Double-Check the Disciplinary Response in Form CRS, Especially Checking Histories of Financial Pros
On October 8, 2020 the SEC published updated FAQs regarding the disciplinary question in Form CRS. In an unusual step, Chair Clayton joined SEC Directors Dalia Blass and Brett Redfearn in releasing a public statement about the FAQs.
The new FAQs follow the Wall Street Journal’s September 3, 2020 article titled “Financial Firms Fail to Own Up to Advisers’ Past Misdeeds.” The WSJ reported that “[a]t least 1300 brokerage and financial advisory firms incorrectly stated on the new document that neither they nor their financial professionals had legal or disciplinary histories.” Of the 6200 firms reviewed by the WSJ, 1800 other firms reported disciplinary history by answering “yes,” meaning that the firm or its financial professionals have at least one reportable disciplinary event.
In the public statement, the SEC officials stated pointedly that RIAs and BDs cannot omit the required question, or respond based on only the disciplinary history of a firm or its financial professionals—both are required. The SEC officials stated that the agency has reviewed Form CRS filings and observed examples that did not include the disciplinary question or where “responses lacked required information or otherwise could be improved.”
According to the WSJ, 80 firms omitted the disciplinary question altogether, and 20% of the firms reporting no disciplinary history actually had reportable history.
The SEC FAQs make clear that firms that do not have disciplinary history may not omit the question, and that firms may not respond only about the firm and omit information about their financial professionals.
In the FAQs, the SEC provided that “The staff would not object if [a] firm included the following concise response: ‘No for our firm. Yes for our financial professionals.’ or ‘Firm – no. Financial professionals – yes.’” And vice versa.
The SEC also clarified in the FAQ responses that firms may not include additional information in response to yes answers to explain the disciplinary information. Firms may however provide additional supplemental disclosure about the events, and the SEC provides examples such as Form ADV Part 2B brochure supplements or a print-out of the IAPD or BrokerCheck “Disclosures” section for the particular firm or financial professional.
Form CRS is an integral new disclosure document in the SEC’s campaign to create streamlined disclosure obligations and clear, concise information for the public to absorb. When concerns arise that firms are not meeting expectations around such an initiative, and the warning has been publicly provided, any firm with ongoing mistakes could subject itself to new disciplinary proceedings. Time to double-check all disciplinary responses.
For more help with Form CRS and other disclosure documents, email us at info@cssregtech.com.
Item 4. Disciplinary History
- Use the heading: “Do you or your financial professionals have legal or disciplinary history?”
- State “Yes” if you or any of your financial professionals currently disclose, or are required to disclose, the following information:
  (i) Disciplinary information in your Form ADV (Item 11 of Part 1A or Item 9 of Part 2A).
  (ii) Legal or disciplinary history in your Form BD (Items 11 A–K) (except to the extent such information is not released to BrokerCheck, pursuant to FINRA Rule 8312).
  (iii) Disclosures for any of your financial professionals in Items 14 A–M on Form U4 (Uniform Application for Securities Industry Registration or Transfer), or in Items 7A or 7C–F of Form U5 (Uniform Termination Notice for Securities Industry Registration), or on Form U6 (Uniform Disciplinary Action Reporting Form) (except to the extent such information is not released to BrokerCheck, pursuant to FINRA Rule 8312).
- State “No” if neither you nor any of your financial professionals currently discloses, or is required to disclose, the information listed in Item 4.B.
First Charges Filed Under NYDFS Cybersecurity Regulations
On July 21, 2020, the New York State Department of Financial Services (NYDFS) filed its first charges under its Cybersecurity Regulation, 23 NYCRR Part 500 (Cybersecurity Regulation), which went into full effect in March 2019. The Cybersecurity Regulation requires financial institutions regulated by the NYDFS to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of non-public information (NPI) maintained on their information systems. Covered institutions are also required to maintain policies and procedures designed to protect the privacy of the consumer data they maintain.
Here is what we currently know about the NYDFS charges:
NYDFS alleges the Firm, which is one of the largest title insurance providers in the country, did not maintain internal controls adequate to protect the NPI it maintained. During a period from at least October 2014 through May 2019, millions of documents containing consumers’ sensitive personal information, including bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and drivers’ license images were allegedly exposed on the Firm’s public-facing website. NYDFS claims the vulnerability was introduced as part of an application update in May 2014 and that it remained undetected for years until it was identified during internal penetration testing conducted in December 2018[1]. The charges further allege that after the vulnerability was discovered, 1) the Firm neglected to conduct an appropriate security review and risk assessment of the security flaw and the NPI exposed, even though its internal cybersecurity team recommended conducting further investigation; 2) the vulnerability was inappropriately classified as “low” severity[2]; 3) the Firm failed to conduct a reasonable investigation into the scope and cause of the exposure; and 4) the Firm failed to investigate the vulnerability within the timeframe defined by its internal cybersecurity policies.
