Articles Tagged with Policies and Procedures

A new Risk Alert released by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) reminds advisers of the added compliance obligations that arise when hiring representatives carrying the baggage of reportable disciplinary histories. While by no means exhorting advisers not to hire such persons, the Risk Alert nonetheless encourages advisers to properly consider the obvious compliance risks presented by such hiring practices, and, in turn, to adopt prudent policies and procedures to address those risks.

We follow OCIE’s periodic Risk Alerts closely, as they provide insight not only into the focus of recent OCIE examinations but also into what OCIE management will direct the staff to focus on in the future. This particular Risk Alert is a read-out of the results of a recent series of OCIE exams from 2017 specifically targeting advisory firms that (i) previously employed, or currently employ, any individual with a history of disciplinary events and (ii) for the most part serve retail clients. Indeed, OCIE specifically notes its “focus on protecting retail investors” as the genesis of both the targeted exam initiative (the “Initiative”) and this new Risk Alert. Accordingly, advisers with a large retail customer base should pay especially close attention to the new Risk Alert.

In conducting the Initiative, OCIE’s staff focused on three areas of interest: (i) the compliance policies and procedures put into place to specifically cover the activities of previously-disciplined individuals; (ii) the disclosures relating to previously-disciplined individuals required to be made in filings and other public documents (including advertising); and (iii) conflicts of interest implicated by the hiring of previously-disciplined individuals. With this roadmap in place, the Initiative identified a variety of observed deficiencies across a range of topics, including:

The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may—at their discretion—adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it is more likely than not to be used as the states come around to developing rules that parallel those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker-dealers to take a fresh look at their policies and procedures in the area of electronic customer record storage in light of shortcomings discovered by OCIE’s staff as part of recently-conducted regular examinations. These shortcomings include weak or misconfigured security settings on a network storage device that, in the worst case, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider, as these published notices serve as a window into not only the recent experiences of OCIE staffers out in the field, but also the thinking of OCIE management as to where it will direct its staff to focus in future examinations. In other words, if the management of OCIE deems a particular topic important enough to publish a Risk Alert on it, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeros in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Obviously, such storage systems may be especially vulnerable to hacking or other nefarious activities, and as such, warrant robust protections.

The SEC’s Office of Compliance Inspections and Examinations recently conducted examinations of privacy notices and safeguarding policies of SEC-registered investment advisers and broker-dealers adopted pursuant to Regulation S-P. As a result of these examinations, the SEC issued a Risk Alert identifying common deficiencies that are important to keep in mind when adopting, implementing and reviewing compliant privacy notices and effective safeguarding policies.

Regulation S-P requires financial institutions such as investment advisers and broker-dealers to adopt written policies and procedures to safeguard nonpublic personal client information. These policies must be reasonably designed to protect the confidentiality and security of nonpublic personal client information from any anticipated threats or hazards and any unauthorized access or use. The policies should address administrative, technical, and physical safeguards.

Investment advisers and broker-dealers must also provide initial and annual privacy notices to their clients describing the types of information collected and disclosed, the types of affiliated and non-affiliated third parties the information is disclosed to and, unless exempted from the opt-out notice requirement, an explanation of the client’s right to opt out of disclosure of nonpublic personal information to a non-affiliated third party. The privacy notice should also generally describe the firm’s safeguarding policies and procedures.

The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) periodically issues “Risk Alerts” highlighting common deficiencies encountered by its staff during routine investment adviser compliance exams. These Risk Alerts serve the dual purpose of providing advisers with both useful insight into the results of recent OCIE examination activity and advance warning of areas that OCIE may be paying closer attention to in the future. Accordingly, a recent Risk Alert issued by OCIE details the most common deficiencies the staff has cited relating to Rule 206(4)-3 (the “Cash Solicitation Rule” or “Rule”) under the Investment Advisers Act of 1940. See National Exam Program Risk Alert, Investment Adviser Compliance Issues Related to the Cash Solicitation Rule (Oct. 31, 2018).

