Friday, April 25, 2014

CYBER-SECURITY—RED HERRING OR RED ALERT?

With all the high profile data breaches lately (Target, Chase, Michael’s Stores, American Express etc.), it was inevitable that FINRA and the SEC, along with the State regulators, would not only talk about cyber-security and issue notices and rules regarding it, but would also make it a priority. They now have and you better be ready.

On April 15, the SEC Office of Compliance Inspections and Examinations (OCIE) published a risk alert on cyber-security. The tone of the alert is ominous to say the least:

“OCIE’s cyber-security initiative is designed to assess cyber-security preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cyber-security governance, identification and assessment of cyber-security risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber-security threats.”

There is no doubt that cyber-security is lacking in the financial services industry and that clients’ data may certainly be at risk. However, an initiative like this spells trouble, in the form of extra work and costs, for the industry as a whole. For evidence of that, simply review the appendix to the alert that provides a sample document/examination request that will be used by the SEC. As you read through the items, try and figure out how your firm would answer if asked. Please don’t assume this will be limited to the selected 50 broker/dealers and investment advisers because it won’t be. FINRA already included cyber-security in its 2014 exam priorities and issued a Targeted Exam Letter in January of this year. State regulators never like to be late on an issue so expect inquiries from them either directly or during upcoming exams.

With so much regulatory focus on this issue, what should small and medium investment advisers and broker/dealers do? If you’ve ruled out opening a restaurant in the Bahamas, we recommend the following steps:

  1. Do a risk assessment of your current cyber-security. Meet with the principals of your firm and review the appendix as a group, answering as many questions as possible. If you have an IT department or consultant, they should participate. If you have an outside compliance consultant, they should be there as well;
  2. Produce an action plan related to how you will bridge the gaps you have identified. If your IT and/or compliance consultant hasn’t been involved yet, get them involved during this step. You will need to rank the risks by severity and also do a cost analysis for each as these solutions can sometimes be quite expensive;
  3. Implement your plan. Documentation of the solutions you identify and implement is critical if you are called to defend your measures prior to full implementation. This is a developing area that is being emphasized but the regulators, believe it or not, will often take into account risk identification and solution design and not just demand total compliance day one. Waiting for them to come in and tell you what to do is not the best option;
  4. Update your Compliance Manual and/or Written Supervisory Procedures. These updates will certainly not be as detailed as your IT plan but should reflect the systems and solutions you have implemented. At a minimum, annual updates are required.

Cyber-security is and should be serious business. Red Oak Compliance Solutions stands ready to assist you in your efforts to evaluate your risks and implement solutions. Please call us at 888.302.4594 or email us at info@redoakcompliance.com to discuss these important issues.

Sunday, April 20, 2014

Firm to Pay $3.75 Million Fine for Failing to Store Emails in Proper Format

Barclays Capital Inc. self-reported to FINRA that it failed to preserve electronic business-related records in non-rewritable, non-erasable format (also referred to as “Write-Once, Read-Many” or “WORM” format). Specifically, Barclays reported that it failed to retain countless attachments to emails sent through Bloomberg L.P., and failed to retain approximately 3.3 million instant messages (“IMs”) communicated through Bloomberg.

Although Barclays performed conformance testing and validation in connection with its records management program, the testing did not focus on the format in which the records were being stored or on software malfunction. The firm relied on a software program to save the electronic messages for retrieval, but a configuration error in that program went undetected for three years: the program failed to associate attachments with subsequently processed emails that included the same attachment, and instead saved those attachments as parsed text, which was not WORM compliant. Barclays estimated it generated 500,000 emails on a daily basis. Since the software program was functioning according to its default settings (which were improperly configured), no alerts were generated indicating that the program had malfunctioned. IMs were not saved into their database due to a similar software program malfunction.

As related to these issues, Barclays failed to establish and maintain an adequate Written Supervisory Procedures compliance document along with an adequate system to avoid such failures. Further, the firm did not have an individual or group at the Firm that was responsible for preparing Written Supervisory Procedures aimed at WORM compliance, and did not have auditing specifically designed to verify WORM compliance. Written Supervisory Procedures must be reasonably designed to achieve compliance with applicable securities laws and regulations.
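The two failure modes described above (an attachment seen a second time was retained only as parsed text, and a count of messages silently never reached the archive) are exactly what vendor-default conformance testing missed. The following added example, which is not Barclays’ or any vendor’s code and uses constructed sample records and a hypothetical `worm_binary` storage label, shows the shape of an independent audit: recompute a hash of every retained attachment against the original bytes, flag any attachment not stored as an immutable binary object, and reconcile the archived message count against the source count so a gap raises a finding instead of staying silent.

```python
"""Independent archive audit (added example, constructed data).

Recomputes SHA-256 of retained attachments against the originals, flags
non-WORM storage kinds, and reconciles message counts so that a silent
archiving misconfiguration produces findings rather than nothing.
"""
import hashlib
from dataclasses import dataclass

# Hypothetical label the archive would report for an immutable binary object.
WORM_KIND = "worm_binary"


@dataclass
class SourceEmail:
    msg_id: str
    attachments: dict  # filename -> raw bytes as originally sent


@dataclass
class ArchivedEmail:
    msg_id: str
    attachments: dict  # filename -> (stored bytes, storage kind reported by archive)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_attachments(sources, archive):
    """Compare every source attachment with what the archive actually retained.

    Returns a list of (msg_id, filename, finding) tuples; empty means clean.
    """
    findings = []
    by_id = {rec.msg_id: rec for rec in archive}
    for src in sources:
        rec = by_id.get(src.msg_id)
        if rec is None:
            findings.append((src.msg_id, "*", "message_missing"))
            continue
        for name, raw in src.attachments.items():
            entry = rec.attachments.get(name)
            if entry is None:
                findings.append((src.msg_id, name, "attachment_missing"))
                continue
            stored, kind = entry
            if kind != WORM_KIND:
                # Parsed text or any other derived form is not the record itself.
                findings.append((src.msg_id, name, "non_worm_storage:" + kind))
            elif sha256(stored) != sha256(raw):
                findings.append((src.msg_id, name, "content_mismatch"))
    return findings


def count_gap(expected: int, archived: int) -> int:
    """Messages the source system produced but the archive does not hold."""
    return expected - archived


# Constructed sample: the same PDF is sent twice, and a third message is lost.
PDF = b"%PDF-1.4 constructed sample report\n"
SOURCES = [
    SourceEmail("m1", {"report.pdf": PDF}),
    SourceEmail("m2", {"report.pdf": PDF}),  # repeat attachment, the dedup path
    SourceEmail("m3", {"memo.txt": b"constructed memo"}),
]
ARCHIVE = [
    ArchivedEmail("m1", {"report.pdf": (PDF, WORM_KIND)}),
    ArchivedEmail("m2", {"report.pdf": (b"constructed sample report", "parsed_text")}),
    # m3 never reached the archive
]


def run_audit():
    return audit_attachments(SOURCES, ARCHIVE)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING", finding)
    gap = count_gap(expected=100, archived=97)  # constructed IM counts
    if gap > 0:
        print("FINDING", ("ims", "*", f"count_gap:{gap}"))
```

The audit deliberately ignores the archive’s own success status and recomputes everything from the source side, because a misconfigured default that "works" will never alert on itself; feeding it repeat attachments is what exercises the deduplication path the text says went untested.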

Due to the failures and violations stated above of Exchange Act Rule 17a-4, NASD Rules 3110 and 2110 and FINRA Rules 4511 and 2010, in December 2013 Barclays agreed to pay a $3.75 million fine and accept a censure.

Further information on this settlement of the alleged rule violations is accessible by clicking here.

Necessary Preparation for NFA Exams

Without proper preparation and an adequate compliance program, the National Futures Association (NFA) Exam can be burdensome and lead to NFA disciplinary action. Beginning in 2013, many investment advisers to registered funds and controlled foreign corporations (CFCs) are now required to register as commodity pool operators (CPOs) and become members of the NFA. The NFA will examine a newly registered CPO within the first year and other CPOs every three to five years; though CPOs may be examined more frequently as deemed necessary based on NFA review of assets under management, financial statements, advertising materials, and customer complaints.

The NFA sometimes makes a surprise on-site visit, but usually the NFA contacts the CPO by phone two weeks prior to the on-site examination of the CPO and then sends an initial document request list. This list usually requests the CPO’s (1) CFTC compliance policies and procedures, financial records, organizational documents, investor records, and performance advertising; (2) lists of principals and associated persons, sub-advisers and other fund service providers, futures commission merchants, and swap dealers; and (3) trade blotter, a list of securities held by each fund, and a description of brokerage arrangements.

The NFA staff will then take a week or so to conduct an on-site review of the CPO’s business and investment activities, and will focus on the review of: (1) the CPO’s compliance policies and procedures, and the CPO’s resulting compliance with rules and procedures including NFA rules, the CFTC’s Harmonization Rules, recordkeeping, reporting, etc.; (2) the CPO’s annual self-examination process; (3) CPO advertising materials; and (4) proper registration of CPO employees. If the NFA determines the CPO is potentially violating NFA rules, a written report will be issued and ultimately an enforcement action by complaint may be issued to the CPO.

CPOs should be prepared for a possible NFA examination at any time, by maintaining updated compliance documents, conducting the annual self-examination, and conducting a mock NFA examination. Once the CPO becomes aware of a pending NFA examination, the CPO should contact a consultant with expertise about the NFA’s examination process and have the consultant review information and documents before submittal to the NFA. The consultant should review e-mails and other communications. Whether or not to divulge information that may be protected by attorney-client privilege should be determined on a case-by-case basis. A log of documents provided to NFA staff should be maintained. The CPO should contact its external auditor, as accounting issues may arise during examination. The CPO should advise employees about the NFA staff’s visit, and designate a senior officer to serve as an “exam liaison” with the NFA staff and advise the other employees the “exam liaison” will provide all the information to NFA staff and should be present during any discussions and interviews with NFA staff. All questions and document requests/submittals should be directed through the “exam liaison”. NFA staff should be provided with workspace and a pleasant work environment, as well as prompt responses to assure integrity and competence of the CPO.