September 25, 2024

Electronic Communications: Trending Fines in the Industry

   

As we head into the holiday season, let’s introduce a small history lesson. On December 3, 1992, the first SMS message was sent from a computer by Neil Papworth, a 22-year-old engineer, to a colleague’s phone, stating a simple message: “Merry Christmas”. Thirty years later, we look at the wide array of communication methods available to us: email, texting, instant messaging, hundreds of applications with messaging capabilities, and video conferencing. The way we communicate is changing every day, but through those changes the steadfast rules of this industry remain: communication needs to be maintained, it needs to be preserved, and it needs to be supervised.
“Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust.” Securities and Exchange Commission Chair, Gary Gensler
Over the past two years there has been a resounding increase in violations surrounding the Securities and Exchange Commission's ongoing recordkeeping initiative due to failure to preserve electronic communications. In the September 2024 release, twelve firms were charged $88 million for electronic communication deficiencies. This followed the August 2024 release, in which twenty-six firms were charged with longstanding failures by the firms and their personnel to maintain and preserve electronic communications, totaling $392.75 million in civil penalties. The September 2023 release announced ten firms charged for widespread and longstanding failures to maintain and preserve electronic communications, totaling $79 million in fines and penalties. That release came on the tailwind of the August 2023 release, in which the SEC charged eleven firms with penalties totaling $289 million. The fines and penalties from 2024 and 2023, in conjunction with the total fines and penalties from 2022, bring the tally to over $2.1 billion and over 80 enforcement actions. In reviewing these enforcement actions, the commonalities are:

  • Failure to reasonably supervise, with a view to prevent and detect violations of federal securities laws.
  • Failure to maintain and preserve business communications, whether it be internal or external communications.
  • Inadequate policies, procedures, and controls that are compliant and designed to detect and prevent violations.
RIAs have a fiduciary responsibility to their Clients, and recordkeeping has been vital to preserve that integrity. As technology continues to advance, so should the policies and procedures of every RIA to ensure all communications are being maintained. So, how does an Investment Advisor effectively mitigate their risk? Really, an Advisor has two options:
  • The Advisor opts to completely ban the use of personal devices and/or other various off-channel communication applications. Examples of certain control measures that can be put into place regarding this policy are:
    • Written policies and procedures stating that personal devices and other various off-channel communication applications cannot be used for business purposes, with supervised persons attesting to those policies.
    • Enhanced review of supervised electronic communications (i.e., email) to ensure that off-channel communication is not occurring with clients or members of the firm alike.
    • Training for all supervised persons of the Advisor regarding what is and is not acceptable, and the ramifications for violations.
  • The Advisor opts to allow for the use of text-messaging and other electronic communication methods with appropriate policies and procedures in place. Examples of certain control measures that can be put into place regarding this policy are:
    • Written policies and procedures stating that personal devices and/or electronic communication applications may be utilized on a basis approved by the Chief Compliance Officer.
    • Advisors undergo a due diligence process for vendors they seek to utilize as part of the firm’s communication platform. This includes reviewing the messaging platform for supervised person use, ensuring there are supervisory capabilities, and understanding the archiving setup.
    • Training for the supervised persons who use the platform and the compliance reviewers who supervise the platform, including the ramifications for violations.
Advisors in need of a solution should start with the vendors they currently utilize to determine whether they can bundle their email, social media, website, and texting platforms, which in turn streamlines supervision and cost.

Whether an Advisor allows the activity or not, having the appropriate testing and supervision measures in place is the best line of defense. Effective supervision, due diligence, and proper training are key when it comes to mitigating risk. If you are questioning whether your supervised persons are utilizing personal text messaging or emails to communicate with clients, or whether your policies, procedures, and controls are inadequate, please contact us today!

September 9, 2024

SEC Marketing Rule Examination Sweep Deficiencies

 


September 9th, 2024 Update: Press Release

On September 9th, 2024, the U.S. Securities and Exchange Commission (“SEC”) announced charges against nine Registered Investment Advisors (“RIAs”) for violations of the Marketing Rule as part of the SEC’s ongoing Marketing Rule Sweep Exam efforts. All nine firms agreed to settle, totaling over $1.2 million in combined damages. These actions demonstrate the SEC’s zero-tolerance policy for marketing violations. Additionally, the continuation of these sweep exams codifies the SEC’s dedication to promoting compliance and accountability, indicated Corey Schuster, Co-Chief of the SEC’s Division of Enforcement’s Asset Management Unit.

