Subject to Inquiry

Subject to Inquiry

THE LATEST ON GOVERNMENT INQUIRIES AND ENFORCEMENT ACTIONS

Government Investigations and White Collar Litigation Group
Financial Institution Regulation

Ready or Not, Prepare to Start Answering Questions About Reg BI Compliance

By Emily P. Gordy, Cheryl Haas, Alexander Madrid and Aline McCullough

On June 5, 2019, the SEC adopted Regulation Best Interest (“Reg BI”), which requires broker-dealers and associated persons to make recommendations regarding securities transactions (or investments involving securities) that are in the “best interest” of their retail clients. The SEC also adopted Form CRS, requiring broker-dealers and investment advisers to provide a brief relationship summary to retail investors, and issued two pieces of guidance regarding investment advisory activities. This Alert focuses largely on Reg BI. While the compliance deadline for Reg BI and Form CRS is not until June 30, 2020, firms should be prepared to shortly begin answering questions from regulators regarding their Reg BI implementation efforts.

Reg BI

Overview

Reg BI has four broad requirements or “Obligations:” (a) a Disclosure Obligation, which generally requires disclosure of relevant facts, (b) a Care Obligation, which generally requires the exercise of reasonable diligence and care, (c) a Conflict of Interest Obligation, which generally requires the implementation of policies and procedures to disclose and/or eliminate conflicts of interest and (d) a Compliance Obligation, which generally requires the implementation of Reg BI policies and procedures.

In order to comply with Reg BI, firms should review and update their procedures, update account information where necessary, evaluate current conflicts of interest, and train registered representatives, supervisors, and compliance personnel on the SEC’s new standard.

Potential Pitfalls – Watch Out

While we will not attempt here to capture all of the issues that firms must address in implementing Reg BI and Form CRS, we identify below certain potential pitfalls in Reg BI compliance. In particular, there are areas in Reg BI that may look very familiar to concepts with which firms are already familiar. Do not be fooled. There are critical differences.

