In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.

This unfortunate situation shows another side of the data security risks that firms must address: the rogue representative who handles client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.

If someone really wants to get around your system, that person will likely do so. So what to do?

One thing firms should consider is a logging system that records each time an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when, and how often. The enforcement opinion was silent on any firm protocols in this regard.

Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor because it may have revealed unusual activity that the firm could have explored further.
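As an added illustration (not code from the original post), here is a small Python sketch of the kind of access-log review described above: it flags a representative whose daily count of distinct client records jumps well above that person's own baseline, and outbound messages carrying client data to an address outside the firm's domain. The firm domain, the log formats and every sample event are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

FIRM_DOMAIN = "example-firm.com"  # hypothetical firm domain (assumption)

# Constructed sample access log: (day, representative, client record, channel).
# rep_a touches two records a day, then suddenly pulls a dozen on 03-05.
ACCESS_LOG = [
    (f"2016-03-0{d}", "rep_a", f"client_{d}0{i}", "crm") for d in range(1, 5) for i in range(2)
] + [
    ("2016-03-05", "rep_a", f"client_5{i:02d}", "crm") for i in range(12)
] + [
    (f"2016-03-0{d}", "rep_b", f"client_{d}{i}", "crm") for d in range(1, 6) for i in range(3)
]

# Constructed sample outbound-mail log: (day, sender, recipient, carries_client_data).
MAIL_LOG = [
    ("2016-03-05", "rep_a@example-firm.com", "ops@example-firm.com", True),
    ("2016-03-05", "rep_a@example-firm.com", "rep.a.home@webmail.example", True),
    ("2016-03-05", "rep_b@example-firm.com", "friend@webmail.example", False),
]

def daily_client_counts(log):
    """Map representative -> {day: number of distinct client records touched}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, rep, client, _channel in log:
        seen[rep][day].add(client)
    return {rep: {day: len(c) for day, c in days.items()} for rep, days in seen.items()}

def flag_unusual_volume(log, factor=3, min_baseline_days=3):
    """Return (rep, day, count, baseline) where a rep's distinct-client count on a day
    exceeds `factor` times that rep's median count on their other logged days."""
    flags = []
    for rep, days in daily_client_counts(log).items():
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to call anything unusual
            baseline = median(others)
            if n > factor * baseline:
                flags.append((rep, day, n, baseline))
    return flags

def flag_external_forwarding(mail_log, firm_domain=FIRM_DOMAIN):
    """Return outbound messages that carry client data to an address outside the firm's domain."""
    return [(day, sender, rcpt) for day, sender, rcpt, has_data in mail_log
            if has_data and rcpt.rsplit("@", 1)[-1].lower() != firm_domain]
```

A supervisor would review each flag rather than act on it automatically; a legitimate book transfer can look like a spike, so the value is in surfacing the question early.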

The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a fulsome data security program.

FINRA has identified that firm culture is in its cross-hairs. But what is firm culture?

Trying to figure out what's meant by firm culture reminds me of my law school days studying First Amendment law and, in particular, cases addressing pornography. A former Supreme Court Justice, Potter Stewart, seemed to get it right when he said something along the lines of, I don't know what pornography is, but I know it when I see it.

I think that the same can be said about firm culture. No one really knows what it is, but FINRA is sure to determine when there is a failure of firm culture when FINRA sees it. So what should you think about when it comes to firm culture?

I think that the easiest way to think about firm culture is what does the leadership from the top down look like. How does the firm’s upper management approach issues involving compliance with the law and regulations, as well as the firm’s own written policies and procedures?

If the firm leadership does not take these issues seriously, then that same leadership cannot expect its registered representatives and staff to take those things seriously as well. In other words, the do as I say not as I do philosophy is a failed philosophy.

FINRA has identified firm culture as an exam priority and has recently reemphasized that point in its planned targeted examinations. It is now the put-up-or-shut-up moment. Is your firm's leadership making compliance and supervision issues a top priority? If not, you should expect FINRA to find a problem with your firm's culture. FINRA is sure to know it when it sees it.

A recent AWC demonstrates the old Watergate adage that the cover-up is always worse than the crime. In this AWC, FINRA suspended a registered representative for ten (10) months and fined her $15,000.

Among other things, the representative inaccurately identified her assistant as the person placing trade orders, because the assistant was the only one of the two licensed in the state. This person then went to another broker-dealer, where she entered 200 discretionary trades without prior written client authorization or broker-dealer approval.

As if these securities violations were not bad enough, what came next really did this person in with FINRA. She lied to the first firm, claiming that her assistant had placed the trade order, and then went to her assistant and asked the assistant to confirm the lie. With the second broker-dealer, this person misrepresented on the branch office questionnaires that she had never entered any discretionary trades when she had actually entered 200.

So what are the takeaways? It is likely that the securities violations would have resulted in this person being terminated from both firms. However, it is an open question whether she would have been suspended for as long as she was and fined as much as she was but for lying and asking another person to do so on her behalf.

Although it may be difficult to accept, the best course of action when you mess up is to deal with what you did as opposed to lying about it and making the situation worse. As a number of people in the Nixon Administration learned, the cover-up is always worse than the crime.

A good test to guide your conduct is to ask yourself whether you would be embarrassed to hear about the situation on the news. If so, you are going down the wrong path.

As we previously blogged about (here and here), FINRA is focusing on your firm’s culture as its top priority this year.  FINRA is planning to meet with your executive, compliance, legal, and risk management teams to discuss “how your firm communicates and reinforces those values directly, implicitly and through its reward system”, and in particular, “how your firm measures compliance with its cultural values, what metrics, if any, are used and how you monitor for implementation and consistent application of those values throughout your organization.”  FINRA has announced that, in order to facilitate such a meeting, it will be asking for the following information in advance:

  1. A summary of the key policies and processes by which the firm establishes cultural values.
  2. A description of the processes employed by executive management, business unit leaders and control functions in establishing, communicating and implementing your firm’s cultural values.
  3. A description of how your firm assesses and measures the impact of cultural values (to the extent assessments and measures exist) and whether they have made a difference at your firm in achieving desired behaviors.
  4. A summary of the processes your firm uses to identify policy breaches, including the types of reports or other documents your firm relies on, in determining whether a breach of its cultural values has occurred.
  5. A description of how your firm addresses cultural value policy or process breaches once discovered.
  6. A description of your firm’s policies and processes, if any, to identify and address subcultures within the firm that may depart from or undermine the cultural values articulated by your board and senior management.
  7. A description of your firm’s compensation practices and how they reinforce your firm’s cultural values.
  8. A description of the cultural value criteria used to determine promotions, compensation or other rewards.

If your firm has already received such a targeted exam letter from FINRA requesting this information, then you know that you only have about a one-month turnaround. You should immediately begin to prepare a thorough response, especially considering that this is a new area of focus for FINRA, and thus we have not yet seen in practice how FINRA will perform and react to an assessment of firm culture. If you have not yet received such a request from FINRA, you should at least begin considering how your firm would respond to one. Identify any key areas in which you may be deficient and focus on improving them now, so that if you eventually do receive a targeted exam letter such as this, you will be in a much better position to respond.

Client relationships and expectations can be the source of success and liability at the same time.  Ernie Badway and I will be speaking on May 17 in New York City at a regional conference of the National Society of Compliance Professionals.  We will be speaking about risk avoidance techniques that you can use in the everyday world, as well as highlighting issues and challenges that you face managing risk.  For more information about the conference, go to NSCP.org.  We hope to see you there.

FINRA has issued an investor alert involving high-yield CD offers that are really bait for the sale of a high-commission investment. Apparently, FINRA has received calls on its senior hotline making it aware of a sales practice that involves enticing a client into the office to purchase a CD and then selling the client a high-commission product like a fixed or equity-indexed annuity.

You might ask, so what? Think of it this way. If FINRA is issuing an investor alert regarding what it thinks is a shady practice, you should be concerned. In other words, you have to anticipate that enforcement cases are on the horizon where FINRA finds these sales practices.

This alert should be a message for anyone who sells CDs and/or high commission annuity products that FINRA may be looking at your sales practices in the future. There is nothing wrong with selling these investments as long as they are suitable for the client and there is full disclosure.

If you sell these products, it may make sense to test your salespeople to see if they are using CDs as a bait scheme. Weeding out bad apples should always be part of your supervision and compliance programs. It is better that you learn of the problem and stop it before your regulator does it for you.

With the exception of those of you who have literally been asleep for the last few years, you are well-versed in the attention FINRA and the SEC are giving to issues surrounding elder investors. Among other things, there is a real focus on elder abuse.

Some commentators believe that all of this attention may inevitably lead to additional regulations regarding how you handle older investors. Like most things from a regulatory/legislative standpoint, the loudest wheel will get the most oil.

With the graying of the baby boomers, this section of society will undoubtedly have a large voice in whatever regulations or laws may come to pass. It seems as though most of the claims I have defended over the last 20 years have involved investors over the age of 60, so I can say there is a real issue with how firms handle older clients.

Is there anything that can be done to avoid this potential regulatory headache? I think that there are things that can be done on both a macro and micro level.

The macro solution requires firms to take a big-picture view of their customer composition. Assuming that there is a graying component to your customer base, you should have specific firm-wide policies and procedures that address elder issues, i.e., heightened supervision, alternate decision-makers, a committee that addresses elder issues, etc.

The micro solution is tied to the macro and can be addressed by a simple question. What are you as a firm doing to ensure your policies and procedures pertaining to elder investors are being carried through as written by your advisors/representatives? If you cannot answer this question, you might as well be signing off on those regulations.

Avoiding elder client regulations may still be in your hands. Are you doing enough to address the issue at your firm? Only time will tell.

Those famous words of the immortal Yogi Berra hold true when it comes to the SEC exam priorities for 2016. Among those at the top of the list are two familiar friends; protecting retail investors and investors saving for retirement.

It is clear that the SEC is looking in particular at how retail firms are dealing with their older clientele, since it is fair to assume that older clients are those most likely preparing for retirement. So what does the SEC want to know?

The SEC is looking at retirement services being offered, focusing on whether there is a reasonable basis for recommendations, conflicts of interest, supervision and compliance controls, as well as marketing and disclosure practices. If you compare these priorities to FINRA’s exam priorities, you will see the overlap.

The overlap of these priorities should set off alarm bells in your head. The SEC and FINRA have told you twice what your regulators will analyze during your next exam. You have a choice.

You can ignore these areas and not take prophylactic measures to make sure that your policies and procedures in these areas are consistent with current industry standards, or you can take a serious look at what your firm is doing for your clients who are focused on retirement investing. Something tells me that taking the path of least resistance will not win you any awards with your regulators.

So take affirmative steps and give your policies and procedures in these areas some deep thought. Do you have any policies and procedures in place? If so, do they go far enough, and are they consistent with current industry trends and practices? FINRA and the SEC are doing some of your work for you; don't miss out on the free advice they are giving you.

Other than the non-defined “culture”, FINRA’s 2016 exam priorities are also focused on supervision and risk management. At least these categories are a bit more defined so that you are not left guessing what FINRA means.

Under these broad topics, FINRA is focused on four primary areas, which include:

  1. Management of conflicts of interest, including incentive structures, investment banking and research business lines, information leakage, and position valuation.
  2. Technology, including the ever-present cyber-security, technology management and data quality governance.
  3. Outsourcing; what are firms doing to reduce costs by outsourcing while, at the same time, maintaining responsibility for the work performed by that third party.
  4. Anti-money laundering monitoring and controls.

So what do all of these have in common? Yes, you guessed it; all would fall within the general culture of compliance that is also a focus of these exam priorities.

All of the above-referenced priorities have appeared in some form in the past, but a couple of them warrant special attention: technology and outsourcing. This is a particular issue for smaller firms that, because of cost and infrastructure limitations, need to outsource cyber-security.

If so, the most important thing to remember is that you can outsource the work, but not the responsibility. So what do you have to do when you outsource?

For one, you need to vet your vendors. What are they doing to make sure they are adequately protected and, in turn, protect your electronically stored information? What does your contract provide for in the event of a breach under the vendor’s watch? Will the vendor defend and indemnify you?

These are only a couple of the issues to explore, but explore you must. After all, you can never delegate the responsibility to protect customer information from cyber-attack. FINRA will want to know.

Well, guess what? FINRA does not agree with this statement to such a degree that culture is now part of FINRA’s exam priorities for 2016.

While the exam priorities acknowledge that “FINRA does not seek to dictate firm culture”, it is an important consideration when assessing a firm’s culture of compliance. After all, such a culture starts with leadership at the top.

So what is FINRA looking for when it makes "culture" an exam priority? FINRA has noted that it is looking for the following things.

  1. Whether control functions are valued in the firm.
  2. Whether policy or control breaches are tolerated at the firm.
  3. Whether the firm proactively seeks to identify risk and compliance events.
  4. Whether supervisors are effective role models for firm culture.
  5. Whether sub-cultures at the firm (such as in branch offices) that do not conform to the overall firm culture are identified and rectified.

FINRA's spelling out of these "five indicators" is meant to tell firms what they should be looking for in their own organizations. If you do not have meaningful answers to each of these items, it may be safe to say that you do not have a firm culture that FINRA will like.

So don’t be afraid to look yourself in the proverbial mirror and assess your culture. Is it one that promotes compliance? If the answer is no, you have a lot of work to do before your next examination.