The deficiencies identified by the SEC in this tranche of enforcement cases are as follows: 

  • Disseminated content that claimed to provide “conflict-free advisory services”, which the firms were not able to substantiate.
  • Disseminated content that could not be substantiated regarding awards provided to firm principals.
  • Disseminated content that claimed to contain two testimonials, but neither came from current clients.
  • Advertised endorsements not fully disclosing that an “endorser” was a paid, non-client in videos, on social media, and on physical objects such as bags and flags.
  • Advertised third-party ratings, some of which were more than five years old, without disclosing the dates on which the ratings were given or the periods of time upon which the ratings were based.

As stated in the rule, firms are permitted to include testimonials, endorsements, and third-party ratings, provided that each activity is conducted within the scope of the intentions of the Marketing Rule and that firms adhere to the guidance provided within the Additional Resources below when drafting and reviewing marketing materials ahead of distribution.

________________________________________________________________________________________

April 12, 2024 Update: Press Release

Five additional registered investment advisors have been added into the Marketing Rule examination sweep deficiency list, bringing the total enforcement actions to over $1 million in combined penalties.

Hypothetical performance continues to be a sore spot, as each of the Advisors advertised hypothetical performance to the general public on their website. Hypothetical performance can be enticing to both current and prospective clients, but unless the Advisor adopts and implements policies and procedures designed to ensure the performance is relevant to the financial profile and goals of the intended audience, the Advisor will be in clear violation of the Marketing Rule. This would suggest that, because an Advisor cannot control the audience of public websites and social media, an Advisor should not be publishing hypothetical performance through these mediums, or should only do so in a controlled environment, such as a portal to target specific investors.

Additional performance violations consisted of making false and misleading statements in advertisements, advertising misleading performance, and the inability to substantiate performance data. These violations inevitably led to record keeping violations for the Advisor. Furthermore, there was an additional violation for fail

________________________________________________________________________________________

September 11, 2023 Update: Press Release

On September 11, 2023, the SEC announced charges against nine Advisors for hypothetical performance advertising violations as part of the SEC’s initial sweep into Marketing Rule Violations. These charges related to promoting hypothetical performance on the Advisor’s websites to the general public without adopting and/or implementing policies and procedures as required by the rule. Additionally, two firms were found to have failed to retain appropriate copies of the advertisements within the Firm’s books and records. All nine firms agreed to settle, were censured, and must pay $850,000 in combined damages.

Gurbir Grewal, the SEC’s Director of the Division of Enforcement, emphasized the Commission’s view that hypothetical performance advertising poses an elevated risk to prospective investors, and the importance of firms adopting policies and procedures under the new rule to mitigate this risk. He also made it clear that until the Commission is satisfied that that is the case, they will continue their ongoing sweep to ensure investment advisors’ compliance with the Marketing Rule. AdvisorAssist reminds Advisors that the Marketing Rule is applicable to SEC-registered firms and certain State-registered firms who have adopted it. Under the rule, an Advisor is permitted to include hypothetical performance in an advertisement, provided that the Advisor:

  • Adopts policies and procedures reasonably designed to ensure that the hypothetical performance is relevant to the likely financial situation and investment objectives of the intended audience of the advertisement
  • Provides sufficient information to enable the intended audience to understand the criteria used and assumptions made in calculating the hypothetical performance
  • Provides sufficient information to enable the audience to understand the risks and limitations of using hypothetical performance to make investment decisions.
    • Important Note: Hypothetical performance should only be distributed to clients and/or prospective clients who have access to the resources to independently analyze such information and who have the financial expertise to understand the risks and limitations of such types of presentations.
  • Maintains the relevant data and documentation that supports the hypothetical performance figures presented.
This is the tenth hypothetical performance related violation the SEC has released in less than a month, the first of which you can review in the AdvisorAssist blog post released in August 2023.

Marketing Rule violations were the most common deficiency in the AdvisorAssist 2023 SEC Exam Report, and considering the SEC’s stance on continuing targeted examinations, Advisors are urged to review AdvisorAssist's blog post regarding the need for a retrospective review of all marketing pieces, the AdvisorAssist SEC Sample Marketing Exam Request, and to take advantage of our Mock Examination Services should they have concerns or feel the need to enhance current procedures.

If you have any questions or concerns please contact your consultant to discuss!

