Articles Tagged with RIA Compliance

The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may—at their discretion—adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it will more likely than not be used as the states come around to developing rules to parallel those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker/dealers to take a fresh look at their policies and procedures in the area of electronic customer record storage in light of shortcomings discovered by OCIE’s staff as part of recently conducted regular examinations. These shortcomings include weak or misconfigured security settings on a network storage device that, in the worst-case event, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider, as these published notices serve as a window into not only the recent experiences of OCIE staffers out in the field, but also the thinking of OCIE management as to where it will direct its staff to focus in future examinations. In other words, if the management of OCIE deems it important enough to publish a Risk Alert on a particular topic, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records—specifically, records kept in the “cloud” or on other types of networked storage solutions. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Obviously, such storage systems may be especially vulnerable to hacking or other nefarious activities, and as such, warrant robust protections.

In a recent speech, an SEC Commissioner took the opportunity to voice her concern that the prevalence of non-public guidance now being conveyed by SEC staffers to certain market participants and their counsel is tantamount to what she terms “secret law” which, in her opinion, “crosses the line” of propriety.

SEC Commissioner Hester M. Peirce’s well-crafted speech, given in Washington at the recent SEC Speaks 2019 event, invokes imagery of the children’s novel The Secret Garden to posit her belief that the abundance and importance of non-public guidance being provided and relied upon by certain of the SEC’s divisions and offices has created a secret garden of its own within the SEC’s walls. As an example, she cites her hearing that “staff simply will not accept certain applications for entire categories of products or types of businesses for reasons not found in our rules.” Additionally, she notes hearing that “one particularly complex set of Commission rules does not matter much in practice because firms operate instead under a set of published and unpublished letters and other directives from staff.” She also references firms being examined “against the terms of draft no-action letters and notes of telephone calls with Commission staff.” In all of these cases, Peirce fears that the “line has been crossed” and that such activities amount to “secret law.”

That such “sub rosa guidance,” as she terms it, amounts to “secret law,” is in Peirce’s opinion undeniable. As she points out, while it is true that courts would be reluctant to defer to such staff guidance in a legal proceeding, it nonetheless does “as a practical matter, bind market participants, affecting the scope of their rights and obligations and limiting the range of permissible activities.”

The SEC’s Office of Compliance Inspections and Examinations recently conducted examinations of privacy notices and safeguarding policies of SEC-registered investment advisers and broker-dealers adopted pursuant to Regulation S-P. As a result of these examinations, the SEC issued a Risk Alert identifying common deficiencies that are important to keep in mind when adopting, implementing and reviewing compliant privacy notices and effective safeguarding policies.

Regulation S-P requires financial institutions such as investment advisers and broker-dealers to adopt written policies and procedures to safeguard nonpublic personal client information. These policies must be reasonably designed to protect the confidentiality and security of nonpublic personal client information from any anticipated threats or hazards and any unauthorized access or use. The policies should address administrative, technical, and physical safeguards.

Investment advisers and broker-dealers must also provide initial and annual privacy notices to their clients describing the types of information collected and disclosed, the types of affiliated and non-affiliated third parties the information is disclosed to and, unless exempted from the opt-out notice requirement, an explanation of the client’s right to opt out of disclosure of nonpublic personal information to a non-affiliated third party. The privacy notice should also generally describe the firm’s safeguarding policies and procedures.

A recent settled SEC Order with Wedbush Securities, Inc., a dually-registered investment adviser and broker-dealer, has resulted in a censure and $250,000 fine against that firm. The genesis of this rather harsh result is what the SEC alleges to be the firm’s lack of an ability to follow up on obvious compliance “red flags” that, in this case, pointed to an extensive and long-running “pump and dump” scheme involving one of the firm’s registered representatives. Indeed, as noted by Marc P. Berger, Director of the SEC’s New York Regional Office, “Wedbush abandoned important responsibilities to its customers by looking the other way in the face of mounting evidence of manipulative conduct.”

The SEC’s regulatory requirements compel broker-dealers to adopt policies and procedures that are sufficiently tailored to determine whether their associated persons are violating the securities laws and to prevent them from violating the securities laws. Broker-dealers are also compelled to ensure that these policies and procedures are sufficiently implemented to discover and prevent securities law violations.

FINRA has alerted its Member Firms to be on the watch for a fraudulent phishing email scheme targeted at compliance personnel. A phishing scheme typically uses email or some other type of electronic message to trick the recipient into clicking a malicious link or infected file attachment by mimicking a message from a trustworthy party. This particular scheme employs an email purportedly originating from an Anti-Money Laundering compliance officer at an otherwise apparently legitimate Indiana-based credit union. The email—which was received recently by a number of FINRA Member Firms—specifically targets compliance personnel by appearing to be a communication regarding an attempted transfer of money by a client of the recipient’s firm to the credit union, a transfer that has been placed on hold due to concerns about potential money laundering. The scam is designed to get the recipient to open an attachment, which, according to FINRA, “likely contains a malicious virus or malware designed to obtain unauthorized access to the recipient’s computer network.”

