May 4, 2018

SEC Action Lookup Website

The U.S. Securities and Exchange Commission ("SEC") has launched a new website [https://www.sec.gov/litigations/sec-action-look-up] that gives investors and recruiting advisors a tool to search for individuals against whom the SEC has taken action.

The website search includes individuals against whom a judgment or order has been issued by the SEC, including individuals who settled, defaulted, or contested their actions, provided a judgment or order was issued against them.

The results will not include individuals whose cases are currently pending at the trial court or those against whom no judgment or order has been issued. Results will also not include individuals named in district court actions as “relief defendants.” See https://www.sec.gov/sec-action-lookup-information for a full description.

Advisor Takeaways:

The SEC continues to try to close information gaps for investors. Compliance personnel should reference this site before hiring any supervised person. In addition, while reviewing these regulatory actions may provide some entertainment value, there are lessons to be learned. Not every action is rooted in intent. Mistakes happen and mistakes can be costly. Compliance Officers should add this resource to their toolkit.

AdvisorAssist is here to assist with any compliance or regulatory questions you may have.

March 21, 2018

5th Circuit Court Vacates DOL Rule

On March 15, 2018, the Fifth Circuit Court of Appeals ruled via split decision to “vacate” the well-publicized DOL fiduciary rule. This decision does not come as much of a surprise. It has long been rumored that the DOL rule was destined for failure after President Trump ordered a formal review in March 2017. Speculation by industry watchers is that the next step for the DOL rule could be the U.S. Supreme Court.

While this decision is limited in scope, it creates an opportunity for the Securities and Exchange Commission (“SEC”) to take the lead on a uniform fiduciary standard for both RIAs and broker-dealers. The SEC is the more natural choice for marrying the fiduciary standard across both RIAs and broker-dealers.

We expect the SEC to prioritize a new fiduciary rule proposal. Although the timing is uncertain, we expect to learn more prior to 2019.

What does this mean for you?

With or without the DOL, you still have a fiduciary responsibility to act in the best interest of your clients. You may not have to go to the extent of best interest contracts. However, “Know Your Clients” requirements are never going away and the regulators will always want documentation of how you operate as a fiduciary. It may still make sense to adopt some of the documentation standards of the DOL’s “Level Fee Fiduciary” when making rollover recommendations.

Contributors:

Brian Young
Brendan Furey

February 8, 2018

SEC 2018 Examination Priorities

Each year, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) communicates its examination priorities for the upcoming year. The SEC has narrowed its focus to the following common themes: (1) Retail Investors, (2) Compliance and risks in critical market infrastructure, and (3) Cybersecurity. Based on these themes, the SEC has pinpointed several key areas of concern that will be focus areas for 2018. Some of these are similar to years past but continue to be a priority for the SEC. We have provided an overview below of the key topics that RIAs need to be mindful of in 2018.


Disclosure of the Costs of Investing

The SEC will focus on the calculation of fees and expenses paid to the Advisor as well as any compensation that is paid to affiliates of the Advisor.

Focus areas include:

  • Consistency of the advisory fee calculations and the advisory fee methodology disclosures.
  • If charging an asset-based fee, the consistency of the valuation of client securities and the valuation methodology disclosures.
  • Advisors that receive financial incentives to recommend mutual fund share classes (i.e., high sales loads or distribution fees).
  • Client accounts that are not re-assigned to a new IAR when an employee leaves the firm.
  • Advisors that transition from commission-based accounts to fee-based accounts.

Electronic Investment Advice

As in prior years, the SEC will continue to focus on advisors that offer investment advice through automated programs (i.e., robo-advisors).

Focus areas include:

  • Oversight of the algorithms used to generate general investment advice.
  • Marketing materials.
  • Policies and procedures related to client data protection.

Wrap Fee Programs

Advisors that charge a wrap fee (i.e., a fee that includes both advisory fees and execution costs) will need to demonstrate that the wrap fee is in the best interest of the client.

Focus areas include:

  • Any conflicts of interest are disclosed.
  • Review for best execution.
  • Disclosure of execution costs with broker-dealers.

Never Before Examined Investment Advisors

Due to the large volume of newly registered advisors and the limited resources of the SEC, the SEC will continue to prioritize advisors that have “elevated risk profiles”. This likely includes advisors that fall under the scenarios outlined by the 2018 exam priorities.

Senior Investors and Retirement Accounts and Products

Advisors that provide investment advisory services to seniors and/or retirement accounts will continue to be a focus for the SEC. Advisors will need to have internal controls in place to identify and mitigate financial exploitation of seniors.