  1. Recommendations: “Strategies,” “hold recommendations,” and “account recommendations” are all concepts that have existed, at a minimum, since FINRA Rule 2111 and the ensuing guidance was issued. Note, however, that in the Reg BI context, there can be an “implicit hold” recommendation when, for instance, the firm or associated person agrees to perform account monitoring services (i.e., silence can be a recommendation). Furthermore, if there is no agreement to perform account monitoring, but the associated person voluntarily undertakes such a review, that is not considered account monitoring but any recommendation arising from that review will be subject to the best interest standard.
  2. Dual Registrants: There are a number of nuances to consider when appropriately implementing Reg BI when the firm and/or the associated person is a dual investment adviser/broker-dealer registrant. Because Reg BI will only apply to the broker-dealer activities of a dual registrant firm, it will be important and potentially challenging for firms to clearly identify the activities that are subject to Reg BI.
  3. Disclosure: There are several questions that a firm/individual must consider when approaching the Reg BI disclosure obligations. For example, (a) how is the disclosure accomplished and when (i.e., at or before the recommendation)?, (b) to what extent will Form CRS disclosures satisfy the disclosure obligations?, (c) what is a material conflict of interest?, (d) are oral disclosures ever okay and if so, what are the requirements?, and (e) can the firm or individual refer to myself as an “advisor” or “adviser?”.
  4. Care Obligation: At first glance, the components of the Care Obligation look a lot like the three components of the Suitability Obligation in FINRA Rule 2111. However, while, like FINRA Rule 2111, there is a reasonable basis requirement, a customer specific requirement, and a quantitative (number of transactions) requirement, Reg BI requires much more than FINRA Rule 2111. In particular: (a) Firm must exercise reasonable diligence and skill to understand the potential risks, rewards, and costs (this includes assessing incentives, expected returns, and other factors), (b) With regard to the specific retail customer for whom the recommendation is made, the firm and associated person must have a reasonable basis to believe that the recommendation is in the customer’s best interest AND that it does not place the firm’s interest ahead of the customer, and (c) If a series of transactions is recommended, that strategy must be in the best interest of the customer and, with regard to this obligation, the biggest difference is that the series of transactions is evaluated without regard to whether the associated person exercises actual or de factor control over the account.
  5. Conflict of Interest Obligation: Under Reg BI, firms are required to have written policies and procedures that not only ensure disclosure conflicts of interest but that (a) Identify and disclose or eliminate conflicts, (b) Identify and mitigate conflicts creating an incentive to place interests ahead of the customer, (c) Identify and disclose if there is a limited product menu, and (d) Identify and eliminate certain sales contests, quotas, bonuses and non-cash compensation that are based on specific products or types to be sold within a specific time period.
  6. Compliance Obligation: This Obligation mandates that firms establish, maintain, and enforce written policies and procedures designed to achieve compliance with Reg BI. Because firms are very familiar with requirements to adopt compliance policies and procedures, particularly broker-dealer firms complying with FINRA Rule 3110, they may be inclined to not take this obligation as seriously as some of the others. However, the Compliance Obligation is a reminder that: (a) It is critical that this compliance program be reviewed periodically to assess whether changes are needed and (b) The SEC takes its policy and procedure requirements very seriously. In the past, in the broker-dealer context, FINRA has handled enforcement of policy and procedure deficiencies, because the SEC’s supervision cases were based on actual failures to supervise as opposed to procedural deficiencies. This Obligation provides a clear avenue for the examination and enforcement staff to take action if there a compliance program and procedural failures. Firms can expect that the SEC Staff will not be silent where compliance programs do not adequately address Reg BI.
  7. Firm Obligations vs. Individual Obligations: In the release adopting Reg BI, the SEC Staff emphasizes that the Conflict of Interest and Compliance Obligations apply only to firms, while the Care and the Disclosure Obligations apply to both the firms and the associated persons. With respect to the Conflict and Disclosure Obligations, a firm has responsibility for developing, maintain, and enforcement written policies and procedures, the firm must be vigilant in reasonably exercising those responsibilities. We have seen many cases in recent years where the regulators have brought enforcement actions against those with the same responsibilities when the program had material failures or gaps.                 

Early Examination Inquiry and Potential Enforcement Implications

As the primary regulator of broker-dealers, FINRA will be tasked with the leg work of Reg BI enforcement. FINRA will likely not wait until the effective date of Reg BI these requirements to begin asking firms about their Reg BI compliance efforts. Rather, FINRA will want to ensure that its member firms are prepared for this sea change in regulatory compliance obligations and requirements.

At a recent industry conference, senior FINRA officials indicated that FINRA will begin asking member firms about their Reg BI preparation efforts as part of its examination program as soon as early next year. While officials framed these examination inquiries as designed in part to identify areas where industry participants may need additional guidance, firms must nevertheless prepare for imminent questions regarding their Reg BI implementation efforts.

Many expect that it is unlikely that FINRA and the SEC will bring formal enforcement cases against firms and individuals in the first year or so following the compliance deadline. However, if firms fail to make an effort to comply with Reg BI or disregard issues a regulator identifies in a firm during an examination or otherwise, we would expect the SEC and FINRA will not hesitate to bring enforcement actions.

Firms will not only face scrutiny from the SEC and FINRA in connection with the subject matter of Reg BI. It is expected that the states, many of which have already passed, or are in the process of passing, their own more stringent fiduciary statutes and regulations, will be more proactive on the enforcement front in this space. Regardless of where a state may be with their own legislative action in this space, they could pursue actions when firms or individual registered representatives are not complying with Reg BI obligations. Furthermore, while the Department of Labor’s Fiduciary Rule, which sought to impose a fiduciary standard of conduct for registered representatives working with retirement accounts, was vacated by the U.S. Court of Appeals for the Fifth Circuit, the DOL has indicated that they expect to issue a revised rule later this year, with changes reflecting a similar approach to Reg BI.