August 12, 2024

SEC Remains Vigilant on Share Class Selection as Deficiencies Rise

 

For over six years, mutual fund share classes have been a major risk consideration for Registered Investment Advisors (RIAs), and a priority for the U.S. Securities and Exchange Commission (SEC). Throughout this period, AdvisorAssist has consistently updated RIAs on the SEC’s share class selection risk priority and subsequent Disclosure Initiative. Given the SEC’s continued focus on mutual fund share class selection, we wanted to bring your attention to the increased number of RIAs receiving deficiencies for continuing to operate with a lack of disclosure and/or inadequate policies and procedures regarding share class selection. As a fiduciary, an RIA cannot place the Advisor’s financial interests ahead of their clients. With respect to violations of an Advisor’s Duty of Loyalty, regulators continue to maintain that, if the Advisor reaps financial benefit from clients, there will be regulatory action. In addition, even if the Advisor does not stand to financially benefit, under the Duty of Loyalty obligation, rendered advice needs to be in the client’s best interest. For failure to adhere to the Duty of Care and Duty of Loyalty standards, Advisors can be subject to the following disciplinary actions:
  • Cease-and-Desist Order and Censure 
  • Disgorgement and Prejudgment Interest 
  • Civil Penalties
  • Individual Liabilities 
Regardless of disciplinary actions, Advisors may be pressured by the SEC to refund clients based on perceived harm to clients, due to the Advisor not adhering to their fiduciary obligations. This can be a material financial impact on an Advisor depending on the severity of potential harm to clients, and you can review results of this financial impact from our prior Blog Posts or through the various releases of the SEC Share Class Initiative. At AdvisorAssist, we remind clients that as part of your fiduciary duty to clients, Advisors should endeavor to purchase the lowest-cost share class available when recommending a particular mutual fund. Further, Advisors must maintain policies and procedures that align with the Advisor’s actual business practice. AdvisorAssist encourages Advisors to perform forensic reviews of their share class selection policies and procedures, while periodically reviewing their mutual fund holdings. Regardless of whether a higher cost share class was purchased or transferred in, if a client is invested in a share class that is potentially not the lowest cost, there is a very important need to ensure the firm has proper documentation substantiating why the client is holding the position. If the Advisor determines and/or discovers that there is no substantive reasoning to support the holding of a higher cost share class, the Advisor should promptly begin to convert the mutual fund to its lowest cost share class. In certain instances, substantive reasoning regarding why a holding isn't converted to the lowest share class may include, but is not limited to:
  • Tax implications
  • Dollar-cost averaging
  • It does not meet the minimum investment/the fund is closed to new investors
  • Investment time horizon
  • The availability of lower share classes at the custodian
By clicking here, you will find an example of a common deficiency letter related to Share Class Selection. Should you have any current questions or concerns regarding Share Class Selection, please reach out to your Consultant.

May 21, 2024

Books and Records: Trade Affirmation, Allocations, and Confirmations

 

Contributed By - Thomas Yates
Managing Partner and Director
                                                   
The U.S. Securities and Exchange Commission’s (SEC) amendments to the record-keeping requirements, Rule 275.206(4)-2, for registered investment advisors focus on maintaining accurate and up-to-date records of allocations, confirmations, and affirmations related to securities transactions subject to Rule 15c6-2(a), as described in our initial AdvisorAssist Blog post. AdvisorAssist has been evaluating and monitoring industry guidance and best practices regarding the amendment since May 2023. During our evaluation, AdvisorAssist held discussions with each custodian and/or executing broker-dealer (herein “Custodian(s)”) to understand each Custodian’s process to assist RIAs in complying with this new rule. At this time, here is a summary of what RIAs are required to do:

Books and Records Requirement 
Advisors are required to archive:
  • Date and time stamp indicating when the trade allocation and trade affirmation occurred.
  • Details, sent or received, about each:
    • confirmation received,
    • any allocation made, and
    • each affirmation. 
The intention is to have accurate and current records of trades for securities transactions subject to Rule 15c6-2(a), as defined below. RIAs should validate and confirm that all email communications, platform instructions, or any other mode of communication related to client transactions are archived, and that RIAs are able to produce evidence of the communications and/or instructions upon request.