FINRA noted the following additional aspects of the fraudulent email that recipients should be alert for:

  • An otherwise legitimate reference to a provision of the USA Patriot Act allowing financial institutions to share information with each other.
  • An actual email address that appears to be from Europe, rather than the U.S.-based credit union.
  • Numerous instances of poor grammar and sentence structure.


Demonstrating its regulatory interest in the robo adviser industry, on December 21, 2018, the Securities and Exchange Commission issued an Order Instituting Administrative and Cease-and-Desist Proceedings against Wealthfront Advisers, LLC, a registered investment adviser which uses a software-based “robo adviser” platform in servicing its clients. The action is the second case against robo advisers filed on the same day. Wealthfront submitted an offer of settlement in light of the proceeding.

According to the SEC’s Order, Wealthfront utilizes a proprietary tax loss harvesting program (“TLH”) to help its clients garner tax benefits. These tax benefits would typically come through selling assets at a loss, which could potentially be used to reduce income or gains and create a lower tax liability. From October 2012 onward, Wealthfront has featured whitepapers on its website that provide information about the TLH strategy.

As the partial federal government shutdown, which began at midnight on December 22, 2018, now approaches its fifth week, we write to update our readers on the shutdown’s specific impact on the SEC and securities regulatory activities.  While we have previously discussed many of these points with our clients who currently have matters pending before the SEC, below is more general information regarding the SEC’s most significant functions.

The SEC was able to operate fully and conduct regular business for a limited number of days following the commencement of the general federal shutdown, but was forced to effectively close its doors on December 27, 2018.  Since then, the agency has been operating at a very minimal level with a skeleton crew of staffers able to respond to only emergency situations.  As described on the SEC’s home page, the remaining staff is available to respond only to “emergency situations involving market integrity and investor protection, including law enforcement.”  The vast majority of the SEC’s employees have been furloughed and are not reporting to work at this time.  That said, we note that a number of familiar online filing platforms, such as EDGAR, IARD, and CRD, all remain fully operable.

On December 21, 2018, the Securities and Exchange Commission issued an Order Instituting Administrative and Cease-and-Desist Proceedings against Hedgeable, Inc., a registered investment adviser.  Hedgeable utilizes a “robo adviser” program, which it offers to individuals, small business owners, trusts, corporations, and partnerships through both its website and social media.  The SEC’s Order alleges that from about 2016 through April 2017, Hedgeable made various misleading statements in advertising and performance data.  Hedgeable submitted an offer of settlement in order to resolve the proceeding.

According to the Order, Hedgeable launched a so-called “Robo-Index” to present comparisons of its performance against that of two unaffiliated robo advisers.  These comparisons were featured on both Hedgeable’s website and various social media sites.  The SEC found that Hedgeable’s method of preparing the Robo-Index had significant material issues.  For example, the SEC found that data from 2014 and 2015 only featured data from a small pool of Hedgeable client accounts and excluded over 1,000 other client accounts.  The SEC alleged that, because of the small sample sizes, the data likely reflected “survivorship bias,” stemming from the fact that the sample size likely only contained clients who received higher than average returns compared to Hedgeable’s other clients.  The SEC also determined that Hedgeable’s calculation methods did not correctly estimate expected returns for a standard client of the other two robo advisers.  Hedgeable allegedly produced the data in the Robo-Index using estimations of the other robo advisers’ trading models rather than using the robo advisers’ actual models.

Following several enforcement actions brought against registered investment advisers that received 12b-1 fees when institutional shares were available to be purchased in clients’ advisory accounts, in February of this year the Securities and Exchange Commission announced an initiative under which firms could self-report the receipt of “avoidable” 12b-1 fees since 2014.  Under the so-called Share Class Selection Disclosure Initiative (SCSDI), advisers who self-reported receiving 12b-1 fees under those circumstances would be subject to an SEC enforcement action but would receive favorable treatment in such a case. Such favorable treatment included no recommended civil penalties as long as the firm agreed to disgorge all avoidable 12b-1 fees received.

In order to participate in the SCSDI, however, firms were required to report to the SEC by June 12, 2018. In announcing the SCSDI, the SEC indicated that firms that did not self-report may be subjected to harsher sanctions if their practice was later discovered.

In recent weeks, through information available from clearing firm data and public sources, the SEC has identified RIAs that may have received 12b-1 fees but chose not to self-report. Some of these firms are receiving subpoenas or requests for information and testimony.  Whether the failure to report was justified and/or the original receipt of the 12b-1 fees was not improper are questions that the SEC Enforcement Staff will be evaluating during its investigations.  In some limited circumstances a firm might be able to justify receipt of the questioned fees, and also might be excused from or ineligible for the self-reporting initiative.