For Investment Advisers and Broker-Dealers
DOL issues Cybersecurity Guidance. On April 14, 2021, the U.S. Department of Labor (“DOL”) Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance directed towards ERISA plan sponsors and ERISA fiduciary advisors. While the guidance appears similar to the SEC’s advice, there is one noticeable difference: the DOL says firms “should” have a reliable annual third-party audit of security controls. As part of this audit, EBSA expects to see audit reports, audit files, penetration test reports, and any other analyses or reviews of cybersecurity practices. EBSA also wants documented corrections of any weaknesses identified in the independent third-party analyses. What are the implications for firms subject to this guidance? Will the DOL consider it a breach of fiduciary duty if a firm does not hire a third party to conduct an audit of its security controls? Can a firm do this assessment internally? Time will tell if this is a best practice or a requirement.
In addition to the third-party review, the DOL provided these best practices that ERISA plan service providers “should” follow:
- Implement a well-documented cybersecurity program.
- Conduct a prudent annual cybersecurity risk assessment.
- Clearly define and assign information security roles and responsibilities.
- Establish robust access control procedures.
- Ensure that any assets or data stored in a cloud or with a third party are subject to appropriate security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Establish an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data stored and in transit.
- Implement strong technical controls that meet best security practices.
- Respond to any past cybersecurity incidents.
The DOL guidance was published in three separate pieces: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries. Contributed by Glenn R. Skreppen, Senior Compliance Consultant.
Updates to State Senior Laws & Resources. Recent modifications to Arkansas’ state statute expand protections for investors against financial exploitation. Arkansas Code § 23-42-309 was modified as of April 1, 2021, to protect vulnerable persons in addition to persons over sixty-five years of age. The law also permits broker-dealers and investment advisers to delay transactions and disbursements if exploitation is suspected.
More states are enacting legislation to protect senior and vulnerable investors. Investment advisers and broker-dealers need to be aware of the legal requirements for each state where they do business for dealing with clients they suspect are being financially abused. Some states require mandatory reporting of suspected financial fraud against seniors and vulnerable persons. The law firm of Bressler, Amery and Ross has created and continues to update its Senior and Vulnerable Investors Issues map, with summaries of the requirements for all 50 states. Contributed by Carolyn W. Mendelson, Senior Compliance Consultant.
Form ID Updates. New EDGAR filers with Central Index Keys (“CIKs”) from prior paper filings will no longer rely on the legacy, abbreviated “Convert Paper Only Filer” process to obtain initial EDGAR access codes. These new EDGAR users will now need to submit a Form ID and authenticating documents like all other new filers. The SEC is eliminating the legacy exception to “implement a more uniform and secure process.” The EDGAR Filer Manual has been amended to reflect this change. Contributed by Cari A. Hopfensperger, Managing Director.
For Investment Advisers
NASAA Annual Report on State Registered Advisers. In April, the North American Securities Administrators Association (NASAA) published its Investment Adviser Section Annual Report, highlighting its 2020 activities concerning state-registered advisers. In sum, the report paints a statistical picture of the average state-registered adviser in 2020, reports on a sampling of state approaches to managing through the COVID-19 pandemic, and addresses two major NASAA initiatives – the Investment Adviser Policies and Procedures Model Rule and the Investment Adviser Representative Continuing Education Model Rule.
Unsurprisingly, the “average state-registered IA” continues to be a one- to two-person shop serving retail investors (81%), with advisers that are predominantly registered as investment adviser representatives (95%). Almost half are also insurance agents (48%), and more than one-third are also broker-dealer registered representatives (36%).
NASAA released two model rules in November of 2020, which are available for consideration and optional adoption by all NASAA jurisdictions. The IAR Continuing Education Model Rule would require IARs to complete 12 hours of continuing education per year, including satisfying products, practices, and ethics components. NASAA offers a FAQ for affected firms and their IARs. The IA Written Policies and Procedures Model Rule reads similarly to the SEC’s Advisers Act Rule 206(4)-7 (the “Compliance Program Rule”), applicable to SEC-registered advisers. An accompanying Compliance Grid lists what NASAA feels are many of the most common compliance and supervision issues IAs should consider in their policies and procedures.