Transactions under Rule 15c6-2(a) are “All Securities”, with certain exemptions, as follows:
  • Exempted Securities (e.g. Private Funds)
  • Government Securities
  • Municipal Securities
  • Commercial Paper
  • Bankers’ Acceptances
  • Commercial Bills
  • Security-Based Swaps
Settlement Cycle’s Impact on Process
The settlement cycle for transactions will now be reduced to one business day (T+1), which means all Custodians should be updating their process to adhere to the new settlement cycle requirement. Separately, a Custodian is mandated to maintain timestamped records of trade allocations, confirmations and affirmations, as described above. Due to this requirement placed on your Custodian, the information required for RIAs to archive should already be maintained on their respective platforms.
Furthermore, the SEC has provided commentary that RIAs may rely on third parties, e.g. Portfolio Management platforms, to maintain these records. However, these third parties are not responsible for RIAs’ books and records, and while the data may exist, they cannot assume responsibility on the RIA’s behalf for maintaining records. In addition, depending on the third party, data may only be readily available for a limited period of time, which could impact the RIA’s ability to retrieve the requested data in a timely manner and may not allow RIAs to comply with this rule.

How To Comply: Variations in Process Among Custodians
While AdvisorAssist remains in discussions with each Custodian, we also suggest that RIAs take the following steps to comply with this new rule:
  • Reach out to their Custodians and ask them the following question: Can you provide instructions on how I can download a report, at least annually, with the date and time stamp of all trade allocations, confirmations and affirmations?
    • Are bulk downloads available, and for what time period?
    • Is batch reporting available?
    • Is any level of automation available to our Firm for generating these items?
  • Once these reports are received, save them into a dedicated folder where all books and records are kept, and ensure that this data is backed up!
  • Use this opportunity to perform forensic testing for trade accuracy purposes, making sure trades were executed and/or allocated as intended.
  • If any transaction activity is conducted via email, make sure that emails are archived and that email communications include any confirmations or additional transaction details sent by or received from custodians and/or broker-dealers. RIAs should separately log these communications so that they can ensure timely retrieval of these records upon request from a regulator.
As we continue discussions with Custodians, and have further guidance from the SEC, we will communicate this information out. Should you have any current questions or concerns, please reach out to your Consultant.




May 20, 2024

SEC Adopts Important Rule Amendments to Regulation S-P

 

Contributed By - Thomas Yates: Managing Partner and Director, AdvisorAssist, LLC
                          
                            
On May 15th, the U.S. Securities and Exchange Commission adopted amendments to Regulation S-P, which requires registered investment advisors (RIAs) to adopt written policies and procedures to safeguard customer records and information (the “safeguards rule”). These amendments aim to enhance the policies and procedures of RIAs regarding the protection of client sensitive information, especially policies on incident response, client notification, disposal of client sensitive information, and service provider due diligence.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” said SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
While AdvisorAssist, LLC and AdvisorDefense, LLC are closely monitoring how this rule will be further interpreted, we anticipate more clarity from the SEC. As feedback comes in, we will continue to analyze and formulate guidance to help ensure adherence to amendments to the Safeguards Rule. That said, here is our current synopsis:

Compliance Date 

Mandatory compliance: 60 days after posting in the Federal Register, Advisors have the following timeline to comply with the amendment:
  • Advisors with $1.5 billion or more in assets under management (AUM): 18 Months
  • Advisors with less than $1.5 billion in AUM: 24 Months
Enhancements to Regulation S-P

Incident Response Program - The amendment requires that Advisors adopt policies and procedures that are reasonably designed to detect, respond to, and recover from unauthorized access to, or use of, client data. Further, these policies must include the following:
  • Assessment: Advisors will evaluate the nature and scope of the breach and/or incident;
  • Containment: Implement remedial measures to prevent further incidents and/or unauthorized access; and
  • Notification: Policies must be in place to notify affected clients as soon as possible, but no later than 30 days after detection of the incident and/or breach, and ensure proper information is disclosed to the client.
Service Provider Oversight - As a component of the Incident Response Program, RIAs must implement policies and procedures designed to oversee Service Providers through due diligence and ongoing monitoring. The amendment defines “Service Provider” as any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution. RIAs must ensure that Service Providers have controls in place to protect against unauthorized access to, or use of, client information. Service Providers must provide notification to Advisors regarding unauthorized access to client information as soon as possible, but no later than 72 hours after becoming aware of the breach.

