Monday, October 1, 2018

Compliance: Challenges in Client Data, Theft, and Fiduciary Standards

By Cory Roberson, Principal at FIN Compliance and FIN Lancer

Case #1 – Custody, Theft & Client Passwords

September 21, 2018.  The Securities and Exchange Commission (“SEC”) released litigation against a NY-based investment adviser charged with misappropriating approximately $378,000 from his advisory clients.
According to the SEC, the principal “misappropriated his clients' money by, among other things, obtaining internet access to his clients' brokerage accounts.” While doing so, the principal directed transfers to be made directly to his personal accounts and/or those of his affiliated businesses.

Ultimately, the firm was slapped with fines due to improprieties involving seven clients, in violation of Sections 206(1) and 206(2) of the Investment Advisers Act.

Amounts - Client A/B: $110,000; Client C: $196,000; Client D: $40,000; Client E: $24,000; Client F/G: $3,800.

Tips for Compliance
Monitor client transactions and enforce procedures for staff.
Adhere to custody rule provisions (e.g. firms with access to client securities/funds).
Disclose custody safeguards (e.g. firms who direct-debit fees).
Do not accept password access to client brokerage accounts.
Do not allow client funds to be transferred to personal/business accounts unless it is for fee billing purposes.
Disclose any conflicts of interest to clients.

Case #2 – Identity Theft, Data, and Cybersecurity
September 26, 2018.  The Securities and Exchange Commission (“SEC”) settled charges against a Midwest registered investment adviser and broker-dealer (“hybrid firm”) for $1 million due to its “failures in cybersecurity policies and procedures” that ultimately led to numerous client identity thefts.
According to the SEC, the firm violated the Identity Theft Red Flags Rule, which placed thousands of its clients’ personally identifiable information (“PII”) at risk.  Notably, this is the first enforcement case under the Identity Theft Red Flags Rule since its enactment on November 20, 2013.

During an examination, the SEC discovered that hackers had impersonated contractors employed by the firm during telephone conversations over a six-day period in 2016.  In doing so, the online thieves were able to reset and access account passwords for over 5,600 customers.  Shortly afterward, the intruders used the PII to create new online customer profiles and obtain access to documents belonging to several customers.
Ultimately, the commission charged the large firm with a hefty fine for three failures: (1) not applying identity theft procedures to its independent contractors, (2) not spotting the red flags in a timely fashion, and (3) not terminating the hackers’ access to its systems.
Tips for Compliance
Monitor, update, and enforce Identity Theft (“Red Flag”) procedures (as necessary*).
Specify procedures for handling personally identifiable information (“PII”).
Disclose client data safeguards in a privacy policy.
Test the cybersecurity plan/procedures for vulnerabilities.

*Reg S-ID (248.30): procedures required for SEC registrants.
*Reg S-P (privacy policy notices): required for all registrants.

Case #3 – State v. SEC Fiduciary Standards
September 27, 2018.  In the wake of the Department of Labor (“DOL Rule”) debacle, the state of New Jersey is proposing legislation to establish its own fiduciary standards.  Such moves could be problematic if other states also enact their own rules rather than adopting uniform standards from the Securities and Exchange Commission (“SEC”).  The proposal is slated to enter the New Jersey state register on Oct. 15th, ahead of a legislative (waiting) period for public comments.

State v. SEC v. Financial associations—The Regulatory Battlefield

Securities-related associations, such as the Financial Services Institute (“FSI”), expressed support for the revised fiduciary standard proposals drafted by the SEC.  “Did I mention we won the lawsuit,” said FSI President Dale Brown at the FSI Forum in Salt Lake City, in a joyful response to the overruling of the DOL Fiduciary Rule by the 5th Circuit Court of Appeals.  FSI was one of the major opponents of the DOL’s Fiduciary Rule.

Regulatory battles do not end with the fiduciary rule.  Some states, such as Missouri and Louisiana, are attempting to impose their own rules on the Certified Financial Planner (“CFP”) Board and on the use of its designation’s name.  Currently, the CFP Board, as well as the Financial Planning Coalition, is battling such issues with the Louisiana state legislature.

Featured Service:  Compliance Management and Review system
There are three versions available: the Free Version, for those who want to try out a limited version; the Premium Version, for state registrants with basic reporting needs; and the Premium Plus Version, for SEC and state registrants that also require an annual review.

Compliance and Business Management

FIN Compliance ( is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019).  Access all services on one site:


FIN Missions ( provides business support group sessions for other entrepreneurs.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
