Post on 21-Aug-2020
Developments in Broker-Dealer and Investment Adviser Regulation with Compliance Officer Perspectives (October 12, 2018)
Moderator: Shane B. Hansen, Warner Norcross + Judd LLP
Florence Affatato, Portfolio Solutions
Kris Easter Guidroz, T. Rowe Price
Michael Hershaft, Securities and Exchange Commission
Kimberlee Levy, Concorde Holdings
Andrea McGrew, USA Financial
• SEC National Examination Priorities (2018)
• Current examination issues
• SEC Custody Rule updates
• SEC Regulation Best Interest (proposed)
• Standard of Care – DoL Rule Vacated - States
• Cybersecurity – safeguarding client information
• FINRA’s new risk-based exam program
• Seniors-Vulnerable Clients - “Trusted Contact”
• Crypto-currencies - initial coin offerings (ICOs)
Today’s hot topics . . .
Hansen – introduction 2
The Securities and Exchange Commission disclaims responsibility for any private publication or statement of
any SEC employee or Commissioner. The views expressed herein are those of the authors and do not
necessarily reflect those of the Commission, the Commissioners, or other members of the staff.
Hershaft 3
• Office of Compliance Inspections and Examinations (OCIE) (https://www.sec.gov/ocie)
• OCIE’s role – relationship with other SEC Divisions
• Examination Priorities – Five Thematic Areas
  • Matters of importance to retail investors, including seniors and those saving for retirement
  • Compliance and risks in critical market infrastructure
  • FINRA and MSRB
  • Cybersecurity
  • Anti-money laundering programs
  • https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2018.pdf
Hershaft 4
National Exam Program (2018)
• Risk Alert: Most Frequent Best Execution Issues Cited in Adviser Exams
• https://www.sec.gov/ocie/announcement/risk-alert-most-frequent-best-execution-issues-cited-adviser-exams-1
• Risk Alert: Most Frequent Advisory Fee and Expense Compliance Issues Identified in Examinations of Investment Advisers
• https://www.sec.gov/ocie/announcement/risk-alert-advisory-fee-expense-compliance
Hershaft 5
Issues from Recent Exams - Risk Alerts
• “Best execution” – two concepts – IA vs. BD
• Mutual fund and variable annuity share classes
  • https://www.investor.gov/additional-resources/news-alerts/alerts-bulletins/investor-bulletin-mutual-fund-classes
• IA fiduciary duty - share class selection
• SEC “best ex” share class enforcement
  • https://www.sec.gov/news/press-release/2018-62
  • https://www.investor.gov/additional-resources/news-alerts/press-releases/sec-sanctions-nebraska-based-investment-adviser-best
• SEC Share Class Selection Disclosure Initiative (SCSDI)
• https://www.sec.gov/news/press-release/2018-15
• https://www.sec.gov/enforce/announcement/scsd-initiative
Guidroz – Hansen 6
Best Execution – Share Classes
• Updates to SEC DoIM Custody Rule FAQs
  • https://www.sec.gov/divisions/investment/imannouncements/im-info-2018-01.pdf
• Inadvertent Custody: Advisory Contract Versus Custodial Contract Authority
  • https://www.sec.gov/files/2017-03/im-guidance-2017-01.pdf
• SEC Risk Alert – Custody
  • https://www.investor.gov/additional-resources/news-alerts/press-releases/sec-issues-risk-alert-investor-bulletin-investment
• Custody Rule and Adopting Release
  • https://www.law.cornell.edu/cfr/text/17/275.206%284%29-2
  • https://www.sec.gov/rules/final/2009/ia-2968.pdf
Hershaft 7
Custody Rule Guidance
• Broker-dealer regulation and guidance
  • Guide to Broker-Dealer Registration (Rev. 12/12/16)
  • https://www.sec.gov/reportspubs/investor-publications/divisionsmarketregbdguidehtm.html
  • SEC DoT&M guidance
  • https://www.sec.gov/divisions/marketreg/mrbdealers.shtml
• Investment adviser regulation and guidance
  • Regulation of Investment Advisers (March 2013)
  • https://www.sec.gov/about/offices/oia/oia_investman/rplaze-042012.pdf
  • SEC DoIM no-action letters and guidance
  • https://www.sec.gov/divisions/investment/guidance.shtml#custody-investment-adviser
Hansen – summarize 8
SEC Reference Resources
• SEC Fast Answers - Key Topics
  • https://www.sec.gov/fast-answers
• SEC Small Business Compliance Guides
  • https://www.sec.gov/info/smallbus/secg.shtml
• Information For Small Businesses
  • https://www.sec.gov/smallbusiness
• OCIE Reference Resources
  • https://www.sec.gov/about/offices/ocie/ocie_infofor.shtml
Hansen – summarize 9
SEC Reference Resources
• Chairman Clayton - Statement Regarding SEC Staff Views (Sept. 13, 2018)
“The Commission’s longstanding position is that all staff statements are nonbinding and create no enforceable legal rights or obligations of the Commission or other parties. Statements issued by SEC staff frequently include a disclaimer underscoring the important distinction between the Commission’s rules and regulations, on the one hand, and staff views on the other.”
• https://www.sec.gov/news/public-statement/statement-clayton-091318
• Fast Answers – “no-action letters”
  • https://www.sec.gov/fast-answers/answersnoactionhtm.html
Hansen – summarize 10
Caveat – Role of staff guidance
• Commission Rulemaking - Interpretive Guidance
• Regulation Best Interest, available at:
  • https://www.sec.gov/rules/proposed/2018/34-83062.pdf
• Investment Adviser Interpretation, available at:
  • https://www.sec.gov/rules/proposed/2018/ia-4889.pdf
• Form CRS Relationship Summary, available at:
  • https://www.sec.gov/rules/proposed/2018/34-83063.pdf
Hershaft 11
Regulation Best Interest
• Challenges to finding a workable standard
  • Broker-dealer vs. investment adviser vs. insurance
  • Business models – employee vs. independent
  • Account types (fee vs. commission vs. wrap)
• Compensation arrangements
  • Fixed/project or hourly financial planning fees
  • Assets under management (%)
  • Commission-based sales and trails
  • “Soft dollars” (research/trading support)
  • Solicitor/referral fees
  • Sales incentives – breakpoint tiers
  • Marketing or technology support payments
  • Recruiting incentives (“forgivable loans”)
Guidroz – Hansen 12
Regulation Best Interest
• “Conflict of Interest Rule”
  • https://www.dol.gov/agencies/ebsa/laws-and-regulations/rules-and-regulations/completed-rulemaking/1210-AB32-2
• Vacated by 5th Circuit Court of Appeals (June 21, 2018)
  • Exceeded ERISA Title II statutory rulemaking authority
  • https://www.ca5.uscourts.gov/opinions/pub/17/17-10238-CV0.pdf
• Scope – ERISA plans, IRAs, HSAs, and similar tax-qualified accounts
• Triggered by making a “recommendation”
• Jurisdiction is by account type, not by institution type
• Imposed a new “best interest” fiduciary standard
  • Prohibited wide range of conflicts (e.g., compensation)
  • Required a “prohibited transaction exemption”
  • “Best interests contract” (BIC) exemption
Hansen 13
Standard of Care – U.S. DoL Rule
• Expanded “fiduciary” definition was vacated
  • Return to 1975 “five-part test” – advice for compensation (direct or indirect) is “fiduciary” if it is:
• Regarding the value or advisability of investing in, purchasing or selling securities or other property
• Provided on a regular basis
• Pursuant to a mutual agreement or understanding
• Forming a primary basis for investment decisions; and
• Individualized based on the particular needs of the investor
• Same test regardless of the type of service provider
• Advice in an on-going brokerage relationship is likely to be viewed as “fiduciary” under this test
• Scope includes “other property” (e.g., real estate)
Hansen 14
Standard of Care – DoL “Legacy”
• DoL and IRS Temporary Enforcement Policy
  “. . . until after regulations or exemptions or other administrative guidance has been issued, the Department will not pursue prohibited transactions claims against investment advice fiduciaries who are working diligently and in good faith to comply with the impartial conduct standards for transactions that would have been exempted in the BIC Exemption and Principal Transactions Exemption, or treat such fiduciaries as violating the applicable prohibited transaction rules.”
