SEC Alerts Investors, Industry on Cybersecurity

Washington D.C., Feb. 3, 2015 — The Securities and Exchange Commission today released publications that address cybersecurity at brokerage and advisory firms and provide suggestions to investors on ways to protect their online investment accounts.

“Cybersecurity threats know no boundaries.  That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC,” said SEC Chair Mary Jo White.  “Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

One publication, a Risk Alert from the SEC’s Office of Compliance Inspections and Examinations (OCIE), contains observations based on examinations of more than 100 broker-dealers and investment advisers.  The examinations focused on how these firms:

  • Identify cybersecurity risks
  • Establish cybersecurity policies, procedures, and oversight processes
  • Protect their networks and information
  • Identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors
  • Detect unauthorized activity

“Our examinations assessed a cross-section of the industry as a way to inform the Commission on the current state of cybersecurity preparedness,” said OCIE Director Andrew Bowden.  “We hope that investors and industry participants will also benefit from what we have learned.”

The second publication, an Investor Bulletin issued by the SEC’s Office of Investor Education and Advocacy (OIEA), provides core tips to help investors safeguard their online investment accounts, including:

  • Pick a “strong” password
  • Use two-step verification
  • Exercise caution when using public networks and wireless connections

“As investors increasingly use web-based investment accounts, it is critical that they take steps to safeguard those accounts,” said OIEA Director Lori J. Schock.  “This bulletin provides everyday investors with a set of useful tips to help protect themselves from cyber-criminals and online fraud.”


SEC to Conduct “Presence Exams” on Never-Examined Advisors

Exam chief Bowden expects SEC exam priorities list to be released next week

The Securities and Exchange Commission will conduct “presence” exams of never-examined advisors this year, and will also focus its exam efforts in three areas: protecting investors, particularly those in or near retirement; market structure issues like cybersecurity; and using data analytics to identify those engaged in illegal activity, the agency’s exam chief, Andrew Bowden, said Wednesday.

Speaking Wednesday at the Practising Law Institute’s Hedge Fund Compliance & Regulatory Challenges 2015 conference in New York, Bowden said that he expects the SEC’s exam priorities list to be released next week, and that the SEC’s Office of Compliance, Inspections and Examinations will “expand” the presence exams it used to examine newly registered private fund advisors to never-examined advisors.

The Financial Industry Regulatory Authority released its exam priorities letter Tuesday.

OCIE announced last February that it would zero in on advisors who have never been examined and conducted an exam sweep of such advisors through its Never-Examined Advisor Initiative. The initiative was directed at never-examined advisors registered with the SEC for three or more years.

Bowden said in September that advisors in the never-examined advisor category total about 1,000, and that 225 firms have been examined thus far, with “more [exams] underway.”

The Dodd-Frank Act, passed in 2010, required advisors to many private funds to register with the SEC by March 30, 2012. OCIE announced in October 2012 that it would be conducting “presence” exams of private fund advisors.

Excluded from the never-examined advisor initiative, however, were advisors to private funds, which are being examined pursuant to the “Presence Exam” initiative launched in October 2012.

Under the presence exams for private fund advisors, which are more narrowly focused than a traditional exam, Bowden said Wednesday that examiners performed close to 400 exams, “the number we wanted,” which satisfied OCIE’s goal of examining 25% of the new private fund registrants by the end of 2014.

“We will expand that [presence exam] process to other segments,” Bowden said Wednesday. “We have a similar initiative for never-examined advisors in 2015; we are going to try and get out to a number of those advisors” in 2015.

Bowden said the presence exams, which typically take two-thirds of the time of a typical exam and zero in on specific issues, helped to “inform future initiatives,” which includes the agency focusing heightened scrutiny on alternative mutual funds.

Alternative mutual funds, Bowden said, are “where the money is going,” and of the more than 500 funds that now exist, “nearly half of them have been around for three years or less.” The “newness” of the funds as well as the fact that some of the funds have been launched by those who are in the private fund arena, and “may not have experience with alternative strategies,” warrants heightened scrutiny of this area, he said.

Source:  Waddell, Melanie, Think Advisor, January 7, 2015

Proposed Rule To Require Investment Advisors to Adopt Business Continuity and Succession Plans

The North American Securities Administrators Association (NASAA) has proposed a model rule requiring investment advisers to create and implement written procedures to address business continuity and succession planning in the event of the owner’s and other key personnel’s untimely departure or incapacitation or a natural disaster.

The proposal seeks to ensure that advisers (especially small firms) fulfill their responsibilities under state securities laws to maintain business continuity, protect clients from interruptions in an investment adviser’s business, and mitigate client harm in the event of a significant business interruption. While the proposal is still in the commentary period, it is fully expected that it will become a regulatory requirement in 2015 and waiting until it is required could prove disastrous for your firm.