Legal Challenge to Reg BI

On September 9, 2019, seven states and the District of Columbia filed suit against the SEC in the U.S. District Court for the Southern District of New York. The plaintiffs essentially claim that Reg BI is too weak, alleging that it undermines what they deem to be “critical consumer protections for retail investors” and allows registered representatives to continue to give conflicted advice. The plaintiffs seek to invalidate the SEC’s rule, alleging that the SEC exceeded its authority and that Reg BI is arbitrary and capricious under the Administrative Procedures Act.

Investment Adviser Guidance

Simultaneous with its adoption of Reg BI, the SEC approved two pieces of guidance in the investment advisory regulatory sphere.

First, the SEC issued guidance to clarify when a broker-dealer’s activities may qualify under the broker-dealer exclusion from investment adviser registration, which generally exempts a firm from investment adviser registration when such broker-dealer’s activities are “solely incidental” to its broker-dealer activities. In this guidance, the SEC Staff indicates that broker-dealers who have long-term investment discretion will unlikely be able to rely on the broker-dealer exclusion.

Second, the SEC issued guidance that generally expands upon prior SEC Staff guidance regarding an investment adviser’s fiduciary duty. In particular, this guidance provides more detail regarding an investment adviser’s duties of care and loyalty.

Form CRS

Form CRS and its related rules require SEC-registered investment advisers and broker-dealers to both file with the SEC and deliver to retail investors a customer or client relationship summary that meets certain requirements, which summary is intended to assist the customer or client in making decisions regarding its relationship with the adviser or broker-dealer.

If you have not started your Reg BI compliance preparation, Start Now.

 

Financial Institution Regulation, Securities and Commodities

The More Things Change, the More They Stay the Same –Joint Statement by FINRA and the SEC on the Customer Protection Rule and Digital Asset Securities

By Molly White, Emily P. Gordy and Louis D. Greenstein

On Monday, July 8th, FINRA and the SEC took the unusual step of issuing a joint statement on broker-dealer custody of digital asset securities. In doing so, the Staffs of the SEC’s Division of Trading and Markets and of FINRA’s Office of General Counsel made clear that the SEC and FINRA will continue to apply the existing regulatory framework to the rapidly evolving world of digital assets.

The joint statement notified market participants that any entity that buys, sells, or otherwise transacts in, or effects transactions in, digital asset securities, may be subject to federal regulations, including regulations that may require them to register with the SEC as a broker-dealer and become a member of FINRA.

The joint statement focuses on the Customer Protection Rule, noting that any entity that acts as a broker-dealer must comply with that rule. The Customer Protection Rule requires broker-dealers to safeguard customers’ assets and keep them separate from the firm’s assets, which makes it more likely that a customer’s assets will be returned if the broker-dealer fails. Given the potential for cyberattacks on digital assets trading platforms, and given the way digital asset securities are issued and exchanged, the Customer Protection Rule can present challenges to broker-dealers operating in the digital asset space.

FINRA has received New Membership Applications and Continuing Membership Applications from new and existing broker-dealers that wish to engage in broker-dealer activities involving digital assets. The Applications show that broker-dealers are considering two types of business models. Some broker-dealers are considering providing non-custodial services when it comes to digital assets, which means that the broker-dealer would engage in transactions without ever taking custody of the digital assets (for example, by trade-matching or providing introductions).

Other broker-dealers are pursuing a business model that involves custodying assets. The joint statement noted that broker-dealers that wish to custody assets may find it difficult to comply with the Customer Protection Rule. Fundamentally, the unique way that digital asset securities are issued, held, and transferred makes it challenging to comply with the requirements of the Rule, which requires that a good control location is established and verified. There is an increased risk to the assets from cyberattacks and resulting fraud or theft. Further, transfers to unknown or unintended addresses may leave the broker-dealer without a means to reverse the transaction or otherwise recover the assets. The statement also acknowledges that the issues of establishing the existence of the asset, or establishing that it is in a good control location, also present challenges for the firm’s independent auditor in completing the audit and evidencing their review. The staffs of the SEC and FINRA expressed their desire to engage with market participants, as market participants continue to develop technology that might provide solutions to custody issues.