  • https://www.dol.gov/agencies/ebsa/employers-and-advisers/guidance/field-assistance-bulletins/2018-02
• Impartial conduct standard – three conditions
  • Act in the best interest of customers [and evidence it]
  • Charge no more than reasonable compensation
  • Make no misleading statements
Hansen 15
Standard of Care – DoL “Legacy”
• Nevada - Fiduciary Duty - SB 383 (2017)
  • Statutory standard – rulemaking is authorized
  • https://www.leg.state.nv.us/Session/79th2017/Bills/SB/SB383_EN.pdf
• New Jersey plans for fiduciary rulemaking
  • https://nj.gov/governor/news/news/562018/approved/20180917c.shtml
• National Securities Markets Improvement Act (NSMIA) federal preemption scope in question
  • Does not limit state anti-fraud jurisdiction
• Role of State Blue Sky Laws After the JOBS Act
  • http://clsbluesky.law.columbia.edu/2017/02/15/the-role-of-state-blue-sky-laws-after-the-jobs-act-and-the-national-securities-markets-improvement-act/
Hansen – summarize 16
Hansen – summarize 16
Standard of Care - States
• “Cybersecurity, the SEC and You”
  • https://www.sec.gov/spotlight/cybersecurity
Cybersecurity – SEC Resources
Hansen - introduction 17
• Observations From Cybersecurity Examinations
  • https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf
• Cybersecurity: Ransomware Alert
  • https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf
Cybersecurity – SEC OCIE
Hershaft 18
• http://www.finra.org/industry/cybersecurity
Hansen – summarize 19
Cybersecurity - FINRA
• http://www.finra.org/industry/cybersecurity#checklist
Hansen – summarize 20
Cybersecurity - FINRA
• North American Securities Administrators Association (NASAA) Model Rule Proposal
  • Proposed IA Model Rule for Information Security and Privacy (comments due by 11/26/18)
  • http://www.nasaa.org/46030/request-for-public-comment-regarding-a-proposed-ia-model-rule-for-information-security-and-privacy-under-the-uniform-securities-acts-of-1956-and-2002/
• Vermont Cybersecurity Rule
  • http://www.dfr.vermont.gov/reg-bul-ord/vermont-securities-regulations
• Colorado Cybersecurity Rule
  • https://www.colorado.gov/pacific/dora/securities-law-rules
• Illinois Personal Information Protection Act
  • http://blogs.luc.edu/compliance/2017/10/05/personal-information-protection-act-pipa-redefining-cyber-security-consumer-protection/
Hansen – summarize 21
Cybersecurity - States
• National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • https://www.nist.gov/cyberframework
• Federal Bureau of Investigation (FBI)
  • Cyber Crimes
  • https://www.fbi.gov/investigate/cyber
  • Reporting Cyber Crimes
  • https://www.fbi.gov/contact-us/field-offices
Hansen – Affatato 22
Cybersecurity – NIST – FBI
Cybersecurity – Cyber-threats
Affatato 23
Beware of thunder and lightning in the “cloud”!
