The SEC Finds Advisers Response to Phishing Attacks, a Day Late and a Dollar Short. The SEC recently cracked down on three advisory firms for failing to protect customer records and information in violation of Regulation S-P, Rule 30(a), the “Safeguards Rule” Even though there was no evidence that clients suffered any losses as a result of the hacks. The advisers, Cetera, Cambridge Investment Research, Inc., and KMS Financial Services, Inc., learned that an unauthorized third party had hacked into their cloud-based email systems and gained access to clients’ personally identifiable information (PII). After discovering the initial hack, the advisers all took action by notifying the affected clients of the breach and offering them identity theft protection services. The firms also took security measures, such as recommending that employees and independent contractors use multi-factor authentication (MFA) to access email accounts. Additional hacking attempts followed, and eventually, all of the firms required MFA for email accounts. For more details on these cases, check out our related blog post.
With the benefit of 20/20 hindsight, the SEC found that the firms failed to act quickly enough after the subsequent breaches to implement MFA across their entire organizations. They also singled out the Cetera entities for “misinforming” clients about when the breaches occurred and for not notifying them earlier. The fines ranged from $200,000 to $300,000.
The obvious lesson is that the SEC endorses the use of MFA to prevent privacy breaches, so advisers should strongly consider implementing MFA to systems containing clients’ PII. Moreover, firms need, and must follow, policies and procedures for protecting clients’ PII. This includes a process for responding to cybersecurity incidents and providing notification to affected clients promptly.
In the SEC’s view, these firms dragged their feet when faced with a clear cyber threat. But in their defense, large organizations do not move quickly. All the firms cited took additional steps to determine how the breaches occurred, which accounts were affected, and whether any clients were harmed (no known harm was identified). This analysis took time to complete, and there were undoubtedly internal discussions and consultations with outside counsel to determine the appropriate response. Moreover, creating a new process such as MFA requires determining how to implement it across the organization and ensuring that users have the appropriate tools and training to use MFA. Advisers should take note, however, that the SEC has raised the bar and expects firms to have a plan in place and respond quickly when client data is at risk. Contributed by Jaqueline Hummel, Managing Director.
Advisor Experiences the Horror of Failure to Supervise Remote IARs. Registered investment advisers that rely on independent investment adviser representatives (IARs), operating their own offices, face unique supervision challenges. The SEC’s administrative action against Horter Investment Management, LLC (“Horter”) and its principal illustrates the worst-case scenario. The firm, based in Cincinnati, primarily hired IARs with remote offices. One of those IARs, Kimm Hannan (“Hannan”), was hired despite a red flag on his Form U5. About the same time, the SEC issued a deficiency letter to Horter citing that the firm’s supervisory structure was inadequate to supervise its remote IARs. Long story short, Hannan is serving a 20-year sentence in jail for stealing more than $700,000 from clients, and now the SEC is looking at the firm and its principal.
It’s no mystery why this happened. The day after Hannan was registered with the firm, FINRA sent him a letter stating that it was initiating an inquiry regarding his conduct at his prior firm about “allegations regarding marketing materials and checks made payable to your DBA.” Horter’s compliance officer reviewed the letter and recommended that Hannan be fired, but the firm failed to follow this advice. Predictably, Hannan continued the activities that got him fired from his previous firm: soliciting clients to invest in his outside business activities (OBAs). In addition, the SEC alleges that the firm failed to adopt appropriate policies and procedures to supervise IARs, including those that required closer supervision, failed to follow up on red flags, and inappropriately delegated supervisory authority. Now the firm and its principal face a public hearing to review the allegations.
The takeaways from this case include (1) establish and follow policies and procedures to supervise the activity of IARs operating remotely, (2) establish and follow heightened-supervision procedures for IARs with black marks, (3) read and follow up on the findings from the annual review of the compliance program, and most importantly, (4) do not ignore the compliance officer’s advice. Contributed by Cari Hopfensperger, Senior Director.
Firm Principals Pay the Price for Riskless Principal Trades. The SEC settled charges with JW Korth & Company L.P. (Korth), a dually-registered investment adviser and broker-dealer, for engaging in riskless principal transactions without prior written disclosure to clients. Section 206(3) of the Advisers Act prohibits an investment adviser from acting as a principal for its own account by buying securities from, or selling them to, a client, unless the adviser provides disclosure and obtains written consent from the client before the completion of each trade. According to the SEC’s findings, Korth engaged in 201 fixed-income transactions on a riskless principal basis between March 2015 and October 2018 on behalf of nine clients, without the required written disclosure or client consent required under Section 206(3) of the Advisers Act.
The problem was that Korth’s policies and procedures addressed only principal transactions that were not riskless. Ultimately Korth was ordered to repay clients the amount it made on the transactions $50,000 and pay a civil penalty of $125,000. In addition, Korth’s managing partner and managing director, both of whom acted as Chief Compliance Officer during principal transactions (in addition to their management responsibilities), were ordered to pay civil penalties of $50,000 and $25,000, respectively, for failing to implement written policies and procedures reasonably designed to prevent violations of Section 206(3).
Firm principals should be advised – the SEC can hold you personally liable for not paying attention to securities law requirements. Contributed by Matt Giggey, Associate Director.
New Technology but Same Old Conflicts. The SEC fined robo-advisor Sofi Wealth LLC (“SoFi”) $300,000 for moving client assets out of third-party managed ETFs and into ETFs sponsored by SoFi. The SEC cited SoFi for approving the use of its own ETFs for its automated investing program without considering alternatives, failing to tell clients that SoFi would receive a portion of the advisory fees on those ETFs, and not disclosing its vested interest in the success of the ETFs. Additionally, some of SoFi’s clients ended up with capital gains from the move, which SoFi reimbursed after the SEC started its investigation.
The takeaways from SoFi’s mistakes start with a recommendation to do a global search on the Form ADV Part 2A for the word “may.” Like all those 12b-1 cases from prior years, SoFi disclosed that it “may” invest client assets in shares of SoFI’s ETFs, when that decision had already been made. Second, firms that use proprietary products should address them in their policies and procedures and make sure that there is a ton of disclosure addressing potential conflicts that using such products can raise. Finally, as fiduciaries, firms should consider whether their own products compete with others on the market based on costs, performance, and suitability. Contributed by Doug MacKinnon, Director.
“Keeping it in the Family” is a Bad Compliance Strategy. Using a private fund as the family piggy bank is never a good idea. In another involving failure to disclose conflicts of interest, the SEC brought an action against investment advisor Diastole Wealth Management, Inc. (“Diastole”), and its principal, Elizabeth Eden. Eden’s son had worked for Diastole and later left to form his own company. Diastole managed a private fund that loaned funds to Eden’s son’s company, which failed to repay. Making matters worse, some of the proceeds from the loan were used to pay off loans Diastole had previously made to the son’s company. The firm failed to adequately disclose the conflicts in its ADV Part 2A Brochure, financial statements, and investor letters. Diastole also received an “F” in complying with the Advisers Act Custody Rule by failing to deliver the fund’s audited financial statements to investors within 180 days of its fiscal year-end for three years.
A key contributor to the breakdown in this case was the fact that Eden was not only a principal owner of the RIA but also served as its President, CEO and …. CCO. Her punishment? Being banned from acting as CCO for any securities firm for a year and a $60,000 fine. Contributed by Rochelle Truzzi, Senior Director.
The First of Many Cases on Breach of Duty – IAR Fined and Suspended, and RIA is Punished for Failing to Perform Suitability Analysis. In 2019, the SEC came out with the Commission Interpretation Regarding Standard of Conduct for Investment Advisers (the “Interpretation”) discussed how advisers should meet their fiduciary obligations, defining the duty of care as an obligation to provide investment advice that is (i) in the best interest of the client” and (ii) suitable for the client. The SEC’s case against investment adviser Frontier Wealth Management and one of its investment adviser representatives (IAR) indicates the consequences of failing to meet those duties, including fines, disgorgement, and suspension from the industry.
Frontier and its IAR invested client money in a feeder fund (the “Feeder Fund”) that invested all of its assets in a private equity fund (“Fund A”). Fund A was managed by a third-party manager and used complex options strategies and synthetic futures positions to generate returns. Fund A’s private placement memorandum warned investors about its volatile nature, the possibility of losing all their capital, and imposed a $1 million minimum investment. So naturally, Frontier wanted to give retail clients access to Fund A and established the Feeder Fund to invest. The minimum investment was $100,000. Frontier received a management fee from the Feeder Fund, which was shared with Frontier’s IARs.
Predictably, Fund A lost about 35% of its value in February 2018 because of highly volatile markets, and subsequently Frontier’s investors in the Feeder Fund lost around $16 million. The SEC found that Frontier gave its IARs great latitude in selecting investments for their clients. Although the firm used an Investor Profile, a 15-question, multiple-choice questionnaire to determine a client’s investment objectives, net worth, employment status, and other information, about 40% of clients invested in the Feeder Fund did not complete this form.
Significant flaws found by the SEC included:
- Failure to assign a supervisor responsible for reviewing, monitoring, or approving IARs investment recommendations for suitability
- Failure to provide training for IARs and supervisors on the suitability of the Feeder Fund
- Failure by IARs to assess the suitability of an investment in the Feeder Fund for their clients
The SEC singled out one IAR for recommending 50 clients invest in the Feeder Fund. According to the SEC, he did not understand Fund A’s strategy, underlying investments, or associated risks and had no experience with complex products. Moreover, he could not adequately explain Fund A’s investment and risks to his clients. As a result, some of his clients were invested in the Feeder Funds despite their conservative risk profiles and investment objectives. He was personally fined $100,000 and banned from the industry for 12 months. Frontier was also fined $350,000 and required to disgorge profits due to its violations.
Advisers offering complex investment products need to ensure their IARs understand them and put guardrails around the sales activity. The SEC wants to see that firms are supervising, providing training and support to ensure IARs understand complex products and explain their risks to clients. There should be documentation to demonstrate the supervision, training, and support. Contributed by Jaqueline Hummel, Managing Director.
Worth Reading, Watching, and Hearing
Photo Credit: Photo by Szabó János on Unsplash