While it is unusual for the SEC and FINRA to issue joint statements, this statement is similar to other SEC pronouncements in the fintech field in that it expresses a desire to engage with, and learn from, market participants, and makes clear that the existing regulatory framework applies to this rapidly evolving field.

Financial Institution Regulation

SEC Adopts Regulation Best Interest

By Emily P. Gordy and Kiran V. Somashekara

On June 5, 2019, the Securities and Exchange Commission adopted, by a 3-1 vote, Regulation Best Interest (“Reg BI”) which, in the words of Chairman Clayton, would “substantially enhance the broker-dealer standard of conduct beyond existing suitability obligations.” The Chairman also noted: “the standard of conduct draws from key fiduciary principles and cannot be satisfied through disclosure alone.”

The Commission also passed the new Form CRS Relationship Summary and two interpretations under the Investment Advisers Act of 1940 (the “Advisers Act”). According to the Commission, the newly-adopted rules and interpretations are designed to (1) enhance and clarify the standards of conduct applicable to broker-dealers and investment advisers, (2) help retail investors better understand services offered and make informed choices regarding the relationship best suited to their needs and circumstances, and (3) foster greater consistency in the level of protections provided by each regime, particularly at the point in time that a recommendation is made.

According to the Commission, under Reg BI, broker-dealers will be required to act in the best interests of retail customers when making investment recommendations and may not put their financial interests “ahead of the interests of a retail customer when making recommendations.” Reg BI includes the following components:

  • Disclosure Obligation: Broker-dealers must disclose to retail customers the capacity in which the broker is acting, fees, the type and scope of services provided, conflicts, limitations on services and products, and whether the broker-dealer provides monitoring services.
  • Care Obligation: A broker-dealer must exercise reasonable diligence, care and skill when making a recommendation to a retail customer, with a clear understanding of potential risks, rewards, and costs associated with the recommendation.  The broker-dealer must then consider these factors in light of the retail customer’s investment profile and ensure that the recommendation is in the retail customer’s best interest, including the costs of the recommendation.
  • Conflict of Interest Obligation: The broker-dealer must establish, maintain, and enforce written policies and procedures reasonably designed to identify and, at a minimum, disclose or eliminate conflicts of interest.  Those policies and procedures must (1) mitigate conflicts that create an incentive for financial professionals to place their interests or those of the firm ahead of the customer’s interests, (2) prevent limitations on offerings from causing the firm or its financial professionals to place their interests or the interests of the firm ahead of the customer’s interest, and (3) eliminate sales contests, quotas, bonuses and non-cash compensation based on the sale of specific securities or specific types of securities within a limited period of time.
  • Compliance Obligation: Broker-dealers must establish, maintain and enforce policies and procedures reasonably designed to achieve compliance with Reg BI as a whole.

The Form CRS Relationship Summary will require SEC registered investment advisers and broker-dealers to provide retail customers straightforward and easy-to-understand information describing the nature of a customer’s relationship with their financial professional.

The Commission also issued two interpretations. First, the Commission issued an interpretation that reaffirmed and clarified its views of the fiduciary duty owed by registered investment advisers to their clients. Second, the Commission issued an interpretation that more clearly defined the “solely incidental” exclusion under the Advisers Act, which delineates when a broker-dealer’s performance of advisory activities causes it to become an investment adviser. The interpretation provides practical guidance by noting that exercising investment discretion over customer accounts and account monitoring are activities that would be beyond “solely incidental” to brokerage activity.

The new measures did not pass without controversy. Commissioner Robert Jackson cast the lone dissenting vote. At the Open Meeting and in a written statement, Commissioner Jackson stated that, while he hoped the new rules would leave “no doubt that investors come first,” the newly adopted rules create a “muddled standard” and “simply do not require that investors’ interests come first.” Earlier this year, a group of former SEC economists criticized the economic analysis underlying Reg BI as “weak and incomplete” for (1) failing to properly identify the specific problem(s) to be addressed by the rule, (2) inadequately discussing existing economic literature relating to financial advising, and (3) relying too heavily on advisers disclosing material conflicts of interest “without requiring advisers to provide a single, easy-to-digest periodic the retail customer’s actual cost of managing her funds.” Investor advocacy groups have also criticized Reg BI for (1) “making it easier for brokers to advertise themselves and weaken protections that currently apply under state fiduciary standards,” and (2) failing to require the elimination of conflicts of interest or to impose a fiduciary obligation on broker-dealers.

