
The BD/IA Regulator

Providing securities regulatory, enforcement and litigation trends for broker-dealers, investment advisers and investment funds

FINRA Issues its Cybersecurity Report, Providing Tools and Encouragement to Broker-Dealers

Posted in Broker-Dealer Regulation, Enforcement, FINRA Enforcement

FINRA recently issued a Report on Cybersecurity Practices (“Report”), growing out of its targeted examination of firms last year.  To issue the Report, FINRA gave careful consideration to the needs of many broker-dealers for information and the tools to combat cyber intrusions.  The Report is comprehensive, and it doesn’t shy away from delving into technical detail.  Our review of it leads us to conclude that it is a useful resource for broker-dealers looking to assess and improve their procedures for preventing a cybersecurity attack, and dealing with one if and when it comes.

At the same time, FINRA also issued guidance to enable investors to understand the state of their firms’ data protection by issuing a new Investor Alert entitled “Cybersecurity and Your Brokerage Firm.”  The Alert recommends that investors ask their firms about:  the safeguards they have in place to protect personal information and assets; the procedures the firm uses to monitor investors’ personal information; the firms’ approaches to handling cyber events; whether the firms will reimburse investors if their assets are compromised due to a cyber attack; and what measures the firms recommend investors take to personally protect their information.

FINRA’s Report (together with the SEC’s recent cybersecurity report) should provide the motivation and some of the tools needed by those broker-dealers who have put off focusing on this area to roll up their sleeves, and additional motivation will come from the firms’ own customers.

This Client Alert cannot hope to summarize the 45-page Report, and we encourage those firms embarking on a cybersecurity project to read the entire Report.  Here we will point out some of the most relevant observations and recommendations in the Report, with a view to encouraging broker-dealers to review their procedures and adopt the recommendations as appropriate.

General Principles

As FINRA’s Report indicates, cybersecurity has been a regular theme in its annual Regulatory and Examination Priorities Letter since 2007, and over the years FINRA has conducted surveys and on-site reviews of firms to increase its awareness of how firms control cyber risks.  FINRA points to a variety of factors driving firms’ exposure to cybersecurity threats, including advances in technology, changes in firms’ business models, and changes in how firms use technology.  A prime example of such risks is the increased use of web-based access or mobile devices for brokerage activities.

FINRA defines “cybersecurity” as “the protection of investor and firm information from compromise through the use . . . of electronic digital media.”  “Compromise” is the loss of data confidentiality, integrity or availability.  FINRA acknowledges that there is no “one size fits all” approach, because firms come in a variety of sizes and business models, and acceptable approaches to compliance and supervision may vary widely among firms.  But at the end of the day, “firms must have appropriate risk management measures in place to address the cybersecurity-related threats they face.”

FINRA’s Report is perhaps at its most useful when it reviews practices that it observed at firms in each area discussed; these discussions will permit broker-dealers to benchmark their practices against the industry in general, and increase the urgency of improving their systems when they find that they fall short.

A more complete analysis of the Report can be found in our client alert, available here.

The Administration Proposes Imposing a Fiduciary Standard on Retirement Advisers

Posted in Broker-Dealer Regulation

Yesterday, the Obama administration called on the Department of Labor to draft rules that, in effect, would require brokers who provide retirement advice to abide by a fiduciary standard.  In a speech at an event hosted by the AARP, President Obama said that existing ERISA rules were written 40 years ago and are in need of updating.  While the President did not use the word “fiduciary” once in his speech, he did say that the proposed rules would require retirement advisers to put the best interests of clients above their own financial interests.

The President emphasized that many financial advisers seek to do the right thing for their clients, but he criticized financial advisors who receive hidden fees for steering customers into “bad retirement investments that have high fees and low returns,” or who persuade investors to roll their existing savings out of a low-fee plan into a high-cost plan.  The President emphasized that, under any new rules, financial advisors would still be fairly compensated, but that the proposal would level the playing field for “outstanding advisors out there so that they can . . . put . . . their clients first.”

At the same event, CFPB Director Richard Cordray emphasized the importance of the retirement savings market, which he stated can be “complicated and confusing.”

The Department of Labor’s proposal was previewed on Sunday by Secretary of Labor Tom Perez, and various constituent groups promptly began to voice reasons for and against the initiative.  One significant objection is that the rules might not be coordinated with existing regulations adopted by the SEC, which regulates both investment advisers and broker-dealers.  Section 913 of the Dodd-Frank Act mandated that the SEC study the standard of care applicable to investment advisers and broker-dealers and granted the SEC the authority to impose a uniform standard of conduct.  The SEC staff undertook such a study and has continued to gather and analyze data related to the efficacy of the current standards of care.  In testimony before the Senate Banking Committee last fall, however, SEC Chairperson Mary Jo White noted that a uniform fiduciary standard was not mandated by the Dodd-Frank Act.  The SEC has apparently not yet made a decision on whether, and how, to move forward with a uniform fiduciary standard rule for brokers and advisers.

