Wednesday, November 13, 2013

It’s Time to Revisit Business Continuity Planning

Hurricane Sandy tested the capabilities of contingency planning along the east coast and prompted the SEC’s National Exam Program (NEP) to review the BCPs of about 40 advisers. The NEP wanted to see how Hurricane Sandy impacted the processing of securities transactions (order taking, order entry, execution, allocation, clearance and settlement) as well as delivery of funds and securities, client relations, financial and regulatory obligations and technology.

They found that insufficiently comprehensive BCPs and those that do not provide for mobile or remote access by employees are often ineffective. BCPs that concentrate technology, facilities and operations in one geographic region are vulnerable to local and regional disruptions. BCPs that do not maintain information about suppliers and vendors, including contact information, are less effective in dealing with business disruptions. And do-it-yourself systems maintenance is seldom effective.

The NEP also confirmed that BCPs created through collaboration between compliance and all business lines and operations units tend to be more effective, and that BCPs that give employees the ability to work remotely can be more effective than those that do not. BCPs should include an inventory of critical vendors (ranked according to risk), and vendors should be asked about their contingency plans. BCPs should provide for proactive initiation of backup or alternative sites and facilities and should consider locating backup or additional facilities on a different power grid or in another geographic location. And redundant or mobile connectivity to the internet is an important consideration.

The core message of the Risk Alert and the Joint Publication issued by the SEC, the Commodity Futures Trading Commission (CFTC) and the Financial Industry Regulatory Authority (FINRA) is that BCPs should be the result of careful and comprehensive planning, thorough preparation, strategic redundancy and geographic diversity applied to critical supply chain providers, good internal and external communications and testing.

If you have any questions about this article or want to make certain your business continuity plan is up to the challenge, please call Red Oak Compliance today. We are here to help.

New SEC Rule 506(d) Disqualifying Private Placement Securities Offerings if “Bad Actors” are Involved

As of September 23, 2013, the new Securities and Exchange Commission (SEC) Rule 506(d) is in effect. It disqualifies Rule 506(b) and (c) private placement securities offerings if certain “bad actors” are involved. Disqualification causes the private placement exemption to be lost, so the issuer is deemed to have engaged in an unregistered public offering and investors gain the right to rescind their investment for a year. Private placement participants should amend and enforce their written policies and procedures to address this matter, as proper due diligence will be a “defense” against disqualification.

The people covered by the “bad actor” disqualification in private placement securities offerings include the investment managers (including sub-advisors), general partners or managing members of a fund, and their principals and officers. Other covered persons include any officer involved in the private placement, the placement agent, the issuer, other compensated solicitors, and each of their respective directors, executive officers, and holders of 20 percent of the voting securities of such entities.

Only “bad actors” who commit “bad acts” after September 23, 2013 are disqualified. “Bad acts” of registered representatives of broker-dealers should already be disclosed on their Central Registration Depository (CRD). Though there are some exceptions, each disqualifying bad act and its corresponding look-back timeframe are as follows:

  1. Regulation A bad-actor stop-orders. 5 years.
  2. U.S. Postal Service false representation orders. Longer of 5 years or duration of order.
  3. CFTC orders (bar or final orders) relating to violations of any law or regulation that prohibits fraudulent, manipulative or deceptive conduct. Longer of duration of final order or 10 years from final order.
  4. SEC disciplinary orders that suspend or revoke such person’s registration as a broker, dealer, municipal securities dealer or investment adviser, limit such person’s activities, functions or operations, or bar such person from association with any entity or from participating in an offering of penny stock. Duration of the order.
  5. Suspension or expulsion from membership or association with a national securities exchange or FINRA. Duration of the suspension or expulsion.
  6. Criminal convictions in connection with the sale of securities or making false statements to the SEC. Issuers: 5 years. All others (including issuer executive officers and directors): 10 years.
  7. SEC orders prohibiting future violations of any scienter-based anti-fraud provision, including Sections 5 and 17(a) of the Securities Act, and Section 10(b) of the Securities Exchange Act. 5 years from date of order.
  8. Court orders, judgments or decrees in connection with the purchase or sale of securities or in connection with the business of an underwriter, broker, dealer, municipal securities dealer, investment advisor. 5 years.
  9. Final orders of certain regulators, including state securities commissions, state banking authorities, state insurance commissions, federal banking agencies or the National Credit Union Association, which bar the person from: (a) association with an entity regulated by such commission, (b) engaging in the business of securities, insurance or banking, or (c) engaging in saving association or credit union activities. Longer of duration of final order or 10 years from final order based on violation of fraudulent, manipulative or deceptive conduct, if applicable.

