Articles Posted in Compliance

A new Risk Alert released by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) reminds advisers of the added compliance obligations that arise when hiring representatives carrying the baggage of reportable disciplinary histories. While by no means exhorting advisers not to hire such persons, the Risk Alert nonetheless encourages advisers to properly consider the obvious compliance risks presented by such hiring practices, and, in turn, to adopt prudent policies and procedures to address those risks.

We follow OCIE’s periodic Risk Alerts closely as they not only provide insights regarding the focus of recent OCIE examinations, but also provide insights as to what OCIE management will be directing the staff to focus on in the future. This particular Risk Alert is a read-out of the results of a recent series of OCIE exams from 2017 specifically targeting advisory firms that (i) previously employed, or currently employ, any individual with a history of disciplinary events and (ii) for the most part serve retail clients. Indeed, OCIE makes special notation of its “focus on protecting retail investors” as a genesis for both the targeted exam initiative (the “Initiative”) as well as this new Risk Alert. Accordingly, advisers with a large retail customer base should pay especially close attention to the new Risk Alert.

In conducting the Initiative, OCIE’s staff focused on three areas of interest: (i) the compliance policies and procedures put into place to specifically cover the activities of previously-disciplined individuals; (ii) the disclosures relating to previously-disciplined individuals required to be made in filings and other public documents (including advertising); and (iii) conflicts of interest implicated by the hiring of previously-disciplined individuals. With this roadmap in place, the Initiative identified a variety of observed deficiencies across a range of topics, including:

The Massachusetts Securities Division (“MSD”) has announced the adoption of new rules requiring that investment advisers registered with the MSD provide, to clients and prospective clients, an additional one-page stand-alone disclosure document specifically detailing the adviser’s fee schedule. This new disclosure document or “Fee Table” will need to be “updated and delivered consistent with the existing requirements for Form ADV (including the Brochure).” The new rules, which were adopted pursuant to the MSD’s notice and comment process, take effect—and will be enforced—commencing on January 1, 2020.

While only applicable to advisers registered with the MSD, the new rules requiring the Fee Table could portend similar future action by additional states. Moreover, the new rules come on the heels of the SEC’s June 5th high profile standard-of-conduct releases (which we have previously chronicled) that also include a new stand-alone disclosure document for SEC-registered advisers to be known as Form CRS. If the MSD’s actions here are in fact echoed by additional states, it could cause potential headaches for the RIA industry, as this would require RIAs operating in multiple states to conform to multiple differing disclosure document regimes. Additionally, with the new Form CRS (applicable to SEC-registered advisers only) beginning to circulate at about the same time, an assortment of new documents being presented to clients may cause marketplace confusion as well.

The SEC, on June 5th, adopted a comprehensive set of rules and interpretations that will have a profound effect on the brokerage and advisory industries going forward, first and foremost by revising the standard-of-conduct applicable to broker-dealers and their registered representatives in dealings with retail customers. Even casual observers will likely be familiar with the various proceedings just concluded at the SEC, which resolve debates that have raged in the investment industry for decades as to the need to align the higher fiduciary “standard-of-conduct” applicable to investment advisers with the lesser suitability standard applicable to broker-dealers. While the June 5th releases do not equalize the two standards—as many commentators would have desired—they do significantly raise the standard applicable to broker-dealers from suitability to “best interests.” The SEC’s releases number four separate documents, each covering a distinct aspect of the standard-of-conduct controversy, and run over 1200 pages. Accordingly, this note will seek to identify the major headlines from the various releases. Look for future writings, wherein we will explore the nuances of the June 5th releases in greater detail.

As noted, the SEC released a package of Final Rules and Interpretive Releases comprising four separate components: (1) Final Rules implementing Regulation Best Interest (“Reg BI”), the new enhanced standard for brokers; (2) Final Rules implementing a new Form CRS Relationship Summary (“Form CRS”), a new disclosure document applicable to both brokers and advisers (that, for advisers, will function as a new Part 3 to Form ADV); (3) an Interpretive Release clarifying the SEC’s views of the fiduciary duty that investment advisers owe to their clients; and (4) an Interpretive Release intended to more clearly delineate when a broker-dealer’s performance of advisory activities causes it to become an investment adviser within the meaning of the Advisers Act. All four components of the regulatory package were approved by a 3-1 vote of the SEC’s Commissioners, with Commissioner Robert Jackson being the sole dissenter.