The Firm has stated that it “strongly disagrees” with the NYDFS charges, and a hearing has been scheduled to determine whether the alleged violations occurred and to determine whether civil monetary penalties or relief will be levied and/or provided. Each exposed record is considered a separate violation of the Cybersecurity Regulation, which carries a maximum penalty of $1,000 per record. This case shows that the NYDFS intends to aggressively pursue and enforce what it believes to be violations of its Cybersecurity Regulation.
It is important to note that even though NYDFS alleges consumer NPI was exposed, as of yet there are no allegations of a data breach, nor is there any indication that any individuals have been harmed as a result of the alleged violations. In a comparable case from 2015, the Securities and Exchange Commission (SEC) charged an investment adviser with failing to adopt policies and procedures reasonably designed to protect its customer records and information; those charges were brought under Regulation S-P (the “Safeguards Rule”) [3]. In that case, the SEC claimed the adviser’s alleged failures led to the exposure of over 100,000 individuals’ personally identifiable information (PII). While the SEC acknowledged that at the time of the enforcement action there were no indications of any client having suffered financial harm as a result of the breach, the adviser was still censured and fined $75,000. It will be interesting to see how this first NYDFS case plays out, and how aggressive NYDFS will be with enforcement actions going forward.
To speak with one of our Cybersecurity experts on penetration testing services, dark web monitoring and assistance in compliance with NYDFS, please email cybersecurity@cssregtech.com.
[1] Penetration tests are simulated attacks on computer systems to determine whether identified vulnerabilities can be exploited and used to gain access to sensitive or confidential information.
[2] Vulnerabilities are classified into five buckets (Informational, Low, Medium, High, and Critical) based on the potential for disruption to computer systems and/or risks related to information access.
[3] Regulation S-P’s requirements for data protection are much vaguer than the requirements set forth by NYDFS, which provides much more prescriptive measures regulated firms must undertake.
From One CCO to Another: Don’t Lie to the SEC
Every once in a while, I think it’s important to get back to the basics. Since the adoption of the compliance rules in 2004, the Securities and Exchange Commission staff has repeatedly stated that the intent of the rules was not to hunt CCOs. Great pains have been taken to enlist CCOs’ support in ensuring that advisers demonstrate a strong compliance culture. SEC actions against CCOs have been rare and usually related to clear wrongdoing, like lying to the SEC.
On September 17, 2020, the SEC took action against a dually-registered investment adviser and broker-dealer and its former CCO[1] for a string of compliance failures relating to the firm’s trading practices. The firm employed an active trading strategy in which clients paid commissions on a per-trade basis (SIDE NOTE: advisers should be very careful about such arrangements, as they can often conflict with an adviser’s fiduciary duty). The firm claimed that surveillance of commission costs and turnover rates was a vital part of its compliance program. During an exam of the firm, FINRA found that the firm did not have any written procedures relating to the surveillance program and was not able to evidence any such review.
As a result of the FINRA findings, the firm amended its written procedures to include procedures related to customer transaction reviews, with the responsibility for such reviews resting with the CCO. As with most written procedures, they are only of value when followed. No such reviews were conducted and the reports that were identified to support a review didn’t even contain the necessary information.
The SEC staff later conducted a review of the firm and requested records supporting such reviews. In response to the request, the firm, through the CCO, produced reports that had been altered by the CCO to give the appearance that a timely review had been conducted. The CCO provided the exam staff with reports on which she had “whited out” the printed date information and added handwritten notations to make the review appear contemporaneous with the data. During the SEC’s enforcement investigation, the CCO again produced documents altered with white-out. In her sworn testimony, the CCO finally admitted that these reports had been altered. As a result, the firm was fined $1.7 million and the CCO was fined and barred from the industry.
The moral of the story. DON’T. EVER. LIE. TO. THE. SEC. EVER.
To speak with one of our regulatory experts, email us at info@cssregtech.com.
[1] In re: Gilder Gagnon Howe & Co. LC and Bonnie M. Haupt; IA Release 5582; September 17, 2020.
BME Partners with CSS to Strengthen Its Suite of Regulatory Services
- BME to offer financial services firms in Spain and Portugal a multi-regulation reporting platform
- Partnership brings a unique combination of local market presence and global coverage
BME has partnered with Compliance Solutions Strategies (CSS), a leading RegTech platform provider, to offer a global regulatory reporting solution in Spain and Portugal. The combination of BME’s local presence and expertise, together with CSS’s global Compliance-as-a-Service platform, will bring unique value to financial institutions in the Spanish and Portuguese markets.
Financial services clients will benefit from an integrated, end-to-end solution that seamlessly captures, consolidates and reports all data required for compliant transaction reporting. The multi-regulation platform also covers an expansive range of jurisdictions to help firms increase operational efficiency, gain data control and manage changes in an ever-evolving regulatory landscape.
“With this agreement, BME strengthens its range of regulatory services and takes a step forward in our goal of becoming the perfect partner for financial institutions, which can save costs using this platform, while having the guarantee of a correct execution of their regulatory reporting,” explains Berta Ares, General Manager of BME Inntech.
CSS’s CEO, Doug Morgan added that, “We are proud to collaborate with a world-class technology partner like BME in extending our market coverage into Spain and Portugal. Our shared value proposition will help financial services firms meet global mandatory regulatory reporting requirements, like MiFID II, EMIR and SFTR, while taking a more strategic approach to managing compliance.”
