Conflicts of Interest | cybersecurity | FINRA Rule Changes | Mutual Funds | Regulatory Deadlines | SEC News | Seniors and Vulnerable Investors

SEC and OCIE Reach Out to B-Ds; Regulators Warn Firms to Use Enhanced Security on Cloud Storage; SEC’s War on “May” Continues, and Oklahoma Gets Schooled on Cybersecurity Risks: Regulatory Update for June 2019

SEC Tackles Cloud Service Providers

For Investment Advisers and Broker-Dealers:  SEC Actions

SEC announces 2019 CCO Outreach program details:

  • The 2019 National Compliance Outreach Program for Broker-Dealers, co-sponsored by the SEC and FINRA, will be held in Chicago on June 27, 2019. Registration opened on April 16, 2019, and is limited to 250 in-person attendees.  See here for details, including a link to a live webcast for those unable to attend.
  • The 2019 Investment Adviser and Investment Company CCO National Outreach Program is underway through a series of regional meetings. Sessions are filling quickly as attendance is limited, but the Chicago meeting will also be available via live webcast.  See here for details.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

SEC Warns Advisers and B-D’s to Use the Bells and Whistles provided by Cloud-Based Storage Solutions; Follows up with Sweep:  The SEC continues to scrutinize how investment advisers and broker-dealers protect client information and recently turned its focus to cloud-based storage solutions in its most recent risk alert.  Interestingly, OCIE highlights the fact that many of these storage solutions have features to enhance security that firms have failed to set up appropriately.  OCIE also included samples of effective practices, such as policies and procedures designed to support the initial installation, on-going maintenance, and regular review of the storage systems.  OCIE also recommended that firms set basic standards for security configuration and schedule periodical maintenance of the systems. The SEC is following up this risk alert by conducting a sweep, asking firms about their use of cloud storage providers.  Contributed by Jaqueline M. Hummel, Partner and Managing Director.

Protecting Our Senior and Vulnerable Investors:  This initiative is spreading like wildfire throughout the regulatory agencies and state jurisdictions.  States are adopting new legislation every month, and firms are working hard to improve their processes for protecting clients.  One of my favorite, go-to resources is a web-page dedicated to senior issues from the law firm of Bressler, Amery & Ross, P.C.  The firm has created an interactive 50 State Statute Survey map that should be referenced in every firm’s procedures manual.  Given the rapidly changing regulatory landscape for protecting senior and vulnerable investors, firms must review the applicable state legislation with each instance of potential exploitation.  The following are additional resources for your consideration:

Contributed by Rochelle A. Truzzi and Cari A. Hopfensperger, Senior Compliance Consultants.

For Broker-Dealers:  FINRA Actions 

Don’t Forget to Register:  Firms that handle orders in NMS Stocks, OTC Equity Securities, or Listed Options will be subject to the CAT NMS Plan (Consolidated Audit Trail) reporting requirements, no exceptions.  FINRA issued Regulatory Notice 19-19 to remind firms that registration with FINRA CAT LLC is due by June 27, 2019.   Under the CAT NMS Plan, firms may self-report data to the Consolidated Audit Trail, use a 3rd party vendor to report on their behalf, or use a combination of the two reporting methods.   All subject firms must register, regardless of their reporting method(s).  Registration is easy and must be completed on-line through the CAT NMS Plan website.  FINRA hosted an industry webinar on March 19th and established a web page regarding the consolidated audit trail.  Bookmark the Consolidated Audit Trail website for information on future developments and the Plan timeline.  Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

Your Firm’s AML Program May Require Your Attention:  FINRA reminded firms of their existing obligations under the Bank Secrecy Act to develop surveillance procedures reasonably designed to detect and trigger reporting of suspicious activities to FinCEN.  FINRA Notice 19-18 outlined the reporting requirements found under the Treasury’s SAR rule and provided an updated, non-exhaustive list of potential money laundering red flags that may apply to your firm’s business.  The original list issued by FINRA in NTM 02-21 simply enumerated 25 potential red flags.  The update list is divided into six categories and consolidates 97 examples of red flags previously issued by FINRA, the Financial Action Task Force, FinCEN, the U.S. Department of State, and the SEC.  FINRA urged firms to consider incorporating the additional red flags, as they may apply, into their AML policies and procedures that address the monitoring, investigation, and reporting of suspicious activities.  Finally, FINRA advised firms to consider emerging areas of risk, such as money laundering risks that may be associated with activity in digital assets.  Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

Classic Role Reversal involving the Oklahoma Department of Securities:  During the month of May, the Oklahoma Department of Securities (“Department”) began notifying affected individuals, including certain registered securities representatives, of a data breach incident that occurred back in December of 2018 (see below).  According to a report published by The UpGuard Data Breach Research Team on January 19, 2019, the breach involved three terabytes of data and millions of files dating from 1986 to 2016 (UpGuard provides cybersecurity services and regularly monitors the web for public data exposures).

 

An unsecured server was discovered on December 7, 2018, by UpGuard researcher, Greg Pollock, during a routine search of the web for exposed data, and was reported to the Department on December 8.  The Department secured the exposed server the same day.  UpGuard reported “(t)he exposure was identified only one week after it showed up in Shodan’s catalog of global IP addresses[1]”  explaining that, “[s]hortening the window of exposure reduces the likelihood of other parties accessing the data and enables its owners to take responsive measures before the data is used maliciously.”  However, the Department failed to notify affected individuals for more than five months, delaying the implementation of responsive measures and exposing the affected individuals to additional risk.

Also noteworthy, UpGuard gave the Department’s website a Cyber Risk Score of 171 out of a possible 950, indicating “severe risk of breach.”  The low score was, in part, the result of the  Department’s continued use of servers well beyond their “end-of-life,” when updates to patch vulnerabilities were no longer available.  As reported by Thomas Brewster of Forbes, UpGuard identified the Department’s use of simple passwords and practice of saving encrypted documents in the same folder as decrypted versions as additional signs of weakness in the Department’s cybersecurity program.

I encourage you to use this information to strengthen your existing cybersecurity program and enhance your review of your firm’s system security measures.  Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

For Mutual Funds: SEC Actions

Liquidity Risk Management Programs – Reminder to Small Fund Complexes:  June 1, 2019, is the date small fund complexes have been waiting for —  the deadline for fund families with less than $1 billion in assets to adopt a liquidity risk management program under Rule 22e-4 of the Investment Company Act of 1940 (the “Liquidity Rule”).  This deadline also requires appointing a Program Administrator and limiting investments in illiquid securities to 15% of the fund’s portfolio.  These same small fund families still have until December 1, 2019, to implement liquidity classifications and the elements of the liquidity rule that are related to liquidity classifications, including the establishment of a highly liquid investment minimum (or HLIM).  Given the phased-in compliance dates, we see many fund boards review liquidity risk management programs ahead of the initial June 1 compliance date, but wait to issue formal approval of these programs until closer to the December compliance date.  The SEC’s Investment Company Liquidity Risk Management Programs Frequently Asked Questions are a useful reference. Refer to our prior blog post for additional details.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

For Hedge Fund Managers: CFTC/NFA Actions 

CFTC Amends its Privacy Regulations.  Not to be outdone by other regulators, the CFTC recently amended its privacy regulations (CFTC Regulation 160.5) to incorporate the Fixing America’s Surface Transportation Act (“FAST Act”) amendment to the Gramm-Leach-Bliley Act (“GLB”).  In the amendment, the CFTC allows certain commodity trading advisors, commodity pool operators, retail foreign exchange dealers and futures commission merchants (“covered persons”) to avoid sending out an annual privacy notice.  More specifically, the amendment permits covered persons to skip the annual privacy notice as long as the firm’s privacy practices have not changed since the last notice was delivered to clients, and the firm only shares non-public information in limited situations.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

