization when it comes to servicing elder clients.

However, not all such designations are legitimate. Indeed, some are no different than the secret decoder rings we used to get out of a box of cereal. So what should you do?

You should not let any of your advisors tout any such designations unless and until you have had a chance to vet the legitimacy of the designation and the entity that is promoting it. Is there any sort of testing and continuing education requirement to maintain this designation? Have FINRA or the SEC ever commented on this designation and/or the entity that may be promoting it?

The key to any sort of senior designation is for you to conduct proper due diligence to ensure its legitimacy. Otherwise, you run the risk of running afoul of your regulator for allowing your advisors to tout a specialization that does not exist.

FINRA recently barred a registered representative and fined that person $52,270, which represented the commissions he received from the sale of debentures to 12 senior investors. So what was so bad about those transactions?

For one, the high-commission investments were not suitable for these elder investors. Second, misleading statements were made to seven of the 12.

In addition, all but one were retired at the time of purchase. Nine of the ten investors were over the age of 70 at the time of investment.

This disciplinary action is significant because it underscores two points from FINRA’s 2016 exam priorities. You may recall, FINRA announced that it was going to focus on elder issues and, in particular, suitability of investments.

How should firms address these issues? As I have stated in other blogs, the easiest solution is to put elder clients (those over the age of 65) on something akin to heightened supervision. In other words, someone in a supervisory capacity must scrutinize each and every trade made by one of these investors to ensure investment suitability. This may seem a bit much to manage. There is, however, no denying that FINRA is razor focused on this issue and is not taking elder issues lightly.

So maybe heightened supervision is too much for your firm, but do something. Implement some policies and procedures to ensure that proper steps are undertaken to ensure only suitable investments are sold to your elder clients. Otherwise, expect a call from FINRA.
In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.

This unfortunate situation shows another side of data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.

If someone really wants to get around your system, that person will likely do so. So what to do?

One thing firms should consider is a logging system when an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when and how often. The enforcement opinion was silent on any firm protocols in this regard.

Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor because it may have revealed unusual activity that the firm could have further explored.
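The access-log review described above, as an added example that is not from the original post or any firm's system: it parses constructed access records for client information, flags a day on which an associated person touched an unusually large number of distinct client records compared with that person's other days, and flags exports of client records to an e-mail address outside the firm's domain. The log format, the firm domain and the spike threshold are assumptions.

```python
# Access-log review for client records covered by Regulation S-P. Added example,
# not from the original post or any firm's system; log format, field names,
# domain and threshold are assumptions, and the log lines are constructed.
from collections import defaultdict
from statistics import median

# Constructed log: timestamp|user|action|client_id|destination ("-" = none)
ACCESS_LOG = """\
2016-05-02T09:14:00|jdoe|view|C1001|-
2016-05-03T09:10:00|jdoe|view|C1001|-
2016-05-03T09:12:00|jdoe|view|C1003|-
2016-05-04T18:40:00|jdoe|view|C1001|-
2016-05-04T18:41:00|jdoe|view|C1002|-
2016-05-04T18:42:00|jdoe|view|C1003|-
2016-05-04T18:43:00|jdoe|view|C1004|-
2016-05-04T18:44:00|jdoe|view|C1005|-
2016-05-04T18:50:00|jdoe|export|C1001|jdoe@personal-mail.example
2016-05-04T19:00:00|asmith|export|C2001|asmith@firm.example
"""
FIRM_DOMAIN = "firm.example"  # assumed firm e-mail domain
SPIKE_FACTOR = 2              # assumed: > 2x the user's typical day is unusual

def parse_log(text):
    """Split each line into a dict; 'day' lets us group by calendar day."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, action, client, dest = line.split("|")
        rows.append({"day": ts[:10], "user": user, "action": action,
                     "client": client, "dest": dest})
    return rows

def flag_volume_spikes(rows, factor=SPIKE_FACTOR):
    """Flag (user, day, count) where the number of distinct client records
    touched exceeds factor x the median of that user's other logged days."""
    per_day = defaultdict(lambda: defaultdict(set))
    for r in rows:
        per_day[r["user"]][r["day"]].add(r["client"])
    flags = []
    for user, days in per_day.items():
        for day, clients in days.items():
            others = [len(c) for d, c in days.items() if d != day]
            if len(others) >= 2 and len(clients) > factor * median(others):
                flags.append((user, day, len(clients)))
    return sorted(flags)

def flag_external_exports(rows, firm_domain=FIRM_DOMAIN):
    """Flag client records sent to an address outside the firm's domain."""
    return sorted((r["user"], r["client"], r["dest"]) for r in rows
                  if r["action"] == "export"
                  and not r["dest"].endswith("@" + firm_domain))
```

On the constructed log, jdoe's 2016-05-04 activity is flagged as a volume spike and the export to the personal address is flagged, while asmith's export to a firm address is not.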

The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a comprehensive data security program.