
CFTC Orders Firm to Pay $1.5 Million in Connection with Phishing Cyber Breach, Cites Inadequate Cyber Training

The Commodity Futures Trading Commission (CFTC) isn’t holding back when it comes to holding firms accountable for protecting their clients’ funds and information. On September 12, 2019, the CFTC issued an order bringing proceedings against a registrant to the tune of $1.5 million US relating to claims that the registrant violated Commission Regulations 166.3 and 1.55(i). Without admitting or denying the CFTC’s allegations, the registrant entered into a settlement offer.

The CFTC order cites failures to supervise adequate implementation of, and compliance by employees with, cybersecurity policies and procedures and a written information security program. Specifically, the CFTC notes inadequate supervision of policies relating to the disbursement of funds by employees, which contributed to the occurrence of wire fraud by cyber criminals. The wire request originated through the typical method: phishing. Through phishing emails, the attackers were able to compromise a few accounts that had administrative privileges, and they used that level of access to add themselves as a “delegate” on other firm email accounts so that they could read them. Although the firm notified the CFTC in a timely manner after learning that it had allowed a fraudulent wire to go out, the CFTC took issue with the firm not disclosing the incident to its clients.
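One defensive check suggested by the delegate step described above, as an added example that is not code from the original post or from the firm involved: it scans constructed mailbox-permission audit records (the field names, operation names and addresses are assumptions) for accounts that grant themselves access to other mailboxes, and for any grantee added to several mailboxes within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real log data). Fields are modelled
# loosely on what a mailbox-permission audit entry carries: who performed the
# action, which mailbox was affected, and who was granted access.
SAMPLE_EVENTS = [
    {"time": "2019-09-01T09:00:00", "operation": "Add-MailboxPermission",
     "actor": "admin1@example.test", "mailbox": "cfo@example.test",
     "grantee": "admin1@example.test", "rights": "FullAccess"},
    {"time": "2019-09-01T09:02:00", "operation": "Add-MailboxPermission",
     "actor": "admin1@example.test", "mailbox": "treasury@example.test",
     "grantee": "admin1@example.test", "rights": "FullAccess"},
    {"time": "2019-09-01T09:04:00", "operation": "Add-MailboxPermission",
     "actor": "admin1@example.test", "mailbox": "ops@example.test",
     "grantee": "admin1@example.test", "rights": "FullAccess"},
    # A routine, legitimate-looking grant by the help desk for comparison.
    {"time": "2019-09-01T14:00:00", "operation": "Add-MailboxPermission",
     "actor": "helpdesk@example.test", "mailbox": "alice@example.test",
     "grantee": "alice-assistant@example.test", "rights": "FullAccess"},
    # Unrelated mailbox change that the detection should ignore.
    {"time": "2019-09-02T10:00:00", "operation": "Set-Mailbox",
     "actor": "admin1@example.test", "mailbox": "bob@example.test",
     "grantee": "", "rights": ""},
]

# Operation names that grant delegate-style access (assumed for this example).
DELEGATE_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_delegate_abuse(events, window=timedelta(minutes=30), threshold=3):
    """Return alerts for two patterns seen in the incident described above:
    an account granting itself access to another mailbox (self-delegation),
    and one grantee being added to `threshold` or more distinct mailboxes
    within `window` (mass delegation)."""
    alerts = []
    grants = [e for e in events if e["operation"] in DELEGATE_OPS]

    for e in grants:
        if e["actor"].lower() == e["grantee"].lower():
            alerts.append({"rule": "self-delegation", "actor": e["actor"],
                           "mailbox": e["mailbox"], "time": e["time"]})

    by_grantee = defaultdict(list)
    for e in grants:
        by_grantee[e["grantee"].lower()].append(e)

    for grantee, evs in by_grantee.items():
        evs.sort(key=lambda x: parse_time(x["time"]))
        for i, first in enumerate(evs):
            start = parse_time(first["time"])
            boxes = {x["mailbox"] for x in evs[i:]
                     if parse_time(x["time"]) - start <= window}
            if len(boxes) >= threshold:
                alerts.append({"rule": "mass-delegation", "grantee": grantee,
                               "mailboxes": sorted(boxes), "time": first["time"]})
                break  # one alert per grantee is enough
    return alerts


if __name__ == "__main__":
    for alert in find_delegate_abuse(SAMPLE_EVENTS):
        print(alert)
```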

The CFTC also took the opportunity to highlight that the individuals responsible for cybersecurity at the firm, including the CCO, had “limited training in cybersecurity” and that the CCO did not have a background in cybersecurity despite being designated with responsibility to oversee the firm’s cyber training.

What this case reveals for CFTC registrants, and perhaps as a proxy for registrants with the SEC and FINRA, is that cyber is being taken seriously. In addition to the lack of training and cyber expertise by those tasked with implementing the cyber program, other issues cited include:

  • The failure to tailor the information security program to the firm’s particular functions and risks (in some cases, the firm’s cyber policies quoted the rule verbatim without any modification)
  • The failure to follow the firm’s incident response plan when responding to the incident
  • The failure to replace a senior information security professional who departed, and instead delegating his responsibilities to others with less experience (Author’s Note: Admittedly, it is incredibly difficult to hire individuals with cyber expertise given current demand)

If you need help tailoring your information security policies and procedures, with cyber training, phishing testing or general cybersecurity strategies, visit our Shield page to see what we offer, and then contact us.

Cayman Islands Data Protection Law Nears Taking Effect

Cybersecurity regulations have landed ashore on the islands, and life is about to become anything but a beach for firms forced to comply with the Cayman Islands’ new Data Protection Law (DPL), slated to take effect September 30, 2019. With provisions largely mirroring the EU’s General Data Protection Regulation (GDPR), entities with a presence or operations in the Cayman Islands that may have found themselves not subject to the GDPR may end up needing to comply with similar requirements anyway. That is largely the point of such legislation, which was informed by the GDPR and intentionally based on a similar model to provide a standardized way for organizations to manage and protect data internationally.

The DPL is overseen by the Office of the Ombudsman, a supervisory authority in the Cayman Islands. The law applies to data controllers (entities that determine why and how data is processed) and data processors (those who do the processing) that are either established in the Cayman Islands, or are established elsewhere but process personal data in the Cayman Islands. Consequently, private funds organized under Cayman law or incorporated in the Cayman Islands are “established” in the Cayman Islands, even if they don’t have a physical presence there.

The Cayman DPL applies to “personal data,” meaning data relating to a living natural person or data from which the identity of such person is known or identifiable, and broadly extends to include location, IP addresses, and other identifiers. Even such information about an entity’s own employees is sufficient to bring the Cayman DPL in scope.

Similar to the GDPR, the Cayman DPL contains several overarching data protection principles, including:

  • Fair and Lawful Processing – Firms must have a legal basis for the data they collect, and provide transparency about what they are collecting (e.g. hidden tracking of website cookies without consent would not be permissible)
  • Purpose Limitation – Firms must disclose via a privacy notice why they need such data. Consent must be obtained for use for new purposes, although consent is not required to be obtained again if the new purposes are “compatible purposes” such as for historical research or statistical analysis.
  • Data Minimization – Firms must collect the minimum data necessary for that purpose
  • Data Accuracy – Firms must exercise reasonable measures to keep personal data current and to correct or remove data upon discovering it to be incorrect
  • Storage Limitation – Firms must not keep data for longer than necessary (although required retention periods under other regulations can inform what a firm’s retention period should be) and firms must respond to data subject access requests to delete their data from primary and backup storage locations.
  • Respect for the Individual’s Rights – Firms must be able to identify the data they have about an individual and all of the locations where it is stored, and be able to respond to requests from individuals about their data within 30 days (including requests to access, correct, delete, or restrict the processing or sharing of their data)
  • Security, Integrity, and Confidentiality – Firms must have “appropriate technical and organizational measures” in place to protect data, including anonymizing or encrypting data where it makes sense to do so, and should conduct testing and training for staff
  • International Transfers – Transfers of data between the Cayman Islands and countries that are not deemed to have an adequate level of protection are prohibited. The EU GDPR is one such adequate level of protection. Consent, or contracts containing specific clauses, are some of the other methods by which a data transfer can be accomplished.

For more information and examples of the Cayman DPL as applied to different scenarios, please see the Office of the Ombudsman Guide for Data Controllers.

Firms with Cayman clients or investors should consider updating their policies and procedures to align with the Cayman DPL in advance of the September 30, 2019 effective date.


For assistance in updating your policies and procedures, please contact us to find out how our Shield cybersecurity services can help.

SEC Risk Alert Puts Spotlight on Principal Trading, Agency Cross Trades

On September 4, 2019, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued another risk alert, this time on “Investment Adviser Principal and Agency Cross Trading Compliance Issues.” While not wildly informative, the Risk Alert summarizes several issues identified during examinations over the last three years and reminds us of a few core issues regarding principal trades and agency cross trades. As with many things of SEC focus, the meat of the matter is in the timing and comprehensiveness of disclosure, such that there is consent. Remember, in the SEC’s eyes consent does not exist unless it is informed and evidenced in writing.

Some key overall reminders are:

  • Review Advisers Act Section 206(3) and Rule 206(3)-2, which govern principal trades and agency cross trades
  • Review Advisers Act Sections 206(1) and (3), which also govern; that is, beyond the specific requirements for principal trades and agency cross trades, the mandate remains to provide full and fair disclosure of all material facts, including conflicts
  • Consent must be obtained prior to execution of a principal or agency transaction, or after execution but prior to settlement of such transactions
  • Principal trades require disclosure and consent on a transaction-by-transaction basis
  • Pooled investment vehicles must be monitored for “significant ownership interests”

Some of the deficiencies cited are:

  • Acting as a principal without realizing that Section 206(3) applied
  • Conducting a principal transaction without meeting all the requirements of Section 206(3)
  • Engaging in agency cross transactions after communicating with clients that such transactions would not occur
  • Failing to produce documentation of disclosure and consent

Hopefully, this Risk Alert confirmed for you that you conduct principal trades and agency cross trades in compliance with the Advisers Act and your fiduciary duty. Consider this a great time to check for issues such as the following:

  • Do the right people (compliance, traders, Investment Committee members) know which are the proprietary accounts; do you keep an up-to-date proprietary account list?
  • For private fund advisers, are you up to speed on counting the ownership interests; for example, are you including all direct and indirect interests of control people and affiliates; are you including vested and retained incentive allocations?
  • How, where, and when do you obtain the appropriate client consent?
  • Are those ostensibly providing consent authorized to do so and are they free from conflict?
  • Is your firm collecting transaction compensation or acting in a way that the SEC will perceive as acting as a broker?
  • How is the compliance department reviewing principal trades and agency cross trades?

Begin at the beginning: what does your investment management contract say you will do, and what do your fund documents say you will do? If nothing else, this Risk Alert puts us all on notice that the SEC is looking at these types of transactions. If you need assistance in understanding these transactions and your obligations for such, contact us.

SEC Issues Guidance to Investment Advisers on Proxy Voting

At its August 21, 2019 Open Meeting, the Securities and Exchange Commission (“SEC”) voted 3-2 to issue guidance to assist registered investment advisers (“RIAs”) in carrying out their proxy voting responsibilities. While the guidance didn’t break a lot of new ground, it clarified the SEC’s expectations for investment advisers in voting client proxies and engaging proxy advisory firms.

As part of its fiduciary duty to its clients, an RIA who accepts the responsibility to vote proxies on behalf of its clients must make the determination that a vote is in the best interest of the client and doesn’t place the RIA’s own interest ahead of the client. Further, under Rule 206(4)-6 under the Investment Advisers Act of 1940, an RIA exercising such voting authority must, among other things, adopt and implement written policies and procedures reasonably designed to ensure that the adviser votes proxies in the best interest of its clients.

Many advisers retain proxy advisory firms to assist in the process. Proxy advisory firms provide an electronic voting platform, offer research and analysis of matters subject to a vote, and make voting recommendations on specific matters. While a proxy advisory firm may make a recommendation, the responsibility for voting in each client’s best interest still rests with the RIA.

Overview of SEC Guidance

Define Proxy Voting Responsibility in Advisory Agreement
  • Specify parameters to determine voting activity
  • Subject to full and fair disclosure
Demonstrate the Votes are in Client’s Best Interest
  • Consider if different policies are needed for different clients to meet each client’s best interest obligation
  • Retain records showing reasonable review of a voting matter
  • Policies to identify factors to consider when more detailed analysis necessary
  • Evidence that votes cast are consistent with policies and procedures
  • Review adequacy of policies and procedures in annual compliance review
  • Test a sample of votes cast for compliance with policy
  • Sample pre-populated votes in proxy adviser’s system
  • Sometimes not voting is in client’s best interest (cost to vote > benefits)
Conduct Due Diligence of Proxy Advisory Firm
  • Capacity and competency of firm
  • Process for seeking input from issuers and clients on policies and methodologies
  • Disclosure of methodologies to RIA
  • Review firm’s policies for managing conflicts
  • Determine the extent to which proxy firm errors or weaknesses affect its research
  • Effectiveness of firm policies and procedures to obtain accurate information
  • RIA policies and procedures to ensure votes not based on errors or incomplete information
  • Proxy advisory firm’s procedures to advise RIA of relevant business changes or issues

Separately, the SEC issued guidance regarding the applicability of proxy rules to proxy voting advice, affirming that proxy voting recommendations constitute a proxy solicitation subject to the proxy rules and that recommendations must not be false or misleading or omit to state a material fact.

Two commissioners, Robert Jackson and Allison Herren Lee, voted against the guidance citing concerns that it creates additional costs for RIAs and proxy advisory firms, the effect of which could be to disincentivize smaller advisers from voting and reduce competition in the already highly concentrated proxy advice industry.

Regulation Best Interest: Understanding the Obligations

We have been conducting roundtables and talking to industry leaders to help them identify the challenges that broker-dealers will face in implementing Regulation Best Interest, or Reg BI for short. In upcoming posts, we will provide further insight into developing a Reg BI plan.

Reg BI applies to broker-dealers that service natural person clients and raises the standard of care by imposing a “General Obligation” to act in a retail client’s best interest and not to place the broker-dealer’s own interest ahead of its retail client’s. The General Obligation is satisfied only if the broker-dealer complies with four specific component obligations. Compliance with Reg BI is required by June 30, 2020.

The four component obligations define what it means to “act in the best interest” and are outlined as follows:

Disclosure Obligation

Provide certain prescribed disclosure, before or at the time of the recommendation, about the recommendation and the relationship between the retail customer and the broker-dealer. Such disclosures must address all material facts relating to the scope and terms of the relationship with the retail customer, including capacity as a broker-dealer, material fees and costs, and type and scope of services.

Care Obligation

Exercise reasonable diligence, care and skill in making a recommendation: understand the associated potential risks, rewards and costs, have a reasonable basis to believe the recommendation is in the best interest of the customer, and have a reasonable basis to believe that a series of recommended transactions is not excessive.

Conflicts of Interest Obligation

Establish, maintain and enforce policies and procedures reasonably designed to address conflicts of interest associated with its recommendations to retail customers.

Addressing the conflicts of interest obligation requires broker-dealers to identify and, at a minimum, disclose or eliminate all conflicts of interest associated with such recommendations, and to mitigate certain identified conflicts where those conflicts were not otherwise eliminated.

Compliance Obligation

Establish, maintain and enforce policies and procedures reasonably designed to achieve compliance with Reg BI. The SEC believes that a broker-dealer “should consider the nature of that firm’s operations and how to design such policies and procedures to prevent violations from occurring, detect violations that have occurred, and to correct promptly any violations that have occurred.”

In preparing for Reg BI, broker-dealers must conduct a comprehensive review of their business and client disclosures, including the development of new Form CRS. Key considerations include:

  • Form CRS and other client disclosures
  • Conflicts of Interest
  • Product offerings
  • Conflicting lines of business
  • Investment recommendations
  • Compensation systems
  • Supervision
  • Training

If you need more help on Form CRS, visit our Ultimate Guide to Form CRS page, with information about the regulation, as well as our solution.

Cannabis Cash & Federal Taxes – A Proprietary Process

Samson Williams

In order to pay federal taxes, many licensed, regulated cannabis companies have to launder their cash. Why? Because banks will not open an account for a cannabis business, since cannabis is illegal at the federal level. How exactly, then, do dispensaries, cultivators, retailers, transportation and other cannabis businesses pay Uncle Sam taxes if they can’t legally open bank accounts? The answer to that is a proprietary process.

The conversation really hits home and highlights the pain point that cannabis entrepreneurs face when you consider that without a bank account, how do these small business owners do all the extravagant things that Main Street businesses need to do like:

  1. Pay employees 
  2. Pay for health insurance 
  3. Get a business loan
  4. Start a business line of credit 
  5. Finance a purchase order
  6. Book airfare, travel, hotel, or even pay for Google Suites, Norton Anti-virus subscriptions and other online services. Surely it’s easy to operate a business as though it’s 1995 and the internet doesn’t exist, right?
  7. Not be targeted by thieves and organized crime for robbery, extortion and kidnapping because everyone knows you are forced to store stacks of cash because you can’t legally open a bank account  

Before we get into the process of how regulations force small business owners in one of the most heavily regulated industries in America to launder money to pay taxes, a few fun cannabis-related facts:

  • All businesses, regulated or illegal, have to pay taxes. Just ask Al Capone. 
  • Cannabis is illegal at the federal level. 
  • “Former 12-term congressman John Boehner of Ohio will make $20M as a board member of Acreage Holdings, a marijuana investment firm whose sale to a cannabis industry giant hinges on Mr. Boehner’s ability to persuade Congress and the federal government to legalize, or at least legitimize, marijuana.” 
  • In 2018, in Colorado alone, there were $1.55 billion in regulated cannabis sales. And you bet Uncle Sam got his cut. 
  • Cannabis compliance is the fastest growing compliance sector.

Now, to get back to the process of how one legally launders money to pay their Federal Taxes. 

Step One 

  • Organize your business. You need to incorporate your business and comply with all local and state regulations. 
  • Do you need a specific license? 
  • What inspections are required?
  • Where are cannabis operations zoned for operations in your jurisdiction? 
  • And other such basic business formation questions. 

Step Two 

  • As you form your business, evaluate what your tax obligations and organizational structure should look like. 
  • This means you’ll talk to your lawyer, accountant/bookkeeper and tax advisor to determine, based on your jurisdiction and unique circumstances, what are the best options for you. 

Step Three 

  • Hire a professional. This is actually step one. You’ll appreciate why you should hire a professional once you consider how setting up your business determines your tax obligations as much as what business you’re in. 

Step Four 

  • Follow me, Samson Williams, (@HustleFundBaby) to learn more about how to set up a cannabis business and operate it in a compliant manner. I’ll be speaking at the CSS Fall 2019 Conference on cannabis compliance September 23 – 25 in Scottsdale, Arizona sharing some lessons learned from Jamaica of all places. Did you know Jamaica has quite the robust, regulated cannabis industry? 

Together with you, I look forward to helping all of America’s Main Street entrepreneurs set up thriving, local businesses. I may secretly also be out to address the injustices of the War on Drugs and Mass Incarceration on Communities of Color. But we won’t tell you that until after you’ve made ungodly sums of money and are questioning whether or not you’re gonna get into heaven having made millions selling a plant that has caused the loss of freedom of literally millions of young Black men and women. #SocialJustice 


Thank you for reading my article. I regularly write about technology, cannabis, crowdfunding, real estate, health and compliance investing trends on LinkedIn and for Blockchain Business Magazine. To read my future posts, simply join my network or click Follow. Also feel free to join me on Twitter, Facebook, Instagram, or YouTube.

About Samson Williams 

Samson is an internationally recognized anthropologist and expert in Operations & Technology, Blockchain, Cannabis, cryptocurrencies, mobile payments, mortgage finance and organizational change management in FinTech.

Samson is ranked among the globe’s top innovative technology professionals for his cutting-edge research and applications in crowdfunding, tokenomics and digital securities. Samson is an adjunct professor at the University of New Hampshire School of Law and Columbia University, and Principal consultant at Axes and Eggs. For business inquiries Samson can be reached at samson@axesandeggs.com

Samson will be speaking at the upcoming CSS Fall 2019 compliance conference during the session “RegTech Revolution,” which will explore the rapid pace of change and the intersection of technology and regulation at financial services firms.


Disclaimer: This is a guest post written by Samson Williams. The views expressed therein are the views of the author and may not reflect the opinions of CSS. This post is for informational purposes only and not for the purpose of providing legal advice.