Articles Tagged with SEC Risk Alert

The Securities and Exchange Commission (“SEC”) recently published its sixth risk alert on cybersecurity since 2014. In this alert, the SEC focused on how its regulated firms protect themselves against ransomware risk. I previously wrote about the SEC’s last risk alert on ransomware here.

Ransomware is malware that stops a user from accessing either part or all of the data within their network or other systems until a ransom is paid. For ransomware to be effective, it must gain access to network data in some form or fashion, usually through user error, such as a user clicking a link, downloading a file, or doing something else which affirmatively provides the ransomware access to data. From there, the hacker typically encrypts data and demands payment to decrypt it.

There are varying studies, but up to 90% of financial services firms, including investment advisers, broker-dealers and investment companies, report that they have been targeted by ransomware. The SEC also reports that these targeted attacks have gotten more sophisticated in nature over the last few years, which necessitates greater allocation of resources from firms to protect themselves.

As we mentioned in an earlier post, in April of this year the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued separate risk alerts on the subjects of Form CRS and Regulation Best Interest (Reg BI). The risk alerts were designed to provide investment advisers and broker-dealers information regarding the anticipated scope and content of the examinations OCIE will conduct following the filing deadline for Form ADV, Part 3 and following the compliance date for Regulation Best Interest. In this post we examine the new requirements regarding Form ADV, Part 3, which we will refer to as “Form CRS,” and then review the SEC’s Risk Alert relating to Form CRS. Firms seeking to comply with the new requirements should carefully review the 17-page instructions to Form CRS. The SEC has also published a helpful Small Entity Compliance Guide.

Under the new requirements, federally registered RIAs must electronically file Form CRS via the IARD system and must deliver a Form CRS to all retail investors, regardless of net worth or sophistication. Currently registered RIAs or entities who currently have pending applications to become RIAs may file their Form CRS at any time, but they must file the initial CRS on or before June 30, 2020. The Form CRS may be filed as part of an initial application to register under Rule 203-1, or as an other-than-annual amendment to the Form ADV under Rule 204-1. Beginning June 30, 2020, any new application will be considered incomplete and will be rejected if it does not contain a Form CRS. Every RIA firm must post its Form CRS on its public website, but there is no requirement that a firm without a public-facing website must create one.

A new Risk Alert released by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) reminds advisers of the added compliance obligations that arise when hiring representatives carrying the baggage of reportable disciplinary histories. While by no means exhorting advisers not to hire such persons, the Risk Alert nonetheless encourages advisers to properly consider the obvious compliance risks presented by such hiring practices, and, in turn, to adopt prudent policies and procedures to address those risks.

We follow OCIE’s periodic Risk Alerts closely as they not only provide insights regarding the focus of recent OCIE examinations, but also provide insights as to what OCIE management will be directing the staff to focus on in the future. This particular Risk Alert is a read-out of the results of a recent series of OCIE exams from 2017 specifically targeting advisory firms that (i) previously employed, or currently employ, any individual with a history of disciplinary events and (ii) for the most part serve retail clients. Indeed, OCIE makes special notation of its “focus on protecting retail investors” as a genesis for both the targeted exam initiative (the “Initiative”) as well as this new Risk Alert. Accordingly, advisers with a large retail customer base should pay especially close attention to the new Risk Alert.

In conducting the Initiative, OCIE’s staff focused on three areas of interest: (i) the compliance policies and procedures put into place to specifically cover the activities of previously-disciplined individuals; (ii) the disclosures relating to previously-disciplined individuals required to be made in filings and other public documents (including advertising); and (iii) conflicts of interest implicated by the hiring of previously-disciplined individuals. With this roadmap in place, the Initiative identified a variety of observed deficiencies across a range of topics, including:

The SEC’s Office of Compliance Inspections and Examinations recently conducted examinations of privacy notices and safeguarding policies of SEC-registered investment advisers and broker-dealers adopted pursuant to Regulation S-P. As a result of these examinations, the SEC issued a Risk Alert identifying common deficiencies that are important to keep in mind when adopting, implementing and reviewing compliant privacy notices and effective safeguarding policies.

Regulation S-P requires financial institutions such as investment advisers and broker-dealers to adopt written policies and procedures to safeguard nonpublic personal client information. These policies must be reasonably designed to protect the confidentiality and security of nonpublic personal client information from any anticipated threats or hazards and any unauthorized access or use. The policies should address administrative, technical, and physical safeguards.

Investment advisers and broker-dealers must also provide initial and annual privacy notices to their clients describing the types of information collected and disclosed, the types of affiliated and non-affiliated third parties the information is disclosed to and, unless exempted from the opt-out notice requirement, an explanation of the client’s right to opt out of disclosure of nonpublic personal information to a non-affiliated third party. The privacy notice should also generally describe the firm’s safeguarding policies and procedures.

On April 12, 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations published a Risk Alert “providing a list of compliance issues relating to fees and expenses charged by SEC-registered investment advisers… that were the most frequently identified in deficiency letters sent to advisers.” According to OCIE, investment advisers often explain the terms of a client’s fees and expenses in their Form ADV and their advisory agreements. If an investment adviser does not follow these terms and participates in improper fee billing, that investment adviser may be violating the Investment Advisers Act of 1940. The Risk Alert is designed to compel investment advisers to evaluate their practices, as well as their policies and procedures, to help ensure compliance with the Advisers Act.

Whether or not the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) will formally name advertising as among its priorities in 2018, it is clear from its activity and that of the Enforcement Division in 2017 that advertising should remain a concern of every registered investment adviser and chief compliance officer.

In September 2017, OCIE published a Risk Alert identifying the most common compliance issues pertaining to Rule 206(4)-1 of the Investment Advisers Act of 1940, otherwise known as the “Advertising Rule.” An advertisement includes “any notice, circular, letter or other written communication addressed to more than one person, or any notice or other announcement in any publication or by radio or television, which offers” advice regarding securities. The Advertising Rule forbids an investment adviser from “directly or indirectly… publishing, circulating, or distributing any untrue statement of material fact, or that is otherwise false or misleading.”
