Cyber Crimes – Don’t Forget to File that SAR!

 

Stopping, or even slowing, the proliferation of cyber-event related criminal activities remains a chief goal in the broker-dealer and investment advisory communities. As pointed out in a 2016 advisory released by the Financial Crimes Enforcement Network (“FinCEN”), “Cyber-events targeting financial institutions often constitute criminal activity and can serve as means to commit a wide range of further criminal activity.”[1] The FinCEN Advisory went on to provide guidance on how Bank Secrecy Act (“BSA”) regulatory requirements, including the filing of Suspicious Activity Reports (“SARs”), apply to cyber-events.

The nexus between SAR filings and cybersecurity, as well as the need for close coordination between IT and AML compliance staff, was also highlighted in remarks at a SIFMA Conference by Susan Axelrod, FINRA Executive Vice President, Regulatory Operations.[2]  Axelrod reminded firms that “…in the cybersecurity area, firms are required to report patterns of intrusion on their suspicious activity reports (SARs). So, it’s essential that your cybersecurity staff remain in close contact with your AML staff.” To foster the kind of close contact recommended by Axelrod, Ascendant believes that, among other measures, AML compliance and IT staff should strongly consider performing ongoing risk assessments to identify specific cybersecurity and AML risks, and develop system countermeasures to thwart system intrusions.

SAR Reporting of Cyber-Events is Required

The FinCEN Advisory noted that “cyber-events that could affect a transaction or series of transactions are reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”

When determining if a cyber-event triggers a SAR filing, all available information must be evaluated to develop the fact pattern, such as the nature of the data, systems impacted and clients or firm accounts targeted. Ascendant has frequently observed that senior management, compliance, and, as applicable, in-house legal and outside counsel are involved in making the determination of whether to file a SAR. In deciding the monetary amount involved in the transactions or attempted transactions, the FinCEN Advisory pointed out that firms “… should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.”

Brief Background on SAR Filings – Who Must File:

Broker-dealers have been required to file SARs since December 30, 2002, when the Department of the Treasury (Treasury) issued new rules requiring such reports with FinCEN, a bureau of Treasury. For investment advisers, filing SARs is voluntary, although under FinCEN’s proposed AML rules, investment advisers will be required to file SARs.[3]

What are the SAR Reporting Requirements for Broker-Dealers?

A broker-dealer must report a transaction on Form SAR-SF if (a) the transaction is conducted or attempted by, at, or through a broker-dealer,[4] (b) it involves or aggregates funds or other assets of at least $5,000, and (c) the broker-dealer knows, suspects, or has reason to suspect that the transaction (or a pattern of transactions of which the transaction is a part): involves funds derived from illegal activity or is intended or conducted to hide or disguise funds or assets derived from illegal activity; is designed, whether through structuring or other means, to evade the requirements of the BSA; appears to serve no business or apparent lawful purpose or is not the sort of transaction in which the customer would be expected to engage and for which the broker-dealer knows of no reasonable explanation after examining the available facts; or involves use of the broker-dealer to facilitate criminal activity.

SAR Filings – Potential Regulatory Consequences

Under the BSA rules, FinCEN may bring an enforcement action for violations of the reporting, recordkeeping, or other requirements of the BSA, including matters relating to the filing of or the failure to file SARs. FinCEN’s Office of Enforcement evaluates enforcement matters that may result in a variety of remedies, including the assessment of civil money penalties.

FinCEN has assessed penalties for the failure to file SARs in a number of enforcement cases. To illustrate, in February 2015, FinCEN assessed a civil money penalty of $1.5 million against a community bank for failing to file SARs on accounts held by one of its directors, a Pennsylvania judge who was convicted of judicial corruption. In this case, the bank failed to investigate the accounts after receiving a law enforcement subpoena. More recently, in November 2017, the SEC assessed $3.5 million in penalties against a wire-house for its failure to file or timely file a number of SARs from approximately March 2012 through June 2013. The majority of these involved the failure to timely file SARs on ongoing suspicious activity that continued after an initial SAR filing by the firm on related suspicious activity.

