Inside this issue - lumesis.com

December 2014

Inside this issue

2015 Top 10 Cybersecurity Resolutions for the New Year ......... 3
Are You Ready for Your Annual Review? ......... 6
Charting the SEC’s Next Move in Muniland ......... 12
FINRA’s New Consolidated Supervision Rules ......... 15
Hedge Fund Due Diligence: A Continuous Process ......... 20
Simons Says: SEC Agency Financial Report - 2014 in Review ......... 22

NSCP CURRENTS

DECEMBER 2014, page 2

Table of Contents

2015 Top 10 Cybersecurity Resolutions for the New Year, by Brian Rubin, Sam Casey, and Charlie Kruly ......... Page 3
Are You Ready for Your Annual Review?, by Mark Berman and David Berg ......... Page 6
Charting the SEC’s Next Move in Muniland, by Gregg L. Bienstock Esq. ......... Page 12
FINRA’s New Consolidated Supervision Rules, by Hank Sanchez ......... Page 15
Hedge Fund Due Diligence: A Continuous Process, by Dave Banerjee ......... Page 20
Simons Says: SEC Agency Financial Report - 2014 in Review, by Tim Simons ......... Page 22
New Members ......... Page 23

Registration is open! 2015 NSCP Regional Conference Schedule

Toronto, ON :: March 4, 2015 :: Club at St. Andrews

Anaheim, CA :: March 12, 2015 :: Sheraton Park Hotel - Anaheim Resort

Atlanta, GA :: March 24, 2015 :: Kilpatrick Townsend & Stockton LLP

St. Louis, MO :: April 9, 2015 :: DoubleTree Hotel St. Louis at Westport

New York, NY :: April 28, 2015 :: AMA Conference Center

Chicago, IL :: May 7, 2015 :: Federal Reserve Bank

2015 Top 10 Cybersecurity Resolutions for the New Year

By Brian Rubin, Sam Casey, and Charlie Kruly

ABOUT THE AUTHORS

Brian Rubin is a partner at Sutherland. http://www.sutherland.com/People/Brian-L-Rubin. He can be reached at [email protected].

Sam Casey is an associate at Sutherland. http://www.sutherland.com/People/Samuel-J-Casey. He can be reached at [email protected].

Charlie Kruly is an associate at Sutherland. http://www.sutherland.com/People/Charles-M-Kruly. He can be reached at [email protected].

The authors would like to thank former Sutherland associate Amanda Powell for her assistance with drafting this article.

Every January 1, countless individuals make New Year’s resolutions, most of which, we’re willing to bet, do not involve cybersecurity. However, with cybersecurity on the hit parades of both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA),1 chief compliance officers (CCOs) of broker-dealers and investment advisers might want to add cybersecurity issues to their New Year’s resolutions for 2015.

1. Get Organized.

After finishing your New Year’s resolution to organize your desk (at least enough to see its top), consider organizing your firm’s policies and procedures to address cybersecurity-related issues. (Of course, if you’ve already addressed such issues, you may want to review them anyway to make sure they are keeping up with the changing landscape—or cyberscape, if you prefer—as discussed below.) These steps might include writing and enforcing reasonable policies and procedures to detect, address, and remediate breaches. FINRA and the SEC have brought cases against firms for falling short in this regard. For example:

• The SEC has brought several cases against firms that failed to follow up on cybersecurity shortcomings that the firms learned of through breaches or regular audits.2

• The SEC fined a firm $100,000 for, among other violations, not auditing the computer security measures employed by registered representatives at the firm’s branch offices.3

• FINRA fined a firm $375,000 for, among other things, failing to review server logs to detect unauthorized network access or intrusions.4

1 As every reader of this periodical likely knows, over the past year, the SEC and FINRA have been conducting sweep exams on cybersecurity issues. See National Exam Program Risk Alert: OCIE Cybersecurity Initiative, at 3 (Apr. 15, 2014) [hereinafter SEC Cybersecurity Sweep], available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf (SEC’s cyberexam sweep); FINRA, Targeted Exam Letters: Re: Cybersecurity (Jan. 2014), available at http://www.finra.org/industry/regulation/guidance/targetedexaminationletters/p443219. In addition, reports indicate that FINRA intends to ring in the New Year by “intensify[ing] its scrutiny of cybersecurity practices at brokerage firms in 2015.” See Suzanne Barlyn, Wall St watchdog to bolster reviews of brokerage cybersecurity, Reuters (Oct. 29, 2014), available at http://www.reuters.com/article/2014/10/29/finra-cybersecurity-examinations-idUSL1N0SO2AO20141029.

2 See, e.g., Exchange Act Release No. 64220, Admin. Proc. File No. 3-14328, at 3 (Apr. 7, 2011) (finding that a former CCO aided and abetted a firm’s violation of Regulation S-P), available at http://www.sec.gov/litigation/admin/2011/34-64220.pdf; Exchange Act Release No. 60733, Admin. Proc. File No. 3-13631, at 2, 4 (Sept. 29, 2009) (finding that the firm violated Regulation S-P), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

CCOs may also want to help ensure that their firms’ cybersecurity policies and procedures address administrative and physical steps to help prevent a data breach, as required under SEC Regulation S-P (the Safeguards Rule).5 Cyberpolicies that go beyond purely technical safeguards may help firms comply with the Safeguards Rule and may help decrease the likelihood of cyber-attacks from a wider variety of sources. While malicious or criminal attacks cause the plurality of data breaches (42 percent), the majority of breaches are non-nefarious: 30 percent of breaches are caused by human error and 29 percent of breaches are caused by system glitches.6

In addition, CCOs may want to create a cyber-incident response plan so that their firms are prepared if a breach occurs. Once the response plan is created, a CCO may want to regularly test it (just like your New Year’s resolution to regularly check the batteries in your smoke detectors). (Oops—do you need to add “check smoke detector batteries” to your New Year’s resolutions?)
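The FINRA matter cited above turned on a firm that never reviewed its server logs for unauthorized access. The following is an added example, not code from the article, FINRA or the SEC, of the kind of review a CCO could ask the technology staff to run and keep evidence of: it parses sshd-style authentication lines and flags a source that fails repeatedly inside a short window and, more seriously, a source that then logs in successfully. The line format, hostnames, addresses and thresholds are assumptions constructed for the illustration.

```python
"""Review of authentication log lines for unauthorized-access patterns.
Added example; not code from the article, FINRA or the SEC.  The sshd-style
line format, the hostnames/addresses and the thresholds are assumptions
constructed for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Dec 3 02:14:01 host sshd[pid]: Failed|Accepted password for [invalid user] NAME from A.B.C.D ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line, year=2014):
    """Return a dict for an sshd password-auth line, or None for anything else.
    syslog timestamps carry no year, so one is supplied (assumption: no year roll-over)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_suspicious_logins(lines, max_failures=5, window=timedelta(minutes=10)):
    """Findings as (kind, source_ip, user, time) tuples.
    'brute_force': a source reached max_failures failed logins inside `window`.
    'success_after_failures': that source then authenticated successfully, which
    is the case that needs an incident-response decision, not just a lockout."""
    recent_failures = defaultdict(list)  # source ip -> timestamps of recent failures
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an sshd auth line; a fuller review would parse other services too
        ip, ts = ev["ip"], ev["ts"]
        # keep only failures that are still inside the sliding window
        recent_failures[ip] = [t for t in recent_failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ts)
            if len(recent_failures[ip]) == max_failures:
                findings.append(("brute_force", ip, ev["user"], ts))
        else:
            if len(recent_failures[ip]) >= max_failures:
                findings.append(("success_after_failures", ip, ev["user"], ts))
            recent_failures[ip].clear()  # a normal login resets the counter
    return findings


# Constructed sample lines (RFC 5737 documentation addresses); not real log data.
SAMPLE_LOG = """\
Dec 3 02:14:01 fs01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Dec 3 02:14:03 fs01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Dec 3 02:14:05 fs01 sshd[2210]: Failed password for root from 203.0.113.7 port 51014 ssh2
Dec 3 02:14:08 fs01 sshd[2210]: Failed password for root from 203.0.113.7 port 51015 ssh2
Dec 3 02:14:11 fs01 sshd[2210]: Failed password for jsmith from 203.0.113.7 port 51016 ssh2
Dec 3 02:14:20 fs01 sshd[2211]: Accepted password for jsmith from 203.0.113.7 port 51017 ssh2
Dec 3 08:30:00 fs01 sshd[3001]: Failed password for jsmith from 198.51.100.4 port 40001 ssh2
Dec 3 08:30:10 fs01 sshd[3001]: Accepted password for jsmith from 198.51.100.4 port 40002 ssh2
Dec 3 09:00:00 fs01 cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for kind, ip, user, ts in find_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {kind:24} source={ip} user={user}")
```

On the constructed sample the single typo-then-success from 198.51.100.4 produces nothing, while 203.0.113.7 produces both a brute-force finding and a success-after-failures finding for jsmith; the second is the one that should feed the incident response plan discussed above rather than simply a lockout. The thresholds are deliberately plain; what matters for the Safeguards Rule is that the review runs on a schedule and that its output and follow-up are documented.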

2. Learn Something New by Performing Risk Assessments (Crossword Puzzles Can Wait).

Consider conducting adequate self-assessments of your cybersecurity readiness. FINRA has recommended that firms “should consider . . . at a minimum . . . whether the [firm] is conducting, or should conduct, periodic audits to detect potential vulnerabilities in its systems and to ensure that its systems are, in practice, protecting customer records and information from unauthorized access.”7 FINRA’s point is important because cybersecurity compliance is not static; what may have been state-of-the-art at one time (like 8-track tapes) (or, for the younger generation, cell phones that only made phone calls), could well be out of date by the time an attack hits. The SEC recognized as much in 2008 when it proposed amending Regulation S-P to “set forth more specific requirements for safeguarding information and responding to information security breaches.”8 As the SEC noted at the time, “some firms do not regularly reevaluate and update their safeguarding programs to deal with . . . increasingly sophisticated methods of attack.”9

3 Exchange Act Release No. 60733, Admin. Proc. File No. 3-13631, at 2 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

4 FINRA Letter of Acceptance, Waiver and Consent No. 2008015299801, at 2-3 (Apr. 9, 2010) (finding that the firm violated Regulation S-P and NASD Rules 3010(a) and (b)), available at http://disciplinaryactions.finra.org/.

5 Regulation S-P requires, among other things, that firms establish and enforce written policies and procedures reasonably designed to keep customer records and information confidential and to secure and protect such information from unauthorized access. See 17 C.F.R. § 248.30(a).

6 2014 Cost of Data Breach Study: Global Analysis, The Ponemon Institute, Sponsored by IBM (May 2014) [Ponemon Study] at 8, available at http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf.

7 NASD Notice to Members 05-49 at 4 (July 2005), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014772.pdf.

3. Read more.

Once you’ve finished your New Year’s resolution of expanding your mind by reading War and Peace (and other classics you just haven’t had time to get around to like Graham and Dodd’s Security Analysis), consider reading more about cybersecurity issues. You and your friends such as the Chief Technology Officer, the Chief Information Officer, and in-house counsel may want to set your news alerts beyond your favorite football team and celebrities (like Warren Buffett), by adding terms like “cybersecurity,” “data breach,” and “S-P.” If you’re really looking to read more (and impress your friends at the office New Year’s party) take a crack at reading the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity,10 which the SEC relied on when it conducted its recent cybersecurity sweep exam.11

4. Save Money.

To save money in the long term, think about dealing with cybersecurity issues before a breach or regulatory investigation occurs. While cybersecurity issues will likely cost you one way or another, the costs will probably be less if they’re invested on the front-end rather than in cleaning up a breach. Post-breach costs could include multiple high-cost items such as a regulatory penalty, a forensic examination, notification of and follow-up with third parties, credit or identity monitoring, public relations, and legal defense.12

These costs can add up: in 2014, the average total cost of a U.S. company’s data breach was more than $5.85 million.13 However, a “strong security posture” may lessen a firm’s financial exposure. For example, one study suggests that “[c]ompanies that had a strong security posture at the time of the data breach could reduce the average cost-per-record by $14.14 to $131.86” and that “[c]ompanies that had an incident response plan in place also reduced the average cost per record by $12.77.”14

8 See Proposed Amendment to Regulation S-P, Release No. 34-57427; IC-2712; File No. S7-06-08 (Mar. 4, 2008) at 1, available at https://www.sec.gov/rules/proposed/2008/34-57427.pdf. The Commission ultimately did not enact its proposed Regulation S-P amendment.

9 Id. at 11.

10 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

11 See SEC Cybersecurity Sweep, supra note 1, at 3.

12 Tim Stapleton, Zurich General Insurance, Data Breach Cost: Risk, Costs, and Mitigation Strategies for Data Breaches, at 2-6 (2012), available at http://www.zurichna.com/internet/zna/sitecollectiondocuments/en/products/securityandprivacy/data%20breach%20costs%20wp%20part%201%20(risks,%20costs%20and%20mitigation%20strategies).pdf.

13 Ponemon Study, supra note 6, at 6.

14 Robert P. Hartwig & Claire Wilkinson, Insurance Information Institute, Cyber Risks: The Growing Threat at 15 (June 2014), available at http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf (citing Ponemon Study).

5. Stay Fit and Healthy.

Take steps to keep your cyberspace healthy and protect against data breaches. There are a number of sources you can look to for guidance to try to be healthy (and we’re not talking about Chuck Norris and Christie Brinkley) (well, not just them, anyway). For example, the Securities Industry and Financial Markets Association (SIFMA) recently issued its Small Firms Cybersecurity Guidance, which provides an “action item checklist” that identifies several steps that small firms can take to protect against data breaches.15 Despite the name of the guidance, its lessons can apply to firms of all sizes.16 SIFMA has suggested that, at a minimum, firms consider the following:

• Applying strict and robust password security items.17 Certain firms that failed to heed this advice have been sanctioned, including in the following actions:

• The SEC ordered a firm to pay a $275,000 penalty for, among other things, failing to take corrective measures in response to an internal audit finding that the firm’s password protection for its proprietary trading system did not meet industry standards for “strong” password protection because, for example, the firm did not require (a) a minimum password length; (b) a complex password involving an alphanumeric/special character combination; (c) expiration of passwords after a specified period of time; and (d) automatic lockout after failed login attempts.18

• FINRA fined a firm $175,000 for, among other things, failing to protect a firm database containing non-public information by allowing the use of a generic user name (“Administrator”) and password (“password”).19

• Ensuring that only authorized individuals have access to a firm’s systems and data.20 The SEC has also indicated it is interested in what protection, if any, firms have in place to prevent unauthorized access to customers’ online accounts and how firms monitor for unauthorized activity on their systems.21

• Using an application “whitelist” to help ensure that only “trusted software” is executed on firm operating systems.22

• Securing standard operating systems so the firm is not operating on “unsupported or outdated operating systems.”23

• Making software updates automatic and “spot-check[ing] that updates are applied frequently.”24

• Creating a back-up of data in the event a cyber-attack causes the loss or destruction of data. To do so, SIFMA suggests that firms use “cloud or physical external hard-drive backup systems.”25
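The SEC order cited under the password bullet above lists four missing controls (minimum length, complexity, expiration and lockout), and the FINRA matter turned on a generic “Administrator”/“password” pair. The following added example, not code from the article, SIFMA, the SEC or FINRA, audits an application’s password settings against those four points, with the deficient configuration beside a corrected one, and checks a set of accounts for default credentials. The policy keys, the numeric thresholds and the sample accounts are assumptions made for the illustration; the orders themselves state no figures.

```python
"""Password-policy audit keyed to the four deficiencies in the SEC order above,
plus a default-credential check for the FINRA "Administrator"/"password" finding.
Added example; not code from the article, SIFMA, the SEC or FINRA.  The policy
keys, thresholds and sample accounts are assumptions made for this illustration."""

# Thresholds are assumptions for the example; the orders state no figures.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
MAX_FAILED_ATTEMPTS = 10

# Policy as the deficient trading system is described in the order: none of the four controls.
WEAK_POLICY = {
    "min_length": 0,            # no minimum length
    "require_complexity": False,
    "max_age_days": None,       # passwords never expire
    "lockout_threshold": None,  # unlimited failed logins
}

# The same settings with each control present.
HARDENED_POLICY = {
    "min_length": MIN_LENGTH,
    "require_complexity": True,
    "max_age_days": MAX_AGE_DAYS,
    "lockout_threshold": MAX_FAILED_ATTEMPTS,
}


def audit_password_policy(policy):
    """Return the list of the four controls that are absent or weaker than the thresholds."""
    findings = []
    if (policy.get("min_length") or 0) < MIN_LENGTH:
        findings.append("no adequate minimum password length")
    if not policy.get("require_complexity"):
        findings.append("no complexity requirement (alphanumeric/special character mix)")
    if policy.get("max_age_days") is None or policy["max_age_days"] > MAX_AGE_DAYS:
        findings.append("no password expiration")
    if policy.get("lockout_threshold") is None or policy["lockout_threshold"] > MAX_FAILED_ATTEMPTS:
        findings.append("no automatic lockout after failed login attempts")
    return findings


def meets_complexity(pw):
    """Three of four character classes: lower, upper, digit, non-alphanumeric."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def password_meets_policy(pw, policy):
    """Would this password be accepted under the given policy?"""
    if len(pw) < (policy.get("min_length") or 0):
        return False
    if policy.get("require_complexity") and not meets_complexity(pw):
        return False
    return True


# Generic user/password pairs; a real audit list would be much longer.
DEFAULT_CREDENTIALS = {
    ("administrator", "password"),
    ("admin", "admin"),
    ("root", "root"),
    ("sa", ""),
}


def find_default_credentials(accounts):
    """accounts: (username, password) pairs obtained during a configuration review
    or a test login.  Returns the usernames still on a generic/default pair."""
    return [user for user, pw in accounts if (user.lower(), pw) in DEFAULT_CREDENTIALS]


# Constructed sample accounts for the illustration.
SAMPLE_ACCOUNTS = [
    ("Administrator", "password"),
    ("jsmith", "Tr4ding-Desk!2015"),
    ("batch", "batch123"),
]

if __name__ == "__main__":
    print("weak policy findings:", audit_password_policy(WEAK_POLICY))
    print("hardened policy findings:", audit_password_policy(HARDENED_POLICY))
    print("default credentials:", find_default_credentials(SAMPLE_ACCOUNTS))
```

One caveat a practitioner should carry alongside the 2008 order: NIST’s later guidance in SP 800-63B (2017) advises verifiers not to force arbitrary periodic password changes or impose composition rules, favouring length, screening against breached-password lists and throttling or lockout instead. A firm that drops expiration on that basis should document the reasoning in its policies, since an examiner reading the older orders may still ask about it.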

15 SIFMA, Small Firms Cybersecurity Guidance: How Small Firms Can Better Protect Their Businesses (July 2014), available at http://www.sifma.org/issues/operations-andtechnology/cybersecurity/guidance-for-smallfirms [hereinafter SIFMA Cybersecurity Guidance].

16 See Brian Rubin, Shanyn Gillespie & Charlie Kruly, Eight Days a Week and Eight Ways to Reboot Your Cybersecurity Program; How All Firms Can Benefit from SIFMA’s New Cybersecurity Guidance, Bloomberg BNA – Securities Regulation & Law Report (September 26, 2014), available at http://www.sutherland.com/portalresource/lookup/poid/Z1tOl9NPluKPtDNIqLMRV56Pab6TfzcRXncKbDtRr9tObDdEnC3DmW3!/fileUpload.name=/PDFArtic.pdf.

17 Id. at 6.

18 Exchange Act Release No. 58515, Admin. Proc. File No. 3-13181, at 4-5 (Sept. 11, 2008), available at http://www.sec.gov/litigation/admin/2008/34-58515.pdf.

19 FINRA Letter of Acceptance, Waiver and Consent No. 2007009780901, at 2-3, 7 (Apr. 28, 2009), available at http://disciplinaryactions.finra.org/.

20 SIFMA Cybersecurity Guidance at 3.

21 See SEC Cybersecurity Sweep, supra note 1, at 4-6.

22 SIFMA Cybersecurity Guidance at 3.

23 Id.

24 Id.

25 Id.


6. Keep harmful things out of your system by installing antivirus, email, and website filters.

Year after year, one of the most common New Year’s resolutions is to quit smoking. While a nicotine addict may have trouble keeping the harmful substance out of her body, a firm has tools at its disposal to help protect against invasions into its cyberspace: antivirus software and web security software. One of SIFMA’s action items is to maintain “[u]pdated anti-virus software, in addition to web security software,” and to train personnel to exercise “personal vigilance against suspicious emails and attachments.” This resolution should (hopefully) come as no surprise; many firms already maintain current antivirus software as a standard protective measure. (Indeed, in a recent cybersecurity survey, the North American Securities Administrators Association found that 97 percent of small, state-registered investment advisers used antivirus software, while 87 percent took the additional step of having antivirus software “installed on all computers, tablets, smartphones, or other electronic devices used to access client information.”26)

Firms should be aware that FINRA and the SEC have brought enforcement actions against firms that failed to carry out these steps. For example:

• The SEC ordered a firm to pay a $100,000 penalty because, among other things, its procedures recommended—but did not require—that antivirus software be installed on registered representatives’ computers.27

• FINRA fined a firm $450,000 based, in part, on its failure to (a) require that field representatives install anti-virus software on their computers; and (b) review such computers to verify the installation of the antivirus software.28

7. Control Your Mobile Device.

While the typical resolution may be to limit one’s use of mobile-device screen time, firms may want to resolve to tackle mobile device security. Indeed, SIFMA’s final action item is for firms to “[e]nsure that mobile devices are secure with passwords and [that] data is encrypted in the event of a loss.” Consistent with that analysis, in 2011, FINRA fined a firm $300,000 for, among other things, not requiring that information stored in a laptop be encrypted.29

8. Maintain Healthy Relationships.

One overriding theme from past New Years is that it’s good to make new friends (and keep the old ones). Nowadays, that could mean maintaining healthy relationships with vendors that have access to your firm’s sensitive information. Indeed, as part of its cybersecurity exam, the SEC asked firms how they manage cyber-risk from their vendors—for example, whether firms audit their vendors’ cybersecurity practices and use contractual provisions allocating cybersecurity-related risk.30 States have expressed similar concerns and some have enacted regulations to address them. Massachusetts, for example, requires entities that “own or license” personal information about Massachusetts residents to: (a) take “reasonable steps to select and retain” vendors “that are capable of maintaining appropriate security measures” and (b) incorporate data security requirements in vendor contracts. In light of these issues, firms may want to consider getting to know their vendors’ cybersecurity practices and possibly adding cybersecurity risk allocation provisions to their vendor contracts.

26 North Am. Sec. Admin. Assoc., Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms (Sept. 2014) at 15, available at http://www.nasaa.org/wp-content/uploads/2014/09/Cybersecurity-Report.pdf [hereinafter NASAA Cybersecurity Survey]. Surveyed firms “average three employees and two investment adviser representatives.” Id.

27 Exchange Act Release No. 60733, Admin. Proc. File No. 3-13681, at 2, 4 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

28 FINRA Letter of Acceptance, Waiver and Consent No. 2009018720501, at 4-5 (Feb. 16, 2011), available at http://disciplinaryactions.finra.org/.

29 Letter of Acceptance, Waiver and Consent No. 2009019893801, at 10 (Nov. 21, 2011) (finding that the firm violated the Safeguards Rule and NASD Rule 3010), available at http://disciplinaryactions.finra.org/.

30 See SEC Cybersecurity Sweep, supra note 1, at 4-5.

9. Get Involved In The Community.

So, maybe you didn’t get invited to SEC Chair Mary Jo White’s New Year’s Eve party. (Don’t feel bad—we’re still waiting for our invitation. Hmmm . . . maybe our cyberdog deleted our e-vite.) Don’t let this stop you from getting more involved in the (cyber) community. Consider participating in industry-wide initiatives to combat cybersecurity threats. For example, the Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions participate in its Financial Services Information Sharing and Analysis Center (FS-ISAC) to help its efforts to identify, respond to and mitigate cybersecurity threats and vulnerabilities.31 Also, think about getting involved in securities-related industry groups that address cybersecurity issues, such as the NSCP.

10. Be Less Stressed.

Your resolution to relax by jetting away to the Bahamas is all well and good, but for an easier way of lessening your anxiety, consider obtaining specialized insurance to put you and your firm at ease about the costs of a potential data breach. Traditional insurance plans may not cover much of the costs associated with a data breach, and surveys indicate there is a growing trend of companies purchasing cyber-liability insurance.32 The following types of insurance coverage may be available:

• Loss/Corruption of Data;

• Business Interruption;

• Liability (breach of privacy due to theft of data, virus or computer attack causing financial loss to third parties, failure of security causing network system to be unavailable to third parties, etc.);

• D&O/Management Liability;

• Cyber-Extortion;

• Crisis Management;

• Criminal Rewards;

• Data Breach;

• Identity Theft;

• Social Media/Networking; and

• Cloud Computing.33

When you pop the champagne and begin a rousing rendition of Auld Lang Syne at the office’s New Year’s party, you don’t want your staff singing “should cybersecurity be forgot and never brought to mind.” Following these 10 resolutions in the coming year may help ensure that your non-public information stays non-public information and that your firm stays off the SEC’s and FINRA’s “naughty lists.”34

31 Federal Financial Institutions Examination Council, FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing and Analysis Center (Nov. 3, 2014). “The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.” Id.

32 Insurance Information Institute, Cyber Risks: The Growing Threat (June 2014), available at http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf.

33 Id.

34 While this is really more of a Christmas thing than a New Year’s thing, you get the idea.

Are You Ready for Your Annual Review?*

By Mark Berman and David Berg

* This article is a shortened version of a more extensive piece prepared by the authors. The full version of the article is available at: http://www.compliglobe.com/articles/articles.html.

Each January, the thoughts of every chief compliance officer of an SEC registered investment adviser (“RIA”) should be turning to his or her firm’s annual review. January, February and March are the traditional months for performing this not-less-than-annual event.1

Every RIA must amend and file the annual amendment to its Form ADV Part 1 and Part 2A within 90 calendar days after year-end, deliver or offer to deliver to its clients Form ADV Part 2A and Part 2B, and send its clients the Regulation S-P Privacy Notice within 120 days after year-end (if applicable).

Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”) requires every RIA to adopt and implement written policies and procedures (“WPPs”) reasonably designed to prevent violations of the Advisers Act and the rules thereunder.

The SEC expects that the risks to the firm of violating the Advisers Act and the rules thereunder will be recorded in a Compliance Risk Inventory (“CRI”).

Form ADV Part 2A requires that an adviser disclose its material conflicts of interest and the means to address them. These should be recorded in the RIA’s conflicts log with the conflicts of interest policy.

Why a CRI and a conflicts log? The CRI and the conflicts log entries form the basis of the RIA’s WPPs, validated by monitoring and forensic testing. An RIA must ensure that its WPPs address Advisers Act requirements (and other relevant provisions of law) and the risks and conflicts in the RIA’s business – the “reasonably designed” language in Rule 206(4)-7. The SEC made this clear to RIAs when it adopted Rule 206(4)-7.2 Not doing it means inadequate WPPs and is a sure route to an enforcement action, as several RIAs have found.3

Seven tasks in a short period of time? You as the CCO have ongoing responsibilities. Conducting an annual review, reviewing the CRI and conflicts log, updating and filing two major disclosure documents and delivering two other documents may seem like a big and time-intensive task. In reality, with proper planning it is manageable and achievable within a relatively short time-frame.

1 Rule 206(4)-7 under the U.S. Investment Advisers Act of 1940 requires SEC registered investment advisers to conduct an annual review.

2 “Compliance Programs of Investment Companies and Investment Advisers”, Advisers Act Release 2204, 68 F.R. 74714 (24 December 2003) (“Compliance Release”).

3 See e.g. Western Asset Management Company, Admin Proc 3-15689 (27 January 2014) (“WAM”).

2015 is nearly upon us. What will you as CCO do to meet these deadlines? Plan now and lay the groundwork so that your annual review takes place early in the New Year and succeeds. You would be wise to conduct your annual review as a “mock SEC examination”.

In this article, we will show you how to achieve your goals.

Adequacy and effectiveness

An annual review is a review and analysis of the adequacy and effectiveness of your WPPs. You must document your results under Advisers Act Rule 204-2(a)(17) and keep these for five years, the first two years in your office.

The annual review includes the output of the monitoring and testing completed and what was done with the results, any changes made during the year to the business and the compliance program, developments in the markets and legal and regulatory requirements and how they were dealt with (whether they were worked into the compliance program or, if not, why).

The annual review is not a “yes, we have it” or a “tick the box” exercise

The individual(s) that conducts the review must bring together all of the materials that comprise the SEC compliance program, including the results of testing and monitoring, and evaluate them carefully, free from influence and with adequate resources. The review must include not only the current WPPs but all changes to these during the year – documenting when and why these changed. It should include all regulatory filings including Form ADV and, if necessary, any Form PF, Form 13F, Schedule 13G and Form 13H filed or amended. The purpose of the review is not to record that the compliance program was examined; it is to measure adequacy and effectiveness.

ABOUT THE AUTHORS

Mark Berman is the founder of CompliGlobe, www.compliglobe.com. He can be reached at [email protected]

David Berg is a consultant with CompliGlobe, www.compliglobe.com. He can be reached at [email protected]


Ask: when our business, relevant laws or rules and regulations or clients changed, what did we do? How adequate and effective were our WPPs and, if they were not, what did we change and how?

It is a good idea to map the methodology and findings of the current annual review to the previous annual review. Unaddressed items, outliers and patterns are a regulatory hot spot.

Although not a requirement of Rule 206(4)-7, the results of the review should be given to the RIA’s board of directors and senior management for their consideration. Issues arising from the review should be addressed as a matter of priority.

What is not an annual review?

You should not send your WPPs to a law firm for updating. You should not conduct a “tick the box” exam (we have this, we have that; we did this, we did that). If you are a member of a group that has two or more RIAs, do not have another entity include you in its annual review – do your own and keep your own records. You should not compare points in your WPPs against lists of key policies and procedures. You should not compare your WPPs against those of another RIA who you think matches your profile or “did OK in an SEC examination”. You should not use a service provider that is unfamiliar and inexperienced in the intricacies and nuances of SEC practice – actual, demonstrated SEC experience and knowledge is a prerequisite.

What policies and procedure should be reviewed?

When the SEC adopted Rule 206(4)-7, it noted the following key areas where an RIA should have policies and procedures:

• Portfolio management processes, including allocation of investment opportunities among clients, consistency of portfolios with client investment objectives, disclosures and applicable regulatory restrictions;

• Trading practices, including procedures by which the RIA satisfies its best execution obligation, uses client brokerage to obtain research and other services (“soft commissions”) and allocates aggregated trades among clients;

• Proprietary trading of the RIA and personal trading activities of “access persons” – proprietary trading by an affiliate is attributable to the RIA;

• The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;

• Safeguarding client assets;

• The accurate creation of required records and their maintenance in a way that secures them from unauthorized alteration or use and protects them from untimely destruction;

• Marketing advisory services, including the use of solicitors;

• Processes to value client holdings and assess fees based on those valuations;

• Safeguards for the privacy protection of client records and information; and

• Business continuity plans.

How do I document my annual review?

There is no SEC approved checklist. A good idea is to identify your policies and procedures, and key legal and regulatory requirements on a spreadsheet and leave columns to review your results. Remember, again, that ticking the box is not adequate – write down in some detail how or why a policy or procedure is or is not adequate and effective.

What are your options for an annual review?

You can conduct your annual review any way you prefer, as long as you complete, document and record it properly. Your choices are:

• Concentrated annual review – once a year;

• Rolling topical review – pick one or two topics each month and review them; or

• Event-driven review – when a compliance event occurs or a law or rule or regulation or the business changes, review the policies and procedures in question.

For the newly registered RIA, the first annual review is to be completed after it has been operating as an SEC registered investment adviser for one year.

An RIA that has not been registered with the SEC for a full year should conduct an interim “SEC mock examination” to help ensure that it has implemented its policies and procedures in a proper manner.

Code of Ethics

An annual review is a prime time to review your code of ethics. Take all code of ethics matters that have arisen during the year and review these at this time. Consider what occurred and what needs to be changed or addressed and take appropriate action if required.

Linking the annual review to the Form ADV annual amendment

Reviewing WPPs, the CRI and the conflicts log in the annual review also helps to validate Form ADV and Regulation S-P Privacy Notice disclosure and prepare the annual amendments.

Preparing your annual Form ADV Parts 1, 2A and 2B updates is not a weekend or a “save it for a quiet day” exercise. It requires time, attention, having all of the relevant information in hand, doing a thorough assessment (this links the annual review to the Form ADV review) and getting it right. Conducting a good annual review will generate the information that you need to help ensure your Form ADV update accurately reflects your business.


Consider Item 2 of Form ADV 2A, “material changes.” The instructions read, “If you are amending your brochure for your annual update and it contains material changes from your last annual update, identify and discuss those changes on the cover page of the brochure or on the page immediately following the cover page… .”

As you approach your annual review, keep in mind that the SEC charges you to consider “significant compliance events, changes in business arrangements and regulatory developments.” To address compliance events, review the results of your monitoring and forensic testing, breaches log and trade errors log and any deficiency letters or other feedback from regulatory examinations during the year and ensure you probe any shortcomings uncovered in those processes. Build time into the calendar to review the areas that had the most problems the prior year. Not addressing previously identified issues is a bright red flag for even the most junior SEC examiner.

Test improvements. The SEC’s Office of Compliance Inspections and Examinations (“OCIE”), which conducts examinations, will expect you to have what they term a “Compliance Issues Log: A record of any non-compliance with the Adviser’s Code of Ethics and of any action taken as a result of such non-compliance.” Also called a “breaches log,” this chronicles missteps that have been uncovered, whether by your monitoring and testing, an admission or otherwise. OCIE examiners will want to see what you have done to identify and correct issues and improve your compliance program as a result, and how you will ensure that future violations do not occur. Not finding issues, or ignoring them when they arise, is a serious matter.

Your “changes in business arrangements” and reactions to significant regulatory developments may form the basis of your response to Item 2. Item 6 is “performance-based fees and side-by-side management.” The instructions make this sound complicated, but basically it requires you to identify the risks and conflicts that arise if you have clients who pay you incentive compensation alongside clients who do not pay such fees. The concern, as will be obvious to all, is that your firm might give its performance fee clients benefits ranging from well performing IPO allocations to an unjustified share of winning trades. It is up to you to spot this and take steps to prevent it.

Controlling for factors like client restrictions, which will affect returns, analyze the performance of incentive-fee paying and non-incentive fee paying accounts managed according to the same investment style. Also, compare the performance of all accounts eligible to participate in IPOs. You should understand the reasons why certain clients performed significantly better or worse than average, then determine if inappropriate favoritism is an element.

Use your annual review to prepare meaningful, proven answers to your Form ADV, and make sure that your disclosures are synchronized with your practices.

Do not ignore or fight findings, or fire the messenger. When the annual review is completed, address the issues found so that they do not occur again. This is also a learning exercise. During an SEC examination, OCIE will want to see your annual reviews and any report prepared by a service provider/consultant and will want to know why valid findings were ignored or challenged or the messenger given a hard time.

Regular testing is key – how else could an RIA validate its WPPs?

Just as regular checking and preventative maintenance help reduce unexpected auto repair bills, properly administering your SEC compliance program helps eliminate the possibility of shocking discoveries during your annual review or in an SEC examination. A well-designed and maintained program will mean that your annual review is not a once-a-year peek at the program that turns up embarrassing issues, gaps or cries of “how did I miss that?!” Monitoring and testing are the key to validating a compliance regime, as well as the CCO’s formula for a good night’s sleep.

When the SEC examines you, they will want to see the output of monitoring and compliance testing, including any compliance reviews, quality control analyses, surveillance and/or forensic or transactional tests performed. This should include significant findings, both positive and negative, of such testing and information about corrective or remedial actions taken regarding these findings.

“Forensic” testing is generally understood to be testing that looks for patterns or outliers over time. The SEC memorialized the concept in the adopting release for the compliance rule. As the SEC noted: “[w]here appropriate, advisers’ policies and procedures should employ, among other methods of detection, compliance tests that analyze information over time in order to identify unusual patterns, including, for example, an analysis of the quality of brokerage executions for the purpose of evaluating the adviser’s fulfillment of its duty of best execution… .”

“Transactional” tests look at a specific act to determine if it was compliant. For instance, a transactional review might consider whether, on a given purchase of a privately-offered security for his own account, an employee had obtained clearance as required by the firm’s policies. Another forensic test, “10 up and 10 down”, compares how the 10 best and worst performing purchases or recommendations performed in light of similarly situated accounts (strategy, etc.) and helps identify instances of favoritism – giving higher paying clients better stock picks inconsistent with the allocation policy of fair and equal treatment.

CCOs should spend time with the business and operations, seeing what is actually happening; this is sometimes dubbed “observational testing.” Sit on the trading floor for a few hours each week, ask questions and ensure that you understand everyone’s roles. Make sure that you have mapped critical operational processes; for instance, the lifecycle of a trade from the research team-generated idea through settlement. Use this to confirm that WPPs are addressing issues. For example:

• Compare what portfolio managers and traders actually do when they seek best execution – are they following the steps outlined in the WPPs and the Form ADV Part 2A?

• Are portfolio managers documenting pre-trade allocation (splits) before placing an order?

• Are personal account trades mirroring client trades?

• Are required records being maintained as required?

Test early and often. Use forensic, transactional and observational testing regularly. Compile, use and update a compliance calendar. This list is a resource that plots compliance chores for the year (everyone will have responsibilities under this) and it should be full of daily (e.g. email review), weekly, monthly, quarterly and annual reviews. Test now and your annual review will be less painful.

Mind the gap analysis

You should be creative and use a variety of test types during your annual review. Always probe for inconsistencies, unexplainable items and gaps. One good tool for an annual review is a gap analysis. This is a deficiency assessment that identifies the disconnects/inconsistencies between the requirements the compliance program should be meeting and where things actually stand. Test for gaps between Advisers Act requirements and what you say you do (in, for instance, your WPPs and your disclosures). Then, test for the differences between what you say you do and what you actually do in practice. We use these to help take new registrants through the registration process, for annual reviews, mock regulatory examinations and “health checks.”

A good broom catches all the dust

We mentioned above a list of critical areas to be reviewed. But just as an attentive cleaner dusts under the bed, the competent and knowledgeable CCO will leave no compliance stone unturned. Here is a final to-do list as a reminder:

• Have you reviewed your offering materials to ensure they are current and disclose risks and conflicts of interest?

• Are you current with your regulatory filings, home country and SEC?

• Have you reviewed the effectiveness of your anti-money laundering program?

• Have you conducted compliance training this year? Don’t forget to train your people on misuse of material non-public information, false rumors and market manipulation, the pitfalls involved with making campaign contributions and other topical matters.

• Why not conduct an all-hands compliance meeting (remote offices can participate via video conference) in which colleagues are encouraged to ask questions and make suggestions?

• If required, have you sent your Regulation S-P privacy notice to clients that are “consumers”?

• Have you evaluated your service providers recently? Third-party oversight is a must, as is the independent verification of trades, cash and assets held by custodians and other key data. When the SEC shows up, they’ll want to see: “The names and location of all service providers and the services they perform and for both affiliated and unaffiliated providers, information about the due diligence process to initially evaluate and monitor thereafter the work provided and how potential conflicts and information flow issues are addressed.”

• Due-diligence questionnaires and inspecting reports, like a SOC 1 Report, can be effective elements of a service provider assessment. Visit the location where work is performed and conduct a substantive review.

Business continuity

Test your data backups by recovering files. Test your phone tree. Ensure your BCP actually works.
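As an added example that is not part of the original article, the following Python script performs the restore test in code rather than by hand: it builds a small constructed file tree, writes it to a gzip tar archive, restores the archive into a fresh directory and compares the SHA-256 digest of every file in the restore with the live copy. The file names and contents are made up for illustration; the point is that a backup is only proven when the restored bytes match the originals, and a bad restore (simulated here with the `tamper` flag) is reported rather than silently accepted.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = (
                hashlib.sha256(path.read_bytes()).hexdigest()
            )
    return digests


def make_backup(source_dir, archive_path):
    """Write source_dir into a gzip-compressed tar archive."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return Path(archive_path)


def restore_backup(archive_path, target_dir):
    """Extract the archive into target_dir, refusing path traversal where supported."""
    with tarfile.open(str(archive_path), "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): reject members that escape target_dir
            tar.extractall(str(target_dir), filter="data")
        else:
            tar.extractall(str(target_dir))


def verify_restore(source_dir, restored_dir):
    """Compare the restore with the live copy file by file."""
    expected = sha256_tree(source_dir)
    actual = sha256_tree(restored_dir)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": not missing and not corrupted,
        "files_checked": len(expected),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
    }


def run_restore_drill(tamper=False):
    """Backup -> restore -> verify on a constructed tree; tamper simulates a bad restore."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed "live" data: two made-up files, not real client records.
        live = Path(work, "live")
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "statements_2014Q3.csv").write_text("acct,value\nA1,100\n")
        (live / "wpp.txt").write_text("written policies and procedures, v3\n")

        archive = make_backup(live, Path(work, "nightly.tar.gz"))
        restored = Path(work, "restored")
        restored.mkdir()
        restore_backup(archive, restored)

        if tamper:
            # Simulate a restore that came back incomplete or altered.
            (restored / "wpp.txt").write_text("truncated\n")

        return verify_restore(live, restored)


if __name__ == "__main__":
    print(run_restore_drill())
    print(run_restore_drill(tamper=True))
```

Run the same drill against a real archive by pointing `restore_backup` and `verify_restore` at the production backup and a scratch directory; keep the digest map from the live system at backup time so the comparison does not depend on the live copy still being intact when you test.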

An independent perspective is a good thing if used wisely

Some RIAs engage a consultant to conduct the annual review, often as a mock SEC exam. This is when a third-party firm sends a team of experienced and SEC knowledgeable compliance specialists to simulate an SEC examination. This gives you an independent view of your compliance program, if the firm conducting the review specializes in this area. Law firms might help, but as they practice law in only one area and for one jurisdiction they do not have first-hand compliance experience. When in doubt, use the experts, particularly those with SEC experience and a track record.

Your perspective should be “what does the SEC expect?” and not “what is the law in this area?”.

How your annual review prepares you for your SEC examination

How will the CCO gather and produce the reams of information when the SEC calls and gives two weeks to gather and submit specified documents in advance of an examination?

If the RIA and CCO have prepared, the exam can be handled with a degree of confidence. The key is conducting an annual review as if it were an OCIE examination.

• Keep a current OCIE examination document request (we can supply you with one) and ensure that you have all of the requested documents, perform required tasks and monitor and test.

• Document all findings and address each.

• Leverage the gap analysis that you used for your SEC registration.

• Ensure that your WPPs reflect the risks in the CRI and the conflicts and the means to address them in the conflicts log.


A good way to prepare is to take the “30 minute” test: in this time, gather and analyze your breaches log, the trade errors log, the results of the two most recent annual reviews and the code of ethics reports and review.

The arrival of the documentation list and notice of an examination is no cause for alarm if you and your firm have conducted yourselves honestly and ethically and can prove that you have a “reasonably designed” compliance program. You would do well to use your annual review to ensure that you will be able to respond expeditiously to such a document request list when one finally arrives.

In an examination, the SEC “follows the money” and looks to confirm whether the RIA told the truth and is doing what it said it would do.4 The SEC examines a number of key areas of activity:

• Weaknesses in compliance and controls.

• The business model (revenue streams, profit centers, products, business plans).

• Affiliations and conflicts of interest.

• Safe-keeping of clients’ assets (custody).

• Undisclosed compensation arrangements.

• Deal allocations among clients.

• Brokerage arrangements and trading.

• Code of ethics and personal account dealing.

• Valuation of clients’ positions and fee calculations.

• Marketing and promotional activities.

A document request list contains nearly everything that an RIA must have in order to satisfy its Advisers Act requirements. For instance, it will ask for results from forensic testing, advertising that compliance has cleared, and the CRI – which is referred to as “a current inventory of the Adviser’s compliance risks that forms the basis for its policies and procedures, including any changes made to the inventory and the dates of the changes.” As noted previously, every RIA requires one to be able to establish that its WPPs are “reasonably designed” (in the words of the compliance rule). We note the impact of WAM, where the SEC cited language from the Compliance Release as a “warning shot” to RIAs who did not complete a CRI and conflicts log and use them to design and implement written policies and procedures that are “reasonably designed”:

“Rule 206(4)-7 requires investment advisers to “[a]dopt and implement written policies and procedures reasonably designed to prevent violation” of the Advisers Act and its rules. The Commission has stated that an adviser’s failure “to have adequate compliance policies and procedures in place will constitute a violation of our rules independent of any other securities law violation.” [Compliance Release, 68 F.R. 74714, at 74715]. The Compliance Release further provides that “[t]he policies and procedures should be designed to prevent violations from occurring, detect violations that have occurred, and correct promptly any violations that have occurred.” 68 F.R. 74714, at 74716. The Compliance Release also states that “[e]ach adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design policies and procedures that address those risks.”” 5

4 “CCOs and SEC Examinations”, a one-half day workshop, London, 16 October 2014; Paula Drake, Chief Counsel, Office of Compliance Inspections and Examinations, SEC; Dan Kahl, Assistant Director for Investment Adviser Regulation, Division of Investment Management, SEC; and Mark Berman, CompliGlobe Ltd.

Under the risk-based examination system the SEC employs, an RIA is expected to be constantly evaluating and responding to the specific risks and conflicts it faces and to adopt and implement bespoke WPPs. “Off the shelf” materials are not only discouraged but might result in an enforcement referral. Make sure that your WPPs reflect who and what you are, your risks and conflicts, and be specific. No one wants to have the SEC open an adviser’s compliance manual in an examination to discover that the documents are emblazoned with “These Policies and Procedures have been created using the Compliance Consultant Inc.’s Compliance Manual Wizard”, contain materials not relevant to its business, are inconsistent, old or outdated, or refer to persons who no longer work for the RIA.

You have only to review the above quote from WAM to see why a CRI is needed.

By the same token, not identifying all of your material conflicts of interest and the means to address them and disclosing them in your Form ADV Part 2A may be actionable. Identify material conflicts, the effect(s) that they have on the adviser and its clients and the means to resolve them. Form ADV Part 2A disclosure must be sufficiently clear and concrete so that a reasonable prospect or client understands clearly the conflict and how it is addressed. Keep in mind that an RIA may be sued if its disclosures are materially incorrect, in particular, there is a material omission, such as an undisclosed conflict of interest. See e.g. SEC v. Gabelli, 2011 WL 3250556 (2d Cir. 1 August 2011). Also, an RIA may be sued for failure to disclose conflicts and using “may” or “might” language. See e.g. Robare Group Ltd, Admin Proc 3-16047 (2 September 2014).

Conclusion

Your annual review need not be an unpleasant experience. An annual review is that time to prove you are in compliance with Advisers Act requirements and are prepared for your SEC examination. Use a document request list as a key resource, and use your WPPs to form the basis of your monitoring and testing. Each policy and procedure should be tested to ensure that it is adequate and effective. If the WPPs say that you’re to do something, make sure you do it as specified. If things have changed during the year and you did not amend the WPPs as developments occurred, amend them now. Be skeptical. Make sure that you leave no loose ends or accept explanations that, on reflection, don’t wash. And don’t forget to get out and about and ask your supervised persons what’s working and what’s not in your WPPs.

Use your annual review to prepare for the day the SEC visits. Develop a CRI and conflicts log that form the basis for your WPPs. Review them often and give this special consideration in your annual review.

Be proud of your SEC compliance program and your firm will be proud of you.

5 WAM, pages 6 and 7, para. 23, citing “Compliance Programs of Investment Companies and Investment Advisers”, Advisers Act Release 2204, 68 FR 74714, 74715 (24 December 2003).


What does the SEC want you to review?

In the article, we listed the key policies and procedures the SEC expects RIAs to include in their compliance program and, in turn, review at least annually. This is a baseline, minimum set of considerations. Each focus area below is paired with a sample test that might help with testing an element contained in that guidance.

Focus area: Portfolio management, including the allocation of investment opportunities among clients and the consistency of portfolios with clients’ investment objectives, disclosures and regulatory restrictions.
Sample test: Test allocations in accounts with the same or a similar strategy.

Focus area: Trading practices, including satisfying the duty to seek best execution and the use of client commissions to obtain execution, research or other services.
Sample test: Best execution for equities: construct a spreadsheet or database to compare execution prices against VWAP (Volume Weighted Average Price), a publicly available metric that is the volume-weighted average price of trades in the security over a given time period.

Focus area: Proprietary trading of the adviser and personal trading by employees.
Sample test: Compare the returns of proprietary accounts versus those of employees. Understand the reasons for any outperformance.

Focus area: The accuracy of disclosures made to investors, clients and regulators, including account statements and advertisements; accuracy of books and records.
Sample test: Review these materials to ensure that they are materially correct. For advertising, take the material backing performance claims and use it to test those claims. Make sure there are no unsubstantiated or non-provable statements.

Focus area: Safeguarding client assets from conversion or inappropriate use by advisory personnel.
Sample test: Compare a sample of client custodial statements with adviser-produced statements. Review client correspondence regarding cash withdrawals.

Focus area: Marketing advisory services, including the use of solicitors.
Sample test: Create a grid: record that you have disclosed your use of solicitors and that your Brochure on Form ADV Part 2A and the solicitor’s disclosure document were given to all clients approached by the solicitor, etc.

Focus area: Valuing client holdings and calculating fees.
Sample test: Compare the price of any assets you held at fair value and disposed of with their selling prices. If there is any imbalance, reassess your valuation policies. Ensure methodologies are recorded and followed.

Focus area: Protecting the privacy of client records and information.
Sample test: Review your password policy and enforce complex passwords on workstations; walk around and see if workstations or trading terminals have the proper password protections installed.

Focus area: Business continuity plans.
Sample test: Ensure that the IT department has regularly scheduled tests of the firm’s business continuity program and that IT personnel and management certify that the program is operational and functioning properly.
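The best execution sample test above, and the forensic testing described earlier in the article (tests that analyze information over time to identify unusual patterns, with execution quality as the SEC’s own example), both come down to the same arithmetic: a VWAP benchmark, a per-fill comparison, and a look across fills for a pattern. As an added example that is not part of the original article, the following Python script does that on constructed data: it builds a VWAP from a made-up trade tape, scores each of the adviser’s fills against it in basis points (the transactional view), then aggregates by broker to find one whose fills are consistently worse than the benchmark (the forensic view). The tape, fills, broker labels and the 10 bps tolerance are all illustrative assumptions, not market data or a regulatory threshold.

```python
from dataclasses import dataclass

# Constructed sample tape for one symbol on one day (not market data).
# Rows: (time, price, volume) for the consolidated market.
TAPE = [
    ("09:31", 50.00, 1000),
    ("09:45", 50.10, 2000),
    ("10:15", 50.20, 1500),
    ("11:00", 49.90, 2500),
    ("13:30", 50.05, 3000),
]


@dataclass(frozen=True)
class Fill:
    order_id: str
    broker: str   # hypothetical broker labels, for the per-broker pattern check
    side: str     # "buy" or "sell"
    price: float
    shares: int


# Constructed fills by the adviser in the same symbol on the same day.
FILLS = [
    Fill("A1", "BROKER-X", "buy", 50.05, 500),
    Fill("A2", "BROKER-Y", "buy", 50.30, 800),
    Fill("A3", "BROKER-X", "sell", 50.00, 600),
    Fill("A4", "BROKER-Y", "sell", 49.70, 1000),
]


def vwap(tape):
    """Volume-weighted average price of a (time, price, volume) tape."""
    total_volume = sum(volume for _, _, volume in tape)
    if total_volume <= 0:
        raise ValueError("tape has no volume")
    notional = sum(price * volume for _, price, volume in tape)
    return notional / total_volume


def shortfall_bps(side, fill_price, benchmark):
    """Signed shortfall of one fill against the benchmark, in basis points.

    Positive means the client did worse than the benchmark (bought above
    VWAP or sold below it); negative means price improvement.
    """
    if side == "buy":
        diff = fill_price - benchmark
    elif side == "sell":
        diff = benchmark - fill_price
    else:
        raise ValueError(f"unknown side {side!r}")
    return diff / benchmark * 10_000


def score_fills(fills, benchmark):
    """Order id -> shortfall in bps: the transactional test, one act at a time."""
    return {f.order_id: shortfall_bps(f.side, f.price, benchmark) for f in fills}


def flag_fills(fills, benchmark, threshold_bps=10.0):
    """Order ids whose shortfall exceeds the tolerance, worst first."""
    scores = score_fills(fills, benchmark)
    bad = [oid for oid, bps in scores.items() if bps > threshold_bps]
    return sorted(bad, key=lambda oid: scores[oid], reverse=True)


def broker_shortfall(fills, benchmark):
    """Share-weighted average shortfall per broker: the forensic, pattern test."""
    weighted, shares = {}, {}
    for f in fills:
        bps = shortfall_bps(f.side, f.price, benchmark)
        weighted[f.broker] = weighted.get(f.broker, 0.0) + bps * f.shares
        shares[f.broker] = shares.get(f.broker, 0) + f.shares
    return {b: weighted[b] / shares[b] for b in weighted}


def flag_brokers(fills, benchmark, threshold_bps=10.0):
    """Brokers whose weighted shortfall exceeds the tolerance."""
    return sorted(b for b, bps in broker_shortfall(fills, benchmark).items()
                  if bps > threshold_bps)


if __name__ == "__main__":
    bench = vwap(TAPE)
    print(f"VWAP: {bench:.4f}")
    for oid, bps in score_fills(FILLS, bench).items():
        print(f"{oid}: {bps:+.1f} bps")
    print("fills to explain:", flag_fills(FILLS, bench))
    print("brokers to explain:", flag_brokers(FILLS, bench))
```

Two caveats a practitioner would apply before relying on this. A full-day VWAP is a blunt benchmark: a large order worked late in the day, or one placed after the price moved, will look bad against it for reasons that have nothing to do with the broker, so use the interval VWAP for the order’s own life or an arrival-price benchmark where you have the data. And a single day proves little; the forensic value comes from running the broker aggregation over months so that a broker who is consistently on the wrong side of the benchmark stands out from noise, at which point the finding goes into the breaches log with the explanation.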


Charting the SEC’s Next Move in Muniland
By Gregg L. Bienstock Esq.

2014 has been a year marked by the SEC’s increased focus on the municipal market. The SEC’s 2012 Report on the Municipal Securities Market (“2012 Report”) was the proverbial shot across the bow. However, sandwiching the 2012 Report are several SEC actions in 2010, more than a dozen in 2013-2014 and, most recently, the MCDC initiative, all pointing to the SEC’s no-nonsense approach to broader enforcement around the municipal bond market.

If you had any doubt as to whether the SEC’s focus on the municipal market was a flash in the pan, Andrew Ceresney, Director of the SEC’s Division of Enforcement, made clear that the municipal market will be the subject of increased focus by the Division of Enforcement. At SIFMA’s Annual Meeting, both Ceresney and Kent Hiteshew, Director of Treasury’s State and Local Finance Office, spoke to the SEC’s focus on the municipal market and the fact that the municipal market has not, historically, been subject to the same level of scrutiny as other areas of the financial services market.

Highlighting the importance of the 2012 Report, Hiteshew urged dealers to be familiar with the SEC’s 2012 Report and Ceresney noted, “I think it’s fair to say this is a place [the municipal market] we’re here to stay.”

This article offers perspective on where the SEC may focus next in the municipal market. On October 29, the municipal market may have been provided insight as to the answer to that question. Peter Chan, the former SEC enforcement lawyer and person most closely identified with the MCDC initiative, suggested that the SEC’s focus will turn from broker-dealer and issuer compliance with their obligations under 15c2-12 and Commission guidance regarding reasonable due diligence in underwriting to the secondary market.

Rulemaking, regulatory actions and SEC firsts in the municipal space are addressed below. The authority for SEC (versus FINRA) enforcement in the municipal space is covered, and this article concludes with a review of what may be the SEC’s next enforcement focus.

Basis for the SEC’s Focus On the Municipal Market … It Seems Serious

It is worth asking “why, seemingly, overnight is the SEC focusing on the municipal market?” Start with the 2012 Report where the SEC made clear that “the mission of the SEC is to protect investors – including investors in municipal securities…” The 2012 Report highlights the process the SEC undertook to examine the municipal market highlighting that its efforts included field hearings across the US in 2010 and 2011. The field hearings invited perspective on topics that included “disclosures, accounting, pre-trade price transparency, and other investor and municipal issuer concerns.” Id. The 2012 Report “focuses on two key areas of concern … disclosure and market structure.” Thus, one can identify the significance of the focus given the process that started in 2010, culminated in the 2012 Report and has led to a flurry of activity at the MSRB (much of which is highlighted in the 2012 Report) and SEC.

Further evidence of the SEC’s focus came in the form of its March 2012 National Examination Risk Alert, which focused on “Strengthening Practices for the Underwriting of Municipal Securities.” As some have opined, these two documents provide the roadmap for SEC activity.

Following the release of the above-referenced documents, there have been, in addition to enforcement actions, a number of recent “firsts” from the SEC in the municipal space as well as new and amended MSRB rules. Below we highlight some of this activity.

• Rule Making, Amendments and Clarification: Since July 1, 2012, there have been 9 new MSRB Rules and 10 amendments, including MSRB Rule G-19 (Suitability), G-47 (Time of Trade), G-48 (SMMPs) and the Best Execution rule having been submitted to the SEC for approval.1

• SEC “Enforcement Firsts” in 2013: Harrisburg (municipality charged with issuing false statements outside of bond offering documents), West Clark Community Schools (municipality charged with falsely claiming it complied with prior disclosure requirements and the underwriter for inadequate diligence), Greater Wenatchee Regional Events Center (first time SEC assessed a financial penalty against a municipal issuer).2

• MCDC Initiative: The SEC’s Division of Enforcement, in March 2014, issued the Municipal Continuing Disclosure Cooperation Initiative which provides for voluntary submissions of possible violations involving materially inaccurate statements relating to prior compliance with Rule 15c2-12. If the Division of Enforcement recommends enforcement and the Commission accepts a settlement, fines for underwriting firms can be as much as $500,000.

• In November 2014, the SEC fined 13 dealers between $54,000 and $130,000 for violating minimum denomination requirements around Puerto Rico’s $3.5 billion GO offering (MSRB Rule G-15) and has told firms to have a documented approach to monitoring such activity.

• In November 2014, the SEC announced fraud charges against the City of Allen Park, Michigan, and two of its former officials: the former City Mayor and former City Administrator. It is the first time the SEC imposed “control person” liability on a mayor, or any municipal official, under Section 20(a) of the Securities Exchange Act of 1934.

1 New Rules: A-11, Assessments for Municipal Advisor Professionals; D-15, Sophisticated Municipal Market Professional; G-3, Professional Qualification Requirements; G-8, Books and Records to be Made by Brokers, Dealers and Municipal Securities Dealers; G-9, Preservation of Records (effective 2/24/2015); G-44, Supervisory and Compliance Obligations of Municipal Advisors (approved 10/29/2014); G-45, Reporting Information on Municipal Fund Securities (effective 2/24/2015); G-47, Time of Trade Disclosure; G-48, Transactions with Sophisticated Municipal Market Professionals. Amended Rules: G-7, Information Concerning Associated Persons; G-11, Primary Offering Practices; G-14, Reports of Sales or Purchases; G-19, Suitability of Recommendations and Transactions; G-27, Supervision; G-30, Prices and Commissions; G-32, Disclosures In Connection With Primary Offerings; G-37, Political Contributions and Prohibitions on Municipal Securities Business; G-39, Telemarketing; A-12, Registration.

2 There have been a number of other important cases including, but not limited to, State of Kansas (8/14), Kings Canyon School District (7/14), City of Harvey, IL (6/14), Miami-Dade County (9/13), State of Illinois (3/13).

ABOUT THE AUTHOR

Gregg L. Bienstock is the CEO and Co-Founder of Lumesis, Inc., www.lumesis.com. He can be reached at [email protected].

In addition to the 2012 Report, MSRB rulemaking and SEC activity, several have offered the view that this is nothing more than the once sleepy world of municipal bonds being subjected to rules the rest of the market has learned to live with. Either way, the activities of the past couple of years certainly support an air of seriousness by the SEC around protecting investors.

To round out this initial point, some have asked “why the SEC and not FINRA?” The MSRB’s website highlights “Market Regulation activities” of the MSRB and those responsible for enforcement.

On this latter point, “the MSRB’s rules are enforced by the Financial Industry Regulatory Authority (FINRA) for securities firms, by bank regulatory agencies (the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation) for banks, and by the SEC for municipal advisors and all securities firms and banks.”3 Emphasis supplied.

While many market participants expect FINRA to be the primary enforcement body, the above-highlighted actions and activities demonstrate the SEC’s following-through on its 2012 Report priorities. And, it seems, where the SEC has taken action, they have done so quickly and decisively as highlighted by the minimum denomination fines and its MCDC initiative (time to submit).4 FINRA has indicated that it will not “double dip” where the SEC has taken action.

Next Focal Point (Perhaps) for the SEC

It is clear that the MSRB, FINRA and SEC are keenly interested in protecting the retail and non-sophisticated municipal market participant.

On a prospective basis, Peter Chan, in an interview with the Bond Buyer, offered that the SEC’s focus will be around secondary trades and cites “pricing and transaction costs … the quality of the dealers’ recommendations” and the importance of having a “reasonable basis to conclude the securities they recommend are good fits for the customers” as possible areas of focus. If Mr. Chan’s premonition is accurate, one can logically see the focus also including time of trade disclosure as both a stand-alone rule (MSRB Rule G-47) and because it forms part of the reasonable basis suitability rule (MSRB Rule G-19).5

In the interview, Chan suggested that the SEC Enforcement Division will look to the anti-fraud provisions in the Federal Securities law, pointing out that the same make it illegal “to commit fraud or deceit, and to make false or misleading statements, in connection with the purchase or sale of securities.” I’m sure many distinctly recall hearing Mr. Chan speak prior to the announcement of the MCDC initiative and his echoing similar sentiments regarding the making of false or misleading statements around underwriting representations. Couple this with Messrs. Cerseney and Hiteshew’s comments cited earlier and the picture begins to come into focus.

3 The Securities Act of 1933 and the Securities Exchange Act of 1934 were both enacted with exemptions for municipal securities except for the anti-fraud provisions of both Acts. The SEC’s investor protection efforts in the muni space have been accomplished through regulation of broker-dealers and municipal securities dealers, including through Exchange Act Rule 15c2-12, Commission interpretations, enforcement of anti-fraud provisions and Commission oversight of the MSRB. 2012 Report.

4 Many market participants took issue with the SEC’s not providing clarity as to the meaning of “material” for the MCDC initiative.

5 For ease of reference, the areas of focus cited by Mr. Chan reference the recently clarified/amended rules around Prices and Commissions (aka Fair and Reasonable Pricing - MSRB Rule G-30), Suitability (MSRB Rule G-19) and, by reference, Time of Trade (MSRB Rule G-47).

If Chan’s suspicions, which have also been highlighted by two Commissioners, are confirmed, the only question is what path the SEC will take. Will it be an MCDC-type initiative that uses the anti-fraud provisions as its driving force – come clean with all your sins of the past – or will it be more akin to the recent fines for violations of the minimum denomination rule (MSRB Rule G-15)? Perhaps we will see a similar pattern of enforcement actions followed by a focused MCDC-type initiative.

While there is logic and precedent to using the anti-fraud mechanism to pursue this potential area of enforcement focus, there is another possible avenue the SEC can pursue. This was articulated by Elaine Greenberg, former head of the SEC’s Municipal Securities Enforcement Division, commenting on the enforcement action around minimum denominations as reported by the Bond Buyer. She offered her view that the SEC, in that instance, was using a “sweep” approach targeting multiple market participants “for conduct the commission has not taken action on before.” The Bond Buyer reported that “Greenberg said the SEC likely chose not to pursue fraud charges against the dealers because the presence of a clearly applicable MSRB rule makes a much easier and swifter analysis for the enforcement lawyers. Instead of needing to prove materiality or who knew what and when, the commission only needs to show that the conduct occurred” [or did not occur]. The Bond Buyer, Experts: SEC Enforcement Action Raises Awareness, 11/4/2014.

If the SEC focuses on secondary trades and “pricing and transaction costs … the quality of the dealers’ recommendations” and the importance of having a “reasonable basis to conclude the securities they recommend are good fits for the customers” as possible areas of focus, it is worth noting that clearly applicable MSRB rules do exist and, as such, may provide an alternative approach for the SEC distinct from its MCDC initiative.

Whether it is an MCDC-like approach or a “sweep” approach, the operative questions are “what have you done in the past” and “can you support the same with more than policies and procedures?” In other words, as required by the MCDC initiative, can you prove you did what your policies and procedures said you did?

• How will you be able to prove to the SEC that there was a reasonable basis to conclude the securities were appropriate?

• Can you demonstrate what was considered or disclosed to the retail client?

If we look to the MCDC initiative as instructive, the answer, for many, was “no.” Given the extensive amount of work firms undertook to prove their diligence (which, based on the number of submissions, one can surmise there were many cases where “reasonable diligence” could not be supported with documentary proof), it appears, until recently, firms have not taken to memorializing what was actually considered to determine suitability or what material information was disclosed to the retail client.

As it relates to pricing and transaction costs, again, the SEC can point to MSRB Rule G-30, which applies to both principal and agency transactions and emphasizes the requirement of “fair and reasonable.”6 Was the pricing fair and reasonable? What was the mark-up? What was the transaction cost? Can you demonstrate support for the same? While FINRA has been somewhat active in its enforcement and market participants have asked for clear guidance on mark-ups (to no avail, at least formally), if Chan’s perspective is correct, the SEC may be stepping up its oversight and enforcement.

Any discussion of fair and reasonable pricing in the municipal space would not be complete without pointing to the reality that many municipal bonds are thinly traded, that obtaining supporting data for fair and reasonable pricing is often difficult, and that the approaches used may be less than perfect. In this regard, the MSRB has sought to help by offering, through EMMA, its Price Discovery Tool “to find and compare trade prices of municipal bonds with similar characteristics.” Another approach employed by some market participants is the use of a pricing service to ensure, at the end of the day, the pricing was fair and reasonable.

Whether a firm uses one or both of these approaches or another, it remains to be seen if the same will be deemed effective should the SEC focus on this area. Through interactions with market participants, we know that EMMA’s Price Discovery tool, while useful to some, is not viewed as useful in identifying truly comparable securities, as it does not identify the trade date nor does it capture indicative pricing for the security of interest or comparable bonds. Some have commented that the pricing services are black box models and, in many cases, use institutional sized trades as a primary factor in arriving at the valuation, causing trades to be re-priced at day’s end or the following morning. In each instance, the high prevalence of institutional-sized blocks and the focus on institutional trades to derive a “price” causes these tools to miss the mark. Moreover, one can surmise the Commission has a view (perhaps based on their 2001-2011 meetings with market participants) given their ostensible interest in the area of fair and reasonable pricing, pre-trade price transparency and the pending best execution rule.

6 MSRB Rule G-30 provides: (a) Principal Transactions. No broker, dealer or municipal securities dealer shall purchase municipal securities for its own account from a customer, or sell municipal securities for its own account to a customer, except at an aggregate price (including any mark-up or mark-down) that is fair and reasonable.

(b) Agency Transactions. (i) Each broker, dealer and municipal securities dealer, when executing a transaction in municipal securities for or on behalf of a customer as agent, shall make a reasonable effort to obtain a price for the customer that is fair and reasonable in relation to prevailing market conditions. (ii) No broker, dealer or municipal securities dealer shall purchase or sell municipal securities as agent for a customer for a commission or service charge in excess of a fair and reasonable amount.

Importance of Documentation

Keeping detailed notes and documentation on what has been done and what is currently being done in support of specific regulations has never been more important to securities firms. Having written policies and procedures in place is an important first step but, often, a firm must be able to prove and demonstrate in detail how it is addressing compliance with various rules. As an example, to pass an internal or regulatory audit, dealers need to be able to show how they are specifically informing clients of investment risks and how they are monitoring their sales teams’ compliance with the same.

Checking a box that says you communicated material information about a muni to a client isn’t the same thing as being able to prove that you did it – and that’s what the current regulatory environment requires. Whether it be the MCDC initiative, comments from market participants or those of former SEC and MSRB officials, documenting what you have done so you can prove the same to your compliance professional, auditor, FINRA or the SEC is critical.

The results of the 2014 IA Compliance Compensation Survey, sponsored by IA Watch and the National Society of Compliance Professionals, have been released.

You can visit the IA Compliance Compensation Results website here. Use the results to benchmark and compare your compensation against peers in your area, plus the top 30 most populous metropolitan regions in the U.S., such as New York, Washington, D.C., Chicago, San Francisco and nationally.


FINRA’s New Consolidated Supervision Rules

By Hank Sanchez

Overview

On December 23, 2013, the SEC approved changes to the FINRA supervisory and supervision rules, and consolidated certain NYSE rules into these new rules (the “Approval Release”)1. The effective date for the new Rules is currently set at December 1, 2014.

As many in the industry know, the finalization of the rule changes was not that simple. The initial volley discussing the proposed rules was launched in May 2008 with Regulatory Notice 08-24. The proposal languished until, in September 2011, FINRA, without explanation, withdrew the initial proposal2. The proposal was resurrected on June 21, 2013, when FINRA filed with the SEC an updated version of the proposal3. There were over 570 total comments sent in to the SEC. On October 2, 2013, FINRA responded to the comments and filed an amendment to the proposed rule change4. While several comments supported the proposal, other comments discussed concerns related to such things as the definition of “covered accounts” (discussed below) and the single supervisor requirement, as well as the documentation requirements relating to customer complaints, and the additional testing required.

FINRA Regulatory Notice 14-10, released in March 2014, discusses the rule changes and should be reviewed by firms’ legal and compliance teams, as well as with the business and supervisory teams. Below is a summary of the key provisions of the new rules and a discussion of the effect of the rules on FINRA member firms. While most of the changes truly are a consolidation of existing rules, there are some things that firms should be aware of both in updating their current procedures and how they test those procedures.

As noted in the Approval Release, FINRA made the changes as part of the process of consolidating its rulebook. In sum, the changes are as follows:

NEW RULE | PRIOR RULE
Rule 3110 (Supervision) | Replaces: Rule 3010 (Supervision)
Rule 3120 (Supervisory Control System) | Replaces: Rule 3012 (Supervisory Control System)
Rule 3170 (Tape Recording of Registered Persons by Certain Firms) | Replaces: Rule 3010(b)(2) (Taping Rule)
Rule 3150 (Holding of Customer Mail) | Replaces: Rule 3110(i) (Holding of Customer Mail)

Incorporated into Rule 3110: NASD IM-1000-4 (Branch Offices and Offices of Supervisory Jurisdiction); NASD IM-3010-1 (Standards for Reasonable Review); NYSE Rule 401A (Customer Complaints); NYSE Rule 342.21 (Trade Review and Investigation)

Deleted: (i) NYSE Rule 342 (Offices - Approval, Supervision and Control) and related NYSE Rule Interpretations; (ii) NYSE Rule 343 (Offices - Sole Tenancy, and Hours) and related NYSE Rule Interpretations; (iii) NYSE Rule 351(e) (Reporting Requirements) and NYSE Rule Interpretation 351(e)/01 (Reports of Investigation); (iv) NYSE Rule 354 (Reports to Control Persons); and (v) NYSE Rule 401 (Business Conduct).

ABOUT THE AUTHOR

Henry Sanchez is the Associate Director of Oyster Consulting, LLC, www.oysterllc.com. He can be reached at [email protected]


The new rules retain some of the prior requirements of NASD Rules 3010 and 3012:

• Branch inspection cycles (3110(c)(1)(A) through (C));

• Requiring that the person conducting branch inspections is sufficiently independent from the branch and persons in the branch (3110(c)(3)(B)); and

• Procedures for the monitoring of registered representatives’ activities (3110).

Interestingly, none of the commentators to the proposed rules, and none of the FINRA discussions about the rules discuss what firms should do vis-à-vis their next 3120 Report (formerly the “3012 Report”) and the timing of the effective date of December 1st. This date is important as the common practice among firms has been to finalize the former 3012 report at or near the end of the first quarter of each calendar year, so as to do testing for the full prior calendar year. Since the requirements of new Rule 3120 will take effect on December 1st, this may create a quandary for firms5. Firms need to consider whether they should:

(a) keep the current testing and reporting cycle and test and report on the prior calendar year, including one month of the new items required in the rules; or,

(b) move up the report date and do a partial year report up to November 30, thus, do testing in subsequent years for the period December through November; or,

(c) do testing and reporting for a partial year, through November 30, and then do a short one month report after year-end, thus retaining the reporting period for the first quarter of the subsequent years.

As odd as these alternatives may appear, this is something firms need to think about.

As more fully discussed below, the new Rules also add requirements, including:

• Special supervision for supervisory personnel, (3110(b)(6)) (eliminating the confusing prior provision regarding “heightened supervision” which required member firms to calculate whether “the branch office manager generates 20% or more of the revenue of the business units supervised by the branch office manager’s supervisor”);

• Rule 3120(b) which adds the requirement that a firm that reported $200 million or more in gross revenue on its FOCUS reports in the prior calendar year include additional content in the report it submits to senior management;

• Requirements to review transactions with a view toward detecting insider trading, as well as specific requirements related to investigating suspected insider trading and producing written reports of such investigations (3110(d)(3)(B));

• The “Limited Size and Resources” terminology in NASD Rule 3012(a)(2)(A)(ii) is replaced with 3110(c)(3)(C), which states that: If a member determines that compliance with paragraph (c)(3)(B) (independent inspector) is not possible either because of a member’s size or its business model, the member must document in the inspection report both the factors the member used to make its determination and how the inspection otherwise complies with paragraph (c)(1).

• Specific requirements for the annual report providing details of:

  • the firm’s system of supervisory controls;

  • the summary of the test results and significant identified exceptions; and,

  • any additional or amended supervisory procedures created in response to the test results (3120(a)(2)).

Conflicts of Interest

In October 2013, FINRA published its Report on Conflicts of Interest (the “Conflicts Report”).6 In the Conflicts Report, FINRA noted that firms should identify and manage conflicts, and should have an inventory of conflicts specific to their firm and review the list periodically, assess risks, address the items in the firm’s policies and procedures, and surveil/test processes.

Firms should also disclose conflicts, if possible in writing, to clients. In the Conflicts Report, FINRA also laid out specific examples of conflicts-related disclosure requirements and regulatory prohibitions.

The Conflicts Report identified numerous conflicts that firms should be reviewing:

• General conflicts (such as outside activities)

• Supervision and Compliance Conflicts

• Research Related Conflicts

• Banking and Capital Markets Conflicts

• Retail and Private Wealth Conflicts

• Firm/Client Conflicts

• Vendor/Client Conflicts

The issue of conflicts of interest is addressed in new Rule 3110. In relation to supervision of supervisory personnel and branch office inspections, Rule 3110 indicates that firms must have in place policies and procedures reasonably designed to prevent office inspections and the supervision of supervisory personnel from being compromised by conflicts of interest. Rule 3110(a)(5) addresses one-person Offices of Supervisory Jurisdiction (“OSJs”) and requires all registered persons to be assigned to an appropriately registered representative or principal who is responsible for supervising that person’s activities. Rule 3110(b)(6)(D) requires policies and procedures reasonably designed to prevent the supervisory system from being compromised by conflicts of interest between the supervisor and supervised person, the main conflict being supervisors supervising their own activities.

In Notice 14-10, FINRA reminds firms to conduct focused reviews of one-person OSJ locations, especially in light of possible conflicts of interest that may arise. FINRA notes that it will review one-person OSJs to determine whether a firm adequately supervises these offices.

Annual Report

New Rule 3120 (Supervisory Control System) carries over the annual reporting requirement previously found in Rule 3012, commonly referred to as the “3012 Report”, and retains the requirement that the report be submitted to the firm’s senior management.

Rule 3120(b) is new and adds the requirement that a member firm that reported $200 million or more in gross revenue on its FOCUS reports in the prior calendar year must include additional content in the report it submits to senior management. The additional content includes, (where applicable to the firm):

(1) a tabulation of the reports pertaining to customer complaints and internal investigations made to FINRA during the preceding year; and


(2) a discussion of the preceding year’s compliance efforts, including procedures and educational programs, in each of the following areas:

(A) trading and market activities; (B) investment banking activities; (C) antifraud and sales practices; (D) finance and operations; (E) supervision; and (F) anti-money laundering.

Firms to which Rule 3120(b) applies should look to their prior year “3012 Report” to determine whether these areas were covered; if not, the next report must include these areas. These listed areas come from NYSE Rule 342.30 (Annual Report and Certification),

Principals

New Supplementary Material .03 to Rule 3110 clearly affects the firms that utilize the “independent” model. In fact, the commentators were mostly from the independent firms7. Supplementary Material .03 to Rule 3110 states that FINRA wants each OSJ to have an “on-site” principal with a “regular and routine” physical presence at the OSJ and one or more appropriately registered representatives or principals in each non-OSJ branch office with authority to carry out the supervisory responsibilities assigned to that office by the firm. Be aware that the “on-site” requirement does not mean that the supervisory principal actually be housed on-site in each OSJ location. There is flexibility in the rule allowing a “regular and routine” physical presence. “Regular and routine” is not defined in the rule, thus firms should be able to have an off-site principal for an OSJ; however, that off-site person must be on-site on a regular basis. The firm’s procedures need to include a rationale for the off-site principal and require that person to be on-site on a defined schedule.

Note: although “Supplementary Materials” almost appear to be an add-on or afterthought, they are part of the rules and FINRA can enforce a violation of Supplementary Materials.

There is also a new presumption that, absent certain special circumstances outlined in the Rule, a single principal should not supervise more than one OSJ, as defined in Rule 3110(e)(1). Here FINRA places the burden on the firm to document and justify, in writing, why a supervisor can or must supervise more than one OSJ. FINRA states that:

In all cases where a member designates and assigns one on-site principal to supervise more than one OSJ, the member must document in the member’s written supervisory and inspection procedures the factors used to determine why the member considers such supervisory structure to be reasonable and the determination by the member will be subject to scrutiny.

Supplementary Material .03 lists a number of factors that firms must “take into consideration” (i.e., document and justify) where one supervisor will supervise more than one OSJ. Note: this list is not a comprehensive list, thus leaving firms, and FINRA examiners, flexibility to determine whether firms should have considered other factors. The factors noted are:

(a) whether the on-site principal is qualified by virtue of experience and training to supervise the activities and supervise the associated persons in each location; (b) whether the on-site principal has the capacity and time to supervise the activities and associated persons in each location; (c) whether the on-site principal is a producing registered representative;

(d) whether the OSJ locations are in sufficiently close proximity to ensure that the on-site principal is physically present at each location on a regular and routine basis; and (e) the nature of activities at each location, including size and number of associated persons, scope of business activities, nature and complexity of products and services offered, volume of business done, the disciplinary history of persons assigned to such locations, and any other indicators of irregularities or misconduct.

Under Rule 3110(b)(6)(C), supervisors can neither report to nor have their compensation or employment determined by the person whom the supervisor is supervising. This requirement, obviously, is a problem for smaller firms where the supervisory structure is such that it is inevitable that, for example, a CCO supervising the firm’s owner’s activities reports to that owner. Supplementary Material 3110.10 provides relief.

Exceptions to the requirements of Rule 3110(b)(6)(C) can be found in Supplementary Material 3110.10; those instances are generally where:

(a) the member is a sole proprietor in a single-person firm; (b) a registered person is the member’s most senior executive officer (or similar position); or (c) a registered person is one of several of the member’s most senior executive officers (or similar positions).

This is not an exclusive list. The Approval Release indicates that a firm may rely on the exception in other instances where it cannot comply because of its size or the supervisor’s position within the firm, provided the firm documents the factors used to reach its determination and how the supervisory arrangement with respect to the supervisory personnel otherwise complies with Rule 3110(a).

Branch Exams

New Rule 3110(c)(1) continues the requirement that firms inspect OSJs and supervisory branch offices no less than annually, and non-supervisory branches no less than every three years.

New Supplementary Material .13 to FINRA Rule 3110 imposes a new presumption that non-branch locations should be inspected at least every three years, even in the absence of red flags. If a firm determines to use a longer periodic inspection schedule, the firm must document in its written supervisory and inspection procedures the factors used in determining that a longer periodic inspection cycle is appropriate.

Note: “home offices” continue to be included in the periodic inspection requirements.

The firm’s written supervisory and inspection procedures must include the inspection schedule and an explanation regarding how the member determined the frequency of the examination.

As noted above, the “limited size and resources” terminology has been removed; however, Rule 3110(c)(3) retains the concept. The Rule states that where a firm determines that it cannot comply with FINRA Rule 3110(c)(3)’s general prohibitions, the firm must document both the factors the firm used to make its determination and how the inspection otherwise complies with FINRA Rule 3110(c)(1).

Rule 3110(c)(3) eliminates NASD Rule 3010(c)(3)’s restriction that a firm relying on the exception must have a principal who has the requisite knowledge to conduct the inspection, so that firms can now assign the “most appropriate person who has the requisite knowledge,” regardless of registration status, to conduct the inspection. The elimination of the principal requirement opens up opportunities for firms to utilize non-principals, such as internal staff or outside consultants, to conduct the inspection. The firm is still responsible for ensuring that the inspection is done according to the applicable rules and firm policies.

While there is no requirement in the new rules for firms to conduct unannounced exams, there is likely still an expectation from FINRA that firms continue to do a number of unannounced office exams. For example, the Approval Release indicates that red flags, such as those identified through electronic communications reviews, could be helpful in determining whether to conduct unannounced inspections. In addition, FINRA Notice 11-54 (Nov. 2011) states that “unannounced inspections are a critical element of any well designed branch office inspection program and should constitute a significant percentage of all exams conducted.” There appears to be nothing in the new rules that overrides this Notice and its guidance regarding firms’ branch exam programs.

Investment Banking and Securities Business8

Under Rule 3110(b)(2) a registered principal must document the review of all transactions relating to the member’s investment banking or securities business. New Supplementary Material 3110.05 states that firms should use a risk-based approach to review these transactions. For example, the review of transactions by a registered principal may include the use of technology-based review systems with parameters designed to assess which transactions merit further review. The parameters have to be properly documented and reviewed by a principal, and the review itself has to be documented in writing.

Where a firm does not have any investment banking or securities business, the firm can include in its procedures a statement that it does not engage in the activities; however, if the firm later does anticipate engaging in the activities it must have supervisory policies and procedures established prior to engaging in the activities.9 The latter concept is not new; firms should know that for any new area of business, compliance procedures should be in place before engaging in that new business.

Insider Trading

Rule 3110(d)(3) requires member firms engaging in investment banking services to promptly conduct an internal investigation into any trades that may be insider trades to determine whether a violation occurred. This requirement is based on NYSE Rule 342.2110. “Promptly” is not defined in the rule and in instances where insider trading is suspected, firm staff should be trained to immediately escalate the matter to senior management and/or counsel. If there is an investigation by a firm during any given calendar quarter, the firm has ten business days after the end of the quarter to file with FINRA, to their Regulatory Coordinator, a written report signed by a senior officer of the firm, either hard copy or electronically, along with a copy of the firm’s policies and procedures. The report must:

• describe each internal investigation initiated in the previous calendar quarter pursuant to paragraph (d)(2), including:

  • the identity of the member;

  • the date each internal investigation commenced;

  • the status of each open internal investigation;

  • the resolution of any internal investigation reached during the previous calendar quarter; and,

With respect to each internal investigation the report shall include:

• the identity of the security, trades, accounts, associated persons of the member, or an associated person’s family members holding a covered account, under review.

If a violation was found during the firm’s investigation, the report must be filed with FINRA within five business days of completion of the internal investigation.11

Transaction Reviews

Rule 3110(d) requires firms to have a process in place “for the review of securities transactions that are reasonably designed to identify trades that may violate the provisions of the Exchange Act, the rules thereunder, or FINRA rules prohibiting insider trading and manipulative and deceptive devices.” This process must include procedures to review securities transactions in the firm’s accounts and accounts of its associated persons, accounts introduced or carried by the firm, and in “covered accounts.” “Covered accounts” are defined to include any account introduced or carried by the member that is held by:

(i) the spouse of a person associated with the member; (ii) a child of the person associated with the member or such person’s spouse, provided that the child resides in the same household as or is financially dependent upon the person associated with the member; (iii) any other related individual over whose account the person associated with the member has control; or (iv) any other individual over whose account the associated person of the member has control and to whose financial support such person materially contributes.

Communications Reviews

New Rule 3110(b)(4)12 adds a new requirement to establish procedures for review of internal communications having “a subject matter that require review under FINRA rules and federal securities laws.” Communications that are of a subject matter that require review under FINRA rules and the federal securities laws include:

• Communications between non-research and research departments concerning a research report’s contents (NASD Rule 2711(b)(3) and NYSE Rule 472(b)(3) both allow communications between investment banking and research personnel under certain prescribed circumstances);

• Certain communications with the public that require a principal’s pre-approval (FINRA Rule 2210);

• The identification and reporting to FINRA of customer complaints (FINRA Rule 4530) - Rule 3110(b)(5) also affirmatively requires firms to capture, acknowledge and respond to all written (including electronic) customer complaints (Note: this does not apply to oral complaints. Of course, for oral complaints firms should have in place a process for enabling the client to make a written submission. In addition, oral customer complaints must still be reported on Form U4 question 14I (2) and the DRP page question # 7); and

• The identification and prior written approval of changes in account name(s) (including related accounts) or designation(s) (including error accounts) regarding customer orders (FINRA Rule 4515).

New Supplementary Material .06 states that where firms employ a risk-based review of correspondence and internal communications, they must decide whether additional policies and procedures are needed to review incoming, outgoing or internal communications that fall outside the matters listed in Rule 3110(b)(4).

Where the firm’s procedures do not require all correspondence to be reviewed:

(a) the procedures must provide for:

(1) the education and training of associated persons regarding the firm’s procedures governing correspondence;

(2) the documentation of such education and training; and

(3) surveillance and follow-up to ensure that such procedures are implemented and followed; and

(b) the firm must determine what review of internal communications that are not of a subject matter that require review under FINRA rules and federal securities laws is necessary for its business and structure.

New Supplementary Material .08 specifically allows a supervisor to delegate review functions required under Rule 3110(b)(4) to unregistered personnel; however, the supervisor remains ultimately responsible. Firms should be careful that this function is delegated to staff who have been trained in the review process, and firms should have in place a written escalation process for communications requiring supervisory review. It is also recommended that firms have a process for testing what the delegate has done.

Holding of Customer Mail

Rule 3150 replaces NASD Rule 3110(i) and eliminates that rule’s strict time limits. Rule 3150 generally allows a firm to hold a customer’s mail for a specific time period in accordance with the customer’s written instructions if the firm meets several conditions. The key change is that the three-month limit on mail holds does not appear in the new rule; there is no outer time limit on holding mail under the new rule. A firm may hold mail for a customer provided that the firm:

• receives written instructions from the customer that include the time period during which the firm is requested to hold the customer’s mail. If the time period included in the customer’s instructions is longer than three consecutive months (including any aggregation of time periods from prior requests), the customer’s instructions must include an acceptable reason for the request (e.g., safety or security concerns). Convenience is not an acceptable reason for holding mail longer than three months;

• informs the customer in writing of any alternate methods, such as email or access through the firm’s website, that the customer may use to receive or monitor account activity and information and obtains the customer’s confirmation of the receipt of such information; and

• verifies at reasonable intervals that the customer’s instructions still apply.

In addition, the firm must be able to communicate, as necessary, with the customer in a timely manner during the time the firm is holding the customer’s mail to provide important account information (e.g., privacy notices, the SIPC information disclosures required by FINRA Rule 2266 (SIPC Information)). A firm holding a customer’s mail must ensure that the customer’s mail is not tampered with, held without the customer’s consent, or used by anyone at the firm in an inappropriate manner that would violate FINRA rules or the federal securities laws. Finally, firms that hold mail for extended periods may wish to put into place heightened account review procedures to ensure that nothing is taking place that the client has not approved or that the client is not aware of due to the held mail.

Tape Recording Rule

Rule 3170 reiterates NASD Rule 3010(b)(2) and includes in the definition of “tape recording” any electronic or digital recording. Specifically, the rule requires a firm to have in place written procedures regarding supervision of the telemarketing activities of all of its registered persons, including the tape recording of conversations, if the firm has hired more than a specified percentage of registered persons from firms that meet FINRA Rule 3170’s definition of “disciplined firm.” FINRA has provided a “Disciplined Firms List13” identifying those firms that meet the definition of “disciplined firm.”

Conclusion

Firms should take the time to explore all of the requirements of the new rules and to put into place changes that need to be effective on December 1st. While many of the provisions are compilations of prior iterations of rules, the nuances of the new rules must be addressed. The structural changes that some firms will need to make, due to the one supervisor per OSJ requirement, may take some time and training due to a cultural shift. Finally, firms should decide now how they will address the timing anomaly (December 1, 2014) of the new 3120 Report.

This article was originally published in the September-October 2014 issue of Practical Compliance and Risk Management for the Securities Industry, a professional journal published by Wolters Kluwer Financial Services, Inc. It is reprinted here with permission from Practical Compliance and Risk Management for the Securities Industry and Wolters Kluwer Financial Services, Inc. This article may not be further re-published without permission from Wolters Kluwer Financial Services, Inc.

--------------------------------------------------------------------

(Endnotes)

1 Release No. 34-71179; File No. SR-FINRA-2013-025.

2 See Exchange Act Release No. 65477 (October 4, 2011), 76 FR 62890 (October 11, 2011) (Notice of Withdrawal of File No. SR-FINRA-2011-028).

3 See Exchange Act Release No. 69902 (July 1, 2013).

4 See Exchange Act Release No. 70612 (October 4, 2013).

5 This author has spoken with members of FINRA’s General Counsel’s office regarding the effective date issue. The staff noted that the timing issue was not brought up during the comment period and that it hadn’t been considered in the timing of the effective date. The driver behind the effective date was the SEC’s expectation of when the rule would be effective. While sympathetic to the timing concern, the staff noted that it would require an SEC filing and approval to change the effective date to January 1st. Thus, it may not be likely that the effective date will change to January 1st.

6 http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p359971.pdf

7 Among the commentators were Cetera Financial Group, Inc., Wells Fargo Advisors, LLC, and J.S. Brandenburger, Registered Principal, FSC Securities Corporation.

8 The term “investment banking services” shall include, without limitation, acting as an underwriter, participating in a selling group in an offering for the issuer, or otherwise acting in furtherance of a public offering of the issuer; acting as a financial adviser in a merger or acquisition; providing venture capital or equity lines of credit or serving as placement agent for the issuer or otherwise acting in furtherance of a private offering of the issuer. Rule 3110(d)(4)(B).

9 FINRA Regulatory Notice 14-10, March 2014.

10 NYSE Rule 342.41 was adopted in response to Section 15(g) of the Exchange Act, which requires every registered broker or dealer to establish, maintain and enforce written policies and procedures reasonably designed to prevent the misuse of material, non-public information by the broker or dealer or any associated person of the broker or dealer. FINRA Regulatory Notice 14-10.

11 FINRA’s 2014 annual Regulatory and Examination Priorities letter contains FINRA’s assessment of areas of risk and examination focus, including information-barrier policies and procedures designed to limit or restrict the flow of material, non-public information. http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p419710.pdf

12 In Regulatory Notice 07-59, FINRA published guidance regarding the review and supervision of electronic communications. This guidance remains valid.

13 http://www.finra.org/Industry/Enforcement/DisciplinaryActions/TapingRule/


Hedge Fund Due Diligence: A Continuous Process
By Dave Banerjee

The departure of Bill Gross from PIMCO prompted a storm of financial media reports. What was most noticeably absent from those reports, however, was Pimco’s decision to withdraw its investments in hedge funds. That decision is noteworthy given the level of attention Pimco can afford to devote to monitoring its investments in such pooled investment vehicles, and it underscores the importance of continued due diligence on such investments.

Recently, the universe of hedge funds has grown remarkably. However, they have lagged the market in their underlying performance. Most investors are drawn to such instruments because of the performance-based nature of the advisor’s compensation, the investment methodology, and often as a means to diversify their holdings away from market correlation. Often they are also drawn by the personality of the advisor and by recommendations from industry experts and the media. This media attention has proven to be the reason why hedge fund investments tend to revert to the mean return and, if not managed prudently, suffer from volatility that is detached from risk-adjusted returns.

When conducting due diligence of funds, I tend to break up the process into its underlying components:

1. Preliminary due diligence, often prior to the initial investments, is focused on the following:

a. Fund structure

• The official offerings are compared to the current operations.

• A study is conducted in regards to style shift, underlying investments, hedges, valuation, custody, risks identified, liquidity and reporting.

• The fund’s agreements with the relevant parties (the LLC agreement with its managing member, and the agreements with the fund’s custodian and administrator, etc.) are carefully reviewed.

• A search is conducted for any contingencies disclosed in the notes to the fund’s audited financial statements.

• An audit of the fund’s cash flow statement is conducted to determine if there are any side pocket arrangements that could impact the dilution of investors.

b. Operations:

• The fund’s administrators, third party vendors, current staff and management, regulatory compliance, systems used, business continuity plans are closely evaluated.

• Regulatory filings, such as Form ADV, FOCUS reports, audits, customer complaints, financial stability and stress tests of the fund’s balance sheet and those of the fund’s advisor and general partner are also examined.

c. Performance:

• An evaluation of the advisor’s performance record carried over from his or her prior assignments and jobs, portfolio turnover, methods used to quantify valuations, education and experience of management, conflicts, execution quality and any quantitative “black box” models.

• A determination of the manager’s “at risk” investment in the fund both in absolute and relative terms is also made.

d. Technology:

• Given the recent headlines about “hacks” of the systems that funds rely upon, I focus on such issues as:

• Data integration between the portfolio accounting system, partner accounting software, tax reporting, investor reporting tools, security pricing, corporate actions, rate and sub accounting systems.

• Any functions performed off-line or manually.

2. Continued due diligence, during the period of investment:

a. Valuation procedures and controls:

• Details concerning NAV calculations.

• Source of valuation and the method of such valuation.

• Verification process, controls and deadlines.

• The pricing of illiquid or complex derivatives should be reviewed to determine the data used and whether an arm’s length review was conducted.

• A manager’s track record of delivering NAV within 3 days of period end is indicative of the manager’s experience and talent.

b. Compliance procedures (I derive comfort from the results of SAS 70-type or similar reviews conducted by an independent auditor):

• Regulated, unregistered and un-regulated entities.

• Results of regulatory exams, reports on code of ethics reviews, risk assessments, AML independent reviews, reconciliation of custodian accounts, custody reports and surprise examinations, certified audit exceptions and management reports, and disaster recovery testing.

• Staff changes (operations and support): such occurrences should be examined and reviewed for their impact on the investment.

• Investor controls and communications:

• Policies and procedures related to investor accounting and reporting, including AML compliance, subscriptions, redemptions, payment processing and capital account reporting, should be closely reviewed.

• Accounting and processing of investor allocations, management and incentive fee computation, hot issues and side pocket allocations, tax estimates and proxy voting are also an important focus.

3. Due diligence upon exit or when the fund closes down: Often liquidity concerns of the investor, lack of opportunities in the market, systemic risk or regulatory risk will require investors to determine when and how to withdraw funds. To prepare for this, the following factors should be monitored periodically:

a. Physical visits with staff and management: Any change observed during such visits should be researched, including location, office improvements, and changes in management lifestyle and staff morale.

b. Measure fund performance against indexes and alternatives, including liquid alternative instruments registered under the Investment Company Act.

c. Monitor media accounts, including internet blogs, for customer complaints, investor reviews, legal incidents and labor grievances.

Hedge funds are increasingly providing investors with the opportunity to conduct due diligence in order to attract funds into their portfolios. Investors should seize this as a positive sign and establish continued communication with the advisor to such funds to protect and improve their investment in such vehicles.

ABOUT THE AUTHOR

Dave Banerjee is the CEO of RND Resources, www.finracompliance.com. He can be reached at [email protected].

SAVE THE DATE! 2015 NSCP National Conference!

November 1 – 4, 2015
Gaylord National Resort & Convention Center
201 Waterfront Street • National Harbor, Maryland 20745 USA

------------------------------------------------------------------------------------------

2015 NSCP Conference Sponsorship and Exhibiting Opportunities are now available!

For more information about sponsorship (Regional and National) and Exhibiting (National only), please contact Meghan Flanagan at 860.419.5003 or via email at [email protected]


Simons Says
SEC Agency Financial Report - 2014 in Review
By Tim Simons

Last week, the SEC issued its 2014 Agency Financial Report. Not exactly exciting reading, except for Management’s Discussion and Analysis (“MD&A”).

In the MD&A, we can skip down to an area that directly impacts us: FY 2014 Year in Review. The examination staff conducted more than 1,850 formal examinations of registrants, an increase over each of the prior four fiscal years, and 10% of registered investment advisers were examined. In addition to these onsite exams, the SEC’s regional offices performed thousands of desk reviews. Through these reviews, the SEC determined which firms’ documents were sufficient to conclude the examination and which firms were riskier and should be examined on site. These desk reviews have allowed the SEC to better utilize its examination staff by prioritizing registrants to be examined, whether on site or on paper. Examinations resulted in the return of more than $40 million to investors and more than $300 million in fines. Penalties and disgorgement were assessed as a result of actions involving a referral to Enforcement from an examination.

We review, with a certain amount of awe, cases that the SEC has brought against regulated entities: broker-dealers and exchanges; gatekeepers, such as attorneys and accountants; and investment advisers. Investment adviser cases included:

• Failure to maintain an adequate internal compliance system ($15 million fine and requirement to engage an independent compliance consultant);

• Concealing investor losses and cross trading to favor some clients ($17 million disgorgement, $2 million fine, and requirement to engage an independent compliance consultant);

• Failing to comply with money market fund rules (barred from advising any mutual fund, censure for portfolio manager, and $800,000 fine); and,

• Three advisers violating the custody rule (varied monetary penalties depending on the severity of the violations).

Additionally, the SEC sanctioned three advisers that failed to correct compliance deficiencies from prior examinations and hit them with financial penalties and requirements to hire compliance consultants. If the SEC determines that you don’t have the knowledge or experience necessary to correct identified deficiencies, it will require you to hire someone who can. It used to be that you were allowed three strikes before you were out, but more often recently it’s been two strikes and you get an Enforcement referral. In FY 2014, the examination staff referred more than 200 cases to Enforcement, many of which resulted in enforcement investigations and/or actions.

For years, the Office of Compliance Inspections and Examinations (“OCIE”) Risk Assessment and Surveillance Group (“RAS”) has aggregated and analyzed data from SEC filings to identify activity that may warrant examination. That process has expanded to collecting data from sources internal and external to the Commission including, for example, data collected by or filed with other regulators, SROs, and exchanges, as well as information registrants provide to data aggregators regarding their business activities and marketing-related efforts. This data collection has enhanced OCIE’s ability to identify operational red flags, such as firms with aberrant swings in reported assets under management, changes in key individuals, business activities and affiliates, and other possible indicia of heightened risk, and has also enabled examiners to better understand each firm’s business activities prior to conducting an examination.

In FY 2014, an OCIE team developed the National Exam Analytics Tool (“NEAT”), which enables examiners to access and systematically analyze years’ worth of a registrant’s trading data in minutes. NEAT replaced what was formerly a labor-intensive process that often consumed weeks or months of examiner time.

OCIE continues to improve its ability to assess and monitor risk. Because OCIE’s examination programs are risk based, these enhanced capabilities have enabled the programs to better allocate limited resources to high-risk firms and practices. OCIE has continued to expand the use of targeted examinations as a technique to identify and address higher risk activities such as:

• The potential misuse by mutual funds of payments to intermediaries as payment for distribution;

• The use of purported “alternative” investment strategies by registered investment companies;

• The fulfillment of fiduciary and contractual obligations by investment advisers when advising wrap fee programs;

• Compliance with exemptive orders and relevant no-action letters;

• Representations of investment advisers and sales practices when recommending to customers a movement of retirement plan assets into rollover vehicles; and,

• Cybersecurity practices of broker-dealers and investment advisers.

RAS has continued to devote resources to help guide OCIE’s risk-based examination strategy. In addition to RAS’ development of its data gathering and analytics, other examples of RAS’ efforts include:

• Close collaboration with the Regional Offices and others throughout the SEC, to focus examinations on registrants and practices that pose the greatest risk to capital markets and investors;

• Ongoing surveillance of registrants and markets and communicating risks to OCIE staff;

• Enhancing information gathering and data analysis techniques to use information submitted by private fund advisers on Form PF, as well as information about the disciplinary and employment histories of bad actors in the financial industry, to identify risks to investors and the markets.

Enforcement and OCIE will continue to build on their strong results from FY 2014 by focusing on current and emerging high-priority areas and on enhancing their use of cutting-edge technology and analytics. Enforcement’s priorities for the coming year include a continued focus on complex financial products, gatekeepers, financial reporting, market structure, insider trading, investment advisers and private funds, and municipal securities.

OCIE will:

• Continue to invest in and use data analytics that enable preemptive detection of risk and more effective identification of fraud in examinations.

• Continue to focus on issues affecting investors’ retirement accounts, including sales and marketing practices related to financial advisers’ recommendations that retirement plan assets be placed in investment vehicles offered by their firms.

• Make governance and supervision of information technology systems a priority, including operational capability, business continuity planning, and cybersecurity.

• Track individuals that have prior disciplinary histories and assess the compliance programs of firms that hire or conduct business with such individuals.

• Conduct reviews to assess implementation of compliance frameworks at Municipal Advisers in light of rules finalizing registration requirements adopted in FY 2013.

In the conclusion of the report, the SEC indicated that it believed that it “continued to achieve important results by leveraging technology, employing sophisticated data analytics, and pursuing focused rulemaking and policy initiatives, aggressive enforcement, and risk-based examinations. Through the work of its talented and dedicated staff, the SEC is committed to building on its successes in FY 2015. The Agency will continue to promote its strategic values of integrity, accountability, effectiveness, teamwork, fairness and a commitment to excellence through improving collaboration and coordination among its divisions and offices, employing new technology, and supporting the more than 4,000 talented men and women who work tirelessly to fulfill the agency’s important mission.” The SEC will continue to develop more efficient examination techniques, with a more focused selection of firms to be examined and a more focused examination, whether on site or not. Be aware that some Regional Offices try to examine newly registered advisers within the first year after registration, as a sort of meet-and-greet, and to let advisers know that the SEC is “patrolling its beat.”

Remember, the SEC still has the goal of examining every adviser who has not been examined in the last five years, so if you were last examined in FY 2009, you have just become eligible for an exam. Of course, the good news is that if the SEC intends to conduct an on-site examination, it will generally give you two weeks’ notice prior to the start of the examination.

ABOUT THE AUTHOR

Tim Simons is Senior Managing Director at Focus1 Associates. He can be reached at [email protected].

New Members

Aneidre Amerson-Allman, Regions Financial, Birmingham, AL

Linda Brown, Day Hagan Asset Management, Sarasota, FL

Mark L. Butler, Tennessee Association of Utility Districts, Murfreesboro, TN

Shannon Cabot, AltaRock Partners, Beverly, MA

Lorenc Demika, Eaton Vance Management, Weymouth, MA

Stephen Friedman, SB Friedman Development Advisors, Chicago, IL

Gregory Guerrettaz, Financial Solutions Group, Inc., Plainfield, IN

Joseph Lodato, Guggenheim Partners, New York, NY

Rosa Palomino, Nomura Asset Management U.S.A., Inc., New York, NY

Robin Patalon, SC&H Financial Advisors, Inc., Sparks, MD

Carlos M. Portugal, Bayview Asset Management, LLC, Coral Gables, FL

Douglas Preveza, Infinex Financial Group, Meriden, CT

Shoshana Thoma-Isgur, Haynes and Boone, LLP, Fort Worth, TX

John Timmermann, Ponder & Co., Swansea, IL

Laura Vardalis, Bluff Dale, TX


NSCP CURRENTS is a publication of the National Society of Compliance Professionals, Inc. 22 Kent Road, Cornwall Bridge, CT 06754 / (860) 672-0843 / [email protected]

Share your Expertise!

If you would like to share your knowledge and/or provide “how to” advice on:

• Industry best practices
• Securities regulation and its impact
• Practical advice on compliance program implementation
• Industry changes

NSCP would love to hear from you, and your peers will appreciate your efforts. Please see our website (www.nscp.org) for submission guidelines under the Publications tab.

NSCP Board of Directors

Judy Werner Executive Director

Lisa D. Crossley Deputy Executive Director

Adán Araujo Jasper Ridge Partners

Glen P. Barrentine Winston & Strawn LLP

Jeffrey R. Blumberg Ulmer & Berne LLP

Michelle Canela, CSCP INTECH

Kenneth M. Cherrier Waddell & Reed

Jerry C. Danielson Lincoln Financial Group

Terence Doherty Stikeman Elliott LLP

James R. Downing BMO Harris Financial Advisors

Jennifer Duggins KPMG LLP

Steve Farmer Mesirow Advanced Strategies, Inc.

Joan Hinchman Founder & Executive Director Emeritus

Timothy J. Knierim Morgan Stanley Investment Advisors

Miriam Lefkowitz Summit Financial Resources, Inc.

Lynn M. McGrade Borden Ladner Gervais LLP

Daniel A. Murphy PlanMember Securities Corporation

Manoj “Tito” Pombra Matthews International Capital Management, LLC

Adam J. Reback J. Goldman & Co., L.P.

Z. Jane Riley, CSCP The Leaders Group, Inc. / TLG Advisors, Inc.

Charles V. Senatore, CSCP Fidelity Investments

Robert S. Tull, CSCP CBRE Clarion Securities

John H. Walsh Sutherland Asbill & Brennan LLP

Tracy K. Webb, CSCP NYS Common Retirement Fund

Pamela K. Ziermann, CSCP Dougherty Financial Group LLC

Krista S. Zipfel, CSCP Advisor Solutions Group, Inc.