Broker Dealer Regulation | cybersecurity | Investment Adviser Regulation | Private Funds | Regulation Best Interest | Regulatory Deadlines | SEC News

Cybersecurity Alert Warns of Credential Stuffing Attacks, SEC Modernizes Accredited Investor Definition, FINRA Gateway Enhancements Continue, and ADA Compliance Considerations: Regulatory Update for October 2020

For Investment Advisers and Broker-Dealers

Cybersecurity: Multi-Factor Authentication and CAPTCHA Recommended to Combat Credential Stuffing. This Risk Alert, issued by the SEC’s Office of Compliance Inspection and Examination, raised the alarm on a recent spate of “credential stuffing” attacks on financial institutions.  Credential stuffing is a method of cyber-attack where hackers take a huge list of usernames and passwords and use large-scale automated login programs like scripts or bots to “stuff” those credentials into password protected websites, hoping to gain unauthorized access to customer accounts.  The hackers get usernames and passwords from prior data breaches (e.g. MyFitnessPal, LinkedIn, Adobe, Equifax, Twitter) that are sold on the dark web.  (Check to see if your email address has been stolen using this tool from the Hass Plattner Institute available here and the Have I Been Pwned (HIBP) website.)  The FBI sent a private security alert to the U.S. Financial Sector with a similar warning that credential stuffing attacks are on the rise in early September.

As noted in OCIE’s Risk Alert, “[s]uccessful attacks occur more often when (1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names.”  Also, the longer passwords remain unchanged, the greater risk of a successful attack.  OCIE provided a list of practices firms use to protect client accounts:

  • Adopt Multi-Factor Authentication (“MFA”) that requires a user to employ multiple verification methods to gain access to an application or online account. In general, the more factors in this process, the more effective the approach will be at deterring an attack.
  • Because credential stuffing is driven by automated scripts or bots, use CAPTCHA, Completely Automated Public Turing test to tell Computers and Humans Apart. CAPTCHA are online tests that require an user to do something to prove they are human, such as identifying pictures with a specific object among a group of pictures.
  • Implement controls to prevent and detect credential stuffing attacks, like monitoring for higher-than-usual login attempts over a specific time period.
  • Perform testing to determine whether current client accounts are susceptible to credential stuffing attacks.

The days of depending solely on password protection for securing client accounts are over.  Investment advisers and broker-dealers, especially those that offer online account access to their clients, need to keep abreast of the latest threats to their clients’ assets coming from cyberspace and update their policies appropriately.  And even firms that do not offer online account access to clients are advised to talk to their clients about how they can keep their financial accounts safe by not re-using passwords, changing passwords more frequently and taking advantage of free password management applications.  Contributed by Jaqueline M. Hummel, Partner and Managing Director.

SEC Revises Definitions for Accredited Investor and Qualified Institutional Buyer. With the goal of making it easier for issuers to raise capital, the SEC adopted amendments to expand the definition of “accredited investor” in Rule 215 and Rule 501(a) of Regulation D under the Securities Act of 1933.  The amendments expand existing accredited investor categories while adding new ones.  While it remains unclear just how much larger the universe of accredited investors will become as a result of these amendments, the newly added, expanded, or clarified accredited investor categories now include (but are not limited to) those with certain professional designations or other credentials, knowledgeable employees of private funds, and family offices, LLCs and certain other entities with at least $5 million in assets.  Under the amendment, spousal equivalents may also pool their finances for the purpose of qualifying as accredited investors.  (Note – None of the entities referenced above can be formed for the purpose of acquiring the security being issued and still qualify as an accredited investor.)  Interestingly, the SEC declined to update the financial thresholds that qualify individuals as accredited investors and that have remained unchanged since their establishment in 1982.  Those thresholds stand at a net worth (excluding the value of primary residence) of $1 million or income of at least $200,000 each year for the last two years.

The SEC also amended the “qualified institutional buyer” (“QIB”) definition in Rule 144A to conform to the updated accredited investor definition.  Those entities that qualify as accredited investors also qualify as QIBs, so long as they meet the $100 million threshold in owned and invested securities.

The amendments and order become effective 60 days after publication in the Federal Register.  Contributed by Doug MacKinnon, Senior Compliance Consultant.