Some Key Takeaways (Not an Exhaustive List)

  1. Review your firm’s internal policies regarding SAR filings to ensure that cyber-events are covered and that a thorough process is in place to determine when SAR filings are required and, in particular, when outside counsel or, as needed, regulators and/or law enforcement should be consulted.
  2. Include a tailored discussion of cyber events and SAR filings in your annual AML training. As part of the training, where relevant, provide examples of AML enforcement actions where SAR issues are noted as part of the fact pattern.
  3. AML and IT staff should conduct a risk assessment to identify cyber and AML risks and adopt policies to mitigate such risks, such as implementing enhanced AML surveillance systems.
  4. Monitor the progress of FinCEN’s proposed AML rules for investment advisers, as the adoption of these rules will require investment advisers to file SARs.

[1] The Financial Crimes Enforcement Network (FinCEN), a bureau of the US Treasury Department, issued an advisory, dated October 26, 2016, regarding cyber-events and crime. A cyber-event can be defined as an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.

[2] In remarks on February 9, 2017, at the Securities Industry and Financial Markets Association’s (“SIFMA”) Anti-Money Laundering and Financial Crimes Conference.

[3] On August 25, 2015, FinCEN proposed a rule requiring investment advisers to establish anti-money laundering (AML) programs and report suspicious activity to FinCEN pursuant to the Bank Secrecy Act (BSA). While the proposed rule has not yet been adopted, indications are that it will be: on March 8, 2017, in statements made to the trade publication Financial Planning, a FinCEN spokesman said that FinCEN is currently in the process of reviewing public comments. “The next step is to draft a final rule and, beyond that, to work with OMB on how to proceed,” the agency spokesman said.

[4] A transaction includes a deposit; a withdrawal; a transfer between accounts; an exchange of currency; an extension of credit; a purchase or sale of any stock, bond, certificate of deposit, or other monetary instrument or investment security; or any other payment, transfer, or delivery by, through, or to a broker-dealer.

DOL Rule Extension to Overlap with SEC Consideration of Fiduciary Standards

Following the Department of Labor’s November 27, 2017 announcement of an 18-month extension to the existing Fiduciary Rule transition period, the industry will enter a period of further study for proper standards for disclosure or elimination of conflicted compensation arrangements. That’s a mouthful right there.

The Obama administration’s March 31, 2017 implementation of various new prohibited transaction exemptions (PTEs), including BIC and principal transaction exemptions, never made the finish line. Partial implementation of the rule, with implementation of impartial conduct standards, on June 9, 2017, helped the Trump Administration-led DOL delay the full measure of BIC and other PTEs until January 1, 2018.

The DOL’s November 27 announcement means we now wait until July 1, 2019 for further implementation. Chairman Jay Clayton meanwhile has the SEC’s team on track for fiduciary standard rule-making. The DOL rule cast a wide net by adding every recommendation made to an IRA or ERISA qualified account. The SEC may focus more specifically on retail clients, which the SEC has been identifying as a rule-making and examination priority. Yes, clearly there is overlap, with the challenge remaining of how to disclose all compensation received for financial advice and securities product sales and marketing in the retail and/or retirement asset markets.

A closing reminder that the DOL process for fiduciary standard reform started about a decade ago. It should be no surprise that this will take a long time. In the meantime, under the DOL Rule, advice to IRA account holders and qualified ERISA plans should be according to a best interest standard. Advisers should document advice and why it is in the client’s best interest in situations such as providing a recommendation to roll over assets into IRAs.

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF?

Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate large blocks of equity securities of publicly held companies. Generally, under Section 13(d), any person who indirectly or directly becomes the beneficial owner of more than 5% of an issuer’s equity securities registered under Section 12 of the Exchange Act must file with the SEC a Schedule 13D within 10 days after the acquisition. A person may generally file a short‐form statement on Schedule 13G in lieu of a Schedule 13D if the filer meets certain qualifications including being a “passive investor.”