The documentation approved by the Commission on June 5th totals more than 1,400 pages. As the industry, counsel, consultants, other regulators, and other stakeholders wade through the materials, additional assessments will be provided.

Practical Considerations

The Commissioners, the Chairman, and the staff stressed the importance of continuing to review and assess the scope of the newly-adopted requirements and to assist firms with their implementation efforts. To facilitate effective and responsive engagement, the Commission is creating an inter-Divisional Standards of Conduct Implementation Committee. The Commission encouraged firms to engage with the Committee as questions arise during implementation. The Commission also has set up a “mailbox” to receive questions by email (IABDQuestions@sec.gov).

Reg BI and Form CRS will become effective 60 days after they are published in the Federal Register, and will include a transition period until June 30, 2020.  By that date, registered broker-dealers must begin complying with Reg BI and broker-dealers and investment advisers registered with the Commission will be required to prepare, deliver to retail investors, and file a relationship summary. The interpretations will become effective upon publication in the Federal Register.

Should you wish to discuss requirements and/or implications of Reg BI, Form CRS Relationship Summary or newly issued statutory interpretations, please contact any of the authors or any of McGuireWoods’ securities enforcement and regulatory attorneys.

 

Compliance

North American Securities Administrators Association (NASAA) Releases Model Cybersecurity Rule

By Alexander Madrid, Emily P. Gordy and Cheryl Haas

On May 21, the North American Securities Administrators Association (NASAA)—an organization comprised of 67 securities regulators within the United States (all fifty states as well as districts and territories), Canada, and Mexico—released a model cybersecurity rule package governing state-registered investment advisors’ cybersecurity and privacy practices.  The model rule package, which would need to be adopted by an individual state so as to become law in that jurisdiction, provides a structure for how state-registered investment advisers must design their information security policies and procedures. Continue Reading

Energy Enforcement

FERC Rescinds Notice of Alleged Violation Policy

By Todd Mullins and Christopher McEachran

This week, the Federal Energy Regulatory Commission (“FERC”) issued an order rescinding its Notice of Alleged Violation (“NAV”) Policy. The NAV Policy was put in place by a 2009 order and authorized FERC’s Office of Enforcement Staff (“OE staff”) to ask the FERC Secretary to issue a public NAV at the stage of the investigation after the subject has had a chance to respond to OE staff’s preliminary findings. This usually happened at about the time staff sought settlement authority from the Commission in order to potentially resolve the matter. The NAV was a very short document stating that FERC staff had preliminarily determined that the named subject had violated a FERC rule, oftentimes FERC’s anti-Market Manipulation rule. FERC investigations typically begin non-publicly and frequently remain that way—especially if FERC decides not to charge subjects with violations. Often the NAV was the first public notice of the case.

The NAV Policy was initially and nominally put in place to add transparency to the process for cases that would possibly proceed past investigation and provide an opportunity for members of the public to come forward with information that might be relevant to the case and evaluate their own conduct in light of the allegations set out in the NAV. But, those theoretical benefits came at a very real price: damning public disclosure of the allegations against the subject before any adjudicative process that might allow a public defense or a settlement that would put the matter into a final context. In the ensuing years, the practice came under increasing criticism in the industry and the bar.

FERC is now abandoning this step because, per its own analysis, it has not worked out as intended. FERC last issued an NAV in April 2018, after which it announced settlements in other cases without NAVs, so it appears that in practice FERC had already abandoned its NAV Policy. After ten years of the NAV Policy in practice, FERC has concluded that “the potential adverse consequences that NAVs pose for investigative subjects are no longer justified” based on the limited information brought to FERC’s attention through the NAV process. FERC also claimed the need for publicly-supplied information has been reduced, as FERC’s own investigative methods have improved in the intervening decade through the addition of a slew of data driven analytical tools to FERC’s arsenal.