Focus areas include:

  • Investment product recommendations.
  • Sales of variable insurance products.
  • Usage of target date funds.
  • Advisors that serve state and local government employees and non-profit employees (i.e., 403(b) and 457 plans).

Mutual Funds and ETFs

As the primary investment products for retail clients, the SEC will focus on the types of mutual funds and ETFs recommended to clients.

Focus areas include:

  • Funds that experienced poor performance or liquidity.
  • Funds that are managed by advisors with little experience managing a fund.
  • Funds that hold securities that are difficult to value due to market stress (i.e., securitized loans or mortgage-backed securities).
  • Ensure that risk disclosures are provided to investors.

Cryptocurrency, Initial Coin Offerings (ICOs), Secondary Market Trading, and Blockchain

Cryptocurrency has risen wildly in popularity over the past year. The SEC will monitor this space as the number of advisors engaged in this market continues to grow.

Focus areas include:

  • If advisors maintain controls and safeguards to protect assets from theft.
  • If advisors are providing adequate disclosures of the risks associated with these types of investments, including investment losses, trading liquidity, price volatility, and potential fraud.

Cybersecurity

Cybersecurity continues to be a priority for the SEC, as we have witnessed large-scale cyber attacks over the past year.

Focus areas include:

  • Governance and risk assessment.
  • Access rights and controls.
  • Data loss prevention.
  • Vendor management.
  • Training.
  • Incident response.

Please remember that OCIE and the SEC communicate these as PRIORITIES, and not as an all-inclusive list of focus areas. For the full report, see "2018 National Exam Program Examination Priorities".

Contributors:

Brian Young
Conor Anderson

December 1, 2017

Three Actionable Tips to Become SEC Examination Ready

Over the summer, we heard rumblings that the SEC was conducting unannounced examinations on RIAs in the Boston area. While we have certainly seen a significant uptick in the examinations of never-before-examined advisors, none have been unannounced. Regardless of whether an exam is routine or unannounced, it is best practice for advisors to stay examination ready, whatever their location and whether they are registered with the SEC or applicable State(s). As we preach to our clients, make sure you take proactive measures to become “examination ready”. Don’t wait until the SEC or a state level examiner comes knocking at your door!

Here are three (3) actionable tips to consider:

1. Customize your Compliance Program

We see far too many advisors that think they are “plain vanilla” and therefore think they can get by with a generic compliance manual (Wrong!). Most firms do not create their compliance manual from a blank page. They start with a model document to address the broad regulatory structure and industry requirements. Although a model document is a good starting point, it does not amount to a finished product. RIAs need to know that a one-size-fits-all compliance manual does not exist and no consultant or legal resource knows the firm better than the people actually operating it on a daily basis. The creation of a firm-specific compliance manual should include three broad steps:

  • Review the model document for content and applicability (ask questions).
  • Customize the model document to be firm-specific, which means tailoring the language to your business practice and removing language that is not relevant to your firm. Then operate your firm in a manner that is consistent with your compliance manual.
  • Regularly review and update your compliance manual as the dynamics of the business evolve and the regulatory environment changes. A compliance manual should never be considered a final document but a current draft of a “living document”.

Always remember that SEC or State regulators expect there to be evidence to demonstrate that policies and procedures are being implemented. Simply put, if there is no evidence, it did not happen.

2. Complete an annual review of your Policies and Procedures

On an (at least) annual basis, you should complete a review of the adequacy and effectiveness of your compliance program. Ideally, the firm should conduct risk assessments of its compliance program throughout the year to test the risk controls and identify any weaknesses. If any issues are identified, make sure to take corrective action and document, document, document! If you don’t document the steps you have taken, (in the regulator’s eyes) it never happened!

Keep in mind that an effective compliance program should identify potential risks and mitigation opportunities. If the established controls never identify a risk or a mitigation opportunity, the controls should be evaluated and potentially revised.

3. Organize your Books and Records

During the examination process, the regulators will want to complete a sampling of your books and records. You should make sure that your books and records are maintained in an organized fashion to ensure they can be readily delivered. The examination process typically starts with a document request letter including (but not limited to):

  • Financial Statements including income statements, balance sheets, and other key accounting records.
  • Client Records including a full list of current and past client accounts, supporting client agreements, profiles, investment policy statements and trade data.
  • Communications with existing or prospective clients including emails, advertisements, and social media accounts.
  • Regulatory filings and other compliance program documents including your ADV 2A/2B, compliance manual, compliance certifications, business continuity plan, code of ethics, and cyber-security policy.

This is by no means an exhaustive list, but should get you started on the right track. If you have any additional questions, please feel free to post a comment below or send an email to info@advisorassist.com.