Other areas highlighted in the annual report include:
- Cybersecurity – NASAA’s Cybersecurity Checklist and Guidance for Investment Advisers addresses 89 assessment areas to help state-registered advisers manage their cybersecurity efforts and is a helpful reference for any small firm.
- Pandemic Response
  - NASAA reported on its efforts to maintain open communication with state-registered advisers, primarily through alerts and advisories on critical updates, trends, and topics.
  - Ohio, Arizona, and Utah reported “wins” by taking their annual outreach conferences virtual in 2020. Ohio, in particular, reported that it was so successful it plans to retain a virtual component in the future.
  - NASAA encourages state-registered IAs to continue to consider the fallout from the pandemic with specific emphasis on their business continuity and succession planning, cybersecurity and the protection of client information, and supervision efforts. Contributed by Cari A. Hopfensperger, Managing Director.
For Private Funds
2021 Cayman CRS (and FATCA) Updates – Do You Know Your Reporting Requirements? The Department for International Tax Cooperation (DITC) of the Cayman Islands announced that the deadline for filing the 2019 and 2020 common reporting standard compliance form (“CRS Compliance Form”) is extended to September 15, 2021. Filings are facilitated utilizing the DITC portal. The portal was offline after the original December 16, 2020, deadline passed but was back online in May.
It is important to note that the CRS Compliance Form, introduced in April 2020 via DITC industry advisory, differs from “CRS reporting” and is in addition to the CRS reporting obligations of entities identified as financial institutions (“FIs”) and domiciled in the Cayman Islands.
The CRS Compliance Form requires entities to provide profile and financial account data and identify the responsible parties for their AML/KYC obligations and their CRS processes. The CRS process requires the entity to confirm that they have adequate procedures to meet their obligations under the CRS Regulations. Before completing the annual CRS Compliance Form, financial institutions should ensure that they are periodically reviewing their CRS policies and making any requisite updates. Additionally, firms should ensure that their AML/KYC obligations are met, whether internally or by a third party. If internal, the financial institution should have adequate resources to meet those obligations. If delegated, the firm should conduct a periodic review of the third party.
The deadline for CRS reporting and FATCA returns is July 31, 2021. The DITC portal began accepting both CRS reporting and FATCA returns in May. Additionally, if your firm formed a Cayman Islands “FI” in the calendar year of 2020, you must register that entity before processing any CRS or FATCA returns. The registration deadline was April 30, 2021. Firms that did not meet this deadline should contact the Cayman Islands DITC for assistance. Contributed by Denise D. Alfieri, Managing Director.
Do Your Options Procedures Need Work? FINRA issued Notice 21-15 to remind broker-dealers of their obligations under Rule 2360, related to the establishment and supervision of options accounts. Introducing broker-dealers can use this checklist to help determine if their policies and procedures could use a minor upgrade. (Note: The following is not intended to be a complete list and does not guarantee compliance with all of the rules regarding options accounts.)
☐ Procedures state that options account rules apply to self-directed accounts as well as those accounts to which a registered representative makes recommendations.
☐ Procedures address the qualifications and restrictions necessary for a branch office location to conduct an options business.
☐ Procedures specifically identify the principal qualifications necessary to approve/disapprove accounts for options trading.
☐ Procedures outline the customer due diligence process, including all information that must be collected before deciding to approve/disapprove an account for options trading.
☐ Procedures identify criteria for account approval at each level of options trading.
☐ Procedures prescribe how the written approval/disapproval of an account for options trading will be documented.
☐ Procedures identify the person or entity responsible for delivering the Characteristics and Risks of Standardized Options (“ODD”) and the manner of delivery.
☐ Procedures document the process related to customer account agreements and the verification of customer background and financial information.