Another objection is that the proposed rules could increase costs to investors.  President Obama, on the other hand, cited a study that showed that conflicts of interest in providing retirement advice result in losses to affected investors of 1 percent each year.

The President acknowledged the significant opposition to the proposed rules.  He signaled that his administration would be open to discussion about the rules, stating, “that’s what the comment period for the rule is all about.”

SEC Charges Alt Fund Adviser with Custody Violations

Posted in Investment Adviser Regulation, SEC Enforcement

The Securities and Exchange Commission on February 12, 2015, entered findings against an investment adviser to several alternative mutual funds for maintaining $247 million in cash collateral at broker-dealer counterparties instead of the fund’s custodial bank.  The SEC staff discovered the alleged violations during a routine examination.  Without agreeing with or denying the charges, the adviser agreed to pay a $50,000 penalty to settle the SEC’s charges.

The SEC charged that the adviser violated the custody requirements of Section 17(f)(5) of the Investment Company Act of 1940 because it did not ensure that the funds’ custodial bank maintained the cash collateral held by broker-dealer counterparties.  The cash collateral related to the funds’ investments in total-return and portfolio-return swaps.

The SEC’s order found that the investment adviser also violated Section 12 of the 1940 Act and related Rule 12b-1(h) because it failed to implement directed brokerage policies and procedures, which required the adviser to create and maintain an approved list of executing brokers for the funds, and to monitor the funds’ compliance with the directed brokerage requirements.  In addition, the SEC found that the adviser caused the managed funds to violate Rule 38a-1, the Investment Company Act compliance rule.

Our take – This settlement appears to be the fruit of the SEC’s sweep examination of alt funds.  We expect to see more similar enforcement cases.  The case reinforces the need to ensure that funds follow their established compliance policies, and to not lose sight of the basics, such as compliance with the custody rules.  In the case of this type of cash collateral, funds typically comply with the custody rules by establishing a tri-party agreement among the fund, the counterparty, and the fund custodian.

SEC Proposes Rule Requiring Hedging Disclosure

Posted in Broker-Dealer Regulation, Investment Adviser Regulation

On February 9, 2015, the Securities and Exchange Commission (the “Commission”) proposed amendments to its rules to implement Section 955 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), which added new Section 14(j) to the Securities Exchange Act of 1934, as amended (the “Exchange Act”).  Section 14(j) directs the Commission to require each issuer to disclose in any proxy or consent solicitation material for an annual meeting of the shareholders of the issuer whether any employee or member of the board of directors of the issuer, or any designee of such employee or member, is permitted to purchase financial instruments (including prepaid variable forward contracts, equity swaps, collars, and exchange funds) that are designed to hedge or offset any decrease in the market value of equity securities (1) granted to the employee or member of the board of directors by the issuer as part of the compensation of the employee or member of the board of directors; or (2) held, directly or indirectly, by the employee or member of the board of directors.  As noted in the report issued by the Senate Committee on Banking, Housing, and Urban Affairs at the time of adopting Section 955 of the Dodd-Frank Act, this additional disclosure would serve to “provide transparency” to shareholders “to know if executives are allowed to purchase financial instruments to effectively avoid compensation restrictions that they hold stock long-term, so that they will receive their compensation even in the case that their firm does not perform.”

A more complete analysis of the amendments can be found in our client alert, available here.

SEC Reports the Result of its Cybersecurity Sweep of Broker-Dealers and Investment Advisers

Posted in Broker-Dealer Regulation, Investment Adviser Regulation

An SEC cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) they visited experienced cyber-attacks directly or indirectly through vendors, the SEC reported in a February 3, 2015 Risk Alert.

The sweep found that while the vast majority of all BDs and RIAs have adopted written information security policies, the SEC staff found some gaps in cybersecurity protection among many firms. BDs and RIAs will find the report useful reading to help them learn how they compare to their peers in their development of cybersecurity procedures. Indeed, the OCIE Risk Alert reminds firms that cybersecurity is one of OCIE’s 2015 exam priorities.

For those registered firms looking ahead to their next examination, OCIE’s release also provides a hint of how it will focus its efforts in future reviews on the adequacy of a firm’s policies and procedures.

OCIE’s examination results highlight the magnitude of the issues and challenges that firms face when establishing cybersecurity procedures. While it is not surprising that so many BDs and RIAs have experienced cyber-attacks, it is a somber reminder that systems are vulnerable. Moreover, OCIE reports that more than half of the BDs, and almost half of the RIAs they examined reported receiving fraudulent emails seeking to transfer client funds. Over a quarter of the BDs reported losses related to fraudulent emails, but no single loss in excess of $75,000.

For its sweep, OCIE examined 57 registered BDs and 49 registered RIAs in order to “discern basic distinctions among the level of preparedness of the examined firms.”

THE GOOD NEWS

OCIE reported that:

• 93 percent of BDs and 83 percent of RIAs examined have written information security policies.