By way of background, the Cash Solicitation Rule prohibits SEC-registered investment advisers from paying a cash fee, directly or indirectly, to any person who solicits clients for the adviser unless the arrangement complies with a number of conditions specified in the Rule, including that the fee must be paid pursuant to a written agreement to which the adviser is a party. Notably, the Rule distinguishes between solicitors that are affiliated with the registered adviser and those that are not, setting up more comprehensive requirements for the latter third-party solicitors. For example, third-party solicitors must provide potential clients with both a copy of the adviser’s Form ADV Part II (or other applicable brochure) and a separate written solicitor’s disclosure document containing specific data about the solicitation arrangement—including the terms of the solicitor’s compensation. Moreover, with respect to third-party arrangements, the Rule obliges advisers to: (i) collect a signed and dated acknowledgment from every potential solicited client that such client has in fact received the adviser’s brochure and the solicitor’s disclosure document; and (ii) make a “bona fide effort” to ascertain whether the solicitor has complied with its duties under the Rule.

In this context, OCIE cited the following as the most noteworthy deficiency areas encountered by its front-line examiners:

Oregon requires all investment advisers and broker-dealers to maintain errors and omissions insurance for at least $1 million. Under Section 59.175, “every applicant for a license or renewal of a license as a broker-dealer or state investment adviser shall file with the director proof that the applicant maintains an errors and omissions insurance policy.” This law provides investors with recourse if they suffer losses because of an uninsured investment adviser. Presently, investment advisers in Oregon may obtain errors and omissions insurance through either the Oregon surplus lines, the Oregon risk retention markets, or both. However, according to the Oregon Secretary of State’s Department of Consumer and Business Services, which oversees the Division of Finance and Securities Regulation, neither of those groups is “admitted” or authorized to conduct insurance business in Oregon. As a result, the Department has decided that a temporary rule is necessary to help both Oregon investment advisers and insurance producers understand the steps they need to take to provide proof of insurance.

On April 12, 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations published a Risk Alert “providing a list of compliance issues relating to fees and expenses charged by SEC-registered investment advisers… that were the most frequently identified in deficiency letters sent to advisers.” According to OCIE, investment advisers often explain the terms of a client’s fees and expenses in their Form ADV and their advisory agreements. If an investment adviser does not follow these terms and participates in improper fee billing, that investment adviser may be violating the Investment Advisers Act of 1940. The Risk Alert is designed to compel investment advisers to evaluate their practices, as well as their policies and procedures, to help ensure compliance with the Advisers Act.

On July 10, 2018, the Securities and Exchange Commission published five Orders Instituting Administrative and Cease-and-Desist Proceedings against two registered investment advisers, three investment adviser representatives, and Leonard S. Schwartz, a marketing consultant. The Orders allege that the respondents violated the Investment Advisers Act’s Testimonial Rule (275.206(4)-1(a)(1)). The SEC also alleged that another investment advisory firm, Romano Brothers & Company (“Romano Brothers”), violated the Testimonial Rule by posting two videos on YouTube featuring client testimonials. The Testimonial Rule provides that investment advisers and their representatives are forbidden from publishing, circulating, or distributing advertising materials that directly or indirectly refer to client experiences about the investment adviser and its services. The SEC considers publication of client testimonials fraudulent because testimonials typically present a biased evaluation of an investment adviser’s services.

Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years. In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule. According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.” Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.

The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.” As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements.

On April 3, 2018, the Financial Crimes Enforcement Network (“FinCEN”) published Frequently Asked Questions (“FAQs”) to help “covered financial institutions,” including broker-dealers and dually registered SEC investment advisers, better understand its new Customer Due Diligence Requirements (“CDD Rule”), which will become effective on May 11, 2018. Other “covered financial institutions” include insured banks, commercial banks, federally insured credit unions, savings associations, trust banks or trust companies that are federally registered, and mutual funds.

The CDD Rule will require covered financial institutions to adopt written policies and procedures that are sufficiently tailored to “identify and verify beneficial owners of legal entity customers and to include such procedures in their anti-money laundering compliance program.” A beneficial owner is defined as an individual who directly or indirectly owns 25 percent or more of a legal entity customer’s equity and a person who exercises significant control over a legal entity customer. However, according to the FAQs, should covered financial institutions desire to gather information on individuals owning less than 25 percent of a legal entity customer, they are welcome to do so. The FAQs also provide that covered financial institutions are required to verify beneficial owners’ identities using risk-based procedures that feature the same factors financial institutions are required to use to verify customer identities under the Customer Identification Program rules.