The NASAA’s proposal includes Model Guidance which covers a variety of issues that should be considered by investment advisers in developing business continuity and succession plans. Smaller firms should focus on the issues unique to their smaller size as well as the risks associated with their particular firm. The Model Guidance is broad and is designed to allow investment advisers to tailor their business continuity and succession plans in a manner cost-effective to their business models.

Compliance Advisers encourages you to read the proposed rule and to consider how an effective succession plan is necessary to protect your clients and your firm.  And, we can help.

Contact Compliance Advisers regarding your succession plan before it’s too late. We can help you prepare your own customized Disaster, Continuity or Succession plan.

New Entitlement Process for Firms Changing Their SAA

Effective November 19, 2014, FINRA will implement new controls to enhance the security of the entitlement process for firms seeking to replace their Super Account Administrator (SAA) or update a current SAA’s information. If your firm is not seeking to change its SAA or update the name or email address of the current SAA, no action is required at this time.

Under the new entitlement process, firms must complete an Update/Replace SAA Form to replace or update the name or email address of their current SAA. This new form is not available online and must be requested by an Authorized Signatory of your organization by contacting FINRA’s Gateway Call Center.

MSRB Proposes Professional Qualification Standards for Municipal Advisors

The Municipal Securities Rulemaking Board (MSRB) today filed a proposal for approval from the Securities and Exchange Commission (SEC) to create baseline standards of professional qualification for municipal advisors.

The proposed amendments to the MSRB’s existing Rule G-3 on professional qualifications establish two classifications of municipal advisor professionals, representative and principal, with firms required to designate at least one principal to oversee the municipal advisor activities of the firm. The proposed rule change also will require each municipal advisor representative and principal to take and pass a qualification test.

FINRA Set to Intensify Scrutiny of Broker Dealer Cybersecurity Practices

FINRA to Intensify Scrutiny of Cybersecurity Practices at Brokerage Firms

November 4, 2014

By Reginald J. Brown, Zachary I. Schram, Wilmer Hale

Reuters recently reported that the Financial Industry Regulatory Authority (FINRA) “plans to intensify its scrutiny of cybersecurity practices at brokerage firms in 2015 and is hiring technology savvy examiners to help boost its efforts.” FINRA’s addition of examiners focused on cybersecurity is one of the most recent in a series of steps taken by regulators and trade groups to evaluate and harden defenses against cyber-attacks.

  • In January, FINRA issued Targeted Examination Letters to assess firms’ management of cybersecurity threats. The letters addressed:
    • approaches to information technology risk assessment;
    • business continuity plans in case of a cyber-attack;
    • organizational structures and reporting lines;
    • processes for sharing and obtaining information about cybersecurity threats;
    • understanding of concerns and threats faced by the industry;
    • assessment of the impact of cyber-attacks on the firm over the past twelve months;
    • approaches to handling distributed denial of service attacks;
    • training programs;
    • insurance coverage for cybersecurity-related events; and
    • contractual arrangements with third-party service providers.
  • In April, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” announcing steps being taken by OCIE to assess cybersecurity preparedness in the securities sector. The Risk Alert included a list of sample questions seeking information related to a wide range of cybersecurity issues, including:
    • identification of risks/cybersecurity governance;
    • protection of firm networks;
    • risks associated with remote customer access and funds transfer requests; and
    • detection of unauthorized activity.
  • In October, the Securities Industry and Financial Markets Association (SIFMA) published “Principles for Effective Cybersecurity Regulatory Guidance,” providing regulators with the industry’s perspective of how to best protect financial industry operations and clients from cyber-attacks. SIFMA’s principles include:
    • financial services cybersecurity guidance should be harmonized across agencies;
    • agency guidance must consider the resources of the firm;
    • effective cybersecurity guidance is risk-based and threat-informed; and
    • financial regulators should engage in risk-based, value-added audits instead of checklist review.
  • Yesterday, the Federal Financial Institutions Examination Council issued a summary of the results of its cybersecurity assessment of over 500 community banks and a recommendation that all regulated financial institutions join the Financial Services Information Sharing and Analysis Center.

FINRA’s effort to bolster its cybersecurity examination capability is further evidence of intense and growing concern—in Congress, and among regulators, trade groups and customers—about industry-wide vulnerabilities. In this environment, it is essential that brokerage firms be prepared for both increasingly sophisticated cyber-threats and heightened regulatory scrutiny.


SEC Publishes Frequently Asked Questions about Liability of Compliance and Legal Personnel at Broker-Dealers


Broker-dealers may choose to structure their supervisory and compliance systems in different ways. No matter which particular structure is employed, compliance and legal personnel play a critical role in efforts by broker-dealers to comply with legal and regulatory requirements through the implementation of effective systems.

