For Investment Advisers and Broker-Dealers
Cybersecurity: Multi-Factor Authentication and CAPTCHA Recommended to Combat Credential Stuffing. This Risk Alert, issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE), raised the alarm on a recent spate of “credential stuffing” attacks on financial institutions. Credential stuffing is a method of cyber-attack in which hackers take a huge list of usernames and passwords and use large-scale automated login programs, such as scripts or bots, to “stuff” those credentials into password-protected websites, hoping to gain unauthorized access to customer accounts. The hackers get the usernames and passwords from prior data breaches (e.g. MyFitnessPal, LinkedIn, Adobe, Equifax, Twitter) that are sold on the dark web. (Check to see if your email address has been exposed using this tool from the Hasso Plattner Institute, available here, and the Have I Been Pwned (HIBP) website.) In early September the FBI sent a private security alert to the U.S. financial sector with a similar warning that credential stuffing attacks are on the rise.
As noted in OCIE’s Risk Alert, “[s]uccessful attacks occur more often when (1) individuals use the same password or minor variations of the same password for various online accounts, and/or (2) individuals use login usernames that are easily guessed, such as email addresses or full names.” Also, the longer passwords remain unchanged, the greater the risk of a successful attack. OCIE provided a list of practices firms use to protect client accounts:
- Adopt Multi-Factor Authentication (“MFA”) that requires a user to employ multiple verification methods to gain access to an application or online account. In general, the more factors in this process, the more effective the approach will be at deterring an attack.
- Because credential stuffing is driven by automated scripts or bots, use CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). CAPTCHAs are online tests that require a user to do something to prove they are human, such as identifying pictures with a specific object among a group of pictures.
- Implement controls to prevent and detect credential stuffing attacks, like monitoring for higher-than-usual login attempts over a specific time period.
- Perform testing to determine whether current client accounts are susceptible to credential stuffing attacks.
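As an added illustration of the monitoring control in the third bullet (example code written for this newsletter, not from OCIE or the FBI), the following Python flags a source address that sprays many different usernames at a login endpoint within a short window, which is the pattern that distinguishes a bot from a single client mistyping a password. The log lines and addresses are constructed, and the window and thresholds are assumptions a firm would tune to its own traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source_ip username result".
# Addresses are documentation ranges (RFC 5737); nothing here is real traffic.
SAMPLE_LOG = """\
2020-09-14T10:00:01 203.0.113.7 alice@example.com FAIL
2020-09-14T10:00:02 203.0.113.7 bob@example.com FAIL
2020-09-14T10:00:02 203.0.113.7 carol@example.com FAIL
2020-09-14T10:00:03 203.0.113.7 dave@example.com FAIL
2020-09-14T10:00:03 203.0.113.7 erin@example.com FAIL
2020-09-14T10:00:04 203.0.113.7 frank@example.com OK
2020-09-14T10:00:05 203.0.113.7 grace@example.com FAIL
2020-09-14T10:05:00 198.51.100.4 heidi@example.com FAIL
2020-09-14T10:05:09 198.51.100.4 heidi@example.com FAIL
2020-09-14T10:05:20 198.51.100.4 heidi@example.com OK
"""

# Assumed tuning values: the "specific time period" and what counts as higher-than-usual.
WINDOW = timedelta(seconds=60)
MAX_ATTEMPTS = 5          # more than this many attempts per source within WINDOW ...
MIN_DISTINCT_USERS = 4    # ... spread over at least this many different usernames


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=WINDOW,
                               max_attempts=MAX_ATTEMPTS,
                               min_distinct_users=MIN_DISTINCT_USERS):
    """Return {source_ip: time_of_first_alert} for sources whose login
    pattern looks automated. Successful logins are counted too: a bot that
    finds a working pair still looks like a bot, and that account is the
    one to lock and review."""
    recent = defaultdict(deque)   # ip -> sliding window of (timestamp, username)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, _ok = parse_line(line)
        window_q = recent[ip]
        window_q.append((ts, user))
        while window_q and ts - window_q[0][0] > window:   # drop attempts older than WINDOW
            window_q.popleft()
        distinct_users = {u for _, u in window_q}
        if ip not in alerts and len(window_q) > max_attempts \
                and len(distinct_users) >= min_distinct_users:
            alerts[ip] = ts
    return alerts
```

In the constructed sample the first source trips the rule on its sixth attempt, while the second source (one customer retrying a single account) never does, because the distinct-username condition fails.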
The days of depending solely on password protection for securing client accounts are over. Investment advisers and broker-dealers, especially those that offer online account access to their clients, need to keep abreast of the latest threats to their clients’ assets coming from cyberspace and update their policies appropriately. And even firms that do not offer online account access to clients are advised to talk to their clients about how they can keep their financial accounts safe by not re-using passwords, changing passwords more frequently and taking advantage of free password management applications. Contributed by Jaqueline M. Hummel, Partner and Managing Director.
SEC Revises Definitions for Accredited Investor and Qualified Institutional Buyer. With the goal of making it easier for issuers to raise capital, the SEC adopted amendments to expand the definition of “accredited investor” in Rule 215 and Rule 501(a) of Regulation D under the Securities Act of 1933. The amendments expand existing accredited investor categories while adding new ones. While it remains unclear just how much larger the universe of accredited investors will become as a result of these amendments, the newly added, expanded, or clarified accredited investor categories now include (but are not limited to) those with certain professional designations or other credentials, knowledgeable employees of private funds, and family offices, LLCs and certain other entities with at least $5 million in assets. Under the amendment, spousal equivalents may also pool their finances for the purpose of qualifying as accredited investors. (Note – None of the entities referenced above can be formed for the purpose of acquiring the security being issued and still qualify as an accredited investor.) Interestingly, the SEC declined to update the financial thresholds that qualify individuals as accredited investors and that have remained unchanged since their establishment in 1982. Those thresholds stand at a net worth (excluding the value of primary residence) of $1 million or income of at least $200,000 each year for the last two years.
The SEC also amended the “qualified institutional buyer” (“QIB”) definition in Rule 144A to conform to the updated accredited investor definition. Those entities that qualify as accredited investors also qualify as QIBs, so long as they meet the $100 million threshold in owned and invested securities.
The amendments and order become effective 60 days after publication in the Federal Register. Contributed by Doug MacKinnon, Senior Compliance Consultant.
Does your Firm Discriminate Against Americans with Disabilities? Don’t Be Too Sure. Consider the following:
- Title III of the Americans with Disabilities Act (“ADA”) prohibits discrimination against individuals with disabilities in the full and equal enjoyment of the goods, services, facilities, privileges, advantages, or accommodations of any place of “public accommodation.”
- Registered investment advisers, broker-dealers, insurance companies, and banks all fall into the definition of “public accommodation.”
- Courts differ in their opinion as to whether Title III of the ADA is limited to physical space or whether it also applies to the website of a place of “public accommodation.” Recent cases, such as Gil v. Winn-Dixie Stores, Inc. and Robles v. Domino’s Pizza, LLC, support the opinion that Title III applies to both physical locations and websites as places of public accommodation.
- For a website to be ADA Title III compliant, it should meet the Web Content Accessibility Guidelines (“WCAG”) 2.1, a detailed list of goals and criteria designed to make content more accessible to persons with disabilities. The guidelines can be distilled into four main tenets, with examples of each: (1) Perceivable (maximize the use of headings and labels, text alternatives for non-text content, and captions and other alternatives for multimedia); (2) Operable (make all functionality available from a keyboard, avoid content that causes seizures or other physical reactions, and help users navigate and find content); (3) Understandable (use readable text and content that appears and operates in a predictable way); and (4) Robust (use content that maximizes current and future features).
- Adobe’s accessibility standards for PDFs include the following: searchable text; images with alternate text; use of headings, a table of contents, bookmarks and tags; a logical reading order; no background images or watermarks; table rows that do not split across pages; and, in a fillable document, a tab order that progresses from one field to the next in a logical order.
Interested in learning more? We encourage firms to review their public accommodations, assess legal and reputational risks, and if necessary, work with a consultant that specializes in Title III ADA compliance to ensure compliance. Contributed by Rochelle A. Truzzi, Managing Director.
Mark Your Calendars – SEC / FINRA Roundtable to Discuss Initial Form CRS & Reg BI. The SEC Staff has set the date for a roundtable on October 26th to address the regulators’ initial observations concerning Form CRS and Regulation Best Interest (“Reg BI”). The SEC noted in its recent press release that participants will include representatives from the Office of Compliance Inspections and Examinations (OCIE), the Division of Trading and Markets, the Division of Investment Management and FINRA. The event will be webcast virtually on Oct. 26th from 1:00-3:00 pm ET, open to the public and recorded for future listening. At the time of this publication, details to access the event had not yet been released. Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.
BEA’s BE-180 Benchmark Survey of Financial Services Providers. Every five years, the U.S. Department of Commerce’s Bureau of Economic Analysis (BEA) conducts a Benchmark Survey of Financial Services Transactions between U.S. Financial Services Providers and Foreign Persons on Form BE-180 (BE-180). Financial Services Providers include investment advisers, broker-dealers, banks, and insurers that “had either combined sales to, or combined purchases from, foreign persons of ‘Financial Services’ that exceeded $3 million during its 2019 fiscal year”. Examples of firms that are potentially in scope include: (i) a U.S. RIA that received management or incentive fees from a non-U.S. client, and (ii) a U.S. fund that paid fees to a non-U.S. investment adviser, broker-dealer and/or custodian. Unlike some of the other types of BEA surveys, U.S. firms that meet the filing criteria are required to file a BE-180 even if the firm did not receive a request from the BEA to complete the survey. Firms with lesser activity are only required to complete the first portion of the survey, while firms with more activity to report are required to complete the entire survey. If filed online using the BEA’s electronic filing system, the due date is October 30, 2020, while paper filings were due September 30, 2020. Resources, including a decision support tool to help firms determine whether filing is required, are available on the BEA’s dedicated Form BE-180 page. Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.
For Investment Advisers
New WebCRD Reporting Available in FINRA Gateway. As we mentioned in last month’s newsletter, FINRA has been overhauling the look and feel of WebCRD to provide better data integrity, overall functionality and to minimize FINRA intervention on data records. Its rollout has occurred in phases, and the latest enhancements include dynamic reporting features that allow users to create custom reports and save them for future use. In addition, a firm’s IT department can now access their firm’s data through the FINRA API (application programming interface). Access to the API gives the firm flexibility to use FINRA data as they see fit. This can be very beneficial to advisers seeking to improve data quality against internal personnel records, automate monitoring of IAR registrations against client account records and improve the annual renewal process. Check out the FINRA site for live and recorded webinars on the different components of the revamped FINRA Gateway. Contributed by Heather D. Augustine, Senior Compliance Consultant.
For Broker Dealers
Transitioning to FINRA Gateway: Registration and Continuing Education Applications.
- October 5, 2020 – Form U4 Online Filing. There will be new data entry screens, more intuitive ordering of questions and enhanced validations in order to reduce filing errors. The “Allow Rep Edits” feature will only be available through FinPro. Registered persons (and those individuals seeking registration) will need a FinPro account.
- October 5, 2020 – Registered representatives will be able to complete their Regulatory Element Program through FinPro or CE Online.
- November 9, 2020 – Registered representatives and registered principals will be required to complete their Regulatory Element Program through FinPro.
For more information on FinPro, visit https://www.finra.org/registration-exams-ce/finpro. For more information regarding transition to FINRA Gateway, go to https://www.finra.org/filing-reporting/finra-gateway/faq. Contributed by Rochelle A. Truzzi, Managing Director.
Photo Credits: Photo by Stephanie Krist on Unsplash.