CFTC DOE Issues its First Public Enforcement Manual.  For the first time, the CFTC Division of Enforcement publicly released its enforcement manual.  In its press release, James McDonald, Enforcement Director, commented that “Our Manual aims to increase the level of clarity and transparency in our work. Clarity and transparency in our policies should promote fairness, increase predictability, and enhance respect for the rule of law.  We expect the publication of our Manual to advance these goals going forward.” Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

Lessons Learned from Recent SEC and FINRA Cases

Those who cannot remember the past are condemned to repeat it.[2]”  Do you remember the old mutual fund product shelf?  Back in the day, product sponsors would pay to be included on a broker-dealer’s product line-up.  In many cases, sponsors paying the most would be given the greatest access to the sales people.  Fast forward to today for a modern example of “pay to play” involving hedge funds at Deutsche Bank.  Deutsche Bank Trust Company Americas (“DBTCA”) agreed to a Cease and Desist Order and to pay a $500,000 penalty to the Securities and Exchange Commission (“SEC”) for violating Section 17 (a) (2) of the Securities Exchange Act of 1933.  The SEC found that DBTCA had misled investors who purchased hedge funds in advisory accounts.

It turns out that the independent, in-house research group (the “Research Group”) used by DBTCA to conduct extensive due diligence on hedge funds was pre-selecting hedge funds based on whether the funds would pay “retrocesssions,” or a portion of their management fee, to DBTCA. In essence, to be considered for the platform, the hedge fund would have to agree initially to pay retrocessions to receive a due diligence review.  (DBTCA did not charge an advisory fee on the hedge fund assets and retained final approval for the products placed on its menu.)  DBTCA did not disclose the retrocessions payments, or the fact that only funds that agreed to the payments were considered for due diligence in marketing materials.  Before signing the subscription agreement, however, clients were notified of the payments. This disclosure at the time of sale seems to have saved DBTCA from having to refund the fees to clients.

Because DBTCA failed to disclose the criteria for being considered by the Research Group, the SEC contended that its marketing materials were misleading. Also, the SEC stated DBTCA’s disclosure that hedge funds charged management fees and that DBTCA “may” receive a portion of such fees was insufficient because all the hedge funds DBTCA recommended were paying retrocessions.

The SEC has zero tolerance for undisclosed conflicts of interest resulting from compensation.  We recommend that compliance officers review financial statements to find these types of revenue streams.  We also recommend that firms establish a Conflicts of Interest Committee to review compensation arrangements.  Consider including employees from different areas of the business in the Conflicts Committee, including compliance, finance, marketing, operations, investment and product specialists to enable the flow of information and to encourage lively debate regarding conflicts of interest caused by compensation arrangements.  A Conflicts of Interest Committee can help educate its members,  document decisions and potentially prevent management from repeating mistakes from the past.  Contributed by Heather D. Augustine, Senior Compliance Consultant.

Another Tangled Web:  Scottish novelist Walter Scott said it best:  “O, what a tangled web we weave when first we practice to deceive.”  The SEC’s recent settlement with Matthew R. Rossi and SJL Capital, LLC (“SJL”) reveals a tangled web indeed.  SJL, a state-registered adviser, and Rossi, 80% owner and managing partner solely responsible for the firm’s investment decisions, were found to have misled its clients about the firm’s investment strategy and performance, hiding losses and misappropriating funds for personal benefit.  This case includes blatant fraud, starting with fabricating fake client documents to conceal major trading losses and then lying to clients about the reason for those losses.  Aside from these glaring misdeeds, this case also includes some useful lessons for advisers.

SJL offered separate accounts and a hedge fund using a similar strategy, described in the fund’s Private Placement Memorandum as “invest(ing) in a diversified portfolio consisting primarily of equity securities that are traded publicly in the U.S. markets” and leveraging a “highly successful proprietary algorithm, which … included “safety valves” or stop losses to limit downside risk”.  In reality, SJL traded unhedged options and did not employ any safety valves or stop loss limits.  When the strategy generated major losses (dropping 88% from its launch in June 2016 through August 2016, and being completely wiped out by November), SJL hid the losses by creating fake tax documents and account statements.  SJL distributed other materials to prospective investors that misrepresented fund assets and performance, such as SJL’s Form ADV Part 2A which described the algorithm as a “proprietary system of filters … proven to bring [investors] substantially higher returns.”  Throwing gasoline onto the fire, SJL continued to trade risky unhedged options, losing 70% of its remaining funds.  When questioned by clients, Rossi lied about the losses, blaming them on a nonexistent rogue trader.  Finally, after all that, Rossi convinced certain fund investors to pre-pay performance fees, which Rossi then misappropriated for his personal benefit.  The outcome: SJL and Rossi agreed to a cease and desist order.  Rossi is also barred from the industry, and SJL has since terminated its state adviser registrations.

Common-sense yet important take-away’s include:

  1. Be forthcoming and consistent when you describe your investment strategy – in fund-offering documents, Form ADV, RFP’s, other marketing materials, and in your discussions with current and prospective investors. Personally, I don’t know any clients who would be happy if they invested thinking they were getting “primarily” U.S. public equities only to find unhedged options in their accounts.
  2. Disclose, disclose, disclose. In those descriptions of your investment strategy, describe the relevant risks and the potential downsides.  Disclosure is not a cure for illegal activities, but a properly crafted disclosure can go a long way to ensuring your clients make informed decisions and to protecting your firm, especially if the strategy is inherently risky and there is a large performance downturn.
  3. Avoid subjective and promissory language. Yes, SJL had bigger problems, but its use of subjective language to describe its “highly successful” algorithm that was “proven to bring [investors] substantially higher returns”, and even referring to the algorithm as a “safety valve for downside protection” created risk for the adviser at its best, and demonstrated fraud at its worst.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

The War on May Continues, with Court of Appeals Finding Robare Disclosures Inadequate.  The U.S. Court of Appeals for the D.C. Circuit issued a surprising decision in the Robare Group, LTD. vs. SEC.  The Robare Group, LTD. (TRG) and its principals, Mark L. Robare and Jack L. Jones, Jr. have been fighting the SEC since 2014 when the Commission issued an order alleging that TRG’s disclosures of a revenue-sharing arrangement in its Form ADV were inadequate.  The surprise was that the court applied some common sense, rejecting the SEC’s long-standing position that “willfulness” simply means that a person acted intentionally, without being aware that his or her action violated a rule.  The court found that although the principals at TRG intentionally filed the Form ADV that omitted the required disclosures, the omission was a result of negligence.  Simply put, the court found that an act may be intentional or negligent, but it cannot be both.

On the plus side, this holding may impose a higher standard of proof on the SEC, requiring the Commission to prove intent in proceedings based on violations of law that require willful violations.  On the minus side, the court rejected TRG’s contention that it was not negligent since it met the industry’s standard of care in drafting its Form ADV disclosures. According to the court, negligence is judged against “a standard of reasonable prudence,” and not against industry standards.  The court held firm to its contention that as a fiduciary, TRG should have disclosed this obvious conflict of interest.  Contributed by Jaqueline M. Hummel, Partner and Managing Director.