While the June 5th releases are the culmination of a decades-long controversy, they are the proximate result of a formal rulemaking commenced on April 18, 2018, at which time the SEC published initial proposed versions of Reg BI, Form CRS and the advisory interpretations. The Final Rules for Reg BI and Form CRS will become effective 60 days after they are formally published in the Federal Register; however, firms will be given a transition period until June 30, 2020 to come into compliance. The two Interpretive Releases will become effective upon formal publication.

The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may—at their discretion—adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it will more likely than not be used as the states come around to developing rules to parallel those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker/dealers to take a fresh look at their policies and procedures in the area of electronic customer record storage in light of shortcomings discovered by OCIE’s staff as part of recently-conducted regular examinations. These shortcomings include weak or misconfigured security settings on a network storage device that, in the worst-case event, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider as these published notices serve as a window into not only the recent experiences of OCIE staffers out in the field, but also the thinking of OCIE management as to where it will be directing its staff to focus in future examinations. In other words, if the management of OCIE deems it important enough to publish a Risk Alert on a particular topic, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Obviously, such storage systems may be especially vulnerable to hacking or other nefarious activities, and as such, warrant robust protections.

A recent settled SEC Order with Wedbush Securities, Inc., a dually-registered investment adviser and broker-dealer, has resulted in a censure and $250,000 fine against that firm. The genesis of this rather harsh result is what the SEC alleges to be the firm’s failure to follow up on obvious compliance “red flags” that, in this case, pointed to an extensive and long-running “pump and dump” scheme involving one of the firm’s registered representatives. Indeed, as noted by Marc P. Berger, Director of the SEC’s New York Regional Office, “Wedbush abandoned important responsibilities to its customers by looking the other way in the face of mounting evidence of manipulative conduct.”

The SEC’s regulatory requirements compel broker-dealers to adopt policies and procedures that are sufficiently tailored to determine whether their associated persons are violating the securities laws and to prevent them from violating the securities laws. Broker-dealers are also compelled to ensure that these policies and procedures are sufficiently implemented to discover and prevent securities law violations.

Recognizing the “swiftly developing” digital asset marketplace—a loosely defined sector encompassing cryptocurrencies, virtual coins or tokens (including Initial Coin Offerings or “ICOs”), and other blockchain-related financial assets—the SEC’s Division of Investment Management (the “Division”) has commenced an open-ended request for public comment on how such crypto-assets impact its decades-old Advisers Act Custody Rule (Advisers Act Rule 206(4)-2). The Division’s request for comment comes in the form of a March 12, 2019 letter to the Investment Adviser Association (“IAA”), a lobbying/trade group representing the investment advisory industry.

By way of background, the Custody Rule sets up a number of requirements for SEC-registered investment advisers that have “custody” of a client’s funds or securities. Custody is defined as “holding, directly or indirectly, client funds or securities, or having any authority to obtain possession of them.” Notably, custody includes, among other things, any arrangement under which the adviser is authorized to withdraw client funds or securities, as well as acting as general partner, or in a comparable control position, for an investment fund. The four primary obligations of an adviser having custody are that the adviser must: (i) maintain those funds or securities with a “qualified custodian;” (ii) notify the client in writing of the qualified custodian’s name, address, and the manner in which the funds or securities are maintained; (iii) have a “reasonable basis” for believing that the qualified custodian sends an account statement, at least quarterly, to each client, identifying the amount of funds/securities and setting forth all transactions in the account; and (iv) arrange for an independent public accountant to conduct an annual surprise examination in order to verify the safekeeping of the client’s funds and/or securities. The Custody Rule provides a number of exemptions to some of the above requirements; most notably, one that allows investment fund advisers to avoid the surprise exam requirement so long as audited financial statements are distributed within 120 days of the end of the fund’s fiscal year.

In an effort to “further inform our consideration of how characteristics of digital assets impact the application of the Custody Rule,” the Division’s request for comment seeks public comment on a wide array of trenchant queries, including the following:

With annual compliance reviews in full swing this time of year, we write today to remind advisory firms to be sure to assess the sufficiency of their policies and procedures in the ever-developing area of electronic messaging.  Our note comes on the heels of a recent Risk Alert on this topic issued by the SEC’s Office of Compliance Inspections and Examinations or “OCIE,” which exhorts advisory firms to take a fresh look at their current compliance policies in light of the particular risks of non-compliance posed by the firm’s usage of electronic messaging.

“Electronic messaging,” as discussed in OCIE’s Risk Alert, refers to such mediums as text/SMS messaging, instant messaging, personal email, and personal or private messaging, but specifically excludes firm-wide email.  Notably, OCIE’s exclusion of firm email from analysis in the Risk Alert should not be read as diminishing an adviser’s compliance obligations to capture, store, and periodically review firm email communications.  Rather, as OCIE explains, “firms have had decades of experience complying with regulatory requirements with respect to firm email” and it is not as problematic from a compliance standpoint as compared to some of the newer technologies that run on third-party applications or platforms.

On February 4, 2019, the Commissioner of Securities of the State of Georgia and the Office of the Secretary of State announced their intent to amend the rules governing examination requirements for registered representatives of a broker-dealer and investment adviser representatives.  According to the Commissioner, the primary purposes of these amendments are to harmonize Georgia’s rules with the Financial Industry Regulatory Authority’s new rules implementing the Securities Industry Essentials (“SIE”) Exam and to update the requirements regarding examinations for applicants.  The SIE Exam, which tests a FINRA registration applicant’s knowledge of securities-related topics, was launched to simplify FINRA’s qualification examination program after the program’s efforts to address new securities products and services resulted in FINRA offering multiple exams with immense content overlap.  FINRA also launched the SIE Exam in order to provide greater consistency and uniformity to the securities industry application process.

The State of Georgia requires applicants for registration as a registered representative of a broker-dealer and/or an investment adviser representative to take certain prerequisite examinations.  Georgia Rule 590-4-5-.02 details the examination requirements for registered representatives, while Georgia Rule 590-4-4.09 details the examination requirements for investment adviser representatives.

The proposed amendments to Rule 590-4-5-.02, detailing registered representative examinations, would require an applicant applying for registration as a broker-dealer to present proof to the Commissioner that its personnel have passed at least one of a list of specified examinations within a two-year period preceding the date of the application.  The amendments also eliminate the Series 87 Research Principal Examination as a potential examination that could be passed.  The amendments also would provide that an applicant who is applying to be a registered representative would need to present the Commissioner with proof that he or she has passed the required examinations within either a two-year period immediately preceding the application date or a four-year period in the case of an applicant who has taken the SIE Exam.  The amendments also provide that the Commissioner “may reserve the right to find the applicant qualified by other examinations or significant and comprehensive experience in the securities business.”

FINRA has alerted its Member Firms to be on the watch for a fraudulent phishing email scheme targeted at compliance personnel. A phishing scheme typically uses email or some other type of electronic message to trick the recipient into clicking a malicious link or infected file attachment by mimicking a message from a trustworthy party. This particular scheme employs an email purportedly originating from an Anti-Money Laundering compliance officer at an otherwise apparently legitimate Indiana-based credit union. The email—which was received recently by a number of FINRA Member Firms—specifically targets compliance personnel by appearing to be a communication regarding an attempted transfer of money by a client of the recipient’s firm to the credit union which has been placed on hold due to concerns about potential money laundering. The scam is designed to get the recipient to open an attachment, which, according to FINRA “likely contains a malicious virus or malware designed to obtain unauthorized access to the recipient’s computer network.”

FINRA noted the following additional aspects of the fraudulent email that recipients should be alert for:

  • An otherwise legitimate reference to a provision of the USA Patriot Act allowing financial institutions to share information with each other.
  • An actual email address that appears to be from Europe, rather than the U.S.-based credit union.
  • Numerous instances of poor grammar and sentence structure.
