Compliance Perfection Isn’t Realistic. Amen.

spoke at the 2016 FINRA Annual Conference in Washington, DC, on May 23, focusing on the intersection of compliance and commerce. During his speech, he pointed out passionately that enforcement is just a part, not the whole, of an effective regulatory program. He said:

“While regulators strive to help the industry be perfect, we know that perfection isn’t realistic. And the regulatory structure is not a failure if some enforcement is required. Each day we should count it an equal triumph when an examination or our market surveillance program identifies issues and provides guidance that allows our firms to do the right thing by their clients without the need for an enforcement action.”

We agree wholeheartedly.

Guidance, doing the right thing, understanding the regulations and building solid compliance programs are triumphs not just for the regulated firms, but also for the industry and investors alike. Building strong cultures increases revenue and preserves hard won reputations.

So, What Happens to SARs?

With investment advisers encouraged to begin filing suspicious activity reports (SARs) as soon as possible upon the issuance of the final anti-money laundering rule, some have wondered, what exactly happens with the reports after they’ve been filed?

The SEC’s Enforcement Division has an Office of Market Intelligence, which does look closely at all of the filed reports. Within that group, there’s a Bank Secrecy Act Review Group that really focuses in further.

In a February 2015 speech, Andrew Ceresney, Director of the SEC’s Enforcement Division, noted that this group reviews the SAR filings within two weeks:

“In the course of a year, this group reviews between 27,000 and 30,000 SARs. If a SAR is filed by a broker-dealer, that group will see it, along with any other SARs filed by any other type of financial institution about any entity, person or transaction within our jurisdiction. On average, the group reviews your SARs within two weeks of filing; researches the allegations; and passes them along to examination and enforcement staff throughout the country as relevant.”

Observations on CCO Liability

Concerns and confusion regarding CCO liability still abound. Here are a few words on the topic…

CCOs Worry About Liability Even Amidst SEC Assurances
I think it is telling that CCOs are worried about CCO liability, even with clear messaging from the SEC that the agency views CCOs as important “partners.” Our recent ComplianceCast polling revealed 89% of the CCOs attending said they are worried about liability, with a mere 11% saying they were not. Interestingly, 100% do not currently have CCO liability insurance.

Concerns Voiced about Outsourced CCOs Apply Equally to “In-house” CCOs
OCIE talks about the growing trend in outsourced CCOs in its November Risk Alert, offering observations of what works and what doesn’t. And of the highlighted observations, it seems to me one can apply the same considerations whether the CCO is an employee, outsourced contractor or consultant. They still must be empowered and knowledgeable, with the authority to be effective. And what about wearing multiple hats? Former Commissioner Luis Aguilar said, “The vast majority of these Enforcement cases [against CCOs] involved CCOs who ‘wore more than one hat…’” “In fact, since the adoption of Rule 206(4)-7, enforcement actions against individuals with CCO only titles and job functions have been rare. For example, over the last 11 years, the Commission brought only eight cases against such CCOs.”

Lessons Learned from CCO Enforcement Cases
It’s been said the SEC Enforcement cases against CCOs revolve around whether the CCO had responsibility to manage a specific issue and failed to perform his/her responsibilities in good faith, such as having had knowledge of issues and either failing to adopt policies and procedures to address them or failing to carry them out. Another case, where the CCO was not named, involved the CCO asking for additional resources. All these cases deliver a strong message to CCOs and contribute to new or continued worries about liability.

Encrypted? So What, Says Tennessee

In a first for the country’s growing body of state breach notification laws, Tennessee has recently amended its law to require notification even if the information subject to a breach was encrypted, and regardless of whether the encryption key itself was compromised.

Until now, other states have taken the position that encryption offered a “safe harbor” of sorts, under the logic that encrypted data is generally unreadable without adequate time and computing power to break the encryption.

Governor Bill Haslam enacted S.B. 2005 on March 24, 2016, amending Tennessee’s data breach statute to:

  1. remove the encryption caveat,
  2. specify a deadline for disclosing the breach as 45 days following discovery of the breach (subject to certain exceptions), and
  3. expand the definition of “unauthorized person” to include “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.”

The amended data breach provisions become effective July 1, 2016.

The prevalence of cybersecurity breaches is causing many states to revisit their data breach notification statutes to protect their residents. Stay tuned for the first state to require breach notification as soon as someone thinks about breaching your data.

IAA Supports Bill to Relieve Adviser Burdens

I think the IAA Alert regarding adviser burdens that is partially excerpted below (and linked here) is the most interesting read of the month.

The issues regarding past specific recommendations and testimonials being raised in a House Sub-Committee reflect common findings we make in investment adviser compliance reviews. The additional private fund manager issues are additional minutiae about which the SEC has issued rule-making or guidance. It seems some feel those rules are not practically applied.

The IAA supports introduction of the bill, which will relieve advisers of unnecessary burdens without affecting the paramount investor protections provided by the Act. For example, the bill would:

  • Eliminate the ban on advisers’ use of testimonials and references to past specific recommendations, to the extent the materials are distributed solely to certain sophisticated clients and high net worth individuals, relying instead on well-established anti-fraud standards governing such materials. The IAA has been advocating for relief on the “past specific recommendation” rule for many years.
  • Offer relief from one aspect of the Custody Rule in situations involving privately offered securities where there is little risk of misappropriation by the adviser because such securities are not readily transferrable.
  • Ease the recordkeeping burdens for private equity advisers where funds make infrequent and substantial investments that are supported by due diligence typically involving a huge volume of immaterial documents.

 

FINRA CRD System Alert

Here’s a notable change from FINRA regarding the CRD system.

Previously, a positive balance was reflected as a negative number, which created quite a bit of confusion among users. A deficient balance will now be a negative number in CRD/IARD.

We’ll have more on these changes in Ascendant’s June Alert.