Does your Firm Discriminate Against Americans with Disabilities? Don’t · Be · Too · Sure.  Consider the following:

  • Title III of The Americans with Disabilities Act (“ADA”), prohibits discrimination against individuals with disabilities in the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of “public accommodation.”
  • Registered investment advisers, broker-dealers, insurance companies, and banks all fall into the definition of “public accommodation.”
  • Courts differ in their opinion as to whether Title III of the ADA is limited to physical space or if it also applies to the website of a place of “public accommodation.”  Recent cases, such as Gil v. Winn-Dixie Stores, Inc. and Robles v. Domino’s Pizzas, LLC , support the opinion that Title III applies to both physical locations and websites as places of public accommodation.
  • For a website to be ADA Title III compliant, it should meet the Web Content Accessibility Guidelines (“WCAG”) 2.1, which is a detailed list of goals and criteria that are designed to make content more accessible to persons with disabilities. The guidelines can be distilled into four main tenets, and examples of each are included: (1) Perceivable (maximize the use of headings and labels, text alternatives for non-text content, and captions and other alternatives for multimedia); (2) Operable (make all functionality available from a keyboard, avoid the use of content that causes seizures or other physical reactions and help users navigate and find content; (3) Understandable (use of readable text and content that appears and operates in a predictable way); and (4) Robust (use content that maximizes current and future features).
  • Standards for Adobe PDFs include the following standards as presented by Adobe: Searchable text, images with alternate text, use of headings, table of contents, bookmarks and tags; use of logical reading order; no background images or watermarks; table rows do not split across pages; and tab order designed to progress in a fillable document from one field to another in a logical order.

Interested in learning more?  We encourage firms to review their public accommodations, assess legal and reputational risks, and if necessary, work with a consultant that specializes in Title III ADA compliance to ensure compliance.  Contributed by Rochelle A. Truzzi, Managing Director.

Mark Your Calendars – SEC / FINRA Roundtable to Discuss Initial Form CRS & Reg BI.  The SEC Staff has set the date for a roundtable on October 26th to address the regulators’ initial observations concerning Form CRS and Regulation Best Interest (“Reg BI”).  The SEC noted in its recent press release that participants will include representatives from the Office of Compliance Inspections and Examinations (OCIE), the Division of Trading and Markets, the Division of Investment Management and FINRA.  The event will be webcast virtually on Oct. 26th from 1:00-3:00 pm ET, open to the public and recorded for future listening.  At the time of this publication, details to access the event had not yet been released. Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

BEA’s BE-180 Benchmark Survey of Financial Services Providers. Every five years, the S. Department of Commerce’s Bureau of Economic Analysis (BEA) conducts a Benchmark Survey of Financial Services Transactions between U.S. Financial Services Providers and Foreign Persons on Form BE-180 (BE-180).  Financial Services Providers include investment advisers, broker-dealers, banks, and insurers that “had either combined sales to, or combined purchases from, foreign persons of ‘Financial Services’ that exceeded $3 million during its 2019 fiscal year”.  Examples of firms that are potentially in-scope include: (i) a U.S. RIA that received management or incentive fees from a non-US client, and (ii) a U.S. fund that paid fees to a non-US investment adviser, broker-dealer and/or custodian.  Unlike some of the other types of BEA surveys, U.S. firms that meet the filing criteria are required to file a BE-180, even if the firm did not receive a request from the BEA to complete the survey.  Firms with lesser activity are only required to complete the first portion of the survey, while firms with more activity to report are required to complete the entire survey.  If filed online using the BEA’s electronic filing system, the due date is October 30, 2020, while paper filings were due September 30, 2020.  Resources, including a decision support tool to help firms determine whether filing is required, are available on the BEA’s dedicated Form BE-180 page.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

For Investment Advisers

New WebCRD Reporting Available in FINRA Gateway.  As we mentioned in last month’s newsletter, FINRA has been overhauling the look and feel of WebCRD to provide better data integrity, overall functionality and to minimize FINRA intervention on data records.  Its rollout has occurred in phases, and the latest enhancements include dynamic reporting features that allow users to create custom reports and save them for future use.  In addition, a firm’s IT department can now access their firm’s data through the FINRA API (application programming interface).  Access to the API gives the firm flexibility to use FINRA data as they see fit.  This can be very beneficial to advisers seeking to improve data quality against internal personnel records, automate monitoring of IAR registrations against client account records and improve the annual renewal process.  Check out the FINRA site for live and recorded webinars on the different components of the revamped FINRA Gateway.  Contributed by Heather D. Augustine, Senior Compliance Consultant.

For Broker Dealers

Transitioning to FINRA Gateway: Registration and Continuing Education Applications.

  • October 5, 2020 – Form U4 Online Filing. There will be new data entry screens, more intuitive ordering of questions and enhanced validations in order to reduce filing errors.  The “Allow Rep Edits” feature will only be available through FinPro.  Registered persons (and those individuals seeking registration) will need a FinPro account.
  • October 5, 2020 – Registered representatives will be able to complete their Regulatory Element Program through FinPro or CE Online.
  • November 9, 2020 – Registered representatives and registered principals will be required to complete their Regulatory Element Program through FinPro.

For more information on FinPro, visit https://www.finra.org/registration-exams-ce/finpro.  For more information regarding transition to FINRA Gateway, go to https://www.finra.org/filing-reporting/finra-gateway/faqContributed by Rochelle A. Truzzi, Managing Director.