Importance of a Robust Compliance Program in a Post-Dodd-Frank World

The SEC Associate Director of Enforcement gave a speech on October 7, 2013 concerning the importance of a robust compliance and ethics program, and the SEC’s role in supporting compliance programs. He noted that the SEC’s Whistleblower Program, created under the Dodd-Frank Act, awarded over $14 million to a single whistleblower in October 2013, and stated that the purpose of the program is to bolster private sector compliance programs. He pointed out that in September 2013 JPMorgan Chase agreed to pay $920 million in total penalties in a global settlement with regulators and acknowledged that it violated the federal securities laws, and that JPMorgan recently announced it was spending billions of dollars and hiring or focusing 5,000 people on compliance/control functions.

The Associate Director went on to emphasize the importance of empowering compliance staff and viewing them as trusted advisors who minimize risk. The SEC considers a company’s compliance program when it decides how to credit an internal investigation. Though the SEC discusses a company’s compliance program during settlement negotiations, the Associate Director expressed his surprise at the lack of compliance culture studies during normal times. Regulators give much more credit when it can be demonstrated that misconduct is an outlier in a compliance-driven culture than when compliance is adopted as a remedial step after investors have suffered losses due to the misconduct. The SEC’s 2001 Seaboard Release laid out a framework that rewards self-policing compliance programs that help ferret out misconduct, and the SEC considers a company’s compliance program as a factor in charging decisions, since the actions of compliance programs make it more likely the problem is caught early.

If you have any questions about this article or want to make certain your compliance program will stand up to an audit, please call Red Oak Compliance today. We are here to help.

Advisory Firms Sanctioned for Compliance Program Deficiencies

On October 23rd, as part of the SEC’s Compliance Program Initiative, the SEC announced the sanctioning of three advisory firms and their officers. All three firms have agreed to settlements and to hire compliance consultants. The SEC National Exam Director Andrew Bowden stated, “After SEC examiners identified significant deficiencies, these firms did little or nothing to address them by the next examination. Firms must fix deficiencies identified by our examiners.”

The SEC sanctioned Modern Portfolio Management and its owners G. Thomas Damasco II and Bryan Ohm for a total of $175,000 in penalties, due to failure to complete annual compliance reviews in 2006 and 2009, and for misleading statements in their investor brochure and website.

The SEC sanctioned Equitas Capital Advisors LLC, Equitas Partners LLC, owner David S. Thomas Jr., and former chief compliance officer Stephen Glisclair for a total of $225,000 in penalties, for failing to adopt and implement written compliance policies and procedures and conduct annual compliance reviews, as well as making misleading disclosures and inadvertent overbilling. The Equitas firms made false and misleading disclosures about conflicts of interest, compensation, and historical performance.

If you have any questions about this article or want to make certain your compliance policies and procedures will stand up to an audit, please call Red Oak Compliance today. We are here to help.

Sunday, November 3, 2013

Investment Adviser Fined By SEC After Hacker Uses E-Mail To Steal Client Funds

We have seen this happen too many times in the last 5 years and hate to see good intentions hurt the firm and the client. This is a valuable lesson in safeguarding your client’s assets, even if it may inconvenience them. The Securities and Exchange Commission has fined a large Massachusetts advisor, GW & Wade, $250,000 for improper custody controls after a hacker used a client's e-mail to have more than a quarter million dollars transferred to a foreign bank.

GW & Wade had many clients sign blank letters of authorization so that when it needed to transfer funds it could do so without obtaining the client's signature. In some other cases, GW & Wade cut out signatures from previously executed letters of authorization and pasted them on new ones, the SEC said.

The practice enabled an individual to commit fraud against one of their clients. The individual hacked into a client's email account in June 2012 and sent e-mails to GW & Wade instructing them to wire funds to a foreign bank. The individual said he needed the funds that day, but was unable to call in for verification due to being in a meeting, at a funeral, etc.

Since GW & Wade had pre-signed letters of authorization and did not have procedures to confirm the identity of the person making transfer requests, the funds were wired without the client's knowledge or authorization.

The fraud wasn't discovered until three separate wires totaling $290,000 had been sent to a foreign bank. Even though GW & Wade compensated the client for all the losses, they were still negligent and the SEC fined them and required them to hire an outside consultant to review all their compliance policies.

We understand the desire to help the client out and not inconvenience them. However, in today’s world, you have to verify that you are actually doing what the client asked, not what the hacker wants.