Contributors:

Brian Young
Dan Rome

September 13, 2017

Addressing the Equifax Breach with your Clients

If it is not yet apparent, cybersecurity is the biggest risk facing independent RIAs. When the fraud protector becomes the weakest link, it is time to take notice.

From mid-May through July 2017, the personal information of approximately 143 million consumers was exposed during a long running data breach at Equifax (one of the nation’s three major credit reporting agencies).

The personal information that was accessed during the breach included:

  • Names
  • Social Security numbers
  • Birth dates
  • Addresses
  • Driver’s license numbers
  • Credit card numbers for about 209,000 people
  • Credit dispute documents for about 182,000 people

In response to the breach, Equifax published a press release late on Thursday (9/7) announcing the breach and the availability of resources on the Equifax website, www.equifaxsecurity2017.com, to protect individuals from identity theft. The site will verify who has been affected by this breach. If an individual’s information was exposed, they can receive a year of free credit monitoring and other identity theft protection services. Once they enter their name, the site will give them a date when they can come back to enroll. Affected individuals must remember to write down the date and come back to the site and click “Enroll” on that date. The deadline to enroll is November 21, 2017.

Initially, by agreeing to the terms and conditions for Equifax's monitoring, individuals were waiving key consumer rights, such as agreeing to settle disputes through arbitration and waiving the right to participate in class-action lawsuits. After the waiver of rights was exposed by the news media (including in CNBC articles), Equifax amended its terms and conditions and issued the following FAQ: “the free credit file monitoring and identity theft protection that we are offering as part of this cybersecurity incident does not waive any rights to take legal action. We removed that language from the Terms of Use on the website, www.equifaxsecurity2017.com.”

The fact that Equifax attempted to bury arbitration clauses and class action waivers into the terms of use of the free credit file monitoring and identity theft protection creates concerns about whether their actions are about fixing the issue or purely an attempt to limit their liability. However, the free credit file monitoring and identity theft protection may make sense as a measure to mitigate some of the negative effects of the breach.

To assist your clients in protecting themselves from identity theft due to this data breach, AdvisorAssist recommends that you, as the Advisor, consider the following best practices:

  • Read through the consumer notice and related documents found at: https://www.equifaxsecurity2017.com/consumer-notice/ to determine if it makes sense for your clients to enroll in the free credit file monitoring and identity theft protection offering.
  • Monitor the accounts and financial statements that you advise on for your clients. Report to the client any potentially unusual activity.
  • Recommend that your clients change their passwords on all financial accounts.
  • Have your clients request a free credit report from all three credit bureaus at www.annualcreditreport.com.
  • Assist your client with setting up fraud alerts with the three major credit bureaus.
  • Work with the client to address any accounts that were fraudulently opened in their name.
  • If appropriate, assist your client with installing a security freeze on their credit. Please note the credit bureaus typically charge for a credit freeze. However, some states require that the fee be waived if the consumer provides a police report to the credit bureau.

Contributors:
Brian Young
Brendan Furey

August 9, 2017

SEC Risk Alert: Cybersecurity

On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) released their observations of cybersecurity preparedness from the examinations of 75 SEC registered firms, including registered investment advisors (“RIAs”). Although the OCIE noted improvements since their last cybersecurity risk alert in 2014, there is still room for improvement.

The OCIE suggests that RIAs consider the following practices to enhance their cybersecurity policies and procedures.

What you need to know:

  • Include details on how safeguards will be implemented. OCIE recommends adding safeguards that are specific to your RIA’s computers and systems to your procedures.
  • Penetration tests to review the effectiveness of the firm's cybersecurity policies and procedures.
  • Security monitoring and system auditing of the firm’s cybersecurity framework, to answer questions such as when systems are reviewed for software updates and patches and who is responsible for conducting the reviews.
  • Tracking list of vendors and what data is stored on the vendor’s system.
  • Tracking of access rights for all employees to the systems that store client data.
  • Access controls to firm data and systems including:
    • Acceptable use policies for using the firm’s network or equipment.
    • Restrictions and controls for using mobile devices when connected to the firm systems.
    • Require third party vendors to provide logs of their activity on the firm’s network.
  • Reporting of the loss of sensitive information including who should be contacted.
  • Providing mandatory staff training of cybersecurity policies and procedures.
  • Involvement from senior management to develop and approve the firm’s policies and procedures.

If you have any questions, please schedule time with your compliance consultant to discuss your cybersecurity risks.

For full details of the risk alert:

https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf


Contributors:
Brian Young
Brendan Furey