• Nearly as many of the firms have written business continuity plans that address mitigating the effects of a cybersecurity incident and/or outline the firm’s plan for recovering from such an incident.

• A similar number of firms conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.

• Almost all firms have conducted a firmwide inventory of their technology resources, including physical devices and systems, software platforms, network resources, connections to firm networks from external sources, and hardware, data, and software.

• Almost all firms use encryption.

• While 65 percent of the BDs examined offer their customers online access to account information, all of them provide their customers with information about reducing cybersecurity risk in conducting business with the firm. And while 26 percent of RIAs primarily advise retail clients and provide online access to account information, only three-quarters of those tell their customers how to reduce cybersecurity risks.

• Most of the BDs, and a little over half of the RIAs use published cybersecurity risk management standards, such as those published by the National Institute of Standards and Technology.

ROOM FOR IMPROVEMENT

OCIE also reported findings that indicated that many firms still have a ways to go in developing cybersecurity procedures, or bringing their existing procedures up to snuff.

• Only 72 percent of the examined firms incorporate cybersecurity requirements into their contracts with vendors and other business parties, and only 24 percent of RIAs do so.

• Only 51 percent of firms have procedures related to information security training for vendors or business partners.

• Very few firms address how they determine whether they are responsible for client losses resulting from cyber incidents.

• A little over half of the BDs, and only 21 percent of RIAs, have cybersecurity insurance.

• Only about two-thirds of the BDs, and less than a third of RIAs, have a designated Chief Information Security Officer (CISO).

OUR TAKE

It is always helpful to use industry-wide survey-type information from a regulator to benchmark your firm against the general population of firms. Additional useful information will be available if FINRA releases the results of its separate cybersecurity survey of BDs.

It is not completely clear from the OCIE Risk Alert whether the rates of favorable performance that it found in different aspects of cybersecurity are satisfactory, or if nothing short of 100% success will do. Clearly, registered firms have come a long way, and it’s fair to ask in which areas of good cybersecurity housekeeping the regulators expect 100 percent compliance, and in which areas these goals are more aspirational. Findings in specific exams this year will help calibrate that message; we can hope that the regulators’ exam findings will recognize that firms have come a long way, but might still need time to bring all of their procedures up to state-of-the-art standards.

OCIE’s Risk Alert did not indicate whether it found any lapses that could lead to enforcement proceedings or whether the staff will recommend new rules to the SEC. Stay tuned for developments in these areas.

House Passes Bill to Ease Volcker Rule and other Regulatory Requirements

Posted in Investment Adviser Regulation

The U.S. House of Representatives on January 14, 2015, voted (271-154) to pass H.R. 37, the “Promoting Job Creation and Reducing Small Business Burdens Act.”  If enacted, the bill, among other things, would extend the Volcker Rule conformance date for collateralized loan obligations (CLOs) and ease requirements for investment advisers of small business investment companies (SBICs) and venture capital firms.  The bill also includes a number of measures that correct issues arising in the JOBS Act, or that otherwise are intended to promote capital formation.

Rep. Jeb Hensarling of Texas championed this bill as beginning to “get America back to work” and start growing the economy.  He said that the bill corrects some “unintended consequences” of the 2,000 page Dodd-Frank Act.

Democrats, as expected, were critical of the bill.  Rep. Maxine Waters said that the bill was intended to delay the effect of the Volcker Rule, which was designed to stop “government-supported banks from gambling with bank depositors’ money.” 

Our take.  It is encouraging to see action to reduce regulatory burden.  H.R. 37 is only a small step, and there are other aspects of the Dodd-Frank Act that Congress or the regulators should reconsider.

A more complete analysis of the bill can be found in our client alert, available here.

OCIE Publishes Exam Priorities for 2015

Posted in Investment Adviser Regulation

The National Exam Program of the SEC’s Office of Compliance Inspections and Examinations (OCIE) published its examination priorities for 2015 this week.  This year’s letter is significantly shorter than last year’s letter, and takes a more thematic, less detailed approach to the discussion of OCIE’s key focus areas.

Many of the themes in the letter are consistent with OCIE’s 2014 examination priorities as well as issues identified by the SEC staff over the course of the last year.  One notable new theme, however, is OCIE’s identification of transfer agents as “gatekeepers” that may warrant closer attention from the OCIE staff. 

OCIE also encouraged would-be whistleblowers to reach out to the staff with information about activities that may “violate the federal securities laws or otherwise [operate] to harm investors.”

OCIE identified three key areas of focus in 2015:

  • Retail investors, including retirement investing and the use of traditionally “institutional” products in the retail marketplace;
  • Market-wide risks, including structural risks and trends involving multiple firms; and
  • Data analysis, including the use of data to identify firms that appear to be involved in fraudulent or other illegal activities.

Registered investment advisers, broker-dealers, municipal advisers and transfer agents should take the time to carefully review OCIE’s letter and consider if their compliance programs adequately and appropriately address the risks identified by OCIE. 

A more complete analysis of the letter can be found in our client alert, available here.