Customer Notification Requirement - RIAs must notify affected individuals promptly when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notices must include:
  • Comprehensive details about the incident.
  • Specifics on the type of data that was breached.
  • Instructions for affected individuals on how to address the breach and protect themselves.
An exception to the customer notification requirements exists when an RIA can evidence that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Privacy Policy Delivery Requirements - RIAs are no longer required to deliver an annual privacy policy to clients, provided:
  • The RIA does not share nonpublic personal information with non-affiliated third parties (other than as permitted under certain enumerated exceptions, e.g., to service providers who perform services on behalf of the RIA, or as necessary to administer a transaction requested or authorized by an individual).
  • The RIA has not changed its privacy policies and practices from the policies and practices that were disclosed in the most recent privacy notice sent to individuals.
Books and Records - Maintenance of written records documenting compliance with the requirements of the Safeguards Rule and Disposal Rule.
  • Safeguards Rule: Policies and procedures to safeguard client records and information
  • Disposal Rule: Policies and procedures for the proper disposal of consumer report information in a manner that protects against unauthorized access to or use of such information
How AdvisorDefense, LLC Can Help!
AdvisorDefense provides Cybersecurity Consulting and managed security services, specifically for Registered Investment Advisors. AdvisorDefense’s CEO, Philip Coniglio, is an experienced in-house Chief Information Security Officer for multiple RIAs, and led security at one of the largest RIAs in the nation. Driven to provide cybersecurity guidance to RIAs of all sizes, AdvisorDefense can assist in the readiness for compliance with these amendments. We are currently working to further our guidance and communications on Regulation S-P and its impact on RIAs, which will include a full breakdown of requirements and guidance to adhere to the regulation, but should you have any questions, please reach out to your Consultant!



May 13, 2024

Proposed Rule: Customer Identification Program Requirements for Registered Investment Advisers and Exempt Reporting Advisers

 

Contributed By: Gabrielle Magdziarz
                           Senior Compliance Consultant
                             AdvisorAssist, LLC

On May 13, 2024, the Securities and Exchange Commission (SEC) and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) jointly proposed customer identification program (CIP) requirements for RIAs and ERAs on the tailwind of the February 2024 proposal to designate RIAs and ERAs as “financial institutions” under the Bank Secrecy Act (BSA). If adopted, the rule will require RIAs and ERAs to implement a CIP that includes procedures for verifying the identity of each customer to the extent reasonable and practicable, and maintaining records of the information used to verify a customer’s identity. The list below is the proposed minimum client information that would be required to be collected per a CIP; however, verification methodologies may require additional documentation and data:
  1. Name – referring to the client’s full legal name, but aliases or DBAs may be required to be obtained.
  2. Date of birth for an individual or the date of formation for any person other than an individual.
  3. Residential or business address, unless other stipulations apply as proposed.
  4. Identification number (SSN, TIN, legal identifiers) dependent upon whether the individual is domestic or foreign.
Clients will be informed of the Firm’s identity verification policies through a CIP customer notice, which may be presented on websites, in account applications, agreements, or through other written or verbal communications. The Firm must establish a reasonable belief in the true identity of its clients using either documentary or non-documentary verification methods, or a combination of both, as outlined in their risk-based procedures. Documentary methods include government-issued IDs for individuals and entity-proofing documents like certified articles of incorporation for businesses. Non-documentary methods involve checking financial statements, comparing client information against fraud databases, verifying information through third-party sources like credit reports, and checking references with other financial institutions. The Firm's verification policies must address situations where typical ID verification is challenged, such as when:
  • An individual cannot present a valid government-issued photo ID.
  • The investment advisor is unfamiliar with the presented documents.
  • The advisor does not obtain documents for verification.
  • There is no face-to-face meeting with a customer.
  • Circumstances suggest an increased risk of identity verification failure.
In such cases, the Firm's CIP (Customer Identification Program) must include procedures for handling these situations, potentially escalating to filing a Suspicious Activity Report (SAR) if a reasonable belief in the customer’s identity cannot be established. Under this proposed provision, an investment advisor would be required to retain the information obtained about a customer while the account remains open and for five years after the date the account is closed. Although there are provisions for reliance on another financial institution for all, or some, of its requirements under the regulation, the investment advisor would remain responsible for ensuring compliance, and an agreement would need to be in place stating as such. FinCEN and the SEC anticipate that the effective date of the proposed rule will be 60 days after adoption; the proposal is currently in its comment period. Specifically, under this proposed rule, an investment advisor would be required to develop and implement a CIP that complies with the requirements of this section on or before six months from the effective date of the regulation, but no sooner than the compliance date of the AML/CFT Program and SAR Proposed Rule, if adopted. AdvisorAssist will continue to monitor both proposals, with the expectation that another joint effort between the SEC and FinCEN is on the way. Should you have any questions or concerns, please reach out to your Consultant.