Reorganization of FINRA’s Examination Program Taking Shape
At FINRA’s recent annual conference in Washington D.C., President and CEO Robert W. Cook and Executive Vice President of Member Supervision Bari Havlik discussed, among other things, FINRA’s ongoing efforts to consolidate its Examination and Risk Monitoring Programs from three separate programs into a single one. The goal of the reorganization is to drive more effective risk monitoring by better identifying industry trends, promoting more examination consistency, eliminating duplication of examination efforts and creating a single point of accountability for the exams.
When the examination program consolidation was first announced in an October 2018 press release, FINRA noted that their examination program responsibilities were “divided among three different programs responsible for: business conduct, financial oversight and trading compliance. The consolidation will bring those programs under a single framework designed to better direct and align examination resources to the risk profile and complexity of member firms. Among other benefits, FINRA expects the new structure to increase the efficiency and effectiveness of the program.”
Also, in the October 2018 press release, Cook noted, “Our Examination and Risk Monitoring program is central to our efforts to protect investors and guard the integrity of markets. After careful consideration and extensive feedback from internal and external stakeholders, we are moving toward a program structure that is based on the firms we oversee. By directing our expertise and resources in a more tailored way, we will become more effective at examining for compliance.”
Havlik added, “Implementing a unified program structure will help make us a more agile and risk-focused regulator while focusing on enhanced training and career opportunities for our staff. We are evolving the program in a way that addresses specific feedback that we’ve received as part of FINRA360. This will be a significant undertaking that will continue through 2019, but our work is well underway. I look forward to keeping our stakeholders updated as we progress.”
The examination program integration is a result of FINRA360, FINRA’s ongoing self-evaluation and improvement initiative. At the FINRA Conference, Cook noted that one of the main goals of the FINRA360 initiative is to provide tools to member firms to help them comply with the myriad of rules facing firms. A visit to FINRA’s website reflects the ongoing success of this effort, as FINRA provides numerous tools and templates to effectively assist member firms in complying with rules and enhancing supervisory oversight on topics ranging from OFAC screening to cybersecurity checklists. (See appendix below for a link to FINRA’s list of tools and checklists reflected on their website, as well as FINRA’s examination priorities letter for 2019.)
At the FINRA Conference, for the first time, the business model categories resulting from the consolidation efforts were provided. Examination groups will be divided as follows:
Action items
First, contact your FINRA coordinator and discuss the new integrated examination program and how it will impact your firm. Second, review the many tools and checklists available on FINRA’s website to determine which ones can improve your firm’s compliance and supervisory programs. Finally, if you have not yet reviewed FINRA’s examination priorities letter for 2019, please do so ASAP, and identify any topics that are applicable to your firm’s business model and revisit your firm’s oversight in these areas.
Appendix
- http://www.finra.org/industry/tools
- https://www.finra.org/industry/2019-annual-risk-monitoring-and-examination-priorities-letter
FINRA Website Tools
- Anti-Money Laundering Template
- Books and Records Requirements Checklist for Broker Dealers
- Breakpoints Checklist and Worksheet
- Breakpoints Interest Refund Calculator
- Breakpoints Sample Written Disclosure Document
- Broker/Check Link Requirements in Rule 2210, Tools and Resources for Complying with…
- Business Continuity Planning Template
- Compliance Calendar
- Compliance Vendor Directory
- Cybersecurity Checklist
- Firm Renewal Report Job Aid
- Merger, Acquisition, and Succession Checklist
- New Account Application Template
- Office of Foreign Asset Control (OFAC) Search Tool
- Peer-2-Peer Compliance Library
- Preferred Pricing Program
- Report Center
- Weekly Update Email Archive
- Written Supervisory Procedures Checklist for Broker Dealers
- Written Supervisory Procedures Checklist for Capital Acquisition Brokers
NOTE: Links to all of those tools are available here.
Ascendant, the professional consulting services arm of CSS, provides a full range of services and solutions for broker-dealers. For more information, click here.
SEC Begins Cyber Sweep of Investment Advisers with Focus on Cloud Storage
A sweep of investment advisers is underway by the U.S. Securities and Exchange Commission, which has sent out many letters to firms over the last week requesting information about their use of cloud providers.
The move could be part of the SEC’s Phase 3 Cybersecurity Exam Initiative, and is likely related to the April Regulation S-P Risk Alert about how firms are protecting personally identifiable information (PII) they store on cloud provider systems. Relatedly, the SEC may be interested in collecting information on whether firms are disclosing cloud vendors on Form ADV Schedule D, Item 1.L.
Many filers do not disclose cloud vendors on Form ADV, since the question asks for the location of books and records other than your office or principal place of business, and technically, records on cloud systems are accessible from a registrant’s office through a web browser. The Omgeo No-Action Letter from August 2009 permits advisers to store records in the cloud as long as the adviser can access those records from their office. Typically, we see firms disclose on the ADV the location of hard copy records, CDs, etc., at Iron Mountain or other physical storage vendors, as well as the locations of any alternate office locations at which original records are kept. Some firms do disclose cloud providers such as Global Relay, Smarsh and Mimecast, although most don’t. SEC staff stated at a recent conference that it has observed an increased use of cloud providers by registrants.
Firms are using so many cloud vendors from portfolio management systems to Office365 to Dropbox to CSS’ own Ascendant Compliance Manager that the list in Section 1.L would likely be dozens of entries if every firm disclosed every location of electronic records. The SEC is interested in learning whether advisers have a handle on all the locations they are storing PII and other sensitive data. And in a new OCIE Risk Alert released May 23, 2019, “Safeguarding Customer Records and Information in Network Storage,” it is clear that the SEC is also focusing on whether advisers and broker-dealers have properly configured data storage solutions to use available security features to safeguard against unauthorized access. Maintaining a current data inventory of the locations of PII and which data is stored where, as well as conducting adequate oversight of these third party cloud providers, are essential components of a reasonably designed cybersecurity program.
CSS is currently running a “Getting Practical with Cyber” series of webinars. Our next, “In the Driver’s Seat: Your Critical Role in Cyber Resiliency,” takes place on June 11 at 2 pm ET. Register by clicking here.
For more information on how CSS can help you evaluate your cybersecurity program, visit our Shield page.
What Happens When Your CRM is Breached?
Even your client relationship management (CRM) software may not be safe from hackers. That’s the lesson some advisers are learning after an announcement by CRM vendor Redtail that it discovered in March 2019 that its cloud-based software had left some sensitive client data publicly accessible. The data left vulnerable included first names, last names, addresses, dates of birth, and Social Security numbers. Although Redtail has stated that it has subsequently removed such access, it remains to be seen whether any unauthorized access occurred during the time the data was left open to the public.
The SEC’s recent Risk Alert on Regulation S-P, issued in April 2019, highlighted that some advisers’ policies and procedures fail to address storage of personally identifiable information (PII) in a secure manner by third-party vendors and fail to identify all systems where the adviser is maintaining such PII.
If ever there was a crown jewel of investor data, an adviser’s CRM is a likely target – a treasure trove of the exact kind of information hackers find most valuable, all in a single location.
Redtail is allegedly still investigating, which reflects the inherent difficulty and the challenges vendors can face when attempting to discern the potential scope and impact of an incident. Logs become very critical to the investigation of what may or may not have been accessed and when. Conversely, the failure to maintain adequate logs can severely hamper efforts to piece together any indicators of compromise (IOC) surrounding a potential data incident.
Whether you use Redtail or another CRM, the chances are high that at least some of your client data is being stored in the cloud. Even Salesforce, a powerhouse in the CRM space, experienced an issue during a software update in June 2018 that temporarily made it possible for a programming API to allow one client to access another client’s data. It’s important to regularly review the information security safeguards your third-party vendors have in place as part of your ongoing vendor due diligence. And, recognizing that most vendors will likely experience a security issue at some point given that there is no such thing as 100% security, use those due diligence reviews as an opportunity to inquire whether the issues have been remediated and whether there is any evidence that your firm’s data specifically was part of any detected unauthorized access.
For more information about how CSS cybersecurity services can help you evaluate your risk, please visit our Shield page or contact us.
Even When SEC Rulemaking Slows, Your Compliance Manual Shouldn’t Stagnate
Maintaining tailored policies and procedures is a critical component of an adviser’s internal controls. Time and time again, we’ve heard regulators admonish the industry that off-the-shelf compliance manuals just don’t cut it.
In today’s ever-shifting regulatory environment, does your compliance manual need a reboot? Although there has not been any significant rulemaking over the past year, the SEC has been busy providing guidance on a wide range of compliance topics as reflected in its risk alerts, enforcement actions, and speeches. In the absence of new rules, you might believe that your policies and procedures don’t need much in the way of updating. However, the panel covering this topic at the Ascendant Compliance Solutions Strategies Spring 2019 Conference in Miami cautioned attendees about the danger of being lulled into a false sense of security in this regard, as the SEC has been shifting its attention to some relatively new areas of compliance that should be addressed in your policies and procedures.
This panel – consisting of Investment Adviser Association Associate General Counsel Sanjay Lamba, Greensfelder, Hemker & Gale, P.C. Officer Andrew Hartnett, and CSS Director of Retail Wealth Manager Services Korrine Kohm – engaged in a lively, hands-on and informative discussion of a wide variety of timely compliance topics, as summarized here.
Senior and Retail Clients
With the SEC and state regulators sharpening their focus on protecting retail clients, advisers need to re-evaluate their policies periodically to determine their effectiveness in the ever-changing regulatory landscape.
The panel pointed out that the SEC continues to prioritize its commitment to protect retail investors, including seniors and those saving for retirement. The panel noted that the SEC is looking especially closely at products and services offered to retail investors, as well as the disclosures they receive about those investments.
To a large extent, the SEC’s focus on senior investors was summed up in remarks made by SEC Chairman Jay Clayton in June 2018 in his Opening Remarks to the Elder Justice Coordinating Council:
“At the SEC, we are very concerned about financial exploitation of our seniors. Every day, bad actors target the elder community, and we – all of us at the SEC – despise this behavior. Americans work hard and save their entire lives with the hope of living better as a result of their retirement savings. We need to do all we can to protect them while ensuring they have quality investment opportunities.”
Share Class Selection Disclosure Self-Reporting Initiative
In the share class arena, the panel discussed recent SEC examinations where the SEC asked what the adviser’s rationale was to support transactions in sampled mutual fund transactions. The panel also touched on the need for adequate disclosure in Form ADV 2A of the receipt of 12b-1 funds/revenue sharing and discussed the SEC’s enforcement actions involving settled charges against 79 investment advisers who must return more than $125 million to clients, with a substantial majority of the funds going to retail investors. These actions stem from the SEC’s Share Class Selection Disclosure Initiative, which the SEC’s Division of Enforcement announced in February 2018 in an effort to identify and promptly correct ongoing harm in the sale of mutual fund shares by investment advisers. The initiative incentivized investment advisers to self-report violations of the Advisers Act resulting from undisclosed conflicts of interest, promptly compensate investors, and review and correct fee disclosures. The SEC’s action addressed advisers who directly or indirectly received 12b-1 fees for investments selected for their clients without adequate disclosure, including disclosures that were inconsistent with the advisers’ actual practices.
As discussed in the SEC’s press release, the “SEC found that the investment advisers failed to adequately disclose conflicts of interest related to the sale of higher-cost mutual fund share classes when a lower-cost share class was available. Specifically, the SEC’s orders found that the settling investment advisers placed their clients in mutual fund share classes that charged 12b-1 fees – which are recurring fees deducted from the fund’s assets – when lower-cost share classes of the same fund were available to their clients without adequately disclosing that the higher cost share class would be selected. According to the SEC’s orders, the 12b-1 fees were routinely paid to the investment advisers in their capacity as brokers, to their broker-dealer affiliates, or to their personnel who were also registered representatives, creating a conflict of interest with their clients, as the investment advisers stood to benefit from the clients’ paying higher fees.”
Privacy Issues
The panel also covered developments relating to privacy laws, including the SEC’s Regulation S-P, GDPR, and the California Consumer Privacy Act (CCPA).
GDPR is the EU’s data protection regulation that became effective on May 25, 2018; it grants consumers the right to see (and delete) the data you maintain about them, and it contains breach notification requirements.
Under the new California law, residents of California will be able to:
- Know what personal information is being collected about them
- Access that information
- Know if their personal information is disclosed, and with whom
- Know if their personal information is sold and the right to opt out of the sale
- Receive equal service and price whether or not they exercise their privacy rights
In response to these privacy laws, the panel advised attendees to review policies and procedures and create an inventory of your consumer data – what do you keep, where is it kept, and how do you use it.
Advertising
The panel also covered advertising practices and reminded attendees that advertising deficiencies are among the most common SEC examination findings, including:
- Misleading performance
- Cherry picking investment selections
- Misleading use of third-party rankings
To address compliance concerns, reviewing your policies and procedures with an eye towards addressing the SEC’s no-action letter guidance is critical to help ensure that your marketing materials adhere to SEC guidance and capture all of the required disclosures.
Final Takeaway
Monitoring regulatory developments as they relate to your firm’s business model is critical. Keep close tabs on SEC risk alerts, examination priorities and enforcement actions to identify issues that need to be addressed or updated in your compliance manual.
Life Cycle Guidance for Service Provider Due Diligence
Engaging third-party service providers to perform key functions can offer an investment adviser access to state-of-the-art technology and solutions necessary to compete in today’s environment. Before entering into service provider relationships, advisers need to understand that while the function may be outsourced, the responsibility for the function still rests with the adviser.
Firms engaging service providers need to adopt a due diligence program to evaluate the effectiveness of service providers. At the recent Ascendant Compliance Solutions Strategies 2019 Spring Conference, Jake Fechter of Buckingham Asset Management and Allison Fraser of CSS offered guidance on building a due diligence program. In their session, they offered the following life cycle of the due diligence process:
- Identify your service providers – Firms should evaluate who their current service providers are. Reviewing the firm’s disbursements can identify potential service providers.
- Assess the risks to the business – For each service provider, identify what services are being performed and the risks presented. For example, consider whether the service provider has personally identifiable information about your clients and how it is protected.
- Define contract terms – In contracts, specifically identify the services to be performed, including a service level agreement identifying expected deliverables and service times.
- Conduct monitoring and oversight – Maintaining an effective relationship with your service provider and putting oversight activities in place will enable an adviser to ensure that contracted services are delivered. “Trust but verify.”
- Recordkeeping – As Allison said during the session, “document, document, document.” Maintaining records related to due diligence is critical to demonstrating that due diligence took place.
Ascendant, CSS’ compliance consulting team, provides all services necessary to meet compliance obligations, including due diligence reviews. For more information, click here.
Takeaways and Tips Related to SEC Risk Alert on Regulation S-P
On April 16, 2019, the SEC released a Risk Alert providing a list of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. As with other risk alerts, these were deficiencies noted by OCIE in regulatory examinations. Though the deficiencies were fairly common sense, the release of the risk alert should be used by compliance professionals to reevaluate current practices in place and whether now is the time to make enhancements.
Regulation S-P, among other things, requires a registrant to: (1) provide a notice to its customers that accurately reflects its privacy policies and practices no later than when it establishes a customer relationship, (2) provide a privacy notice to its customers not less than annually during the continuation of the customer relationship and (3) deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).
Additionally, the Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
So, what deficiencies did the SEC find? We highlight the key items and remind you to analyze your own practices and privacy protocols to ensure you are in compliance:
- Not providing the initial, annual or opt-out notices. In addition, registrants not doing what they say they are doing within those notices!
- Not providing an opt-out provision to the sharing of customers’ nonpublic personal information with nonaffiliated third parties
- Lack of policies and procedures to comply with Regulation S-P
- Not having reasonably designed policies to safeguard customer records and information. Here the SEC highlighted some additional matters with respect to safeguarding data:
- Personal devices – Not having policies to address client data stored on employees’ laptops, mobile devices, etc.
- Electronic communications – Not having policies that address protection of personally identifiable information (“PII”) in emails.
- Lack of training on the firm’s policies and practices.
- Unsecure networks – Not having policies that prohibit employees from sending customer PII to unsecure locations outside the firm’s networks.
- Outside vendors – Failure to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrant’s policies and procedures.
- PII inventory – Not maintaining an inventory of where PII is stored and the steps taken to protect it.
- Incident response plans – Not addressing role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
- Unsecured physical locations – Lack of protection of documents maintained in unsecure locations, such as unlocked file cabinets.
- Login credentials – No controls over who can access clients’ login credentials, and not following the policies about access controls.
- Departed employees – Not terminating access rights of employees who have departed the firm.
Here are a few key takeaways to help you ensure you have addressed these matters and strengthen your compliance program:
- Remember the importance of advising your customers of their opt-out rights.
- Ensure you implement and memorialize your policies and procedures related to administrative, technical, and physical safeguards. Reevaluate what your present policies are to ensure they are being carried out. Don’t just say you do things – DO THEM.
- Encryption, encryption, encryption! Retrain your staff on the importance of encrypting email communications when they contain PII.
- Perform surveillance of email to ensure the preceding bullet is being implemented.
- Have a plan and stick to it – Ensure you maintain an incident management plan, have roles assigned and ensure you are sticking to that plan in the event of a breach.
- Determine if you have client login credentials on file. If so, ensure there are controls and policies in place as to who can access this information and how it is securely maintained on your networks.
- Maintain an employee “off-boarding” checklist – When an employee departs, memorialize all the access controls that have been removed and the date each was removed.
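As an added example (not code from the CSS/Ascendant article), one way to implement the email surveillance the takeaways above call for: scan an outbound mail log for unencrypted messages that carry SSN or date-of-birth patterns, ranking external recipients highest. The log layout, the `encrypted` flag and the `adviser.example` domain are assumptions, and the log lines are constructed sample data.

```python
import re

# Constructed outbound mail log (sample data, not from any real system); the
# field layout and the encrypted=yes/no flag are assumptions for this example.
SAMPLE_LOG = """\
2019-05-28T14:02:11Z from=jdoe@adviser.example to=client@mail.example encrypted=no subject="Account opening" body="Per our call, the SSN on file is 123-45-6789 and DOB 03/14/1961."
2019-05-28T14:05:40Z from=jdoe@adviser.example to=ops@adviser.example encrypted=no subject="Internal" body="SSN 123-45-6789 attached for the new account form."
2019-05-28T14:09:02Z from=asmith@adviser.example to=client2@mail.example encrypted=yes subject="Tax docs" body="Your full SSN 987-65-4321 is on the enclosed 1099."
2019-05-28T14:12:55Z from=asmith@adviser.example to=vendor@partner.example encrypted=no subject="Invoice" body="Invoice number 000-12-3456 for May services."
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SSN_RE = re.compile(r'\b(\d{3})-(\d{2})-(\d{4})\b')
DOB_RE = re.compile(r'\b\d{2}/\d{2}/\d{4}\b')


def parse_line(line):
    """Split one log line into a dict of fields; the first token is the timestamp."""
    ts, _, rest = line.partition(' ')
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}
    fields['ts'] = ts
    return fields


def plausible_ssn(area, group, serial):
    """Structural SSA validity rules, used to cut false positives such as invoice numbers."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != '00' and serial != '0000'


def pii_indicators(text):
    """Return the kinds of PII found in free text: SSN (with validity check) and DOB."""
    found = []
    if any(plausible_ssn(*m) for m in SSN_RE.findall(text)):
        found.append('ssn')
    if DOB_RE.search(text):
        found.append('dob')
    return found


def surveil(log_text, internal_domain):
    """Flag unencrypted outbound messages that carry PII; external recipients get priority."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        if msg.get('encrypted') == 'yes':
            continue  # policy satisfied: PII in encrypted mail is not a finding
        indicators = pii_indicators(msg.get('subject', '') + ' ' + msg.get('body', ''))
        if not indicators:
            continue
        external = not msg['to'].lower().endswith('@' + internal_domain)
        findings.append({'ts': msg['ts'], 'from': msg['from'], 'to': msg['to'],
                         'indicators': indicators,
                         'priority': 'high' if external else 'review'})
    return findings


if __name__ == '__main__':
    for f in surveil(SAMPLE_LOG, 'adviser.example'):
        print(f"{f['ts']} {f['priority']:6} {f['from']} -> {f['to']} {f['indicators']}")
```

On the sample log this flags the two unencrypted messages containing a valid SSN and skips both the encrypted message and the invoice number that only looks like an SSN.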