The addition of CSS’s platform capabilities will support BME’s position as a technological partner which provides services and solutions covering the entire financial markets value chain. BME’s RegTech solutions offering – which is the result of evaluating and adopting the best practices, trends, technologies and service models continuously demanded by the market – includes Transaction Cost Analysis (TCA), Market Quality Metrics & Best Execution Reports, SICAM (Market Abuse) and SIR (Financial Reporting).
About BME:
BME is the operator of all stock markets and financial systems in Spain. BME is a SIX Group company. It offers a wide range of products, services and trading systems based on an advanced and stable proprietary technology. The company also provides global market access systems to issuers, intermediaries and investors in Spain and at international level, with customers in Europe, America and Africa. The company is structured into six business units that represent the broadest and most varied range of products and services: Equities, Fixed Income, Derivatives, Clearing, Settlement, Market Data and Value-Added Services.
Compliance Solutions Strategies Acquires AMFINE
Combination Creates First Fully End-To-End Compliance Reporting Platform
NEW YORK, September 10, 2020 – Compliance Solutions Strategies (“CSS”), a leading RegTech platform providing technology-driven solutions which enable financial services firms to meet mandatory regulatory compliance requirements, today announced the acquisition of AMFINE (“AMFINE”), a provider of SaaS-based regulatory reporting services to European asset managers, asset servicers and insurers. With offices in Paris and Luxembourg, AMFINE serves a top-tier client base and offers a modular and multilingual solution across multiple jurisdictions for the production and distribution of documents covering the full breadth of regulatory reporting and marketing disclosure obligations.
The combination with AMFINE reinforces CSS’s position as a leading RegTech solutions provider to the investment management market with a comprehensive global offering across fund reporting, transaction reporting, investment monitoring and compliance management. Adding AMFINE’s regulatory reporting solutions, including the production of UCITS KIIDs and PRIIPs KIDs, fund prospectuses and marketing factsheets, will enable CSS to deliver a complete end-to-end fund reporting solution that is unmatched in the market, leveraging integrated data management, regulatory reporting software and document production capabilities. The acquisition also provides CSS with increased scale and reach, adding to its roster of Tier 1 clients and extending its presence and operating base in the heart of the European funds market.
The acquisition of AMFINE represents a further investment in the evolution of the CSS platform and will result in compelling strategic benefits to clients:
- Providing end-to-end management of the regulatory reporting process from data aggregation and enrichment through to document production and distribution.
- Delivering an enhanced value proposition with the necessary scope and depth to support enterprise risk control, TCO and scalability objectives.
- Creating the potential for a deeper strategic partnership by addressing a critical reporting requirement through the use of a world-class Compliance-as-a-Service (CaaS) platform.
“We’re delighted to welcome the AMFINE team to CSS as we further develop our platform and extend our market coverage,” said Doug Morgan, CEO of CSS. “AMFINE bring highly complementary product capabilities and a stellar reputation earned by helping clients manage complex reporting requirements. With both organizations sharing a strong commitment to customer success, we’re excited to work together to enhance our global regulatory reporting solution and address a broader scope of our clients’ compliance needs.”
Compliance Culture in a Bottle
What makes one firm – and the various professionals who represent it – live and breathe by the book, while others are a bunch of scofflaws? I can tell you this for sure: there is no magic potion that you can buy to embed a culture of compliance in an organization.
As cliché as it may sound, I honestly believe this starts at the top. Try as you might, if the leadership of the firm truly believes it’s OK to get a “C” in compliance (or worse!), you’re going to have a hard time moving the needle. This is where, as compliance officers, we need to dig deep into ourselves and find a salesman.
Tone at the top is critical because everything you need to do depends on their buy-in in some form or another. Need more resources to effectively implement your compliance program? Need time on the calendar for all associates to participate in training? Assistance in responding to a regulatory inquiry or examination? Recommending the firm terminate the employment of your number one salesperson because of repeated compliance breaches? For each of these, and many other challenges, you are going to need management’s buy-in.
Whether you are a large firm staffed with hundreds of compliance professionals or a dual-hatted CCO in a small shop, compliance is infinitely more effective when the head(s) of the firm are setting a good example. If the bosses take compliance seriously, day in and day out, the other employees are far more likely to take it seriously. If the bosses think it’s OK to complete attestations past the due date, don’t care if new account paperwork is incomplete, regularly suggest aggressive or inappropriate marketing tactics, it’s much more likely that others will pick up these habits. And if management does not hold employees accountable for their actions, or support you in addressing compliance breaches, recidivism will run rampant. New hires will learn bad habits, and if weeding out a bad actor isn’t important, each person hired might bring more issues that pollute the firm’s environment further.
As the steward of compliance in your organization, keep your eyes and ears open, motivate management to lead through their actions and words, and no matter what, be approachable and adaptable. Truly partner with them to help the firm achieve its goals efficiently and compliantly. That just might be the magic potion we’re all looking for.
To read the full chapter Compliance Culture in a Bottle, download The CCO’s Playbook.