Articles Posted in Books and Records

The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may—at their discretion—adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it will more likely than not be used as the states come around to developing rules to parallel those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker/dealers to take a fresh look at their policies and procedures in the area of electronic customer record storage in light of shortcomings discovered by OCIE’s staff as part of recently conducted regular examinations. These shortcomings include weak or misconfigured security settings on a network storage device that, in the worst-case event, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider, as these published notices serve as a window into not only the recent experiences of OCIE staffers out in the field, but also the thinking of OCIE management as to where it will direct its staff to focus in future examinations. In other words, if the management of OCIE deems a particular topic important enough to publish a Risk Alert on it, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Obviously, such storage systems may be especially vulnerable to hacking or other nefarious activities, and as such, warrant robust protections.

With annual compliance reviews in full swing this time of year, we write today to remind advisory firms to be sure to assess the sufficiency of their policies and procedures in the ever-developing area of electronic messaging.  Our note comes on the heels of a recent Risk Alert on this topic issued by the SEC’s Office of Compliance Inspections and Examinations or “OCIE,” which exhorts advisory firms to take a fresh look at their current compliance policies in light of the particular risks of non-compliance posed by the firm’s usage of electronic messaging.

“Electronic messaging,” as discussed in OCIE’s Risk Alert, refers to such mediums as text/SMS messaging, instant messaging, personal email, and personal or private messaging, but specifically excludes firm-wide email.  Notably, OCIE’s exclusion of firm email from analysis in the Risk Alert should not be read as diminishing an adviser’s compliance obligations to capture, store, and periodically review firm email communications.  Rather, as OCIE explains, “firms have had decades of experience complying with regulatory requirements with respect to firm email” and it is not as problematic from a compliance standpoint as compared to some of the newer technologies that run on third-party applications or platforms.

Following its publication of a Risk Alert in late 2017 detailing findings from examinations of municipal advisers, the SEC’s Office of Compliance Inspections and Examinations (OCIE) continues to examine municipal advisers in 2018.  In 2014, OCIE established the Municipal Advisor Examination Initiative to examine municipal advisers who had recently registered for the first time.  OCIE performed over 110 examinations in the course of the Initiative and found that many municipal advisers did not have adequate knowledge of regulatory requirements for municipal advisers.  As a result, many municipal advisers were found not to be in adequate compliance with regulatory requirements pertaining to registration, recordkeeping, and supervision.  OCIE hoped that in publishing the 2017 Risk Alert, municipal advisers would be compelled to evaluate their policies and procedures to find possible areas for improvement.

Municipal advisers are obligated to register with the SEC pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”).  The SEC established its municipal adviser registration rules in September 2013, and the rules became effective in July 2014.  The Dodd-Frank Act also established the Municipal Securities Rulemaking Board (“MSRB”), which exercises regulatory authority over municipal advisers.  OCIE’s examinations of municipal advisers covered “compliance with regulatory obligations including registration, statutory fiduciary standard of care, fair dealing, recordkeeping, and supervision, among other things.”  OCIE discovered that the most common deficiencies among municipal advisers related to registration, books and records, and supervision requirements.

On April 13, 2015, the North American Securities Administrators Association (“NASAA”) adopted a model rule concerning business continuity and succession planning for investment advisers. The model rule is intended as guidance for state-registered investment advisers to determine how to develop succession planning policies and procedures. Investment advisers without business continuity and succession plans face serious risks if the adviser is temporarily or permanently unable to service its clients. Included with the model rule are scenarios to help illustrate when business continuity plans are important for an investment advisory firm and many questions to help determine how to craft the plan properly.

Many different types of disasters can strike an investment adviser’s business. From naturally occurring disasters such as hurricanes and snow storms to unnatural disasters like terrorist attacks or a sudden death, it is important to have thought about and created a succession plan to ensure that your clients’ interests are not harmed. A business continuity and succession plan allows the adviser to safeguard critical business functions so that your firm can continue as long as needed when a disaster strikes.

In August of this year the Securities and Exchange Commission (“SEC”) settled an administrative proceeding that related to statements an investment adviser made during the SEC’s on-site examination. The adviser at issue, Parallax Capital Partners, LLC, is a registered investment adviser that focuses primarily on mortgage-backed bonds and other similar fixed income securities. Parallax also advises a private fund in addition to providing advisory services to individuals and other entities. During an examination of Parallax that the SEC conducted in April 2011, the firm’s Chief Compliance Officer represented to the examination staff that he had performed and documented the annual compliance review required by Advisers Act Rule 206(4)-7 for the year 2010. The CCO further represented that the review and documentation had been conducted in February 2011, and provided the examination staff with a memorandum purportedly documenting the compliance review for 2010 that stated: “This memo documents that I have performed the review and reported significant compliance events and material compliance matters.”

The SEC examination staff was able to determine, by a review of the metadata attached to the compliance memorandum, that it had not been drafted in February 2011 as the CCO had represented, but instead that it had been created and completed in April 2011, just three days prior to the onsite examination and after Parallax received notice of the impending examination.

Parker MacIntyre attorneys Steve Parker and Bryan Gort attended the 2015 annual conference of the North American Securities Administrators Association (NASAA) held last week in San Juan, Puerto Rico. As usual, the conference provided valuable guidance and updated information on areas of importance to state-registered investment advisers, as well as federal notice-filed broker-dealers and SEC-registered investment advisers.

Of interest to state-registered investment advisers are proposed amendments to Part 1B of Form ADV that would attempt to capture an RIA’s use of social media and information on the use of third-party compliance professionals.

NASAA also presented the findings of its 2015 coordinated investment adviser examination review, compiled from the results of over 1100 investment adviser examinations. Once again, books and records deficiencies were the leading category, with 78% of all examined entities having deficiencies in that area. Within that category the failure to maintain adequate client suitability data was the leading deficiency, accounting for 10% of the deficiencies noted within the books and records category.

The North American Securities Administrators Association (NASAA) released preliminary numbers this month showing that the number of enforcement cases brought by state regulators doubled during 2011. During that year, states brought about 400 cases compared to 208 cases brought during 2010. This increase is due in large part to an expansion of state examinations as a result of the Dodd-Frank financial reform law. Dodd-Frank gave the states examination authority for approximately 2,400 “mid-sized” advisers (firms with less than $100 million in assets under management) which are required to switch from SEC to state registration.

As a result of the switch, some former SEC firms that haven’t been examined in many years, if ever, by the SEC now find themselves subject to a state examination and can also look forward to being examined by the state more frequently.