• Voya Financial Advisors Inc. (2018)
• Censure and $1 million fine by SEC
• First “red flags” rule violation case; also Reg S-P
• Cyber-intruders impersonated contractors over a six-day period calling VFA’s support line and requesting that the contractors’ passwords be reset
• Intruders created new online customer profiles to obtain unauthorized account access
• VFA also failed to apply its procedures to systems used by its independent contractor representatives
• https://www.sec.gov/news/press-release/2018-213
Affatato – summarize 24
Cybersecurity – Enforcement
• Morgan Stanley Smith Barney LLC (2016)
• Violation of Reg S-P - failure to safeguard data
• Fined $1 million by SEC
• Two internal web applications or “portals” allowed employees to access customers’ information
• Firm did not restrict access based on each employee’s legitimate business need
• Firm did not audit or test authorization modules, and did not monitor or analyze employees’ portal use
• Former employee downloaded data to his server
• Personal server likely hacked with confidential data posted on the Internet for sale
• https://www.sec.gov/news/pressrelease/2016-112.html
Affatato – summarize 25
Cybersecurity – Enforcement
• R.T. Jones Capital Equities Management (2015)
• Censured and fined $75,000 by SEC
• Breach compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of clients
• Stored PII on third party-hosted web server
• Web server was hacked rendering the PII vulnerable to theft – actual theft was not evident
• Failed to encrypt and adopt/assess policies and procedures reasonably designed to safeguard customer information, or maintain a response plan
• https://www.sec.gov/news/pressrelease/2015-202.html
Affatato – summarize 26
Cybersecurity – Enforcement
Affatato – Levy – McGrew 27
Frequent Cyber-threats
E-mail Spoofing
Phishing
E-mail Account Takeover
Malware/Ransomware
Malicious Links
Social Engineering
• "Phishing"—fraudulent emails that steal your personal information
• Typically involve emails that falsely claim to be from brokerage firms, banks, credit card companies
• Internet auction sites, electronic payment services or some other service that you use
• Emails purporting to be from government agencies
• Made to appear genuine -
  • Names of real people – even people you know
  • Legitimate-looking email addresses
  • Authentic-looking logos and graphics
  • Content from or links to bona fide websites
Affatato – Levy – McGrew 28
Cyber-crime “Social Engineering”
• “Spear Phishing”
  • Fake e-mail targeted to a specific individual seeking information or access to internal systems or data
Affatato – Levy – McGrew 29
Cyber-crime “Social Engineering”
• “Spear Phishing” (slides 30–32: image-only slides; only the title text is recoverable)
Affatato – Levy – McGrew 30–32
Cyber-crime “Social Engineering”
• Regulation S-P Privacy of Consumer Financial Information
• Requires written policies and procedures reasonably designed to protect customer records and information
• https://www.sec.gov/spotlight/regulation-s-p.htm
• Regulation S-ID Identity Theft Red Flags
  • https://www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm
• Business continuity – disaster preparedness
  • http://www.finra.org/industry/business-continuity-planning
  • https://www.sec.gov/news/pressrelease/2016-133.html
  • http://www.nasaa.org/wp-content/uploads/2011/07/NASAA-Model-Rule-on-Business-Continuity-and-Succession-Planning-with-gu....pdf
• State data breach notification laws – all 50 states
  • http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
Affatato – Levy – McGrew 33
Cybersecurity – Regulatory
• Set the stage
• Perform (or contract for) self-assessment
• Create a written cyber-action plan
• Implement and document (everything)
• Ongoing maintenance and training
• Vendor management
• Customer/client education
Affatato – Levy – McGrew 34
Cybersecurity – Preparation
• Written assessment - written plan and policies
  • Information governance
• Device and internet access inventory
• Internal and external systems
• Risk assessment
• Implementation/maintenance
• Vendors, support, and consulting resources
• Training
• Testing
• Incident reporting and response
• Insurance
Affatato – Levy – McGrew 35
Cybersecurity – Preparation
• FINRA360 – “comprehensive self-evaluation and organizational improvement initiative”
• 2017 Report on FINRA Examination Findings
  • https://www.finra.org/industry/2017-report-exam-findings
• No more “cycle” exams starting 2018!