Since ETFs are structured as open-ended funds, with market makers able to create and redeem shares to satisfy market demand, the value of the shares does not materially differ from the value of the per share NAV of the Fund. The SEC’s view is that so long as there is not a material difference between the actual market price of ETFs and the NAV of the shares, there is no ability to exploit inside information. However, the SEC did state that if ETFs begin to trade at prices that materially deviate from NAV, then the relief available in the No-Action letters would no longer be available.

As stated in the SEC’s Select Sector SPDR Trust No-Action Letter dated May 6, 1999, “An Insider of an open-end fund generally would not be able to exploit inside information by buying or selling shares of the fund on the basis of an anticipated change in the shares’ value because an open-end fund is required to price its shares, and effect redemptions and sales of its shares, at NAV.”

As stated in the SEC’s PDR Services Corporation No-Action Letter publicly available December 14, 1998 and referenced within the previous no-action letter: “In reaching this position, we note particularly your representation that each Fund’s Shares have traded and will continue to trade at prices that do not materially deviate from NAV. If any funds’ Shares begin to trade at prices that materially deviate from NAV, the relief granted in this letter would no longer be available.”

What Should Fund COOs Worry About?

Given the dramatic impending changes in regulatory reporting requirements for asset management firms, their chief operating officers, administrators and compliance officials have pretty “full plates” these days. There is no shortage of reporting issues that hedge, mutual, and exchange-traded funds must address, including more extensive requirements arising from the SEC’s modernization drive, such as forms N-PORT, N-CEN, N-LIQUID, and major changes to Form ADV. International regulators have been active as well, imposing new or revised reporting standards such as the European Union’s MiFID II and EMIR, and Switzerland’s FinfraG. These emerging developments will add to funds’ existing reporting burdens, which already include various registration requirements, disclosures of holdings and trading activity, KYC and AML reporting, tax-related reporting, and a host of other disclosures.

Much has been written by consultants, software providers and the regulators themselves about how to comply with each new or revised reporting standard. It is important, however, to take a step back and look at the bigger picture – identifying broad business concerns that are triggered by new reporting protocols. My perspective on these concerns has been shaped by my experience as a former COO of a $7 billion hedge fund, and as the founder and CEO of a successful regulatory and compliance reporting provider for investment managers…

The full article can be read by clicking here.

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it really doesn’t provide any good suggestion for how to resolve the matter. The Securities and Exchange Commission (SEC) has repeatedly indicated that getting clients and custodians to sign a letter has been their interpretation since 2003.

The Investment Adviser Association has had several meetings with the SEC to discuss this issue in hopes of finding another remedy, IAA Assistant General Counsel Laura Grossman said in a panel discussion with Charles Schwab & Co.’s Kimberly Davis and Ascendant’s Jackie Hallihan during Ascendant’s recent compliance conference. Many custodians do not want to sign the letters suggested by the SEC because they are fearful of any additional liability this may cause.

Grossman indicated during the panel that the SEC may have proposed a solution. It would like to see the following:

  • The adviser sends one letter to the custodian stating, “We do not know if we have custody based on paperwork, but we don’t need it and will not act on it.” The letter doesn’t need to be signed by the Custodian; thus, it’s a one-way letter.

The adviser could also send a letter to the client stating that they don’t know if there is custody due to custodial paperwork but that they will not act on it. (The SEC hasn’t yet indicated whether this letter would need to be signed). Additionally, the SEC wants to see strong controls in place to ensure no distributions can be made.

It therefore may come down to notice plus controls: notice to the custodians and the internal controls to ensure protection of client assets.

The IAA hopes to get the SEC to opine on this as soon as possible since it will impact the ADV filings coming up for AUA filings.

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research.