☐ Procedures document the requirements to exercise discretionary power concerning trading option contracts in a customer account.
☐ Procedures detail specific requirements outlined in FINRA Rule 2360(b)(16)(E) when writing Uncovered Short Option Contracts, including the party responsible for delivery of the Special Statement for Uncovered Option Writers (“Special Written Statement”) and the manner of delivery.
☐ Procedures address the handling and recording of options-related complaints.
☐ Procedures require specific supervisory reviews of options accounts covering:
- The compatibility of options transactions with investment objectives and the types of transactions for which the account was approved;
- The size and frequency of options transactions;
- Commission activity in the account;
- Profit or loss in the account;
- Undue concentration in any options class or classes; and,
- Compliance with the provisions of Regulation T of the Federal Reserve Board.
Firms can leverage this opportunity to review their policies and procedures and determine if they remain reasonably designed to ensure compliance with the applicable rules. Contributed by Rochelle A. Truzzi, Managing Director.
Can You Pass This Quiz Regarding the Use of Predispute Arbitration Agreements? In Regulatory Notice 21-16, FINRA reminds members of their responsibilities when using predispute arbitration agreements for customer accounts.
- FINRA Rules require customer disputes first to be arbitrated under the FINRA forum. True or False?
False. Customer disputes may be resolved through a private arbitration forum or by civil litigation. See Endnote 2 of Notice 21-16.
- When a customer signs an agreement that contains a predispute arbitration clause, agreeing to arbitrate any disputes through private arbitration, the customer waives his/her right to request arbitration at FINRA. True or False?
False. Customers do not forfeit the right to request arbitration at FINRA, despite having signed an agreement specifying another dispute resolution process. See Endnote 2 of Notice 21-16.
- Predispute arbitration agreements may not limit the ability of a party to file any claim in arbitration or court, but they may require arbitration hearings to be held in the state where the Firm’s main office resides. True or False?
False. A Firm cannot dictate the location of arbitration hearings as this does not comply with FINRA Rule 12213. See Endnote 6 of Notice 21-16.
- Disclosures alerting customers that the agreement contains a predispute arbitration clause must appear at which place in the agreement: (a) As a footnote at the bottom of the page where the arbitration clause appears; (b) Immediately preceding the predispute arbitration clause; (c) On the Disclosure Page of the Agreement as long as the text is prominently displayed, or (d) immediately preceding the customer signature line. Select all that apply.
(b) and (d). See FINRA Rule 2268.
- What two references must appear in any predispute arbitration disclosure that does not appear immediately preceding the arbitration clause?
The disclosure must indicate at what page and paragraph the arbitration clause is located.
- Within thirty days of signing, a copy of the agreement containing a predispute arbitration clause must be provided to the customer, who shall acknowledge receipt on the agreement or on a separate document. True or False?
True. See FINRA Rule 2268(c).
- Certified class actions may be arbitrated through the FINRA forum, but not putative class actions. True or False?
False. See FINRA Rule 2268(f).
- A firm may not limit a customer’s right to pursue class actions in court. True or False?
True. See FINRA Rule 12204.
- What is required if a Firm wishes to modify the statute of limitations for submitting arbitration claims under the predispute arbitration clause?
A firm is not permitted to shorten or lengthen the statute of limitations to submit an arbitration claim. The Code of Arbitration Procedure for Customer Disputes grants authority to determine eligibility to the Arbitrator or Panel. See FINRA Rule 12206.
- Indemnity Provisions are permitted in predispute agreements but are limited only to recovering the firm’s legal costs resulting from the Firm’s violations of the securities laws or FINRA rules. True or False?
False. See Endnotes 17 and 18 of Notice 21-16.
If you got them all correct, congratulations! If you missed 1-2, not bad. If you missed three or more, your assignment is to read both the regulatory notice and FINRA Rule 2268 in their entirety. Contributed by Rochelle A. Truzzi, Managing Director.