For Investment Advisers and Broker-Dealers: SEC & State Actions
Reg S-P Compliance Violations Spelled out by SEC: OCIE reviewed two years of deficiency letters and came up with a list of the most common Regulation S-P compliance issues. The risk alert identified the following low-hanging fruit:
Failing to provide initial and annual notices, and providing inaccurate privacy notices.
Failing to include an opt-out right to clients where firms share nonpublic personal information with nonaffiliated third parties.
Policies and procedures that contained blank spaces or described the requirements of Rule 30(a) of Regulation S-P (the “Safeguards Rule”) without describing the firm’s processes for actually protecting client information.
The bottom line is that OCIE found advisers and broker-dealers are aware of the Safeguards Rule and Regulation S-P but have not followed up with administrative, operational and physical safeguards. Firms also stumble when it comes to training their staff on using encryption, password protection, or other available tools to protect client information. Some firms have also failed to address the widespread use of personal devices like laptops and cellphones for storing client information without the appropriate anti-theft safeguards.
The SEC has become increasingly concerned about cybersecurity threats, and this alert from OCIE is a clear message to firms that they need to up their game. Investment advisers and broker-dealers should use the risk alert as a guide for improving their information security protocols. And if you need further incentive, check out the more recent cases brought by the SEC against R.T. Jones (resulting in a $75,000 fine), Morgan Stanley (resulting in a $1 million fine) and Voya Financial Advisors, Inc. (resulting in $1 million fine). Contributed by Jaqueline M. Hummel, Partner and Managing Director.
Heads Up! Massachusetts Amended the Data Breach Notification Law: You may need to update your firm’s Information Security Program to address significant changes to Chapter 93H, which became effective on April 11th. Best-practice becomes law as broker-dealers and investment advisers subject to the MA law are now required to provide a minimum of 18 months of free, third-party credit monitoring services to affected consumers when there is a breach involving social security numbers. Also, the notification requirements have been amended to address the timing and content of the notifications provided to the Commonwealth’s Attorney General, the Office of Consumer Affairs and Business Regulation (“OCABR”), and affected consumers. Firms can no longer delay notification until the number of affected residents is known. Instead, they must provide additional updates as the correct information becomes available. See House, No. 4806, Sections 8-11 for a complete list of amendments and modify your Information Security Program and notification templates accordingly. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.
Ohio Requires Registered Reps and Investment Adviser Reps to Report Elder Abuse. Effective March 20, 2019, a new Ohio law took effect requiring certain financial professionals to report cases of suspected elder abuse or financial exploitation. Specifically, Ohio Revised Code (ORC) 5101.63(A)(2)(dd), a provision within the Ohio Adult Protective Services statutes, was amended to include “a dealer, investment adviser, sales person, or investment advisor representative licensed under Chapter 1707 of the Revised Code” as mandatory reporters of known or suspected elder abuse. Investment advisers and broker-dealers should train their representatives on how to identify and report elder abuse. Check out the Ohio Department of Job and Family Services’ Guide to Protecting Ohio’s Elders for more information on what to look for and whom to call. Reports can be made 24 hours a day, seven days a week by calling 1-855-OHIO-APS (1-877-644-6277). Contributed by Jaqueline M. Hummel, Partner and Managing Director.
SEC Issues Digital Asset Analysis and No-Action Letter: The evolution of capital formation, fin-tech, and market structures to include digital assets may or may not fall under the jurisdiction of the SEC. To help industry participants determine whether a specific digital asset will be considered a security and subject to SEC jurisdiction, the SEC’s Strategic Hub for Innovation and Financial Technology (“FinHub”) published the “Framework for ‘Investment Contract’ Analysis of Digital Assets” (the “Framework”). The authors of the guidance note that the framework “is not intended to be an exhaustive overview of the law, but rather, an analytical tool to help market participants.”
Consistent with prior SEC pronouncements, the Framework applies the Supreme Court’s Howey test for determining a transaction qualifies as an “investment contract,” which is considered a security and governed by federal securities laws. The Framework focuses on the third and fourth prongs of the Howey test, specifically whether investors have an (i) expectation of profit (ii) in reliance on the efforts of others. On the same day that the Framework was released, the SEC’s Division of Corporate Finance issued the TurnKey Jet, Inc. No-Action Letter applying the Framework to find that tokens used to purchase services would not qualify as securities subject to SEC registration. The model described in the no-action letter involves digital assets that would only be used on a closed private network to purchase air charter services.