Lessons Learned 

SEC Nails Interactive Brokers for Repeatedly Failing to File Suspicious Activity Reports. The importance of having a strong supervision and anti-money laundering programs was evident in recent regulatory actions taken against Interactive Brokers LLC (“Interactive”).  Interactive grew rapidly from 2013 to 2018 becoming one of the larger electronic broker-dealers in the United States.  However, with that growth Interactive failed to put in place the necessary resources and to implement programs for properly surveilling hundreds of millions of dollars in wire transfers and to identify and investigate suspicious activity.  Among other things, this resulted in Interactive failing to file suspicious activity reports for certain microcap securities trades or to properly supervise employee’s handling of customer accounts.  As a result, Interactive was fined a total of $38 million by regulators (FINRA $15 million, SEC $11.5 million, CFTC $11.5 million).  The firm also had to pay an additional $706,214 in disgorgement related to the CFTC settlement.  Contributed by Doug MacKinnon, Senior Compliance Consultant.

National Financial Services Fails with Regard to Its Underwriting Activities. As compliance consultants, we are often concerned when a client engages in certain business activities on an occasional or “one-off” basis.  Why? Because those areas are ripe for mistakes, and sometimes big ones.  The activity may not seem significant and the firm may fail to properly consider the associated risks.  Often, the activity is not covered in the firm’s written compliance and supervisory procedures.  As a result, the activity falls under the radar and continues unmonitored until…  This case offers a perfect example.

Over a twelve-year period, National Financial Services (“NFS”) failed to satisfy its prospectus delivery obligations to investors in connection with five “at-the-market delayed shelf offerings” of FuelCell Energy, Inc.  During that time, NFS sold over 70 million shares of the issuer’s common stock, raising over $148 million without delivering final prospectuses.  With shelf offerings, the issuer is permitted to file a registration statement with the Commission that includes a “base prospectus” that omits some of the offering-specific information required in a final prospectus (e.g., type of security, manner and timing of distribution, and nature and terms of agreements with underwriters, dealers and agents).  When selling off-the-shelf securities, the issuer must file a final prospectus that discloses the required offering information that was excluded from the base prospectus.  In the case of FuelCell, no final prospectuses were ever prepared, filed, or delivered.  As it turns out, the trading desk that conducted these sales did not generally engage in underwriting activities.  In addition, NFS did not have policies and procedures to monitor the activities, or prevent, detect, or address the violations.  Making the situation worse, once aware of the situation, NFS failed to take timely or effective corrective action to prevent further violations.

It is imperative that your compliance program identifies and addresses all business activities of your firm.  Firms should pay particular attention to the policies and procedures addressing those activities that represent a small portion of revenue as these areas are often overlooked, until…   Contributed by Rochelle A. Truzzi, Managing Director.

Career Ends in Disgrace for CCO that Faked Records. Bonnie Haupt was the CCO and part-owner of Gilder Gagnon Howe & Co., LLC (GGHC), a dually registered investment adviser and broker-dealer, who has been barred from the industry and personally fined $45,000.  Her crime?  Failure to follow policies and procedures.  GGHC was examined by FINRA in late 2016.  FINRA found that because the firm actively traded client accounts and was paid on a commission basis, GGHC needed to better supervise its trading activity.  GGHC responded by adopting a process for the CCO to review turnover rates in client accounts monthly, and to escalate accounts that exceeded a 6% cost-to equity ratio to the firm’s managing members.  The SEC came onsite for an exam in late 2017 and asked to see these reviews.  The CCO produced reports that she altered by using white-out to cover up the dates the reports were printed and by making hand-written notes to make it look like she had reviewed them earlier.

The SEC’s order does not say why these reviews were not performed.  But the lessons learned are not new.  First, if you tell a regulator that you are going to do something, do it.  Second, do not adopt policies and procedures that you cannot implement.  The SEC enforces the compliance manual as if it were law, so make sure you can live up to the promises you make.  Third, do not fake records.  It is better to admit the wrong-doing than to try and cover it up.  The SEC hates devious behavior and will punish it much more forcefully than neglect of duty.  Contributed by Jaqueline M. Hummel, Partner and Managing Director.

Worth Reading

 Filing Deadlines and To-Do List for October 2020

 INVESTMENT ADVISERS

  • Form 13H: Amendment to Form 13H due promptly for advisers that already have a Form 13H filing obligation and have changes to any of the information reported. Recommended due date: October 13, 2020. (Note: Neither the SEC nor its staff has provided guidance on the definition of “promptly” for Form 13H.)