• Examination Findings Report will be published annually
• Examination program restructured for 2018
  • FINRA optimized its exam framework – risk-oriented
• Enhanced coordination among exam activities and greater integration
• Creating/implementing a "roadmap" to thoughtfully and methodically build FINRA’s future exam program structure
Affatato – Levy – McGrew 36
FINRA Risk-Based Exams
• New risk-based exam framework in 2018
  • Exam depth and breadth more closely matched with risks of the examined firm – no "one-size-fits-all" approach
• Subject to FINRA's ongoing risk monitoring, firms will continue to be examined at least once every four years
• Higher risk firms examined more frequently based on FINRA's identification and assessment of risks at each firm - riskiest firms being examined at least annually
• Framework will incorporate process improvements developed, including procedures to appropriately scope and avoid overlapping examinations
Affatato – Levy – McGrew 37
FINRA Risk-Based Exams
• FINRA's firm risk-monitoring program will support the enhanced examination framework
• FINRA implemented a Small Firm Helpline
  • Augment relationship with their “regulatory coordinators”
• Facilitate obtaining information from FINRA about questions and concerns
• http://www.finra.org/industry/finra-small-firm-helpline
• Leveraging exam technology to facilitate more off-site work, and more efficient, focused on-site work
• Building a uniform training program for new examiners, enhanced examiner training, improving understanding of different business models/risks
Affatato – Levy – McGrew 38
FINRA Risk-Based Exams
• Practical exam advice -
  • Start preparing and setting expectations for your team and branch offices when you get the call
  • Working hours before/during/after on-site portion of the exam, turnaround time on requests, level of accuracy and completeness required
• Set priorities -
  • E.g., “out of office” message
  • Branch-level supervision for on-site branch exams
• Emphasis on team-work – exams are not just a compliance issue to deal with
• Talk to examiners early if timing is a concern
Affatato – Levy – McGrew 39
FINRA Risk-Based Exams
• (New!) FINRA Rule 2165 – Financial Exploitation of Specified Adults
• May place temporary holds on the disbursement of funds or securities if there is a reasonable belief that the customer is being financially exploited
• http://finra.complinet.com/en/display/display.html?rbid=2403&record_id=17538&element_id=12784&highlight=2165#r17538
• Amendments to Rule 4512 – Customer Account Information
• Firms must make reasonable efforts to obtain the name and contact information of a trusted contact person
• http://finra.complinet.com/en/display/display.html?rbid=2403&record_id=17537&element_id=9958&highlight=4512#r17537
• Cybersecurity - seniors and vulnerable clients as targets
McGrew – Affatato – Levy 40
Seniors and Vulnerable Clients
• Senior $afe Act (federal) (May 24, 2018)
  • Public Law No: 115-174, Section 303 of S.2155
• https://www.congress.gov/bill/115th-congress/senate-bill/2155/text
• “Exploitation” is the fraudulent, illegal, unauthorized, or improper act or process of an individual, including a caregiver or a fiduciary that —
• uses the resources of a senior citizen for monetary or personal benefit, profit, or gain; or
• results in depriving a senior citizen of rightful access to or use of benefits, resources, belongings, or assets
• Watered-down version of NASAA’s Model Act
Hansen – summarize 41
Seniors and Vulnerable Clients
• Qualified civil and regulatory immunity is granted if -
  • Senior exploitation is disclosed to a covered agency; and
• The discloser has received prescribed training -
• how to identify and report suspected exploitation; and
• need to protect customer’s privacy and respect integrity
• No required reporting or disclosure
• Covers banks, credit unions, investment advisers, broker-dealers, insurance companies and agencies
• Covers employees, representatives, and agents
• FinCEN Suspicious Activity Reporting (SARs)