MiFID II is a series of regulations in the EU which will replace the current Markets in Financial Instruments Directive (“MiFID”) as of January 3, 2018. The MiFID II regulatory regime is designed to increase the transparency and stability of the European capital markets. Its provisions are comprehensive and cover a large swath of activities, including:

  • Research Payments: Advisers subject to MiFID II will no longer be able to accept research as a tangential benefit to trade execution services, the “soft dollar” practice which is common in the U.S. Instead, MiFID II-regulated firms will need to pay hard dollars for research, either from their own P&L or from a MiFID II regulated Research Payment Account (“RPA”).
  • Best Execution: MiFID I required firms to “take all reasonable steps to obtain, when executing orders, the best possible result for their clients taking into account price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order.”[1] MiFID II requires firms to take “all sufficient steps.” Firms are responsible for implementing policies and procedures to ensure that execution practices are working well and issues or deficiencies are promptly found and remediated.
  • Trade and Transaction Reporting: New pre- and post‐trade reporting, along with T+1 transaction reporting, will become mandatory and will lead to new publication entities emerging as authorized APAs (Approved Publication Arrangements) to support near real‐time, post‐trade reporting. T+1 transaction reporting will operate either directly through the local National Competent Authority (NCA) or via an authorised Approved Reporting Mechanism (ARM). Where firms were previously required to submit only 24 data fields for certain financial instruments (primarily exchange-traded Equities and certain derivatives), firms are now required to submit 65 data fields across an increased universe of financial instruments. Firms trading on European trading venues are already starting to update their systems to provide such information, as well as obtaining new data such as a Legal Entity Identifier (“LEI”).
  • Position Limits: Firms will be subject to limits on the maximum size of position that can be held in commodity derivatives (aggregated across trading venues and OTC).
  • Product Governance: MiFID II will require firms to “act in the clients’ best interests during all stages of the life-cycle of products or services.”[2] This means the marketing and distribution of financial products to consumers will require increased disclosure, as well as in-depth analysis of “target market” for a given offering.

The no-action relief provides a path for market participants to comply with the research requirements of MiFID II in a manner that is consistent with US federal securities laws.

The three letters provide the following relief, in short summary:

  • SIFMA: In a letter to the Securities Industry and Financial Markets Association, the Division of Investment Management provided temporary relief for broker-dealers that provide research services to Managers: generally, the Division will not recommend enforcement action to the SEC if a broker-dealer provides research services that constitute investment advice. In other words, the Division will not consider those broker-dealers to be investment advisers. Without this relief, broker-dealers may have been providing investment advice and subject to regulation under the Advisers Act, when they received Research Payments. This relief is valid only for thirty months from the MiFID II implementation date, at which time we expect further guidance from the SEC.
  • SIFMA Asset Management Group: In a letter to the SIFMA Asset Management Group, the Division of Trading and Markets staff stated it will not recommend enforcement action to the SEC against a money manager relying on Section 28(e) of the Exchange Act, when it complies with the MiFID II RPA requirements, in the following 4 circumstances: the money manager makes payments to an executing broker-dealer out of client assets for research alongside payments to that executing broker-dealer for execution; the research payments are for research services eligible for Section 28(e)’s safe harbor; the executing broker-dealer effects the transactions for purposes of 28(e); and the executing broker-dealer is legally obligated by contract with the money manager to pay for research through the use of an RPA in connection with a CCA.
  • Investment Company Institute (“ICI”): In its letter to ICI, the Division of Investment Management provided relief under the Investment Company Act of 1940 and the Advisers Act, to permit advisers subject to MiFID II to continue to aggregate client orders, where some clients may pay different amounts for research because of MiFID II requirements but all clients will receive the same average price for the security and execution costs.

We encourage all firms impacted by MiFID II to take action to ensure that any required changes to policies, procedures and internal systems are complete by the January 3, 2018 compliance date.


MiFID II Ready with CSS

CSS TradeSentry provides trading surveillance and post-trade compliance tools to perform transaction cost analysis, broker analysis, and commission testing, powered by Ascendant industry expertise and IHS Markit reference data.

Silverfinch provides regulatory data management solutions, with streams tailored for asset managers and distributors to comply with product governance requirements under MiFID II.

Advise Technologies offers global regulatory reporting solutions through its Consensus, Vault and Signal product lines, including MiFID II transaction reporting as an Approved Reporting Mechanism (ARM).

Contact us at info@ascendantcompliance.com or at (860) 435-2255 to learn more about how the CSS product suite can assist your firm in meeting its MiFID II requirements.