
OCIE Lists Privacy Blunders; SEC Explains When Digital Assets become Securities; Ohio Mandates IARs and RR to Report Elder Abuse; FINRA Gives Broker an “F” in Email Review; and Google Searches Don’t Count as Due Diligence

For Investment Advisers and Broker-Dealers: SEC & State Actions

Reg S-P Compliance Violations Spelled out by SEC: OCIE reviewed two years of deficiency letters and came up with a list of the most common Regulation S-P compliance issues.  The risk alert identified the following low-hanging fruit:

  • Failing to provide initial and annual notices, and providing inaccurate privacy notices.
  • Failing to include an opt-out right to clients where firms share nonpublic personal information with nonaffiliated third parties.
  • Policies and procedures that contained blank spaces or described the requirements of Rule 30(a) of Regulation S-P (the “Safeguards Rule”) without describing the firm’s processes for actually protecting client information.

The bottom line is that OCIE found advisers and broker-dealers are aware of the Safeguards Rule and Regulation S-P but have not followed up with administrative, operational and physical safeguards.  Firms also stumble when it comes to training their staff on using encryption, password protection, or other available tools to protect client information.  Some firms have also failed to address the widespread use of personal devices like laptops and cellphones for storing client information without the appropriate anti-theft safeguards.

The SEC has become increasingly concerned about cybersecurity threats, and this alert from OCIE is a clear message to firms that they need to up their game.  Investment advisers and broker-dealers should use the risk alert as a guide for improving their information security protocols.  And if you need further incentive, check out the more recent cases brought by the SEC against R.T. Jones (resulting in a $75,000 fine), Morgan Stanley (resulting in a $1 million fine) and Voya Financial Advisors, Inc. (resulting in $1 million fine). Contributed by Jaqueline M. Hummel, Partner and Managing Director.

Heads Up!  Massachusetts Amended the Data Breach Notification Law:  You may need to update your firm’s Information Security Program to address significant changes to Chapter 93H, which became effective on April 11th.    Best-practice becomes law as broker-dealers and investment advisers subject to the MA law are now required to provide a minimum of 18 months of free, third-party credit monitoring services to affected consumers when there is a breach involving social security numbers.  Also, the notification requirements have been amended to address the timing and content of the notifications provided to the Commonwealth’s Attorney General, the Office of Consumer Affairs and Business Regulation (“OCABR”), and affected consumers.  Firms can no longer delay notification until the number of affected residents is known.  Instead, they must provide additional updates as the correct information becomes available.  See House, No. 4806, Sections 8-11 for a complete list of amendments and modify your Information Security Program and notification templates accordingly.  Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

Ohio Requires Registered Reps and Investment Adviser Reps to Report Elder Abuse.  Effective March 20, 2019, a new Ohio law took effect requiring certain financial professionals to report cases of suspected elder abuse or financial exploitation.  Specifically, Ohio Revised Code (ORC) 5101.63(A)(2)(dd), a provision within the Ohio Adult Protective Services statutes, was amended to include “a dealer, investment adviser, sales person, or investment advisor representative licensed under Chapter 1707 of the Revised Code” as mandatory reporters of known or suspected elder abuse.  Investment advisers and broker-dealers should train their representatives on how to identify and report elder abuse.  Check out the Ohio Department of Job and Family Services’ Guide to Protecting Ohio’s Elders for more information on what to look for and whom to call.   Reports can be made 24 hours a day, seven days a week by calling 1-855-OHIO-APS (1-877-644-6277).  Contributed by Jaqueline M. Hummel, Partner and Managing Director.


SEC Actions

SEC Issues Digital Asset Analysis and No-Action Letter: The evolution of capital formation, fin-tech, and market structures to include digital assets may or may not fall under the jurisdiction of the SEC.  To help industry participants determine whether a specific digital asset will be considered a security and subject to SEC jurisdiction, the SEC’s Strategic Hub for Innovation and Financial Technology (“FinHub”) published the “Framework for ‘Investment Contract’ Analysis of Digital Assets” (the “Framework”).  The authors of the guidance note that the framework “is not intended to be an exhaustive overview of the law, but rather, an analytical tool to help market participants.”

Consistent with prior SEC pronouncements, the Framework applies the Supreme Court’s Howey test for determining a transaction qualifies as an “investment contract,” which is considered a security and governed by federal securities laws.  The Framework focuses on the third and fourth prongs of the Howey test, specifically whether investors have an (i) expectation of profit (ii) in reliance on the efforts of others. On the same day that the Framework was released, the SEC’s Division of Corporate Finance issued the TurnKey Jet, Inc. No-Action Letter applying the Framework to find that tokens used to purchase services would not qualify as securities subject to SEC registration.  The model described in the no-action letter involves digital assets that would only be used on a closed private network to purchase air charter services.

The Framework and the TurnKey Jet, Inc. No-Action Letter further emphasize the limited circumstances under which a digital asset can avoid being considered a security.  To avoid security status, the SEC wants to see that the digital assets and associated network are fully functional at the time of sale. It seems likely that many digital assets will be considered “securities” subject to registration during the fundraising stage, since the efforts of a promoter will be key to the enterprise’s success and the proceeds from sales will likely be used to develop the platform.  The Framework indicates, however, that a digital asset can transform from a security to a non-security once the asset operates within a fully functioning network.  Market participants should approach selling digital assets with caution.   Contributed by Doug MacKinnon, Senior Compliance Consultant.

For Broker-Dealers:  FINRA Actions 

FINRA Issues Guidance for Communications with Customers Regarding Departing Representatives:  FINRA issued Regulatory Notice 19-10 to remind member firms that when a registered representative leaves, the firm should “promptly and clearly” notify affected customers how their accounts will continue to be serviced.  FINRA’s goal is to provide customers with timely information to make an informed decision about where to maintain their assets.  If your written supervisory procedures do not already address such communications, you should adopt and document procedures that provide prompt notification and the name and contact information of the individual(s) to whom the customer may direct questions and trade instructions, and when assigned, the name and contact information of the representative to whom the customer’s account(s) were assigned.  In addition, the firm may clarify the customer’s options to either retain the assets with the firm to be handled by the assigned representative or another representative at the firm or transfer the assets to another firm.  If the firm knows of and has consent from the departing representative, it may provide customers, upon request, with the departing representative’s business phone number, email address or mailing address. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

Attention Underwriting Syndicate Members who enter into Backstop Agreements:  FINRA released updates to the Interpretations on Financial and Operational Rules dealing with open contractual commitments.  A backstop agreement is an agreement between two syndicate members, the Backstop Recipient and the Backstop Provider, where the Backstop Provider agrees to deduct from its own net capital calculation any applicable open contractual commitment attributable to the Backstop Recipient.  If the backstop agreement is executed and effective before the Backstop Recipient becomes obligated to the underwriting commitment (and requires the Backstop Provider to purchase any unsold securities allocated to the Backstop Recipient), the Backstop Recipient does not need to take a capital deduction for its share of the open contractual commitment charge.  See interpretations on Securities Exchange Act Rule 15c3-1(c)(2)(viii), page 654. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

FINRA Will Permit the Use of Electronic Signatures for Discretionary Accounts:  Effective May 6th, firms may accept the electronic signature of those named, associated persons authorized to exercise discretion in client accounts, to satisfy FINRA Rule 4512(a)(3) regarding customer account information.  The electronic mark must clearly identify the signatory and comply with Section 101(d) of the Electronic Signature Act by being accurate, accessible, and capable of reproduction.  Electronic records maintained in accordance with 17a-4(f) comply with 101(d) of the E-Sign Act.  Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.

For Mutual Funds: SEC Actions

SEC Issues Guidance on Mutual Fund Reporting Requirements.  The SEC recently revised its Small Entity Compliance Guide: Investment Company Reporting Modernization Rules.  The guide highlights mutual fund reporting requirements associated with Forms N-PORT and N-CEN, which replace Forms N-Q and N-SAR, respectively.  This update reflects the SEC’s interim final rule adopted in February 2019, which adjusted the timing of initial Form N-PORT filings by large and small fund complexes.  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

Liquidity Risk Management FAQs Updated.  The SEC also recently updated its Investment Company Liquidity Risk Management Programs FAQ to address the temporary impact of an “extended holiday closure” on the liquidity classification of securities that are otherwise publicly traded.  An extended holiday closure is one that lasts seven or more calendar days.  While the SEC acknowledged that such investments do become temporarily illiquid, the related liquidity risk “differs from the liquidity risk N-LIQUID is designed to flag,” because funds can generally plan for the temporary closure ahead of the holiday.  Provided the fund’s board is notified of its plans to manage liquidity during the closure, the FAQ clarifies that the SEC “would not object if a fund does not file Form N-LIQUID for an investment that becomes illiquid solely due to the extended holiday closure.”  Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

For Hedge Fund Managers: CFTC Actions 

Help is available for understanding NFA Interpretive Notice 2-9 on Internal Controls.  The NFA has been busy making various guidance and training resources available to Member firms implementing Interpretive Notice 2-9 regarding Internal Controls.  The following list highlights recent educational opportunities and where you can find copies.

  • NFA updated its Self Examination Questionnaire to assist firms in preparing for 2-9.
  • It held a webinar designed to educate Members on their obligations under the interpretive notice.  The archived webinar and transcript are available on the NFA website.
  • NFA’s February Member Workshops discussed the Interpretive Notice and the Workshop materials are available on NFA’s website.

Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.

Lessons Learned from Recent SEC and FINRA Cases

Ever Wonder What Happens if Your Firm Blows the Private Offering Exemption?   The SEC filed an administrative proceeding against Mutual Coin Fund LLC and Usman Majeed (founder) related to their sale of limited partnership interests in the fund.  The SEC claims that the fund misrepresented the amount of capital raised and did not make any reasonable effort to verify the accuracy of their financial statements before providing them to potential and actual investors.  The SEC also claimed that the fund was engaging in general solicitation and did not have substantive or pre-existing relationships with some of its investors.  As a result, the fund and Majeed submitted an offer of settlement and will relinquish all management and incentive fees earned since the fund’s inception.  Contributed by Doug MacKinnon, Senior Compliance Consultant.

Google Searches and Phone Calls Don’t Count as Extensive Due Diligence:  Steven Morris Bruce (“Bruce”), founder and CEO of Charter Capital Management, LLC (“CCM”), literally “phoned it in” when conducting due diligence on a Norwegian individual and his company on behalf of two private funds managed by CCM (the “CCM Funds”).  In an administrative proceeding, the SEC found that “Bruce’s due diligence consisted solely of the telephone calls with the Norwegian individual, a few Google searches, and calls to CCM’s attorneys, accounting firm (“CPA firm”), and the Funds’ administrator (who cautioned Bruce about the investment…).”  Bruce told investors that he had performed extensive due diligence and had the “buy-in” from CCM’s attorneys, its CPA firm and the fund administrator before investing $4 million of his funds’ money in the Norwegian and his company.  The SEC found these statements misleading, given the extremely limited due diligence actually performed, and the fact that the CPA firm and the CCM Funds’ administrator specifically questioned the transaction.  It didn’t help matters that Bruce had personally loaned $115,000 to the Norwegian individual and his company, which was later repaid using the proceeds of the CCM Funds’ loans.  Bruce neglected to mention this obvious conflict of interest to investors in the CCM Funds.

To settle with the SEC, Bruce reimbursed the CCM Funds with $184,540 of his own money to cover their losses.  The SEC also fined Bruce and the firm $40,000 and required CCM to send all of its existing advisory clients a copy of the SEC’s order.

In a similar due diligence failure, Stanley S. Bae was barred from the industry by the SEC for fraud, because he represented to clients that an investment in a private fund was safe and profitable.  In reality, the private fund was struggling financially and unlikely to make any money.  Although the administrative order is a little fuzzy on the details, Bae had some idea that the private fund was in trouble since he had spoken to its principals. He didn’t share any of the bad news with his clients.  The SEC found that Bae had violated his fiduciary duties by failing “to use reasonable care to avoid misleading his clients and to provide them with full and fair disclosure of all material facts.” Bae was also fined $35,000.  Investment advisers cannot turn a blind eye to material information regarding investments they recommend.   Contributed by Jaqueline M. Hummel, Partner and Managing Director and Rochelle A. Truzzi, Senior Compliance Consultant.

When Absolute Power Corrupts Absolutely:  For seven years, Richard Diver was able to steal $6 million from his firm, M&R Capital Management, and its clients, to fund his lavish lifestyle.  Diver was a co-founder of the firm and its Chief Operating Officer (COO) and was responsible for managing the firm’s revenues and expenses, including payroll and client billing. He used his position to inflate his salary and to overbill clients.  It took a phone call from a client asking about overbilling in 2018 for the firm’s CEO to finally confront Diver, who confessed. The SEC investigated and referred the case to the U.S. Attorney for the Southern District of New York, which filed criminal charges against Diver and arrested him for embezzlement.

Interestingly, the SEC only filed charges against Diver, and not against the CEO or the firm itself. The firm’s CEO, John Maloney, also served as Chief Compliance Officer and Chief Investment Officer. But in its complaint against Diver, there is no mention of the failure on the CEO’s part to discover Diver’s wrongdoing.  This may be because the firm paid back all affected clients.

The big takeaways from this case?  First, when the CCO is wearing too many hats, the compliance program will suffer.  There is no way a CEO who is also acting as CIO has time to perform routine testing and monitoring, too.  Second, higher risk activities should include a system of checks and balances. Even if you trust your COO, a second set of eyes reviewing client billing is an essential safeguard — not only to prevent fraud, but to reveal potential flaws in the process.  In the Diver case, testing by a compliance officer after the fact could have uncovered this fraud much earlier.  In this case, the COO also managed the payroll process and was able to inflate his own income for years since no one was reviewing his work.   Contributed by Jaqueline M. Hummel, Partner and Managing Director.

FINRA Gives Broker-Dealer an “F” in Email Review:  Penny-stock brokerage firm Wilson-Davis & Co., Inc. settled with FINRA for $32,500 as a result of charges that its email review process was not reasonable.  According to the Letter of Acceptance, Waiver and Consent (“AWC”), the firm’s President and Chief Compliance Officer performed email reviews every other week.  He reviewed either 100 emails selected randomly by the firm’s email vendor or “messages flagged by the email system as containing a suspicious word or phrase from a lexicon of 24 search terms created by the firm.”

FINRA pointed out the flaws in the review process.  First, the random selection of email did not take into account the individuals, branch offices, departments, or business units.  Second, the lexicon-based search was inadequate since the terms were not “comprehensive enough to yield a meaningful sample of flagged communications.”  Finally, FINRA found that “the lexicon was not based on an assessment of risk areas at the firm, nor was it reasonably tailored to the firm’s size, structure and business model.  As a result, most of the search terms resulted in an unreasonably small number of emails flagged for review. Further, two search terms generated the vast majority of the flagged emails, and at least one of those terms was ineffective because it resulted in an unreasonably high percentage of ‘false positives.’”

Although this case does not provide any details on what would have been reasonable, it seems to set a baseline for what is not.  For a firm with at least 36 registered representatives and three offices, reviewing 100 emails every two weeks just isn’t going to cut it.  And if your lexicon-based search results in “an unreasonably small number of emails” being flagged for review, or includes a term that yields a high percentage of “false positives,” then you are not on the right track.

With the explosion in the use of email, compliance officers are often looking for a needle in a haystack. Random sampling and lexicon-based searches are often inefficient, but there are few alternatives given the available tools.  So, compliance officers should periodically review the process to determine whether changes are needed in response to increases in firm size and personnel and changes to the business model.   Contributed by Jaqueline M. Hummel, Partner and Managing Director.
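The three flaws FINRA identified in the Wilson-Davis review process (random selection that ignored individuals, branches and business units; terms that flagged an unreasonably small number of emails; a term that produced mostly false positives) can be measured rather than guessed at. The Python script below is an added example, not code from the AWC, the firm or any email vendor. The email records, the four lexicon terms, the `min_hits` and `max_fp_rate` thresholds and the `escalate` labels (standing in for a prior review cycle's verdicts on what actually needed escalation) are all constructed for illustration.

```python
"""Health check for a lexicon-based email review program (added example, constructed data)."""
import random
import re
from collections import defaultdict

# Constructed sample corpus: department, branch, body text, and whether a reviewer
# concluded in a prior cycle that the message genuinely needed escalation.
EMAILS = [
    {"dept": "trading", "branch": "NYC", "body": "Guarantee you this stock will double by Friday", "escalate": True},
    {"dept": "trading", "branch": "NYC", "body": "Can you guarantee the wire settles today?", "escalate": False},
    {"dept": "ops", "branch": "NYC", "body": "Please guarantee the conference room is booked", "escalate": False},
    {"dept": "retail", "branch": "SLC", "body": "Risk free return, just move your account to me", "escalate": True},
    {"dept": "retail", "branch": "SLC", "body": "Lunch next week? I promise not to talk shop", "escalate": False},
    {"dept": "retail", "branch": "SLC", "body": "Let's keep this between us, don't tell compliance", "escalate": True},
    {"dept": "ops", "branch": "DEN", "body": "Monthly statements went out on schedule", "escalate": False},
    {"dept": "ops", "branch": "DEN", "body": "I can guarantee the FOCUS filing goes Friday", "escalate": False},
]

# Constructed lexicon; a real one would come from the firm's own risk assessment.
LEXICON = ["guarantee", "risk free", "between us", "rebate"]


def flag_emails(emails, lexicon):
    """Return {term: [indexes of emails containing the term]} using a case-insensitive
    whole-word match. Terms with no hits are simply absent from the result."""
    hits = defaultdict(list)
    for i, email in enumerate(emails):
        for term in lexicon:
            if re.search(r"\b" + re.escape(term) + r"\b", email["body"], re.IGNORECASE):
                hits[term].append(i)
    return dict(hits)


def lexicon_report(emails, lexicon, min_hits=2, max_fp_rate=0.5):
    """Per-term hit count, false-positive rate (hits the reviewer did not escalate),
    and the problems FINRA called out: too few hits, or too many false positives."""
    hits = flag_emails(emails, lexicon)
    report = {}
    for term in lexicon:
        idx = hits.get(term, [])
        false_positives = sum(1 for i in idx if not emails[i]["escalate"])
        fp_rate = false_positives / len(idx) if idx else 0.0
        problems = []
        if len(idx) < min_hits:
            problems.append("too few hits")
        if idx and fp_rate > max_fp_rate:
            problems.append("high false positives")
        report[term] = {"hits": len(idx), "fp_rate": round(fp_rate, 2), "problems": problems}
    return report


def flag_concentration(emails, lexicon):
    """Share of all flagged messages attributable to each term; a couple of terms
    carrying nearly all the volume is the second pattern FINRA objected to."""
    hits = flag_emails(emails, lexicon)
    flagged = {i for idx in hits.values() for i in idx}
    return {term: round(len(idx) / len(flagged), 2) for term, idx in hits.items()} if flagged else {}


def review_unit(email):
    """Stratum key: every (department, branch) cell is a unit the sample must cover."""
    return (email["dept"], email["branch"])


def stratified_sample(emails, per_stratum=1, seed=0):
    """Draw up to per_stratum messages from every review unit, so that a purely random
    draw cannot skip a branch or business unit entirely."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for email in emails:
        strata[review_unit(email)].append(email)
    sample = []
    for key in sorted(strata):
        pool = strata[key]
        sample.extend(rng.sample(pool, min(per_stratum, len(pool))))
    return sample


def coverage(sample):
    """Sorted list of the review units a sample actually touched."""
    return sorted({review_unit(email) for email in sample})


if __name__ == "__main__":
    for term, row in lexicon_report(EMAILS, LEXICON).items():
        print(f"{term!r:14} hits={row['hits']} fp_rate={row['fp_rate']} {row['problems']}")
    print("concentration:", flag_concentration(EMAILS, LEXICON))
    print("units covered :", coverage(stratified_sample(EMAILS)))
```

On the constructed data, `guarantee` accounts for four of the six flagged messages but three of those four were not escalated, so it is reported as a high-false-positive term; `rebate` never fires and the other two terms fire once each, so they fall under the "too few hits" threshold. The stratified draw pulls one message from each of the four department/branch cells, which is the coverage property a plain 100-message random sample does not guarantee. Re-running the report after every change in headcount, offices or business lines is the periodic review the text recommends.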

Worth Reading: 

The First SEC Share Class Selection Disclosure Settlements: What We Learned & What’s Next?  Drinker Biddle reviews the first settlements and advises firms to review all their revenue-sharing arrangements and disclosures because the fat lady hasn’t sung yet.

New Jersey Releases Proposed Fiduciary Rule for Broker-Dealers and Investment Advisers:  Kilpatrick Townsend summarizes New Jersey’s proposed fiduciary rule, which follows an increasing number of other states that are refusing to wait for SEC movement on its proposed Reg BI.  Hardin continues to follow these developments closely.

Protect Yourself and Your Firm Against Password Spray Attacks:  This practical article by Hinshaw & Culbertson about a new type of cyberattack also offers updated tips for setting and maintaining strong passwords.

On the Road Again: Practical First Steps on Your Way to Compliance with the CCPA:  Although the California Consumer Privacy Act (CCPA) will not take effect until 2020, Fox Rothschild LLP’s Privacy and Data Security Team presents ideas for in-scope firms to start preparing now.

2019 Mutual Funds and Investment Management Conference: Ropes & Gray published its comprehensive memorandum, which summarizes sessions held at the Investment Company Institute’s annual conference in March.

Filing Deadlines and To Do List for May 2019

INVESTMENT MANAGERS AND HEDGE/PRIVATE FUND MANAGERS

  • Form 13F: Form 13F quarterly filing is due for Q1 2019 within 45 days after the end of the calendar quarter. Due date is May 15, 2019.
  • FINRA’s 2019 Entitlement User Accounts Certification is now open and will run from April 22 to June 21, 2019.  In this annual process, Super Account Administrators (SAA) are required to re-certify active users of IARD/WebCRD and related applications and delete accounts for users who no longer need access.  Due date: June 21, 2019.

HEDGE/PRIVATE FUND ADVISORS

  • Blue Sky Filings (Form D): Advisers to private funds should review fund blue sky filings and determine whether any amended or new filings are necessary.  Generally, most states require a notice filing (“blue sky filing”) within 15 days of the first sale of interests in a fund, but state laws vary. Did you know that Hardin Compliance Consulting offers a convenient and economical blue sky filing service to help firms manage this complicated monthly task?  Learn more here and give us a call to discuss your needs further.  Due date:  May 15, 2019.
  • Form PF for Large Hedge Fund Advisers: Large hedge fund advisers must file Form PF within 60 days of each quarter end on the IARD system. Due date is May 30, 2019.

REGISTERED COMMODITY TRADING ADVISORS/COMMODITY POOL OPERATORS

  • Form CTA-PR (March 31 Quarter End): Commodity Trading Advisors are required to file Form CTA-PR quarterly with the NFA. The due date is May 15, 2019.
  • NFA Form CPO-PQR (March 31 Quarter End): Small, Mid-Sized and Large Commodity Pool Operators are required to file NFA Form CPO-PQR quarterly with the NFA. The due date is May 30, 2019.

BROKER-DEALERS

  • Rule 17a-5 Monthly and Fifth FOCUS Part II/IIA Filings:  For the period ending April 30, 2019. For firms required to submit monthly FOCUS filings and those firms whose fiscal year-end is a date other than a calendar quarter.  Due date May 23, 2019. 
  • Supplemental Inventory Schedule (“SIS”): For the month ending April 30, 2019. The SIS must be filed by a firm that is required to file FOCUS Report Part II, FOCUS Report Part IIA or FOGS Report Part I, with inventory positions as of the end of the FOCUS or FOGS reporting period, unless the firm has (1) a minimum dollar net capital or liquid capital requirement of less than $100,000; or (2) inventory positions consisting only of money market mutual funds.  A firm with inventory positions consisting only of money market mutual funds must affirmatively indicate through the eFOCUS system that no SIS filing is required for the reporting period.  Due date May 29, 2019.
  • Annual Audit Reports for Fiscal Year-End March 31, 2019:  FINRA requires that member firms submit their annual audit reports in electronic form.  Firms must also file the report at the regional office of the SEC in which the firm has its principal place of business and the SEC’s principal office in Washington, DC. Firms registered in Arizona, Hawaii, Louisiana, or New Hampshire may have additional filing requirements.  Due date May 30, 2019. 
  • SIPC-3 Certification of Exclusion from Membership: For firms with a Fiscal Year-End of April 30, 2019, AND claiming an exclusion from SIPC Membership under Section 78ccc(a)(2)(A) of the Securities Investor Protection Act of 1970.  This annual filing is due within 30 days of the beginning of each fiscal year. Due date May 30, 2019. 
  • SIPC-6 Assessment: For firms with a Fiscal Year-End of October 31, 2018.  SIPC members are required to file for the first half of the fiscal year a SIPC-6 General Assessment Payment Form together with the assessment owed within 30 days after the period covered. Due date May 30, 2019. 
  • SIPC-7 Assessment: For firms with a Fiscal Year-End of March 31, 2019.  SIPC members are required to file the SIPC-7 General Assessment Reconciliation Form together with the assessment owed (less any assessment paid with the SIPC-6) within 60 days after the Fiscal Year-End. Due date May 30, 2019. 

____________________________________________________________________________________

Partner with Hardin Compliance

Have a compliance question or want an independent review of your compliance program?  Hardin Compliance can help!  Call us today at 1.724.935.6770, or visit our website at www.hardincompliance.com for more information.

____________________________________________________________________________________

Hardin Compliance Consulting provides links to other publicly-available legal and compliance websites for your convenience. These links have been selected because we believe they provide valuable information and guidance.  The information in this e-newsletter is for general guidance only.  It does not constitute the provision of legal advice, tax advice, accounting services, or professional consulting of any kind.