The Framework and the TurnKey Jet, Inc. No-Action letter further emphasizes the limited circumstances under which a digital asset can avoid being considered as a security. To prevent security status, the SEC wants to see that the digital assets and associated network are fully functional at the time of sale. It seems likely that many digital assets will be considered “securities” subject to registration during the fundraising stage since the efforts of a promoter will be key to the enterprise’s success and the proceeds from sales will likely be used to develop the platform. The Framework indicates, however, that the digital asset can transform from a security to a non-security once the asset operates within a fully functioning network. Market participants should approach selling digital assets with caution. Contributed by Doug MacKinnon, Senior Compliance Consultant.
For Broker-Dealers: FINRA Actions
FINRA Issues Guidance for Communications with Customers Regarding Departing Representatives: FINRA issued Regulatory Notice 19-10 to remind member firms that when a registered representative leaves, the firm should “promptly and clearly” notify affected customers how their accounts will continue to be serviced. FINRA’s goal is to provide customers with timely information to make an informed decision about where to maintain their assets. If your written supervisory procedures do not already address such communications, you should adopt and document procedures that provide prompt notification and the name and contact information of the individual(s) to whom the customer may direct questions and trade instructions, and when assigned, the name and contact information of the representative to whom the customer’s account(s) were assigned. In addition, the firm may clarify the customer’s options to either retain the assets with the firm to be handled by the assigned representative or another representative at the firm or transfer the assets to another firm. If the firm knows of and has consent from the departing representative, it may provide customers, upon request, with the departing representative’s business phone number, email address or mailing address. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.
Attention Underwriting Syndicate Members who enter into Backstop Agreements: FINRA released updates to the Interpretations on Financial and Operational Rules dealing with open contractual commitments. A backstop agreement is an agreement between two syndicate members, the Backstop Recipient and the Backstop Provider, where the Backstop Provider agrees to deduct from its own net capital calculation any applicable open contractual commitment attributable to the Backstop Recipient. If the backstop agreement is executed and effective before the Backstop Recipient becoming obligated to the underwriting commitment (which and requires the Backstop Provider to purchase any unsold securities allocated to the Backstop Recipient), the Backstop Recipient does not need to take a capital deduction for its share of the open contractual commitment charge. See interpretations on Securities Exchange Act Rule 15c3-1(c)(2)(viii), page 654. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.
FINRA Will Permit the Use of Electronic Signatures for Discretionary Accounts: Effective May 6th, firms may accept the electronic signature of those named, associated persons authorized to exercise discretion in client accounts, to satisfy FINRA Rule 4512(a)(3) regarding customer account information. The electronic mark must clearly identify the signatory and comply with Section 101(d) of the Electronic Signature Act by being accurate, accessible, and capable of reproduction. Electronic records maintained in accordance with 17a-4(f) comply with 101(d) of the E-Sign Act. Contributed by Rochelle A. Truzzi, Senior Compliance Consultant.
For Mutual Funds: SEC Actions
SEC Issues Guidance on Mutual Fund Reporting Requirements. The SEC recently revised its Small Entity Compliance Guide: Investment Company Reporting Modernization Rules. The guide highlights mutual fund reporting requirements associated with Forms N-PORT and N-CEN, which replace Forms N-Q and N-SAR, respectively. This update reflects the SEC’s interim final rule adopted in February 2019, which adjusted the timing of initial Form N-PORT filings by large and small fund complexes. Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.
Liquidity Risk Management FAQs Updated. The SEC also recently updated its Investment Company Liquidity Risk Management Programs FAQ to address the temporary impact of an “extended holiday closure” on the liquidity classification of securities that are otherwise publicly traded. An extended holiday closure is one that lasts seven or more calendar days. While the SEC acknowledged that such investments do become temporarily illiquid, the related liquidity risk “differs from the liquidity risk N-LIQUID is designed to flag,” because funds can generally plan for the temporary closure ahead of the holiday. Provided the fund’s board is notified of its plans to manage liquidity during the closure, the FAQ clarifies that the SEC “would not object if a fund does not file Form N-LIQUID for an investment that becomes illiquid solely due to the extended holiday closure.” Contributed by Cari A. Hopfensperger, Senior Compliance Consultant.
For Hedge Fund Managers: CFTC Actions
Help is available for understanding NFA Interpretive Notice 2-9 on Internal Controls. The NFA has been busy making various guidance and training resources available to Member firms implementing Interpretive Notice 2-9 regarding Internal Controls. The following list highlights recent educational opportunities and where you can find copies.
NFA updated its Self Examination Questionnaire to assist firms in preparing for 2-9.
It held a webinar designed to educate Members on their obligations under the interpretive notice. The archived webinar and transcript are available on the NFA website.
NFA’s February Member Workshops discussed the Interpretive Notice and the Workshop materials are available on NFA’s website.
Contributed by Cari A. Hopfensperger, Senior Compliance Consultant