SEC Investment Adviser Exam Priorities for 2015 Presented by Bryan Hill on February 12, 2015


Page 1

SEC Investment Adviser Exam Priorities for 2015

Presented by Bryan Hill on February 12, 2015

Page 2

Today’s Presentation Slides Are Available Online:

www.RIA-Compliance-Consultants.com/ExamPriorities2015.html

Page 3

Presentation Disclosures

• RIA Compliance Consultants, Inc. is not a law firm and does not provide legal services or legal advice. A consulting relationship with RIA Compliance Consultants, Inc. does not provide the same protections as an attorney-client relationship.

• This presentation is offered for educational purposes only and should not be considered an engagement with RIA Compliance Consultants, Inc. This presentation should not be considered a comprehensive review or analysis of the topics discussed today. These materials are not a substitute for consulting with an attorney or compliance consultant in a one-on-one context whereby all the facts of your situation can be considered in their entirety.

• Despite efforts to be accurate and current, this presentation may contain out-of-date information. Additionally, RIA Compliance Consultants, Inc. will not be under an obligation to advise you of any subsequent changes.

• Information provided during this presentation is provided "as is" without warranty of any kind, either express or implied, including, without limitation, warranties of merchantability, fitness for a particular purpose, or non-infringement. RIA Compliance Consultants, Inc. assumes no liability or responsibility for any errors or omissions in the content of the presentation.

• There is no guarantee or promise that concepts, opinions and/or recommendations discussed will be favorably received by any securities regulator or result in a certain outcome.

• Communication with today’s webinar presenter is not protected by attorney-client privilege. Please keep questions during this seminar in a hypothetical form. This seminar session and/or the presentation materials may be recorded, copied and/or shared with third parties and/or posted to our public website.

Page 4

Agenda

• Dual BD/RIA or RR/IAR – Fees v. Commissions
• Suitability of Fee Arrangement Recommendation
• 401k Rollovers
• Suitability of Interest Rate-Sensitive Securities
• Abusive Algorithms
• Recidivist Rep
• Branch Offices
• Cybersecurity Best Practices

Page 5

SEC Examination Priorities for 2015: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf

FINRA Examination Priorities for 2015: https://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602239.pdf

Page 6

Dual RIA/BD or IAR/RR: Fees v. Commissions

• SEC: Dual Registered IAR/RR Facing Conflict of Interest When Recommending Fee v. Commission Accounts
http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf

• SEC Requiring in Response to Exam Findings:
o Full Disclosure of Conflict & Financial Incentives
o Written Policies & Procedures for Determining Whether Commission Based B/D or Fee Based RIA Arrangement Is More Suitable for a Client
o Documentation of Client’s Suitability of B/D or RIA Arrangement

Page 7

SEC Exam Example: Fees v. Commissions

• SEC Asserts Dual RIA/BD Failed to Act in Clients’ Best Interest.
• Dual RIA/BD Placed Clients in Fee-Based Advisory Accounts When Client Allegedly Would Have Been Better Off in Commission-Based Brokerage Accounts.
• SEC Requiring Dual RIA/BD:
o Review All Advisory Accounts and Identify Accounts with Insufficient Activity and Services to Support Advisory Fee;
o Consider Whether Appropriate to Reimburse Overcharged Clients; and
o Provide the SEC with Documentation Supporting Reimbursements and Copies of Disclosures Made to Clients.

Page 8

SEC Exam Example: Fees v. Commissions

SEC Broke Down Advisory Accounts as Follows:
• SEC Categorized Accounts by Level of Activity During 24 Month Period:
o Accounts with 10 – 15 Transactions in Each Account;
o Accounts with 5 – 10 Transactions in Each Account;
o Accounts with 1 – 5 Transactions in Each Account; and
o Accounts with 0 Transactions in Each Account.

• SEC Calculated Amount of Advisory Fees Charged During 24 Month Period.

• SEC Compared Advisory Fees to RIA/BD’s Highest Published Commission Rate of $75 plus $0.05 per Share.

• SEC Concluded RIA/BD Placed “X” Clients in Advisory Accounts that Appear Not to Be in Best Interest of Such Clients Since Clients Would Have Paid $500,000 Less in Compensation During the 24 Month Period if Handled through BD as Commission Accounts.

Page 9

SEC Exam Example: Fees v. Commissions

• Dual RIA/BD Asserted Number of Trades in Advisory Account Not Indicative of the Level of Services Since IAR Discusses Portfolio Performance with a Client and Recommends No Changes or Makes a “Hold” Recommendation.

o SEC Reviewed Client Notes of IARs and Concluded Notes Were Not Distinguishable from What Is Typically Maintained by RR Providing BD Services.

o SEC Asserted Client Notes of IARs Did Not Show IARs Provided Continuous and Regular Monitoring and Reallocation of Advisory Accounts.

o SEC Claims Client Notes Indicated that Any Advice Was on an Intermittent or Periodic Basis and Did Not Demonstrate Continuous and Regular Advisory Services.

• Dual RIA/BD Argued Certain Advisory Accounts Were Too New to Make an Investment Recommendation.

o SEC Countered that No Advisory Fees Should Have Been Charged for the Period.

Page 10

Fees v. Commissions: Best Practices

• Require Clients to Sign Disclosure Explaining Advantages & Disadvantages of Advisory Account v. Commission Account & Documenting Why Client Is Selecting Type of Account.

• Develop Exception Report to Identify Advisory Accounts with Few to No Transactions During Period.
o Create Supervisory Procedure to Review Any Advisory Accounts Showing Up on Report.
o Contact IAR & Request Documentation of Continuous Supervision within the Advisory Account.
• Require IAR, Who Seeks to Manage Advisory Account, to Take Discretion and Prepare Written Policies for Investment Selection and Monitoring.
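As an added illustration of the exception report recommended above and of the fee-versus-commission comparison the SEC applied in the exam example on the preceding slides, the Python script below (example code written for this page, not RCC's or the SEC's own tooling) buckets constructed sample advisory accounts by transaction count over a 24-month period, computes what the same trades would have cost at the quoted $75 plus $0.05 per share commission rate, and flags accounts whose advisory fees exceed that figure or that were billed with no activity. The account data, IAR names and the non-overlapping bucket boundaries are assumptions; the slide's own ranges overlap at 5 and 10.

```python
"""Exception report for low-activity advisory accounts (added example).

Constructed sample data; the commission schedule ($75 per trade plus $0.05
per share) and the 24-month window are the figures quoted on the slides.
"""
from dataclasses import dataclass

COMMISSION_PER_TRADE = 75.00      # highest published commission rate (slides)
COMMISSION_PER_SHARE = 0.05
REVIEW_PERIOD_MONTHS = 24


@dataclass
class Account:
    account_id: str
    iar: str
    trade_shares: list      # shares traded in each transaction during the period
    advisory_fees: float    # total advisory fees charged during the period
    months_open: int        # months the account has been open, capped at 24


def activity_bucket(n_trades):
    """Assumed non-overlapping version of the slide's activity categories."""
    if n_trades == 0:
        return "0"
    if n_trades <= 5:
        return "1-5"
    if n_trades <= 10:
        return "6-10"
    if n_trades <= 15:
        return "11-15"
    return ">15"


def commission_equivalent(trade_shares):
    """What the same trades would have cost as commissions in a BD account."""
    return round(sum(COMMISSION_PER_TRADE + COMMISSION_PER_SHARE * s
                     for s in trade_shares), 2)


def review_account(acct):
    n_trades = len(acct.trade_shares)
    commission = commission_equivalent(acct.trade_shares)
    excess = round(acct.advisory_fees - commission, 2)   # positive = client paid more
    flags = []
    if n_trades == 0:
        if acct.months_open < REVIEW_PERIOD_MONTHS:
            flags.append("new account billed before any investment activity")
        else:
            flags.append("no transactions during review period")
    if excess > 0:
        flags.append("advisory fees exceed commission equivalent")
    return {
        "account_id": acct.account_id, "iar": acct.iar,
        "bucket": activity_bucket(n_trades), "trades": n_trades,
        "advisory_fees": acct.advisory_fees,
        "commission_equivalent": commission, "excess": excess, "flags": flags,
    }


def exception_report(accounts):
    """Only the accounts a supervisor needs to review, largest excess first."""
    rows = [review_account(a) for a in accounts]
    return sorted((r for r in rows if r["flags"]),
                  key=lambda r: r["excess"], reverse=True)


def total_excess(rows):
    """Aggregate overcharge across flagged accounts (the SEC's '$X less' figure)."""
    return round(sum(max(r["excess"], 0.0) for r in rows), 2)


# Constructed sample accounts (not real client data).
SAMPLE_ACCOUNTS = [
    Account("A-1001", "IAR-Smith", [200] * 14, 1500.00, 24),
    Account("A-1002", "IAR-Smith", [500, 300, 100], 4200.00, 24),
    Account("A-1003", "IAR-Jones", [], 3000.00, 24),
    Account("A-1004", "IAR-Jones", [1000] * 20, 1200.00, 24),
    Account("A-1005", "IAR-Lee", [], 400.00, 3),
]

if __name__ == "__main__":
    report = exception_report(SAMPLE_ACCOUNTS)
    for row in report:
        print(f"{row['account_id']} ({row['iar']}) bucket={row['bucket']} "
              f"fees={row['advisory_fees']:.2f} "
              f"commission={row['commission_equivalent']:.2f} "
              f"excess={row['excess']:.2f}: {'; '.join(row['flags'])}")
    print(f"Total excess across {len(report)} flagged accounts: "
          f"${total_excess(report):,.2f}")
```

Each flagged row is the starting point for the supervisory follow-up the slide describes: the reviewer contacts the IAR for documentation of continuous supervision, and the excess column is what would be at stake if a reimbursement were later required. Account A-1004 illustrates the other side of the comparison: an actively traded account whose advisory fee is lower than the commission equivalent is not flagged.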

Page 11

Fees v. Commissions: Best Practices (Continued)

• Require IAR Managing Advisory Accounts to Hold Monthly Investment Committee Meetings & Document Such Meetings & Other Examples of Continuous Supervision of Accounts & Positions.

• Require IAR to Send Quarterly Performance Reports to Each Advisory Client.

• Require IAR to Pro-rate First Billing Period so Advisory Fee Doesn’t Start until Account Invested.

• Require Any IAR Who Cannot Document Continuous Supervision as Investment Manager to Use Third-Party Advisory Services.

Page 12

Suitability of Fee Arrangement Recommendation

• “Where an [investment adviser firm] offers a variety of fee arrangements, [the SEC] will focus on recommendations of account types and whether they are in the best interest of the client at the inception of the arrangement and thereafter, including fees charged, services provided, and disclosures made about such relationships.”

• RCC recommends that investment adviser firm should verify and document suitability of recommended fee arrangement relative to other fee arrangements offered by the investment adviser for similar investment advisory services at inception of relationship and periodically thereafter.

Page 13

401k Rollovers

• SEC Examining Sales Practice of RIA Targeting Retirement-Age Workers to Roll Over Employer-Sponsored 401(k) Plan to Higher Cost Investments.

• SEC Examining Whether IARs Are Misrepresenting Professional Credentials When Recommending Roll-Overs.

• SEC Examining Whether IARs Misrepresenting Benefits & Features of Individual Retirement Account.

See http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf

Page 14

401k Rollovers

• Develop 401k Rollover Disclosure for Client to Sign
o Compares 401k Plan & IRA Regarding Issues Such as Investment Options, Fees & Expenses, Services, Penalty-Free Withdrawals, Protection from Creditors, RMDs and Employer Stock
o Discloses RIA’s Conflicts of Interest

• Develop & Implement Supervisory Procedures for Principal to Review & Document Suitability of 401k Rollover to IRA

Page 15

Interest Rate-Sensitive Fixed Income Securities

• Do any client accounts managed by the investment adviser firm have concentrated positions in products that are highly sensitive to interest rates—such as long-duration fixed income securities, high yield bonds, mortgage-backed securities, or bond funds composed of interest rate-sensitive securities?

• Need to document suitability of such interest rate-sensitive securities if interest rates change.

Page 16

Abusive Algorithms

• Need surveillance system to detect whether its automated trading algorithms manipulate the markets, including through layering, spoofing, wash sales and marking the close, among other means

Page 17

Recidivist Rep

• SEC will continue to use its analytic capabilities to identify individuals with a track record of misconduct and examine the firms that employ them.

• SEC exam priorities release doesn’t provide definition of recidivist rep.

• If your investment adviser firm has rep with multiple “Yes” answers to Form U4 Item 14 questions, this might constitute a recidivist rep.

Page 18

Recidivist Rep - Supervision

• Need written heightened supervision plan tailored to specifically address the risks associated with the particular recidivist rep based on his or her prior misconduct and regulatory disclosures.

• Implement and document implementation of written heightened supervision plan.

Page 19

Branch Offices

• SEC will focus on investment adviser firm’s supervision of reps in branch offices, including using data analytics to identify branches that may be deviating from compliance practices of the firm’s home office.

• Recommend conducting an annual branch office audit and annual compliance training for every rep.

• Develop exception reports to monitor activities of branch offices.

Page 20

Not Information Security Experts

• RIA Compliance Consultants Is Not Expert In Information Security or Wire Fraud.
• RIA Compliance Consultants Doesn’t Provide Information Security Risk Assessments or Audits of Information Security Plans.

• RIA Compliance Consultants Offers Following Practices & Techniques for the Attendee to Discuss with His or Her IT & Information Security Staff or Consultants.

Page 21

SEC’s Cybersecurity Request for Information

• In April 2014, SEC’s Office of Compliance Inspections and Examinations Issued Risk Alert

• Initiative to Assess Cybersecurity Preparedness of Securities Industry

• Sample Request for Information Available: http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf

• SEC Cybersecurity Examination Sweep Summary: http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

Page 22

Best Practices – Physical Security

• Secure all entrances/exits.
• Require all visitors to check in at central location, require vendors to present photo ID, require all visitors wear guest badges and only allow visitor access to office areas with confidential client information on an escorted basis.
• Utilize secure server room or secure/lock down servers.
• Utilize security service or alarm system for office during non-business hours (if possible assign unique PINs to each employee).
• Utilize recorded video surveillance
– covering at minimum entrance/exits during non-business hours
– covering server(s), server room & file room (24 x 7)
– store recorded video offsite or in secret location within office (not server room)

Page 23

Best Practices – Physical Security

• Conduct background checks on all employees including unlicensed staff
• Require vendors (e.g. maintenance & janitorial services) to conduct background checks of workers
• Develop rules ensuring reasonable restrictions upon physical access to records with confidential client information
• Store records with confidential client information in locked facilities, secure storage areas or locked files
• No open files with confidential client information on desks when not present
• Require employees to secure client files at end of day
• When possible, use alternatives in place of social security numbers & account numbers

Page 24

Best Practices – Physical Security

• Require shredding of all paper records which reference confidential client information.
– If third party utilized for shredding, obtain confirmation that shredding has occurred.

• Require physical destruction of hard drives of any computers and printers before disposing of devices.

• Encourage employees to report suspicious or unauthorized use of confidential client information

Page 25

Best Practices – Hardware

• Inventory all physical devices
– device name & type, serial no., purchase date, user’s name and name of any other devices/networks synchronized/connected and whether device stores or has access to confidential client information
• Install and promptly update firewalls, anti-spam, anti-malware and anti-virus software on every server, computer, laptop, tablet and mobile telephone.
– Update security patches for operating systems.
– Consider utilizing systems that can require and monitor that all devices are updated independent of employee.
• Utilize software for the tracking of lost/stolen hardware.

Page 26

Best Practices – Hardware

• Back up daily and store offsite any mission critical data on hardware.
• Remove/restrict/secure open USB ports and CD-ROM drives on hardware
– Protect against introduction of malware into system or misappropriation of confidential client info via USB memory stick

Page 27

Best Practices – Portable Devices

• Require employees to utilize company owned portable devices to access or store confidential client information
– Prohibit or discourage use of company owned portable devices for personal use

• Require password to access, use of auto-lock (after inactivity) and encryption of portable devices with confidential client information such as laptops, tablets, mobile telephones or USB memory sticks.

• Require portable device to use secured Internet connection to access confidential client information over Internet (no free WiFi at hotel or airport).

• If possible, utilize software or features on portable device allowing for data to be wiped remotely in event lost or stolen.

• Utilize software which allows for the tracking of a lost or stolen portable device.

Page 28

Best Practices – Passwords

• Require use of unique password – do not permit use of same password throughout systems.

• Require the unique password to be a non-dictionary alpha-numeric password at least 12 characters long (the longer, the better).

• Require reset of password after 120 days.
• Require use of encrypted password manager.
• Require employees not to save passwords for auto-login via web browser or other software.
• Require employees to log out of all online accounts or applications when no longer using or leaving the office.
• Prohibit employees from writing down passwords and posting near computer, in desk or storing in unencrypted CRM.
• Train employees on correct password protocols.
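The checkable parts of this password policy (length, character mix, no dictionary base, no reuse across systems, reset after 120 days) can be enforced in code. The Python below is an added example written for this page, not RCC's tooling or any password manager's API; the word list, the sample passwords and the practice of comparing SHA-256 fingerprints to detect reuse across systems are assumptions made for the demonstration.

```python
"""Password policy check (added example, not RCC's tooling).

Enforces the slide's rules: at least 12 characters, letters and digits, not
based on a dictionary word, not reused on another system, and reset after
120 days. The word list and sample inputs are constructed.
"""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12
MAX_AGE_DAYS = 120
# Tiny constructed word list; a real check would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "advisor", "compliance", "letmein"}


def digest(password):
    """Fingerprint used only to compare passwords across systems (assumed approach)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, other_system_digests=()):
    """Return the list of policy violations (empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    # Strip digits/symbols so "Summer2015!" is still recognised as "summer".
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in DICTIONARY or any(w in letters for w in DICTIONARY if len(w) >= 5):
        problems.append("based on a dictionary word")
    if digest(password) in set(other_system_digests):
        problems.append("already used on another system")
    return problems


def needs_reset(last_changed_iso, today_iso=None):
    """True once the password is older than the 120-day limit (dates as YYYY-MM-DD)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    existing = {"email": digest("xk7-Tq9v#Lm2pZ")}   # constructed: password already in use
    for candidate in ["Summer2015", "xk7-Tq9v#Lm2pZ", "Vq4!mZ81-rTy0cQ"]:
        print(candidate, "->", check_password(candidate, existing.values()) or "OK")
    print("reset needed:", needs_reset("2015-01-01", "2015-06-01"))
```

The dictionary test deliberately strips digits and symbols before comparing, because the common way a "non-dictionary" rule is defeated is a word with a year or an exclamation mark appended; checking the raw string would let "Summer2015!" through.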

Page 29

Best Practices – WiFi Network at Office

• Use office’s WiFi network only for access to Internet
– Do not access RIA’s network from it and do not place it behind the firewall
• Give office’s WiFi network a generic name
– Name of WiFi network shouldn’t reveal firm’s identity
• Require complex password to access office’s WiFi network
• Set WiFi network router to WPA2 encryption
• Require pre-approval of devices on WiFi network
– IP address needs to be programmed into the router
– only an option if not making available to guests

Page 30

Best Practices – Network

• Map all network resources, connections and data flows (including where confidential customer information is created, updated or stored).
• Separate from Internet with firewalls and web filtering proxies, and monitor with anti-virus and intrusion detection systems.
• Restrict an employee’s access to areas of network and confidential client data based upon employee’s job function.
• Require unique (not used anywhere else), non-dictionary, long password to access network.
• Consider two-factor authentication (password plus PIN or dynamic ID number) for access to network if highly sensitive information stored there.
• Set server(s)/computers to automatically require re-login after 5 minute period of inactivity.
• Require employees to lock computer when stepping away from work space.
• Automatically lock network access to login after multiple unsuccessful attempts.

Page 31

Best Practices – Email

• Prohibit emailing of any confidential client information which is not encrypted.
• If not utilizing encrypted documents/email, recommend utilizing secured client portal to transmit any document with confidential client information.

• Using email surveillance tools – spot check whether employees complying with this requirement.

• Educate employees on risk and require them to exercise caution when opening attachments from known and unknown sources, clicking on links within emails or entering user IDs and passwords on pages arrived at via clicking upon a link.
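The spot check described on this slide can be automated. Below is an added example written for this page (not RCC's tooling or any specific email surveillance product) that scans constructed outbound messages for social security number and account number patterns, treats messages sent encrypted as compliant, and redacts each hit so the report itself does not reproduce the confidential data. The sample messages, sender addresses and the two regular expressions are assumptions; a production check would use the firm's own account number format.

```python
"""Outbound e-mail spot check for unencrypted confidential client information
(added example, not RCC's or any vendor's surveillance tool).

Scans constructed sample messages for SSN and account-number patterns and
reports only unencrypted hits, with the matched value redacted to its last
four digits so the report itself does not leak the data.
"""
import re

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Matches "account no. 88123456", "acct # 12345678", "account number: 123456"
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|#|number)?\s*[:#]?\s*(\d{6,})\b", re.IGNORECASE),
}


def redact(value):
    """Keep only the last four characters so reviewers can match records."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(msg):
    """Return findings for one message; encrypted mail is compliant and skipped."""
    if msg["encrypted"]:
        return []
    text = msg["subject"] + "\n" + msg["body"]
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append({"message_id": msg["id"], "sender": msg["from"],
                             "type": kind, "value": redact(value)})
    return findings


def spot_check(messages):
    """Run the scan over a sample of outbound mail and flatten the findings."""
    return [f for m in messages for f in scan_message(m)]


def senders_to_retrain(findings):
    """Distinct senders with at least one unencrypted hit, for follow-up training."""
    return sorted({f["sender"] for f in findings})


# Constructed sample messages (addresses use the reserved .test TLD).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "iar1@example-ria.test", "encrypted": False,
     "subject": "Application follow-up",
     "body": "Hi Pat, I entered your SSN 123-45-6789 on the new account form."},
    {"id": "m2", "from": "iar2@example-ria.test", "encrypted": True,
     "subject": "Statement", "body": "Account no. 77001234 statement attached."},
    {"id": "m3", "from": "ops@example-ria.test", "encrypted": False,
     "subject": "Transfer", "body": "Please confirm account no. 88123456 before Friday."},
    {"id": "m4", "from": "iar1@example-ria.test", "encrypted": False,
     "subject": "Quarterly review", "body": "Report attached; call at 3:45 on 2015-02-12."},
]

if __name__ == "__main__":
    hits = spot_check(SAMPLE_MESSAGES)
    for h in hits:
        print(f"{h['message_id']} from {h['sender']}: {h['type']} {h['value']}")
    print("senders to retrain:", senders_to_retrain(hits))
```

Message m4 is included to show the false-positive boundary: a time and an ISO date contain digit groups separated by hyphens and colons, but neither matches the word-bounded SSN pattern, so the report stays limited to genuine hits.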

Page 32

Best Practices – Cloud Computing

• Require confidential client information be encrypted while in transit to the cloud computing service provider – look for “https://” in URL.
• Require cloud computing service provider to keep RIA’s data confidential and refrain from using it for its own purposes.
• Require the cloud computing service provider to implement firewalls, socket security features, electronic audit trails and intrusion-detection systems.

• Require cloud service provider to encrypt RIA’s data stored on the cloud server.

• Require cloud computing service provider to notify RIA of security breach related to RIA’s data.

• Require cloud computing service provider to notify of subpoena and refrain from producing until RIA has time to respond.

Page 33

Best Practices – Cloud Computing

• Require cloud computing service provider to have multiple data site locations with automatic data replication between sites.
• Require cloud computing service provider’s data site locations be managed 365 days a year/24 hours a day by IT staff and equipped with fully redundant ISPs, networks, servers, storage, power and cooling, and security infrastructure.

• Require the cloud computing service provider to provide cloud computing services in accordance with SSAE 16 (formerly known as Type 2 SAS 70) standards and audit.

• Require the cloud computing service provider have a business continuity and disaster recovery plan which is tested at least annually.

Page 34

Best Practices – Cloud Computing

• Require method for restoring data accidentally deleted.
• Limit each user’s access to confidential client information based upon job function.
• Set limits on each user with respect to ability to delete and download data & set alerts on downloads by a particular user.
• Require the cloud computing service provider have a business continuity and disaster recovery plan which is tested at least annually.

• Require cloud computing service provider to return any confidential client data to investment adviser upon termination (including for failure to pay for services by investment adviser or bankruptcy of cloud computing service provider).

Page 35

Best Practices – Vendors

• Conduct initial due diligence of service providers to ensure ability to protect confidential client information.
• Contracts should require service providers to protect confidential client information.
• Obtain certification that each service provider has a written comprehensive info security program which is tested annually.

• If vendor has access to RIA’s network, RIA needs approval, logging and controls related to vendor’s access to network.

Page 36

Best Practices – Terminated Employees/Vendors

• Terminated employee/vendor must return all records containing confidential client information.
• Terminated employee/vendor’s physical & electronic access must immediately be blocked.
o Require terminated employee/vendor to surrender all keys, IDs & codes that permit access to premises. Cancel/reset any codes/PINs/passwords and re-key any locks as necessary.
o Block terminated employee’s remote access to voice mail, email & Internet

• Advise applicable clients, employees and third parties that terminated employee/vendor is no longer affiliated with or working on behalf of RIA.

o Consult with legal counsel about how to avoid slander/defamation.

Page 37

Best Practices – Testing, Due Diligence & Training

• Internally test at least annually whether employees are complying with information security program.

• Engage IT consultant to conduct an information security audit or risk assessment.

• Internally test, at least annually, the business continuity plan that may be activated due to a cybersecurity incident.

• Conduct ongoing due diligence, at least annually, on cloud computing providers with confidential client information and any vendors with access to confidential client information.

• Conduct mandatory information security training for all employees at least annually.

Page 38

Best Practices – Insurance Coverage

• Carefully review existing professional errors and omissions insurance for coverage and exclusions related to cybersecurity and wire fraud.
– Consulting with an attorney specializing in insurance coverage may be necessary.
• Retain insurance broker to find cybersecurity insurance policy to supplement E&O policy.
– Carefully review scope of coverage and exclusions in order to avoid lack of coverage for cybersecurity or wire fraud incident.

Page 39

Thank You

Bryan Hill
President
RIA Compliance Consultants, Inc.
877-345-4034 x 101

[email protected]