Professional Ethics at the NRS Compliance Conference


These are my notes from the NRS Fall Compliance Conference.

Dorothy (Dot) C. Kelly, Director, Training & Outreach for the Professional Conduct Program, CFA Institute
Wendy L. Pirie, Director, Curriculum Projects, CFA Institute
Robert Stirling, Senior Consultant, Investment Adviser Services, NRS

According to the 2013 Edelman Trust Barometer, the Financial Services industry is the least trusted industry globally. Only 46% trust the financial services industry to do the right thing.

THE GOAL OF ETHICS EDUCATION
•To recognize that ethical issues are a normal and predictable part of life.
•To build upon a culture of compliance and develop a culture of ethical decision-making.
•To discuss approaches for dealing with ethical issues.

Economist Intelligence Unit Report: A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services
Key Findings:
• 91% of financial executives support the notion that aspiring to a globally recognized set of ethical standards would make the financial services industry more resilient.
• 53% of financial services executives say strictly adhering to ethical standards inhibits career progression at their firm.

LAW versus ETHICS

Law: a clearly defined set of enforceable rules that applies to everyone. It represents the minimum level of conduct that everyone must observe. (CAN YOU?)

Ethics: addresses situations not covered by the law (relations with competitors, interpersonal relations at work) and also contributes to the creation of laws. (SHOULD YOU?)

FUNDAMENTAL ETHICAL PRINCIPLES

– Place client interests first
– Maintain independence and objectivity
– Avoid/manage conflicts of interest
– Make full and fair disclosure
– Preserve confidentiality
– Deal fairly
– Reasonable care & prudent judgment
– Maintain integrity of profession
– Promote integrity of capital markets

A FRAMEWORK FOR ETHICAL DECISION-MAKING

Identify the Issue(s):

  • Duties/Obligations
  • Conflicts of Interest
  • Relevant Facts
  • Ethical Principles

Consider:

  • Situational Influences – External & Internal
  • Alternative Actions
  • Additional Guidance

Then Act and Reflect.

WARNING PHRASES:

– Everybody else does it, so it must be okay.
– That is the way they do it at Firm X.
– If we do not do it, someone else will.
– This is the way it has always been done.
– It doesn’t really hurt anyone.
– It’s not a big deal.
– It’s not my responsibility.
– I want to be a team player; I want to be loyal.

Risk Management Panel at the NRS Compliance Conference


These are my notes from the NRS Fall Compliance Conference.

Robert B. Hirth, Chairman, Committee of Sponsoring Organizations of the Treadway Commission
Fred Shane, Chief Risk Officer, Commonwealth Financial Network

Should CCOs be Taking on the Additional Role of a Chief Risk Officer?

It Depends, of Course
• Compliance requirements, degree of regulation, risk
• Objectives
• Complexity
• Size
• Ability to source talent
• Peer companies
• Regulatory constraints
• NO single right answer, NO one size fits all

The SEC is starting to use concepts of risk measurement in its inspection program.

SEC’s “Core Initial Information Examiners Request of Investment Advisers” includes the following:

  • “On-going Risk Identification and Assessment: Inventory of compliance risks that forms the basis for policies and procedures, and notations regarding changes made to the inventory.
  • Documents mapping the inventory of risks to written policies and procedures.
  • Written guidance provided to employees regarding the compliance risk assessment process and procedures to mitigate and manage compliance risks.”

The SEC has published an “Investment Adviser Scenario Analysis/Risk Matrix” on its web site: http://www.sec.gov/info/cco/cco_matrixguide.pdf

The SEC has also published a “Risk Inventory Guide” on its web site: http://www.sec.gov/info/cco/red_flag_legend_2007.pdf The Guide lists twelve categories of risks for an investment adviser. According to the SEC,

“[a]s a CCO responsible for your firm’s compliance, you should determine what risks are present and how they might affect your firm and its operations, assess whether the controls in place to manage or mitigate these risks are adequate, and make or recommend modifications to the compliance policies and procedures as necessary.”

Risk management has a broader scope than compliance.

Risk Reporting and Tracking

Use a risk management database that records, for each risk:

  • Impact
  • Likelihood
  • Vulnerability
  • Priority
  • Velocity – how fast does it happen?
  • Persistence – how long does the impact last?

Internal controls – go beyond brute-force automated systems and think of them as control activities. A meeting can be a control.

The updated COSO framework articulates 17 principles of effective internal control, grouped under five components:

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Information Technology and Cybersecurity


These are my notes from the NRS Fall Compliance Conference.

Ted Kobus, Baker Hostetler
Karen M. Aavik, First Niagara Financial Group
Tammy Eisenberg, CLS Bank International

In 2012 the average cost of a data breach was $5.4 million. IBM 2014 Cost of Data Breach Study

More breaches happen from lost laptops and media than from third-party hackers. Malicious employees may steal information. Ill-informed employees may leave systems open inadvertently. Also keep an eye on employee departures: make sure you shut down the departing employee’s remote access.

Malware is hard to stop, but it can be done with a concerted effort. Phishing and spear-phishing are more common. The attacker tries to get you to open the breach yourself by handing over your account name and password.

Vendors cause a substantial portion of breaches. They may not be as careful as you are. At the end of the contract, make sure you get the data back and that the vendor deletes its copy.

Data Breach Decisions

  • Is it a breach?
  • Who are the key internal personnel that should be involved in the response?
  • Do you involve law enforcement?
  • Do you hire a forensics company?
  • Do you retain outside counsel?
  • Do you involve regulatory agencies?
  • Is crisis management necessary?
  • Do you offer credit monitoring?
  • Do you get relief from a “law enforcement” delay?

One silver lining: you will be better prepared for the next breach.

What do regulators expect?

  • Transparency
  • Prompt and thorough investigation
  • Corrective action
  • Appropriate and prompt notification to regulators and customers

Best practices

  • Prepare and practice a response plan
  • Respond quickly
  • Bring in the right team
    • Preserve evidence
    • Contain and remediate
    • Let the forensics drive the decision-making
    • Law enforcement
    • Document the analysis
    • Involve the C-suite
    • Plan for the likely reaction of customers, employees and key stakeholders
    • Mitigate harm

FTC Recommended Internal Safeguards

Over 50% of data breaches originate from inside the company.
Train and retrain all employees to:
(1) Limit access to customer information to employees who have a business reason to view;
(2) Secure deal jackets and information;
(3) Lock rooms and file cabinets;
(4) Use strong passwords on computers (and don’t share);
(5) Remove access for terminated employees;
(6) Securely dispose of customer information;
(7) Think about what data is provided to a vendor;
(8) Protect customer information.
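Two of these safeguards, removing access for terminated employees and limiting customer-data access to people with a business reason to view it, are checks that can be run periodically rather than only written into a policy; the earlier note about shutting down a departing employee’s remote access is the same control. The following is an added example, not code from the conference, the panelists or the FTC guidance. It reconciles a constructed HR roster against a constructed account list and reports the exceptions. The department-to-data mapping, the group names and the roster entries are assumptions made for the illustration.

```python
"""Added example (not from the conference notes or the FTC guidance).

Reconciles an HR roster against the firm's account list and reports:
  TERMINATED_ENABLED  - account still enabled after the termination date
  TERMINATED_REMOTE   - remote access still on after the termination date
  ORPHAN              - account with no matching HR record
  NO_BUSINESS_NEED    - customer-data group held by a department with no
                        business reason to view customer information
All roster, account and mapping data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    terminated: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user: str
    groups: FrozenSet[str]
    remote_access: bool
    enabled: bool


# Assumption: only these departments have a business reason to view
# customer records, and only these groups grant access to them.
CUSTOMER_DATA_DEPTS = {"client_services", "compliance", "operations"}
CUSTOMER_DATA_GROUPS = {"crm_read", "crm_write", "custody_reports"}

# Constructed HR roster.
HR_ROSTER = [
    Employee("alice", "client_services", None),
    Employee("bob", "marketing", None),
    Employee("carol", "operations", date(2014, 10, 15)),
    Employee("dave", "compliance", date(2014, 12, 1)),  # leaves after the review date
]

# Constructed account list, as pulled from the directory and VPN concentrator.
ACCESS_LIST = [
    Account("alice", frozenset({"crm_read"}), remote_access=True, enabled=True),
    Account("bob", frozenset({"crm_write"}), remote_access=False, enabled=True),
    Account("carol", frozenset({"custody_reports"}), remote_access=True, enabled=True),
    Account("dave", frozenset({"crm_read"}), remote_access=True, enabled=True),
    Account("erin", frozenset(), remote_access=True, enabled=True),  # no HR record
]

REVIEW_DATE = date(2014, 11, 1)

Finding = Tuple[str, str, str]  # (user, code, explanation)


def find_access_exceptions(roster: List[Employee], accounts: List[Account],
                           as_of: date) -> List[Finding]:
    """Return every account that violates the offboarding or need-to-know rule."""
    by_user = {e.user: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_user.get(acct.user)
        if emp is None:
            findings.append((acct.user, "ORPHAN", "account has no matching HR record"))
            continue
        if emp.terminated is not None and emp.terminated <= as_of:
            # Offboarding check: nothing should remain after the termination date.
            if acct.enabled:
                findings.append((acct.user, "TERMINATED_ENABLED",
                                 f"terminated {emp.terminated} but account is enabled"))
            if acct.remote_access:
                findings.append((acct.user, "TERMINATED_REMOTE",
                                 f"terminated {emp.terminated} but remote access is on"))
            continue
        # Need-to-know check for current staff.
        sensitive = acct.groups & CUSTOMER_DATA_GROUPS
        if sensitive and emp.department not in CUSTOMER_DATA_DEPTS:
            findings.append((acct.user, "NO_BUSINESS_NEED",
                             f"{emp.department} holds {sorted(sensitive)}"))
    return findings


if __name__ == "__main__":
    for user, code, why in find_access_exceptions(HR_ROSTER, ACCESS_LIST, REVIEW_DATE):
        print(f"{code:<20} {user:<8} {why}")
```

Run against the constructed data on the review date, the report lists bob (customer-data group without a business reason), carol (terminated two weeks earlier, still enabled and still on the VPN) and erin (account with no HR record); dave is not flagged because his termination date has not yet arrived. The same report run a month earlier would not flag carol either, which is why the check has to be scheduled, not run once.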

Identity Theft Red Flag Rules

The threshold question is whether you are a “financial institution” and whether you hold “covered accounts.”

Policies/procedures must be based on a periodic identification of client accounts and a risk assessment of potential identity theft, including:
– account opening processes;
– account access processes; and
– previous experiences with identity theft.

The procedures must include the following four elements:
– identifying red flags;
– detecting red flags;
– responding to red flags; and
– periodically updating the program.
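The four elements (identify, detect, respond, update) can be given concrete form as a small detector run over account activity. What follows is an added example, not code from the conference or from the Red Flags Rule itself. It encodes two illustrative patterns, an address change followed within 30 days by a new-card request or a new authorized user, and a burst of failed logins followed by a successful login from a device never seen on that account, and pairs each with a response. The event log, the thresholds and the response text are constructed assumptions; a firm’s own red flags come out of its periodic risk assessment of account opening and account access.

```python
"""Added example (not from the conference notes or the Red Flags Rule).

A small red-flag detector over account activity. Two illustrative patterns
are encoded; the thresholds, event log and response text are assumptions.
  ADDRESS_CHANGE_THEN_CARD       address change, then a new-card request or
                                 new authorized user within 30 days
  FAILED_LOGINS_THEN_NEW_DEVICE  5+ failed logins in 10 minutes, then a
                                 successful login from a device the account
                                 has never used before
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADDRESS_CHANGE_WINDOW = timedelta(days=30)   # assumption
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumption
FAILED_LOGIN_THRESHOLD = 5                   # assumption

# The "respond" element: each red flag is paired with a required action.
RESPONSES = {
    "ADDRESS_CHANGE_THEN_CARD": "hold the request; confirm with the customer at the prior address or a verified phone number",
    "FAILED_LOGINS_THEN_NEW_DEVICE": "suspend online access; re-verify identity before restoring",
}


def at(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed account event log; order does not matter, the detector sorts.
EVENTS = [
    {"ts": at("2014-10-01 10:00"), "account": "A-100", "type": "address_change"},
    {"ts": at("2014-10-06 15:30"), "account": "A-100", "type": "new_card_request"},
    {"ts": at("2014-09-01 09:00"), "account": "A-300", "type": "address_change"},
    {"ts": at("2014-10-20 09:00"), "account": "A-300", "type": "new_card_request"},  # 49 days later: benign
    {"ts": at("2014-10-01 09:00"), "account": "A-200", "type": "login_success", "device": "d1"},
    {"ts": at("2014-10-02 22:00"), "account": "A-200", "type": "login_failure"},
    {"ts": at("2014-10-02 22:01"), "account": "A-200", "type": "login_failure"},
    {"ts": at("2014-10-02 22:02"), "account": "A-200", "type": "login_failure"},
    {"ts": at("2014-10-02 22:03"), "account": "A-200", "type": "login_failure"},
    {"ts": at("2014-10-02 22:04"), "account": "A-200", "type": "login_failure"},
    {"ts": at("2014-10-02 22:05"), "account": "A-200", "type": "login_success", "device": "d2"},
]


def _flag(account, code, ts):
    return {"account": account, "flag": code, "ts": ts, "response": RESPONSES[code]}


def _address_change_then_card(account, events):
    """Account-access red flag: card or user added soon after an address change."""
    flags = []
    for i, ev in enumerate(events):
        if ev["type"] != "address_change":
            continue
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > ADDRESS_CHANGE_WINDOW:
                break  # events are sorted, so nothing further is inside the window
            if later["type"] in ("new_card_request", "add_authorized_user"):
                flags.append(_flag(account, "ADDRESS_CHANGE_THEN_CARD", later["ts"]))
    return flags


def _failed_logins_then_new_device(account, events):
    """Account-access red flag: credential guessing that ends in a new-device login."""
    flags = []
    recent_failures = []
    known_devices = set()
    for ev in events:
        # Keep only failures inside the sliding window that ends at this event.
        recent_failures = [ts for ts in recent_failures if ev["ts"] - ts <= FAILED_LOGIN_WINDOW]
        if ev["type"] == "login_failure":
            recent_failures.append(ev["ts"])
        elif ev["type"] == "login_success":
            device = ev.get("device")
            if len(recent_failures) >= FAILED_LOGIN_THRESHOLD and device not in known_devices:
                flags.append(_flag(account, "FAILED_LOGINS_THEN_NEW_DEVICE", ev["ts"]))
            known_devices.add(device)
            recent_failures = []
    return flags


def detect_red_flags(events):
    """Group events per account, sort by time, and run every detector."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)
    flags = []
    for account, evs in by_account.items():
        flags.extend(_address_change_then_card(account, evs))
        flags.extend(_failed_logins_then_new_device(account, evs))
    return flags


if __name__ == "__main__":
    for f in detect_red_flags(EVENTS):
        print(f"{f['ts']} {f['account']} {f['flag']}: {f['response']}")
```

On the constructed log this raises two flags, one on A-100 (card requested five days after an address change) and one on A-200 (five failures in five minutes, then a login from a new device); A-300 is not flagged because its card request falls outside the 30-day window. The “periodically updating” element is the part no script supplies: the window sizes and the list of patterns are the things a firm revisits when it reviews its own identity-theft experience.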


Supervision and the Urban Case, with Ted Urban


These are my notes from the NRS Fall Compliance Conference.

Who better to talk about supervision than Ted Urban himself. He was the firm’s general counsel and chief compliance officer. One of the firm’s registered representatives went rogue, and Urban and the line supervisors were charged by the SEC with failure to supervise.

Urban pushed for the registered representative to be fired, but his supervisor merely put him under special supervision.

The SEC’s theory was that Urban could affect the rep’s behavior. The SEC took the position that even if Urban’s actions were not authoritative, they could be viewed as authoritative. However, even though Urban recommended the firing, he did not have the power to fire.

In the administrative decision, the ALJ found that Urban was a supervisor, but that his supervision was reasonable, which would have ended the case. Urban appealed the finding that he was a supervisor and the SEC appealed the finding that the supervision was reasonable.

The Commission was responsible for hearing the appeal. However, two of the commissioners recused themselves and the other two came down on opposite sides. Urban pointed out that he had no idea why the commissioners recused themselves and there seemed to be no obvious reason why they would. (That is apart from the commissioners being the ones who authorized the enforcement action in the first place.)

The Urban case has been hanging over compliance officers’ heads. If you are considered a supervisor, you are at risk even when your positions are not followed. Mr. Urban pointed to a prior case that dealt with CCO supervisor liability.

In Gutfreund (1992), four senior managers got together to discuss a compliance problem; they all left the room and no one did anything. The SEC took the position that all of them were liable, including the head of legal and compliance. The standard was that legal and compliance can be supervisors when they have “the requisite degree of responsibility, ability or authority to affect the conduct of the employee whose behavior is at issue.”

On February 24, 2012, Commissioner Dan Gallagher gave a speech about compliance and supervision. He said the issue of when compliance equals supervision has been raised in cases, but never answered in the “clear and definitive” manner it deserves. The question “remains disturbingly murky.” He posed the question: how do we distinguish “robust engagement” in a culture of compliance from supervision, and avoid the perverse incentives created by an overbroad definition of supervision?

SEC Examination and Enforcement Priorities


These are my notes from the NRS Fall Compliance Conference.

John Walsh, Sutherland
Karol Pollock, SEC Deputy Associate Regional Director (Exams)

Karol outlined the examination process.

1. You get a phone call. But prior to the phone call, the examiners will have done some background research, looking at the firm’s ADV, its public website and an internet search.

2. You get a document request. The examiners will try to tailor it to the particular firm. A quick response is a good sign. A delay in getting materials is a red flag.

3. After the exam you will get a summary letter. This used to be called the deficiency letter. The SEC may go back to calling it a deficiency letter.

4. Post exam the examiners will work with the Division of Investment Management. The goal is to get a bigger enforcement footprint.

OCIE has expanded its mission. It is not a branch of enforcement. It acts as the eyes and ears of the Commission. It’s the first to see new trends. It also comments on rulemakings.

Here is a preview of the 2015 exam priorities. These are not final yet, but are likely to end up in this year’s published priorities.

Perennial priorities

  • Safety of client assets and custody
  • Conflicts inherent in IA firms
  • Marketing and performance disclosure

Initiatives

  • Never before examined
  • Fixed income investment companies. The SEC is looking ahead to rising interest rates and wants to make sure these investment products are making proper disclosures about what may happen when rates rise.
  • Private fund advisers. The exam staff finds them “interesting.” There is a clash with organizations that are not used to regulatory exams.
  • Retirement vehicles and rollovers
  • Dual registrants. Is each side aware of the different compliance requirements? BDs “gone wild” when they switch to IA and are no longer oppressed by the FINRA manual.

Potential New Initiatives

  • ETFs. They increasingly occupy narrow niches and have growing complexity. The SEC wants to make sure there are proper disclosures and sales suitability.
  • Accuracy of ADV. The SEC is seeing advisers inflate assets to stay registered with the SEC and avoid the transfer to state regulation.
  • False addresses. The SEC is seeing advisers use a false Wyoming address to get SEC registration.
  • Proxy adviser. Reviewing recommendations and voting for investors.

There was a discussion of the “may” versus “will” case. If you are actually doing something all the time, don’t say you may do it.

Regulatory Roundtable at the NRS Compliance Conference


These are my notes from the NRS Fall Compliance Conference.

Lance Burkett, District Director for FINRA
Michelle Wein Layne, Regional Director for the SEC
Andrew Hartnett, Securities Commissioner in Missouri and representing NASAA

Each panel member went through list of enforcement and risk priorities that are currently high on their organization’s list.

NASAA

  • Broker Dealer Fee disclosures. There is a working group trying to come up with a model fee disclosure.
  • Model disaster recovery plan and guidelines
  • Cybersecurity
  • Senior clients – over 60% of his state investment fraud cases involve seniors

FINRA

  • Implementing a new risk-based exam program
  • “Exams that matter”
  • Suitability. Does the firm understand the product?
  • Recidivist brokers

SEC

  • Visit SEC.gov and review the rich trove of information
  • Broken windows. The SEC is not just pursuing big problems. The SEC will consider a discovery of a small problem to be an indication of undiscovered bigger problems.
  • Identify who at the firm is at higher risk for getting into trouble.
  • Cybersecurity
  • “Don’t tolerate liars, cheaters or stealers in your organization, no matter how much revenue they generate.”

All mentioned a higher focus on fraud aimed at seniors. The baby boomers are rapidly becoming the retiring boomers looking to manage their assets as they enter retirement.

More than one mentioned a focus on high-yield products. They want to make sure that there is proper disclosure of the higher risks that come with the bigger coupon.

More than one mentioned a focus on ETFs. As they become more exotic, there will be an increased focus on suitability and risk disclosure.

Off to the NRS Conference


I’m off to sunny Scottsdale to attend my first NRS Fall Compliance Conference. If you are also attending, try to find me and I’ll buy you a cup of coffee (or at least head to the coffee urn with you).

I’m speaking on Wednesday afternoon on Issues in Private Fund Management with John Walsh, from Sutherland, and Mederic Daigneault, from NRS. It should be a good panel.

I’ll try posting my notes from some of the panels during the conference.

Weekend Reading: Countdown to Zero Day

We were in a cyber war with Iran. Kim Zetter unravels the story of Stuxnet, the US computer attack on Iran’s nuclear program, in Countdown to Zero Day.

A few months ago, I read A Time to Attack, which urged a US military attack on Iran. That book highlighted how Iran had been building a nuclear program for several years, including several years of centrifuges spinning to produce enriched uranium.

Enrichment has taken so long because, according to Zetter, the United States has been running a sophisticated attack on the computer systems that run those centrifuges. The United States and Israel planted sophisticated tools on those computers designed to alter the speeds of the centrifuges and the flow of gas into and out of them.

We have entered an age where warfare can be broken into digital attacks and kinetic attacks. Computer geeks and fighter jocks can both engage with the enemy. Stuxnet was a replacement for dropping bombs on the enrichment facilities.

Zero day refers to an attack using a previously unknown computer security vulnerability. One attack detailed in Countdown to Zero Day used a “god-mode exploit” that was even more potent. For anyone involved in cybersecurity, the book may make you want to curl up in a ball and hide in the corner.

The book is well-written and well-researched. It’s always great to grab a book like this that is enjoyable to read and able to explain complicated situations.

There is a compliance and ethics side to the book and the story of Stuxnet. The US government has been touting the importance of securing critical infrastructure. The Securities and Exchange Commission has fired a warning shot that it takes cybersecurity very seriously. But according to Zetter, the government also has a stockpile of cyber weapons designed to attack exactly those kinds of systems. Late in the book, Zetter raises the issue of whether cyber attacks should be treated as an act of war. Should Iran be able to retaliate with conventional weapons to protect itself from cyber attacks?

The publisher kindly sent me an advance reader copy of the book in hopes of me writing a review. Countdown to Zero Day goes on sale on November 11.

Compliance Bricks and Mortar for October 24


These are some of the compliance-related stories that recently caught my attention.

SEC Charges Athena Capital in First HFT Case in the Corporate Crime Reporter

The Securities and Exchange Commission (SEC) has sanctioned a New York City-based high frequency trading firm for placing a large number of aggressive, rapid-fire trades in the final two seconds of almost every trading day during a six-month period to manipulate the closing prices of thousands of NASDAQ-listed stocks.

Why High-Frequency Trading Is So Hard to Regulate by Peter J. Henning in DealBook

The challenge in pursuing charges against these firms is that they are taking advantage of changes in the technology underpinning the markets to profit from quick trades, which is not illegal. But regulators can find it difficult to draw the line between acceptable trading strategies and manipulation because of the complexity of the strategies.

SEC Breaks Down FY 2014 Enforcement Results, Highlights by Bruce Carton in Compliance Week

Late last week, the SEC issued a press release summarizing its enforcement results for the agency’s fiscal year 2014, which ended September 30, 2014. The SEC emphasized that it filed a record 755 enforcement actions in FY 2014, and that these cases “included a number of first-ever cases, including actions involving the market access rule, the ‘pay-to-play’ rule for investment advisers, an emergency action to halt a municipal bond offering, and an action for whistleblower retaliation.”

Fighting Against the SEC’s Administrative Hearings


Prior to the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Securities and Exchange Commission’s authority to impose penalties in a case brought as an administrative proceeding was restricted to regulated entities. The SEC could not impose a significant civil penalty in an administrative proceeding against anyone else. That limited administrative proceedings to cease-and-desist proceedings against broker-dealers, investment advisers, and mutual funds. The alternative to an administrative proceeding before an SEC administrative law judge was a lawsuit brought in federal court.

Dodd-Frank changed that with its Section 929P. The SEC may now impose a civil penalty in an administrative proceeding against any person or company.

Administrative proceedings have many built-in advantages for the SEC: limited discovery, no right to a jury trial, an inherently biased administrative law judge, and a biased appeal to the SEC commissioners. The SEC has the “home court” advantage. According to a Wall Street Journal story, in the 12 months through September, the SEC won all six contested administrative hearings where verdicts were issued, but only 11 out of 18 federal-court trials.

There is an upside to the administrative proceeding. Some defendants will see it as a quicker or less costly proceeding.

One defendant thinks otherwise and has filed suit against the SEC in defense of an upcoming administrative proceeding. Joseph Stillwell runs an investment fund that is under investigation by the SEC. He received a Wells Notice and expects his case to end up as an administrative proceeding now that settlement talks have stalled.

A second defendant in a separate case also challenged an administrative proceeding. Jordan Peixoto was accused by the SEC of insider trading, but the SEC decided to use its new administrative proceeding alternative to federal court. Unlike Stillwell, Peixoto was not subject to SEC registration. The only other time the SEC has acted in this manner was with Rajat Gupta.

There is a constitutional question raised by each case. Each raises concerns about due process and presidential appointment powers. Since the SEC is an independent agency, the SEC commissioners can only be removed for good cause. The administrative judges also have tenure and can only be removed for cause. Prior federal cases have only permitted one level of tenure, not the two levels for the SEC administrative judges.

There is an ethical question. The administrative judges are appointed by the SEC and any appeal of a judge’s decision goes to the SEC commissioners. Since it takes a vote of the SEC commissioners to proceed with an enforcement action, those commissioners are hearing the appeal of the case they authorized in the first place. The judges are not held to any code of conduct or code of ethics. The Peixoto complaint calls the proceeding a “star chamber” where the accused is defenseless.

Peixoto also pointed to a statement by the SEC’s general counsel that called into question the adequacy of the administrative process for insider trading cases.

Sources: