Articles Tagged with Risk Alert

The SEC’s Office of Compliance Inspections and Examinations recently conducted examinations of privacy notices and safeguarding policies of SEC-registered investment advisers and broker-dealers adopted pursuant to Regulation S-P. As a result of these examinations, the SEC issued a Risk Alert identifying common deficiencies that are important to keep in mind when adopting, implementing and reviewing compliant privacy notices and effective safeguarding policies.

Regulation S-P requires financial institutions such as investment advisers and broker-dealers to adopt written policies and procedures to safeguard nonpublic personal client information. These policies must be reasonably designed to protect the confidentiality and security of nonpublic personal client information from any anticipated threats or hazards and any unauthorized access or use. The policies should address administrative, technical, and physical safeguards.

Investment advisers and broker-dealers must also provide initial and annual privacy notices to their clients describing the types of information collected and disclosed, the types of affiliated and non-affiliated third parties the information is disclosed to and, unless exempted from the opt-out notice requirement, an explanation of the client’s right to opt out of disclosure of nonpublic personal information to a non-affiliated third party. The privacy notice should also generally describe the firm’s safeguarding policies and procedures.

With annual compliance reviews in full swing this time of year, we write today to remind advisory firms to be sure to assess the sufficiency of their policies and procedures in the ever-developing area of electronic messaging.  Our note comes on the heels of a recent Risk Alert on this topic issued by the SEC’s Office of Compliance Inspections and Examinations or “OCIE,” which exhorts advisory firms to take a fresh look at their current compliance policies in light of the particular risks of non-compliance posed by the firm’s usage of electronic messaging.

“Electronic messaging,” as discussed in OCIE’s Risk Alert, refers to such mediums as text/SMS messaging, instant messaging, personal email, and personal or private messaging, but specifically excludes firm-wide email.  Notably, OCIE’s exclusion of firm email from analysis in the Risk Alert should not be read as diminishing an adviser’s compliance obligations to capture, store, and periodically review firm email communications.  Rather, as OCIE explains, “firms have had decades of experience complying with regulatory requirements with respect to firm email” and it is not as problematic from a compliance standpoint as compared to some of the newer technologies that run on third-party applications or platforms.

On April 12, 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations published a Risk Alert “providing a list of compliance issues relating to fees and expenses charged by SEC-registered investment advisers… that were the most frequently identified in deficiency letters sent to advisers.” According to OCIE, investment advisers often explain the terms of a client’s fees and expenses in their Form ADV and their advisory agreements. If an investment adviser does not follow these terms and participates in improper fee billing, that investment adviser may be violating the Investment Advisers Act of 1940. The Risk Alert is designed to compel investment advisers to evaluate their practices, as well as their policies and procedures, to help ensure compliance with the Advisers Act.

Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years.  In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule.  According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.”  Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.

The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.”  As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements.

The Securities and Exchange Commission (SEC) recently issued a National Examination Risk Alert to investment advisers discussing the use of social media. Social media is becoming more widely used as a means to communicate with investors, and advisers need to ensure they are meeting their compliance requirements. The purpose of the alert is to inform advisers of ways they can improve and maintain sufficient compliance practices in using social media websites.

The SEC listed a number of issues for firms to consider as they evaluate the effectiveness of their compliance programs. Among these guidelines, areas firms are encouraged to consider include:

  • Whether they want to create usage guidelines to address which social media networks are appropriate for use and restrictions which may be appropriate for each network;
  • Whether to create content standards to prohibit specific content or impose other restrictions in relation to their social media networks;
  • How their compliance or supervisory personnel can adequately monitor the sites, and how frequently they should be monitored;
  • Whether content must be pre-approved before posting to a site;
  • Whether adequate resources are dedicated to monitoring the activity on the social media sites;
  • Developing criteria for allowing participation by third parties;
  • Implementing training related to social media-related compliance practices;
  • Whether certification should be required to ensure that those individuals using the social media sites understand and are complying with the firm’s internal policies;
  • Whether to adopt policies distinguishing between personal and professional sites, possibly specifying the types of communication about the firm which are acceptable on a site not maintained by the firm; and
  • How to maintain information security.


The Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) recently jointly issued a Risk Alert and a Regulatory Notice on broker-dealer branch office inspections designed to help securities industry firms better supervise their branch offices, as well as to underscore the importance of that supervision.

“An effective risk based branch office inspection program is an important component of a broker-dealer’s supervisory system and, when constructed and implemented reasonably, it can better protect investors and the firm’s own interest,” stated Stephen Luparello, Vice Chairman of FINRA.

The Risk Alert makes recommendations to firms, including:

  • Increasing the frequency of branch inspections, especially unannounced visits;
  • Customizing examinations to branch activity based on risk assessments;
  • Involving more senior personnel in exams;
  • Ensuring that examiners have no conflicts of interest; and
  • Increasing supervision of certain offices based upon surveillance data and requiring corrective actions to address deficiencies noted.