Liability for failure to supervise is a facts and circumstances determination. The purpose of these FAQs is to provide staff guidance to consider in assessing whether particular facts and circumstances result in potential supervisory liability for broker-dealers’ compliance and legal personnel. The Exchange Act does not presume that a broker-dealer’s compliance or legal personnel are supervisors solely by virtue of their compliance or legal functions. Rather, the question is whether compliance or legal personnel have supervisory authority over business units or other personnel outside the compliance and legal departments as could be the case, for example, if a chief executive or operating officer also is the firm’s chief compliance officer. Supervisory authority also can be implicitly delegated to, or assumed by, compliance or legal personnel.

The Commission has stated that ultimately the responsibility for a broker-dealer’s compliance resides with its chief executive officer and senior management. When Commission staff seeks to bring legal actions for failure to supervise, our focus is on the roles and responsibilities of the respective parties. As a general matter, the staff does not single out compliance or legal personnel. Rather we encourage compliance officers and other compliance and legal personnel to take strong and vigorous action regarding indications of misconduct.

Responses to Frequently Asked Questions

Question 1.

Is a chief compliance officer or any other compliance or legal personnel a supervisor of broker-dealer business personnel solely by virtue of the compliance or legal position?

SEC’s No. 1 priority is more adviser examinations

by admin on May 17, 2013

The Securities and Exchange Commission’s top priority is to increase the number of investment adviser examinations it handles every year. How to go about doing that is another question.

“Significant additional coverage is essential if investors are to be appropriately protected,” SEC Chairman Mary Jo White told lawmakers today, pointing out that in fiscal 2012, the agency examined only 8% of registered investment advisers, who now number about 11,000.

After the hearing at the House Financial Services Committee, Ms. White told reporters that the SEC is agnostic about outsourcing adviser regulation to an industry-funded self-regulatory organization.

“What needs to happen is, there needs to be more examination coverage of investment advisers,” Ms. White said, reiterating her main point to lawmakers. “The SEC’s not taken a position on whether that should be through an SRO or additional funding for the SEC. I don’t have a conclusion on that today.”

Source: InvestmentNews

Securities Industry Expert Witness

Compliance Advisers has expanded its services to include Securities Industry Expert Witness services.

After over 2 decades in the industry, Compliance Advisers found that people and companies of any size in the securities and investment industry require testimonies from experts in the field. The field is constantly changing and any case can gain strength and breadth from the words of a reputable and educated testimony.

The best part about Expert Witness services from Compliance Advisers is the range of services you can use. From consultation to review, drafting and testimony, Compliance Advisers will walk you through the process easily and thoroughly.

The areas of expertise include: Broker/Dealer Compliance;  Investment Adviser Compliance; Investment Company Compliance; Net Capital Compliance; Securities Rules & Regulations.

Call Now to get started.

Every case is different and we understand that you need a careful eye and attention to detail. We know that your time is of the essence.

So let’s get started today!

Call 303 795 0400


Compliance Advisers Inc -- Customized Compliance Solutions

While the SEC missed its end-of-the-year deadline for issuing rules for what has become known as “Crowdfunding” of new companies, FINRA has proactively attempted to temporarily fill the regulatory void, by issuing a voluntary form for prospective funding portals.

A mandate for such Crowdfunding structures, aimed at increasing small business investment by easing securities regulations, was laid out in the Jumpstart Our Business Startups (“JOBS”) Act, signed into law in April 2012.   According to George Smaragdis, FINRA’s Director of Media Relations, “FINRA is committed to ensuring that the capital-raising objectives of the JOBS Act are advanced in a manner consistent with Congressional intent and investor protection.”

Those who intend to launch such a portal — which would offer equity in return for individual investments in start-up companies — can use the form to voluntarily submit information to FINRA that will assist FINRA in its understanding of and rulemaking efforts related to Crowdfunding and funding portals.


Debate continues to rage about the potential value of expanding Crowdfunding into the world of issuing securities. The technique has been explosively popular for the funding of charitable endeavors or artistic projects, and many start-ups have used it to draw funding for individual project development — in some cases, to jaw-dropping success.   But the use of Crowdfunding for securities is seen by many as a source of enormous regulatory problems and potential for fraudulent activities.  As a result, much consideration is being given to understanding the funding portal business model in anticipation of new forthcoming rules and regulations.


FINRA’s new form asks applicants to disclose several items, including information about the principals in the portal and whether they have been accused of securities violations or serious crimes.  The form also asks prospective portals for information regarding their ownership, funding, management, business model and relationships.

The information provided at this early stage will not be binding.  FINRA has indicated that information voluntarily provided regarding portal business models will be accorded strict confidence and provide helpful insights toward a better understanding of the funding portal community in its efforts to develop rules specific to funding portals.   Once the SEC has adopted funding portal rules, FINRA says it will issue a final funding portal application for FINRA regulation.


If you intend to act as a Funding Portal under the JOBS Act, contact us for Guidance regarding submission of the Interim Funding Portal Form and registration with FINRA as a Funding Portal.