”This is How We’ve Always Done it” Attitude Leads to Personal Liability for CEO and CFO/CCO for Mis-Using Private Fund Assets.  Here is yet another in a long line of SEC actions against private fund managers for misuse of fund assets.  What distinguishes this case is the fact that the SEC found the CEO and the CFO/CCO personally liable for these transgressions, requiring them to pay fines of $25,000 and $15,000, respectively.  Corinthian Capital Group, LLC (“Corinthian”) managed Corinthian Equity Fund II, LP (“CEF 2”), a private equity fund.  The SEC found that Corinthian improperly used CEF 2 assets to fund its advisory operations, caused CEF 2 to overpay organizational expenses, and failed to apply a $1.2 million fee offset due to CEF 2.  The SEC pointed the finger at CFO/CCO David G. Tahan (“Tahan”) for these misdeeds and at Peter B. Van Raalte (“Van Raalte”), Corinthian’s CEO, for failing to oversee Tahan’s work.

The two individuals received relatively small fines and no other serious punishment in this case.  Corinthian was also fined $100,000.  Similar to the Driver case discussed in the May 2019 Regulatory Update, the SEC gave credit to Corinthian for its cooperation and remedial efforts. The firm repaid the fee offset and reimbursed the expenses to the private fund in full with interest.

Reading between the lines, it appears that the CFO was simply following a prior CFO’s shoddy practices and the CEO, who should have known better, failed to review his work.  The takeaways from this case include (1) written policies and procedures regarding the classification and allocation of fund expenses can prevent misunderstandings and misuse of fund assets, and (2) supervision is vital to avoid personal liability.  In higher risk areas such as expense allocation and fee billing, a second set of eyes can help prevent mistakes and nefarious activity.   Contributed by Jaqueline M. Hummel, Partner and Managing Director.

Worth Reading 

Compliance Officers Should be Shaking in their Boots Brian Rubin and Michelle McIntyre from Eversheds Sutherland take a closer look at the SEC’s case against Thaddeus J. North and its implications for CCOs in this article for Practical Compliance & Risk Management.

Paying for RIA Referrals: State and SEC Solicitor Rules:  Chris Beach and Michael Kitces provide this great resource on the hodge-podge of rules for investment advisers.

Suspicious Activity Reports on Elder Financial Exploitation: Issues and Trends  The CFPB Office for Older Americans release an archived copy and transcript of its recent webinar, as well as a copy of its slide-deck highlighting results from its recent study of SAR reports regarding elder financial exploitation.

Speech: How we Protect Retail Investors  Check out this speech by Peter Driscoll, OCIE Director, given at the NRS Spring 2019 Compliance Conference in Orlando, Florida on April 29, 2019.  Mr. Driscoll reiterates how OCIE’s exam focus plays a vital role in protecting investors.

FYI: Is the SEC Wearing its “Reasonableness Pants”?  Check out Lorna Schnase’s thought-provoking article on her takeaways from a recent speech delivered by SEC Commissioner Hester Peirce about the Share Class Selection Disclosure Initiative.

The Cybersecurity Defense Advisors Forget  A quick reminder from Financial Planning that employees are a critical line of defense against cyber-crime and wire fraud attempts and that training is a critical tool to harness their collective efforts.

DOJ Guidance on Evaluation of Corporate Compliance Programs: Key Takeaways  McDermott Will and Emery summarizes the DOJ’s recent guidance regarding what constitutes an “effective” compliance program.  Key questions firms should ask themselves include: “1) Is the compliance program well designed? 2) Is the program being implemented effectively and in good faith? 3) Does the compliance program work in practice?”

What Your Compliance Officer Doesn’t Want You to Know  Sara Grillo of Advisor Perspectives reminds us that even old compliance dogs can learn new tricks, as long as they are open to asking for help.

Filing Deadlines and To Do List for June 2019

INVESTMENT MANAGERS AND HEDGE/PRIVATE FUND MANAGERS

  • FINRA’s 2019 Entitlement User Accounts Certification window is open through June 21, 2019. In this annual process, Super Account Administrators (SAA) are required to re-certify active users of IARD/WebCRD and related applications and delete accounts for users who no longer need access.  Due June 21, 2019.

