
Ascendant’s Jason Morton to Speak on RegTech at Strata Data Conference

Alongside technology experts from American Express, Credit Suisse and CIBC, Ascendant’s Jason Morton will speak on developments in regulatory technology at the ‘Fintech Data Day’ at the annual Strata Data Conference on September 26, 2017 in New York. The Strata Data Conference is an annual conference for technology and business professionals seeking innovative and cutting-edge ways to leverage data to add value to their businesses. Jason’s presentation will address the challenges and opportunities for technologies that help firms and regulators detect manipulation in the markets, specifically how to leverage data to detect spoofing and layering.

Dr. Jason Morton

FINRA has defined layering as “entering limit orders with the intended effect of moving the market to obtain a beneficial execution on the other side of the market” and spoofing as the practice of “entering orders to entice other participants to join on the same side of the market at a price at which they would not ordinarily trade, and then trading against the other market participants’ orders.” Ultimately, both of these actions are attempts by traders to manipulate the price of securities by creating false representation of market interest and then directly benefiting from those false impressions.

For example, in a recently-settled CFTC enforcement case, a trader was placing spoof orders on the opposite side of the market as his ‘real’ orders for customers in order to create a false flurry of market activity regarding the securities, in this case gold and silver futures contracts. This false activity was designed to induce other market participants to fill his real orders. Once they did, he cancelled his spoof orders, which he never had any intention of filling anyway. On a number of occasions, he actually did move the market on these gold and silver contracts.

The expectation from regulators is not only that no one in your organization is committing that type of market manipulation or fraud as in this CFTC case, but also that you have adequate training, policies and controls to prevent it and good enough technology to detect it right away. This self-policing, Jason points out, has a critical dependency on a firm’s internal data-handling capabilities, but with the right technology framework, tools can detect patterns in large, structured data sets from fields like time stamps and cancellation messages and flag anomalies to compliance or risk officers to review. Jason is optimistic about the future of technology to help firms and regulators root out fraud and market manipulation in the industry, particularly in light of developments in machine learning and artificial intelligence – both key topics of discussion at Strata and internally with our own engineers: “this has the potential to unlock even higher rates of accuracy in discerning ordinary market behavior, particularly market-making behavior, from intentionally fraudulent behavior.”
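As an added example (not Ascendant’s or Jason Morton’s code, and not the method presented in the talk), the following Python sketches the kind of pattern a post-trade surveillance tool can look for in order-event data using exactly the fields mentioned above, time stamps and cancellation messages: a filled order on one side of the market flanked by much larger opposite-side orders from the same trader that were placed shortly before the fill and cancelled shortly after it without executing. The event-log format, the 5-second window and the 5:1 size ratio are assumptions chosen for illustration, and the sample event log is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One row of an order-event log (assumed format for this example)."""
    ts: datetime
    trader: str
    order_id: str
    side: str      # "BUY" or "SELL"
    qty: int
    action: str    # "NEW", "FILL" or "CANCEL"


@dataclass
class Order:
    """Lifecycle of a single order, rebuilt from its events."""
    trader: str
    side: str
    qty: int
    placed: datetime
    filled: int = 0
    fills: List[datetime] = field(default_factory=list)
    cancelled: Optional[datetime] = None


def build_orders(events: List[Event]) -> Dict[str, Order]:
    """Replay events in time order and collect each order's fills and cancellation."""
    orders: Dict[str, Order] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "NEW":
            orders[ev.order_id] = Order(ev.trader, ev.side, ev.qty, ev.ts)
        elif ev.action == "FILL":
            orders[ev.order_id].filled += ev.qty
            orders[ev.order_id].fills.append(ev.ts)
        elif ev.action == "CANCEL":
            orders[ev.order_id].cancelled = ev.ts
    return orders


def flag_spoofing(events: List[Event], window_seconds: float = 5.0,
                  size_ratio: float = 5.0) -> List[Tuple[str, str, List[str]]]:
    """Return (trader, filled_order_id, [suspect_order_ids]) for each filled order that
    was flanked by opposite-side orders from the same trader which were placed within
    window_seconds before the fill, cancelled unexecuted within window_seconds after it,
    and at least size_ratio times the filled quantity.  Thresholds are assumptions; a
    real system would tune them per product and send hits to compliance for review."""
    window = timedelta(seconds=window_seconds)
    orders = build_orders(events)
    alerts = []
    for real_id, real in orders.items():
        if not real.fills:
            continue
        fill_ts = real.fills[0]
        suspects = []
        for oid, o in orders.items():
            if oid == real_id or o.trader != real.trader or o.side == real.side:
                continue
            if o.filled or o.cancelled is None:   # executed, or still resting: not a candidate
                continue
            placed_before = fill_ts - window <= o.placed <= fill_ts
            pulled_after = fill_ts <= o.cancelled <= fill_ts + window
            if placed_before and pulled_after and o.qty >= size_ratio * real.filled:
                suspects.append(oid)
        if suspects:
            alerts.append((real.trader, real_id, sorted(suspects)))
    return alerts


# Constructed sample log.  "spf" layers two large bids, sells 100 into the interest
# they create, then pulls the bids.  "mm" quotes both sides at equal size and only
# cancels the unfilled side two minutes later, as a market maker routinely does.
_BASE = datetime(2017, 9, 1, 9, 30)


def _t(sec: float) -> datetime:
    return _BASE + timedelta(seconds=sec)


SAMPLE_EVENTS = [
    Event(_t(0.0), "spf", "b1", "BUY", 2000, "NEW"),
    Event(_t(0.3), "spf", "b2", "BUY", 3000, "NEW"),
    Event(_t(0.5), "spf", "s1", "SELL", 100, "NEW"),
    Event(_t(1.2), "spf", "s1", "SELL", 100, "FILL"),
    Event(_t(1.4), "spf", "b1", "BUY", 2000, "CANCEL"),
    Event(_t(1.5), "spf", "b2", "BUY", 3000, "CANCEL"),
    Event(_t(0.0), "mm", "q1", "BUY", 200, "NEW"),
    Event(_t(0.0), "mm", "q2", "SELL", 200, "NEW"),
    Event(_t(2.0), "mm", "q1", "BUY", 200, "FILL"),
    Event(_t(120.0), "mm", "q2", "SELL", 200, "CANCEL"),
]

if __name__ == "__main__":
    for trader, real_id, suspects in flag_spoofing(SAMPLE_EVENTS):
        print(f"review: trader {trader} fill {real_id} flanked by cancelled {suspects}")
```

The size ratio and time window are what keep the market-making pattern out of the alert list: loosening both (for instance a 200-second window and a 1:1 ratio) flags the market maker too, which is the false-positive trade-off the paragraph above alludes to when it distinguishes market-making from intentionally manipulative behaviour.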

Jason advises Ascendant on applied mathematics, statistics and quantitative modeling for the firm’s proprietary post-trade compliance technology suite. He is a tenured professor of Mathematics and Statistics at Pennsylvania State University and a visiting scholar in Computer Science at Harvard University. He has published papers in mathematics, mathematical finance, statistics, machine learning, computational complexity and quantum physics. His research has included factor modelling, credit derivative pricing and the foundations of deep learning. He holds a Ph.D. in Mathematics from U.C. Berkeley, an M.A. in Economics from the University of Michigan, and an A.B. from Harvard University. In addition to his academic experience, Dr. Morton worked for Credit Suisse in Mergers and Acquisitions and Technology Investment Banking, seeded hedge funds and managed an endowment.

Hurricane Season: How Does your BCM Program Stack Up?

As Hurricane Harvey touches down on U.S. soil and we hope for the safety of the millions in its path, we encourage all firms, even those outside Harvey’s path of flooding and damaging winds, to consider their BCM readiness for such an event.

Business Continuity Plans are designed to ensure firms have conducted sufficient advance preparation to minimize potential harm to clients or investors from interrupted services. The SEC has made numerous statements regarding the value of BCM plans and has proposed a rule to enhance regulatory safeguards to mitigate these risks to the industry and to investors. Weather is only one of the events that may trigger a Business Continuity scenario; others include cyber-attack, technology failures, departure of key personnel and other events.

A BCM plan should outline procedures to:

  1. Minimize the impact of the interruption as much as possible
  2. Sustain a minimally acceptable level of services for an extended period of time
  3. Return to normal business activities as quickly as possible

The reality is that in a natural disaster scenario, your personnel and clients in the immediate area of the disaster will have other considerations, most importantly their physical safety and that of their families. The U.S. government provides resources for individuals through www.ready.gov to plan ahead for such events. A BCM plan for your firm that has been thought through, well-vetted and tested can alleviate one component of the logistical stress inherent to an event like Hurricane Harvey, as well as protect your clients and investors.

And because you can’t always predict when a BCM scenario will occur, we recommend asking the following questions proactively, rather than reactively:

  • Are your written policies and procedures outlining BCM plans detailed enough?
  • Are your employees educated on the topic? How confident are you that they would know what to do in a BCM scenario?
  • Have you designated responsible parties for running BCM operations? This includes both owning the policy and running point on the day of an event.
  • Do you know what you would tell employees and clients, when and how you would distribute communications? As part of your BCM plan, you can outline who is responsible for such communications and even keep drafts at the ready.
  • Do you have a list of your critical vendors, and are you comfortable with their BCM procedures? Have you coordinated with them on your plans?
  • If your systems at your primary office location went down, would you be able to provide any services to clients? Is the data backed up?
  • When is the last time you tested your BCM procedures? If not within the last year, we highly encourage that you prioritize this.

In the event (like a hurricane or large storm) where you may have a few days’ notice, we recommend the following action items:

  • Send out a reminder about the firm’s BCM Plan and what messages employees can expect from the firm
  • Double check that the “call lists” are up to date or the call-out system is functioning properly
  • Double check with building management that physical safety protocols are in place and what they’re planning for the event
  • Remind each employee they should have a copy of the BCM Plan at home for reference
  • Remind employees that the firm will inform them about reporting to work after the event is over

Ascendant Compliance Management provides multiple services regarding Business Continuity, covering both working with you to craft policies and procedures, as well as assistance with data loss prevention, cybersecurity and testing. Contact us today to learn more.

Surprise, Surprise: SEC Conducting Unannounced Exams

The Boston Regional Office of the SEC has recently conducted roughly 20 unannounced visits to registered investment advisers in the region. This fact, confirmed during the recent meeting of the New England Broker-Dealer and Investment Adviser Association (NEBDIAA), is in keeping with the SEC’s renewed focus on a more robust examination program.

While onsite, the SEC has spoken with chief compliance officers and occasionally made document requests. Kevin Kelcourse, associate director for the SEC Boston Regional Office, recently confirmed that these surprise examinations are intended to catch advisers off-guard and prevent them from remedying potential violations before the SEC arrives.

During the recent NEBDIAA meeting, custody was noted as one of the focus areas of the surprise exams. There also appeared to be an early trend of examiners focusing on private equity firms as well as never-before-examined advisers.

At the moment, it is unclear whether other regional offices will follow Boston’s lead. It is important to be prepared for such an exam, though. Some steps that can be taken to ensure preparedness include:

  • Preparing a PowerPoint intended to welcome the SEC and showcase the adviser’s commitment to compliance;
  • Conducting a self-mock audit and identifying and locating necessary documents; and
  • Prepping employees for SEC interaction.

We will continue to keep you updated as new information becomes available.

DOL Fiduciary Rule Transition Period Extension to 2019 Requested

The Secretary of Labor, Alexander Acosta, made a court filing on August 9 requesting the Transition Period and Delay of Applicability for the Department of Labor Fiduciary Rule be extended from January 1, 2018 to July 1, 2019.

This court filing included extending the deadlines for the following Prohibited Contract Exemptions:

  • Best Interest Contract Exemption (PTE 2016-01): Relief for an adviser to still accept variable commissions
  • Class Exemption for Principal Transactions (PTE 2016-02): Relief for an investment adviser or broker-dealer to still engage in a riskless principal or principal transaction
  • PTE 84-24: Relief for an adviser to still accept third-party payments for insurance products

Per most recent guidance, firms are still expected to adhere to the Impartial Conduct Standards component of the Rule throughout the Transition Period, meaning:

  • Acting in the client’s best interest
  • Receiving no more than reasonable compensation
  • Making no misleading statements

Given the request for an extension and other open matters concerning the Fiduciary Rule, Ascendant believes that firms will delay making any additional changes to their policies and practices until further guidance is issued.

Note that this delay comes days after a comment letter the Insured Retirement Institute (IRI) submitted in response to the Department of Labor’s request for comment in June. The IRI letter provided data that the fiduciary rule was “causing customers to lose access to valuable retirement products and services,” citing an increased number of advisers ceasing services for accounts with a small balance. Also this week, the DOL published an FAQ on the Transition Period, stating that recommending to an investor that they increase their contributions to retirement accounts does not constitute fiduciary advice, so long as they do not “include recommendations with respect to specific investment products or recommendations with respect to investment management of a particular security or other investment property.”

With the SEC also issuing a Request for Comment in June regarding Standards of Conduct for Investment Advisers and Broker-Dealers, we expect to see continued developments and cross-agency dialogue on this topic in the coming months. We will continue to keep you informed of new developments.

SEC Cyber Sweep Highlights Areas In Need of Improvement

The results of the SEC’s second cybersecurity sweep examinations are in, and they paint a picture of an industry that has come to grips with the need to address cybersecurity risk, but where the canvas is incomplete in many respects. On August 7, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on “Observations from Cybersecurity Examinations” in which it describes its findings from examinations of 75 investment advisers and broker-dealers.

The Risk Alert is broken down into observations and issues identified at firms, including the following:

  • Most advisers now address cybersecurity to some extent in their policies and conduct cybersecurity risk assessments. Reg. S-P and Reg. S-ID were mostly addressed. Policies lagged in other cyber areas.
  • Half of advisers now conduct penetration tests or vulnerability scans to monitor their networks.
  • Software patching has improved at firms in the last two years.
  • Initial vendor due diligence by advisers has improved, although half of the advisers don’t follow up with ongoing due diligence of their vendors.
  • Firms had policies on cybersecurity training for their staff but were not enforcing or tracking it.

Ascendant has noted previously that cybersecurity-related deficiencies are likely to fall in one of three buckets:

  • Not having cybersecurity policies in place
  • Having inadequate cybersecurity policies that have not been tailored to the firm
  • Having strong cybersecurity policies but not adhering to them

The Risk Alert summarizing the Phase 2 Cyber Exams specifically confirmed these shortcomings, revealing that while most firms now have cyber policies, “a majority of the firms’ information protection policies and procedures appeared to have issues.”

It also observed several elements common to firms that had implemented robust controls, including:

  • maintenance of an inventory of data, information, and vendors, along with classification of risks and vulnerabilities;
  • detailed cybersecurity-related instructions, such as access rights related to employee onboarding and responsibilities;
  • established and enforced access controls, such as required immediate termination of access for terminated employees;
  • mandatory information security employee training; and
  • an engaged senior management staff that vets and approves policies and procedures.

Since its inception, Ascendant has been assisting investment advisers on Regulation S-P and business continuity issues, and since 2012 has helped firms create information security policies and procedures reasonably designed and tailored to their businesses.

And we are pleased to say that the issues identified in the Phase 2 cybersecurity examination summary are ones that we have helped clients of our cybersecurity services address through custom cybersecurity policies, cybersecurity testing, and training.

The SEC makes clear in the Risk Alert that cybersecurity exams are here to stay. If you’d like to see how Ascendant’s cybersecurity team can strengthen your cybersecurity program, or need help with services like cybersecurity risk assessments, vulnerability scanning, penetration testing, social engineering testing, and cyber training, please contact us.

Colorado Joins New York in Mandating Cybersecurity Controls for Financial Institutions

On the heels of the recently adopted New York State Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), Colorado has followed suit with its own set of protections. The Colorado Division of Securities has issued cybersecurity regulations applicable to broker-dealers and investment advisers registered with the state, codified in Sections 51-4.8 and 51-4.14(IA), respectively.

Section 51-4.14(IA) requires covered entities to establish and maintain written cybersecurity procedures reasonably designed to ensure cybersecurity. The “reasonableness” standard appears to be a sliding scale, taking into account factors such as:

  1. the firm’s size;
  2. third party vendors;
  3. the extent of the firm’s cyber policies, procedures, and training;
  4. the firm’s use of electronic communications;
  5. auto-lock controls for devices with access to Confidential Personal Information; and
  6. the firm’s process for reporting lost or stolen devices.

Factors 5 and 6 appear to be concerned with mobile devices.

The Colorado cybersecurity regulation requires two things:

  1. Cybersecurity included as part of the adviser’s risk assessment; and
  2. Written cybersecurity policies and procedures which are reasonably designed, with “reasonableness” judged on the foregoing factors, and addressing the following:
     • Annual cybersecurity risk assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information
     • Use of Secure Email containing Confidential PI
     • Authentication practices for employee access to electronic communications, databases, and media
     • Procedures for authenticating client instructions received electronically (e.g. addressing the risk of wire fraud and identity theft); and
     • Disclosure to clients of the risks of using electronic communications

Colorado defines “Confidential Personal Information” to include a first name or first initial and last name, in combination with one or more items such as a social security number; driver’s license number or ID card number; account number plus security code/access code/password to gain access to the account; an individual’s digital or electronic signature, or user name / unique ID / email address plus password, access code, security questions or other authentication that would permit access to the account.

The Colorado cybersecurity regulations were adopted by the Colorado Division of Securities on May 19, 2017 and formally approved by the Colorado Attorney General on June 7, 2017. The regulations became effective July 15, 2017.

Ascendant has designed an offering which includes cybersecurity procedures, cybersecurity training, and cybersecurity testing specifically for firms impacted by the Colorado cybersecurity regulation. To learn more, contact us at info@ascendantcompliance.com.