Hansen – summarize 42
Seniors and Vulnerable Clients
• NASAA Model Act to Protect Vulnerable Adults from Financial Exploitation - Key Provisions
• Mandatory reporting if the firm reasonably believes that financial exploitation of an “eligible adult”
• Must promptly notify Adult Protective Services and their state securities regulator
• Third-party disclosure permitted only if previously designated by the customer
• Delayed disbursements for up to 15 business days
  • Permitted but must notify the person(s) authorized to transact business on the account
• Must undertake an internal review of the suspected exploitation
Hansen – summarize 43
Seniors and Vulnerable Clients
• Qualified immunity from administrative and civil liability for the reporting, disclosure to designated third parties, and the delay of disbursements
• Adopted in 19 states
  • http://serveourseniors.org/about/policy-makers/nasaa-model-act/update/
• Introduced but has not advanced in Michigan legislature
  • http://legislature.mi.gov/doc.aspx?2017-SB-0346
  • See also http://legislature.mi.gov/doc.aspx?2017-HB-4931
• NASAA’s Serve Our Seniors website
  • http://serveourseniors.org/
• Senior$afe training program for the securities industry
  • http://serveourseniors.org/about/industry/seniorsafe-training/
Hansen – summarize 44
Seniors and Vulnerable Clients
• Digital assets – different perspectives
  • A utility – a unit of stored value or exchange
  • A security – initial coin offerings (ICOs)
  • A “commodity”, “currency”, or “derivative” contract
  • “Blockchain” (a technology) vs. “bitcoin” (a token)
• SEC – Initial Coin Offerings (ICOs)
  • https://www.sec.gov/ICO
• https://www.sec.gov/oiea/investor-alerts-and-bulletins/ib_coinofferings
• http://www.sec.gov/litigation/investreport/34-81207.pdf
• https://www.sec.gov/spotlight-initial-coin-offerings-and-digital-assets
• https://www.sec.gov/news/public-statement/statement-clayton-2017-12-11
• https://www.howeycoins.com/index.html
Hansen – summarize 45
Crypto-currencies – ICOs
• SEC – “When Howey met Gary (Plastic)”
  • Howey “investment contract” test
  • Gary Plastic “setting/circumstances” of offer/sale
  • https://www.sec.gov/news/speech/speech-hinman-061418
• Crypto-exchanges regulated as “exchanges”
  • https://www.sec.gov/news/public-statement/enforcement-tm-statement-potentially-unlawful-online-platforms-trading
• Commodity Futures Trading Commission (CFTC)
  • Primer on Virtual Currencies (Oct. 17, 2017)
  • http://www.cftc.gov/idc/groups/public/documents/file/labcftc_primercurrencies100417.pdf
  • Risks of Virtual Currency Trading (Jan. 2018)
  • http://www.cftc.gov/idc/groups/public/@customerprotection/documents/file/customeradvisory_urvct121517.pdf
Hansen 47
Crypto-currencies – ICOs
• FINRA
  • ICOs: Know the risks before you buy
  • http://www.finra.org/newsroom/2017/initial-coin-offerings-know-risks-you-buy
  • RN 18-20 – Activities Related to Digital Assets
  • http://www.finra.org/industry/notices/18-20
• States – NASAA
  • ICOs and crypto-currencies
  • http://www.nasaa.org/44836/informed-investor-advisory-initial-coin-offerings/
  • http://www.nasaa.org/44848/informed-investor-advisory-cryptocurrencies/
  • Operation Cryptosweep (April 2018)
  • http://www.nasaa.org/regulatory-activity/enforcement-legal-activity/operation-cryptosweep/
Hansen – summarize 48
Crypto-currencies – ICOs
• “Digital currency wallet” and exchange platforms
  • Coinbase.com
  • https://www.coinbase.com/
  • Circle.com exchange
  • https://www.circle.com/en/
  • Others -
  • https://bitcoin.org/en/choose-your-wallet
  • https://blockgeeks.com/guides/cryptocurrency-wallet-guide/
• Bitcoin Association (industry association)
  • http://bitcoinassociation.org/
• American Blockchain and Cryptocurrency Assn
  • https://www.abcaonline.org/
Hansen – summarize 49
Crypto-currencies – ICOs
• CoinMarketCap.Com
• https://cryptocurrencyfacts.com/cryptocurrency-websites/coinmarketcap/
• https://youtu.be/wpwkGeQjV2M
Hansen – summarize 50
Crypto-currencies – ICOs
Questions?
All 52