HEDGE/PRIVATE FUND ADVISORS

  • Blue Sky Filings (Form D): Advisors to private funds should review fund blue sky filings and determine whether any amended or new filings are necessary.  Generally, most states require a notice filing (“blue sky filing”) within 15 days of the first sale of interests in a fund, but state laws vary. Did you know that Hardin Compliance Consulting offers a convenient and economical blue sky filing service to help firms manage this complicated monthly task?  Learn more here and give us a call to discuss your needs further.  Due June 15, 2019.
  • Distribute Audited Financial Statements for Private Funds for Funds of Funds: Private fund investment advisers generally should have their funds audited by an independent, PCAOB-registered accountant and deliver the audited financial statements to the funds’ investors within 120 days of the end of the funds’ fiscal year. This deadline for private fund of funds is within 180 days of the funds’ fiscal year end. That’s June 29, 2019, for funds with December 31 year-end.

BROKER-DEALERS

  • Annual Entitlement User Account Certification:  FINRA requires firms to conduct an annual review of the FINRA application user accounts established for firm personnel and ensure that access and entitlements are appropriate for the personnel’s role and responsibilities. The certification period typically begins in early January and ends approximately 30 days later. The Super Account Administrator (“SAA”) is responsible for conducting the review, amending and deleting user accounts/entitlements as necessary, and submitting the certification through WebCRD. Only the SAA has access to this certification. Failure to complete the certification by the established deadline will result in all user accounts associated with the firm to be suspended until certification is complete. Due June 21, 2019.
  • Rule 17a-5 Monthly and Fifth FOCUS Part II/IIA Filings: For the period ending May 31, 2019. For firms required to submit monthly FOCUS filings and those firms whose fiscal year-end is a date other than a calendar quarter. Due June 25, 2019.
  • Registration with FINRA CAT LLC: All firms with Consolidated Audit Trail reporting obligations, regardless of their reporting method(s) must register with FINRA CAT LLC. Registration must be completed on-line through the CAT NMS Plan website.  See above for additional details.   Due June 27, 2019.
  • Supplemental Inventory Schedule (“SIS”): For the month ending May 31, 2019. The SIS must be filed by a firm that is required to file FOCUS Report Part II, FOCUS Report Part IIA or FOGS Report Part I, with inventory positions as of the end of the reporting period, unless the firm has (1) a minimum dollar net capital or liquid capital requirement of less than $100,000; or (2) inventory positions consisting only of money market mutual funds. A firm with inventory positions consisting only of money market mutual funds must affirmatively indicate through the eFOCUS system that no SIS filing is required for the reporting period. Due June 28, 2019.
  • SIPC-7 Assessment: For firms with a Fiscal Year-End of April 30, 2019. SIPC members are required to file the SIPC-7 General Assessment Reconciliation Form together with the assessment owed (less any assessment paid with the SIPC-6) within 60 days after the Fiscal Year-End. Due June 29, 2019.
  • SIPC-3 Certification of Exclusion from Membership: For firms with a Fiscal Year-End of May 31, 2019, AND claiming an exclusion from SIPC Membership under Section 78ccc(a)(2)(A) of the Securities Investor Protection Act of 1970. This annual filing is due within 30 days of the beginning of each fiscal year. Due June 30, 2019.
  • SIPC-6 Assessment: For firms with a Fiscal Year-End of November 30, 2018. SIPC members are required to file for the first half of the fiscal year a SIPC-6 General Assessment Payment Form together with the assessment owed within 30 days after the period covered. Due June 30, 2019

____________________________________________________________________________________

Partner with Hardin Compliance

Have a compliance question or want an independent review of your compliance program?  Hardin Compliance can help!  Call us today at 1.724.935.6770, or visit our website at www.hardincompliance.com for more information.

____________________________________________________________________________________

Hardin Compliance Consulting provides links to other publicly-available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance.  The information in this e-newsletter is for general guidance only.  It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.

Photo by Eberhard Grossgasteiger on Unsplash

[1] Shodan is a search engine for internet-connected devices.

[2] George Santayana