HEDGE/PRIVATE FUND ADVISERS

  • Form PF for Large Liquidity Fund Advisers: Large liquidity fund advisers must file Form PF with the SEC on the IARD system within 15 days of each fiscal quarter-end. Filing for Q3 2020 is due October 15, 2020.
  • Blue Sky Filings (Form D). Advisers to private funds should review fund blue sky filings and determine whether any amended or new filings are necessary.  Generally, most states require a notice filing (“blue sky filing”) within 15 days of the first sale of interests in a fund, but state laws vary. Did you know that Hardin Compliance Consulting offers a convenient and economical blue sky filing service to help firms manage this complicated monthly task?  Learn more here and give us a call to discuss your needs further.  Due October 15, 2020.

BROKER-DEALERS

  • FINRA Accounting Support Fee: Quarterly invoice to support the GASB budget. Based on the municipal securities the firm reported to the MSRB. De Minimis firms (that owe less than $25) will not receive an invoice. Invoices are sent to the firm via WebCRD’s E-Bill.  Invoices typically appear in your EBill account in April, July, October and January.
  • SIPC-3 Certification of Exclusion from Membership: For firms with a Fiscal Year-End of August 31 AND claiming an exclusion from SIPC Membership under Section 78ccc(a)(2)(A) of the Securities Investor Protection Act of 1970. This annual filing is due within 30 days of the beginning of each fiscal year.  Due Date October 1, 2020.
  • Customer Complaint Quarterly Statistical Summary: For complaints received during the third Quarter. FINRA Rule 4530 requires Firms to submit statistical and summary information regarding complaints received during the quarter by the 15th day of the month following the calendar quarter.  Due October 15, 2020.
  • Quarterly FOCUS Part II/IIA Filings: For Quarter ending September 30, 2019. FINRA requires member firms to file a FOCUS (Financial and Operational Combined Uniform Single) Report Part II or IIA quarterly. Clearing firms and firms that carry customer accounts file Part II and introducing firms file Part IIA.  Due Date October 26, 2020.
  • Quarterly Form Custody: SEC requires that member firms file Form Custody under Securities Exchange Act Rule 17a-5(a)(5) for the quarter ending September 30. Due Date October 26, 2020.
  • Supplemental Statement of Income (“SSOI”): For the quarter ending September 30. FINRA requires firms to submit additional, detailed information regarding the categories of revenues and expenses reported on the Statement of Income (Loss) page of the FOCUS Report Part II/IIA. Due October 29, 2020.
  • Supplemental Inventory Schedule (“SIS”): For the month ending September 30. The SIS must be filed by a firm that is required to file FOCUS Report Part II, FOCUS Report Part IIA or FOGS Report Part I, with inventory positions as of the end of the FOCUS or FOGS reporting period, unless the firm has (1) a minimum dollar net capital or liquid capital requirement of less than $100,000; or (2) inventory positions consisting only of money market mutual funds. A firm with inventory positions consisting only of money market mutual funds must affirmatively indicate through the eFOCUS system that no SIS filing is required for the reporting period. Due October 29, 2020.
  • Annual Audit Reports for the Fiscal Year-End August 31, 2020. FINRA requires that member firms submit their annual audit reports in electronic form. Firms must also file the report at the regional office of the SEC in which the firm has its principal place of business and the SEC’s principal office in Washington, DC. Firms registered in Arizona, Hawaii, Louisiana, or New Hampshire may have additional filing requirements. Due October 30,2020.
  • SIPC-3 Certification of Exclusion from Membership: For firms with a Fiscal Year-End of September 30 AND claiming an exclusion from SIPC Membership under Section 78ccc(a)(2)(A) of the Securities Investor Protection Act of 1970. This annual filing is due within 30 days of the beginning of each fiscal year. Due October 30,2020.
  • SIPC-6 Assessment: For firms with a Fiscal Year-End of March 31. SIPC members are required to file for the first half of the fiscal year a SIPC-6 General Assessment Payment Form together with the assessment owed within 30 days after the period covered. Due October 30,2020.
  • SIPC-7 Assessment: For firms with a Fiscal Year-End of August 31. SIPC members are required to file the SIPC-7 General Assessment Reconciliation Form together with the assessment owed (less any assessment paid with the SIPC-6) within 60 days after the FYE.  Due October 30, 2020.

MUTUAL FUNDS

  • Form N-MFP.  Form N-MFP (Monthly Schedule of Portfolio Holdings of Money Market Funds) reports information about the fund’s holdings as of the last business day of the prior calendar month and must be filed no later than the fifth business day of each calendar month.  Due date is October 7, 2020.

____________________________________________________________________________________

Partner with Hardin Compliance

Have a compliance question or want an independent review of your compliance program?  Hardin Compliance can help!  Call us today at 1.724.935.6770, or visit our website at www.hardincompliance.com for more information.

____________________________________________________________________________________

Hardin Compliance Consulting provides links to other publicly-available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance.  The information in this e-newsletter is for general guidance only.  It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.

Photo by Stephanie Krist on Unsplash.