Advisers Beware: FBI “Operation WireWire” Shows Firms Increasingly Being Targeted Using SEC Filings

CSS has observed more and more investment advisers falling victim to Business Email Compromise, or “BEC,” schemes over the past year. Unfortunately, they are in good company, as the trend is consistent with a worldwide increase in such attacks by increasingly skilled hacker networks.

On June 10, 2018, the FBI announced in a press release that it had coordinated with the U.S. Department of Justice and international authorities over the course of six months to cripple an international hacker network, ending in the arrest of 74 people across the U.S., Nigeria, Canada, Mauritius, and Poland. According to the FBI, the hackers used publicly available information including data from SEC filings to target key employees at firms. Social media sites also include a wealth of information useful in performing reconnaissance on a target, including identification of which employees are in which roles, and with which business partners they are connected. Furthermore, an investment adviser’s own website may include specific information about which IT vendor the firm is using to host its website, which vendor is used for a client or investor portal, and in which portfolio companies the private equity firms may have invested.

The scam has numerous variations but generally works like this:

  1. Information is combed from SEC filings, social media sites, firm websites, and other public sources to identify target employees
  2. The information is then used to create very targeted spear-phishing attacks against C-suite and other key employees at firms, with the ultimate goal of inducing the target into entering their email credentials into a fake web form. In some cases, the hackers have registered fake domains and websites that appear similar to the real websites. Often, the spear phishing email induces the target to enter credentials under the guise of updating a password to improve security or to access a file shared by a trusted third party.
  3. Once the hackers have obtained the email credentials, they log into the employee’s business email account. There, they peruse information in emails to build a picture of the parties with whom the employee regularly communicates and of the employee’s style of grammar.
  4. The hackers then create email rules within the email account settings to forward a copy of inbound and outbound emails to the hackers’ own email addresses. In some instances, the hackers also direct communications involving certain third parties into hidden or infrequently accessed sub-folders in the account’s inbox. This way, the hacker can use the employee’s business email account to communicate with the employee’s contacts, and the employee is none the wiser because he or she can still access the email account and nothing nefarious appears in the regular inbox or outbox.
  5. The hackers then induce either the email account owner, or a trusted contact of the email account owner, to wire money to the hacker, or in some cases to a “money mule” through whom the funds pass and who gets to keep a small fraction of the money.
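
One way to check mailboxes for the rule abuse described in step 4, shown as an added example that is not part of the original post. The rule fields, the firm domain and the sample rules are assumptions: a hypothetical export schema with constructed data, not any mail product's real API.

```python
# Added example: audit an export of mailbox rules for the pattern in step 4.
# The rule fields (forward_to, move_to_folder, ...) are a hypothetical export
# schema, not a real product API; map your platform's fields onto it.

FIRM_DOMAINS = {"examplefirm.com"}   # constructed: domains the firm owns
QUIET_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email"}

# Constructed sample data: three rules from two mailboxes.
SAMPLE_RULES = [
    {"mailbox": "cfo@examplefirm.com", "name": "sync", "enabled": True,
     "forward_to": ["cfo.examplefirm@mail.example"], "move_to_folder": None,
     "mark_read": False, "from_contains": []},
    {"mailbox": "cfo@examplefirm.com", "name": "filter-2", "enabled": True,
     "forward_to": [], "move_to_folder": "RSS Feeds",
     "mark_read": True, "from_contains": ["custodian.example"]},
    {"mailbox": "ops@examplefirm.com", "name": "Newsletters", "enabled": True,
     "forward_to": ["archive@examplefirm.com"], "move_to_folder": "Newsletters",
     "mark_read": False, "from_contains": ["news.example"]},
]

def domain_of(address):
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def audit_rule(rule, firm_domains=FIRM_DOMAINS):
    """Return the reasons a rule matches the forwarding/hiding pattern."""
    findings = []
    external = [a for a in rule.get("forward_to", [])
                if domain_of(a) not in firm_domains]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in QUIET_FOLDERS and rule.get("from_contains"):
        findings.append("hides mail from %s in '%s'" % (
            ", ".join(rule["from_contains"]), rule["move_to_folder"]))
        if rule.get("mark_read"):
            findings.append("marks the hidden mail as read")
    return findings

def audit(rules):
    """Map (mailbox, rule name) -> findings for enabled rules that match."""
    report = {}
    for rule in rules:
        if rule.get("enabled") and (found := audit_rule(rule)):
            report[(rule["mailbox"], rule["name"])] = found
    return report

if __name__ == "__main__":
    for (mailbox, name), found in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(found))
```

A finding is a prompt to ask the mailbox owner whether they created the rule, not proof of compromise on its own.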

CSS has observed hackers going so far as to mimic not only invoices from vendors but also capital call notices, and to open accounts at custodians, direct the money there, and quickly liquidate and close the accounts.

According to the Internet Crime Complaint Center (IC3), BEC schemes have resulted in over $3.7 billion in losses since it began tracking the schemes, and this number only reflects those scams which have been reported.

The FBI has a useful infographic about BEC schemes available here: https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise

Helpful Tips

  • Conduct regular phishing testing of your staff to remain vigilant. Please contact us for more information about Shield, featuring our phishing testing service complete with detailed reporting.
  • Include social engineering in the scope of your compliance training.
  • Be wary of email requests to click links or enter information. You can hover over the email link to see if it points to a legitimate URL, or visit the website yourself by typing in the known URL directly.

Deputy Attorney General Rod Rosenstein Discusses Compliance Program Effectiveness

The embattled U.S. Deputy Attorney General Rod Rosenstein recently spoke to compliance pros at the 2018 Annual Conference for Compliance and Risk Professionals. Bulleted below are some of the statements from his keynote speech, which evidence the view from near the top of the Department of Justice:

  • As to what it means to have a culture of compliance, he gave details: “Employees should be trained and encouraged to think about compliance issues in making business decisions.” “In a company with an effective and adequate compliance program, the legal, compliance, and audit departments are not the only repositories of professionals monitoring and evaluating what the business does.” “Compliance should not be treated as separate and distinct from other business goals.”
  • He emphasized the importance of “precision” and “close reading,” as “the future of a business may turn on a seemingly minor detail.  Obsessing over details is part of our job.”
  • He stressed the societal implications, for example: “Our society cannot permanently endure” without “the fiduciary principle,” “the principle of trusteeship.”
  • He talked about fiscal value: “When a company creates and fosters a culture of compliance, it creates value.  Compliance is an investment.” Compliance “makes companies more valuable and less likely to encounter unanticipated costs that may result from protracted investigations and penalties.”
  • He gave the “two principal questions” the DOJ asks about a company’s compliance function when that company comes under investigation: essentially, what was the state of the compliance function at the time of the conduct, and what is its current state, after remediation.

As part of SEC exam readiness, CSS often recommends additional and direct outreach from the CCO to firm owners, other C-Suite executives, and senior management, including, for example, providing reading material for insight into regulators. Consider passing this speech up the chain or to other management members.

Cayman Islands Updates AML Regulations for Private Equity

The Cayman Islands has further bolstered its anti-money laundering (“AML”) and countering of terrorist financing (“CTF”) rules. The new AML/CTF rules become effective on May 31, 2018 and will affect, among others, unregulated investment entities—such as private equity firms—domiciled in the Cayman Islands. The deadline to appoint AML officers, however, is September 30, 2018 for existing funds and June 1, 2018 for new funds.

The new requirements include designating a Deputy Money Laundering Reporting Officer, adopting a risk-based approach towards client due diligence, conducting due diligence on new employees and using the correct sanctions list. The new rules also require the identification of beneficial owners so that the right level of due diligence can be conducted on them. Lastly, the penalties for non-compliance have been increased.

Currently, the Cayman Islands Monetary Authority (“CIMA”) is developing a sector-specific Guidance Note for unregulated investment entities, but there is no indication as to when that guidance will be published. In the meantime, it would be prudent to designate a Deputy Money Laundering Reporting Officer and let Ascendant help update your policies and procedures. Click here to see if your fund is registered with CIMA.

Please contact Ascendant directly for further information.


Post written by Nick Burdman

SEC Creates Bogus ICO Site to Teach About Cryptocurrency Fraud

On May 16, 2018, the SEC’s Office of Investor Education and Advocacy launched an educational website meant to demonstrate a fraudulent initial coin offering (ICO). The website, HoweyCoins.com, mimics a bogus coin offering touting a too-good-to-be-true investment opportunity. The website includes several of the features common to fraudulent offerings, including promises of guaranteed returns, complex jargon, vague explanations and a countdown clock to entice participation.

“Fraudsters can quickly build an attractive website and load it up with convoluted jargon to lure investors into phony deals,” said Owen Donley, Chief Counsel of the SEC’s Office of Investor Education and Advocacy, in a press release announcing the initiative.

ICOs are a new and growing part of the investing landscape. By highlighting the perils associated with these products, the SEC is reinforcing its commitment to investor protection.

Get Ready for Form ADV, Part 3: Form CRS

Are you ready for Form ADV Part 3? As if the last annual updating amendment filing was not tedious enough with all the additional information related to separately managed accounts, the process will further evolve with the SEC’s proposal for a Form ADV Part 3, also referred to as Form CRS. But don’t worry, it can only be four pages in length!

You will now be required to provide retail clients with a relationship summary that is concise and direct, by using short sentences, an active voice, and definite, concrete, everyday words. Firms would not be permitted to use legal jargon, highly technical business terms or multiple negatives. But never fear, the relationship summary can include references and links to other disclosures where interested investors can find additional information. The format is prescribed so that retail investors can compare these details across firms.

The relationship summary would require eight separate items covering: (i) introduction; (ii) relationships and services the firm provides to retail investors; (iii) standard of conduct applicable to those services; (iv) the fees and costs that retail investors will pay; (v) comparisons of brokerage and investment advisory services (for standalone broker-dealers and investment advisers); (vi) conflicts of interest; (vii) where to find additional information, including whether the firm and its financial professionals currently have reportable legal or disciplinary events and who to contact about complaints; and (viii) key questions for retail investors to ask the firm’s financial professional. Most importantly, all information in the relationship summary must be true and may not omit any material facts necessary to make the required disclosures not misleading. So, get ready to provide even more information to potential clients…including disciplinary information!

Investment advisers would file their relationship summaries electronically in a text-searchable format through IARD in the same manner as they currently file Form ADV Parts 1A and 2A. But do not start to draft your Form CRS just yet, as the SEC is still within the commentary period of the rulemaking and has a great deal of outstanding questions they want the industry to opine on. As highlighted in the rule proposal, the SEC is seeking guidance from the industry on many salient points, such as:

  • Should firms only be required to deliver the relationship summary to retail investors?
  • Should retail investors be defined for purposes of Form CRS to include all natural persons, as proposed?
  • Should we conform the definition of retail investor to the definition of retail customer as proposed in Regulation Best Interest, which would include non-natural persons who use the recommendation primarily for personal, family, or household purposes?
  • Should we include any additional definitions of terms or phrases in the relationship summary?
  • Will the length and presentation proposed for the relationship summary be effective for retail investors?
  • Are there too few or too many items that would be required in the relationship summary?

These are just a sampling of the questions the SEC sought feedback on. In fact, there were pages and pages of questions presented in the proposal. Never fear though, as the SEC has already provided sample documents laying the foundation of what they desire to see within the relationship summary document and the format it should take.

For now, we wait for the final rule to be presented. But while you wait, maybe ask for a modest increase in your compliance budget next year! If you need supporting information to justify this increase, just reference the 40+ pages included in the proposal on the financial impact to investment advisers.


If you need more help on Form CRS, visit our Ultimate Guide to Form CRS page, with information about the regulation, as well as our solution.

For Cryptocurrency and Blockchain, a Reckoning is Coming

NOTE: Ascendant Director of Cyber IT Services E.J. Yerzak recently spoke at the AIM Summit in Abu Dhabi, a conference that targets alternative investment managers. The following is a brief summary of his key comments during his two sessions, “Primer on Crypto Currency, Distributed Ledger Technology and ICO’s,” and “Legal & Regulatory Insights/AML – Blockchain.”

The author in Abu Dhabi

When it comes to cryptocurrency, we are in exciting times in that a reckoning is likely to occur soon, leading to a survival of the fittest. In 2017 and 2018, cryptocurrency and blockchain have gone from fad to mainstream, and international regulators have finally taken notice. As the number and type of cryptocurrency and blockchain investment possibilities have exploded, regulators are beginning to take action to sanction those companies engaging in unregistered offerings, and to force others to cease operations. Meanwhile, regulators from the U.S. to South Korea are starting to lay the groundwork for allowing investments in cryptocurrency that still provide them with comfort that investor risk is addressed through a combination of disclosures and controls to safeguard the integrity and security of the securities involved, and that anti-money laundering risk is addressed through “Know Your Customer” (KYC) processes. Other jurisdictions, such as Malta, appear to be positioning themselves as “crypto-friendly” to ride the wave.

Even as interest in alternative investments continues its rapid ascent, I believe a purge will occur and only a few truly viable cryptocurrencies will survive and remain of interest to mainstream investors. However, the underlying blockchain technology will play an enormous role in transforming the investment industry as we know it — everything from where your assets will be held to how they will be valued.

For now, the importance of performing thorough due diligence on the investments you are considering is paramount – weeding out the scams from the legitimate investment platforms, and then identifying those cryptocurrencies that have the most potential to retain and increase their value (which in part will be determined by those who can adapt to play by the rules and the changing regulatory environment).

The alternative investment industry cares where, and in what financial instruments, they will be permitted to invest their money and their firm’s money. Legal and regulatory developments in the Initial Coin Offering (ICO) and blockchain and cryptocurrency space will largely shape which securities remain viable and which will likely fade from existence or be forced to cease operating in, or offering to, certain jurisdictions. I believe the industry also cares about separating hype from reality, and identifying viable, valuable investment opportunities from frauds and scams looking to capitalize on the cryptocurrency buzz.

While most of the buzz in the U.S. has been around retail investors getting into cryptocurrency, the SEC is concerned with making sure investors appreciate the risks of such volatile investments and can withstand a loss, which is why certain conditions such as the accredited investor threshold are in place. The retail interest in, and demand for, cryptocurrency exposure in their portfolios may be driving a renewed look at whether many retail investors should be categorically excluded from this asset class or should be given opportunities similar to their institutional peers. Similarly, institutional investors appear to be considering exposure to this relatively new asset class for fear of missing out. Either way, it seems clear that while cryptocurrencies are here to stay, a reckoning is coming.