FERC’s re-visitation of this matter and change of course are, in our view, a sign that good government is at work. The publicly-issued NAV has been a major area of frustration for investigation subjects—especially those expecting to settle their cases. In practice, the NAV would issue once OE had obtained settlement authority but before any settlement had been finalized. Investigation subjects were thus forced, as a practical matter, to sit idly by while the news of their (alleged) bad acts was announced in the NAV, unable to make any public pronouncements for fear of disrupting the settlement negotiations. With the NAV step removed, subjects of an investigation will be able to announce their “positive” news of a settled (and final) investigation together with the negative news of the alleged bad acts.

Even subjects who expected they might not settle suffered—because they usually and correctly recognized that there was not a practical way to respond publicly to a very cryptic statement that had yet to be formally and fully advanced as an allegation by the Commission. Some subjects of NAVs never ended up being charged or settling so their names were needlessly publicized (as FERC’s order candidly recognized). All that will now stop. That is good.

Most subjects suffered real and lasting negative consequences from the reputational harm associated with these NAV disclosures. As against all of these downsides for subjects, FERC’s order recognizes what has long been known in inside and outside FERC: that the expected benefits of the NAV Policy never materialized. So, for companies and individuals that find themselves under investigation by FERC, this comes as welcome news. No longer will the NAV be the first public word of alleged violations unaccompanied by context-setting settlement or other expressions that can at least somewhat be influenced by the investigation subject.

Securities and Commodities

D.C. Circuit Vacates SEC Sanctions, Says Negligent Omissions Are Not ‘Willful’ Under Advisers Act

By Anitra T. Cassas, Emily P. Gordy, Cheryl Haas and Amanda J. Goldstein

On April 30, the U.S. Circuit Court of Appeals for the District of Columbia Circuit vacated a Securities and Exchange Commission order imposing sanctions. The court held that an investment advisory firm and its owners did not violate Section 207 of the Investment Advisers Act of 1930, 15 U.S.C. § 80b-7, by negligently omitting material facts from the firm’s Form ADV. (See Robare Group, Ltd., et al. v. SEC, No. 16-1453.)

In September 2014, SEC Enforcement charged the petitioners, The Robare Group and its two principals, with violations of Sections 206(1), 206(2) and 207 of the Advisers Act, alleging that they willfully failed to disclose a revenue-sharing arrangement through which the firm received compensation when its clients invested in certain mutual funds. After an administrative law judge dismissed all charges, the SEC reviewed the case de novo and determined that, while the record did not support a finding of scienter, the petitioners violated: (i) Section 206(2) of the Advisers Act by negligently failing to disclose the revenue-sharing arrangement adequately to customers and (ii) Section 207 of the Advisers Act by failing to disclose the revenue-sharing arrangement to the SEC on the firm’s Form ADVs. As a result, the SEC imposed a $50,000 civil monetary penalty on each of the petitioners.

The petitioners appealed the decision to the D.C. Circuit, arguing, inter alia, that “the Commission erred in ruling that [the petitioners] violated Section 207 of the Advisers Act by willfully omitting material information about the [revenue-sharing arrangement]” despite the lack of substantial evidence to establish that they willfully omitted material facts.

Section 207 of the Advisers Act provides the following: “It shall be unlawful for any person willfully to make any untrue statement of a material fact in any registration application or report filed with the Commission under Section 203 or 204 of the Advisers Act, or willfully to omit to state in any such application or report any material fact which is required to be stated therein” (emphasis added).

While the parties agreed that the term “willfully” in Section 207 required the petitioners to have “intentionally commit[ed] the act which constitutes the violation,” they disagreed over what constituted “the act.” Specifically, the petitioners took the position that a violation of Section 207 requires an intentional misrepresentation or omission of a material fact, whereas the SEC asserted that an adviser violates Section 207 by intentionally completing or filing a Form ADV that turns out to contain a material misrepresentation or omission.

The D.C. Circuit held that, while substantial evidence supported the SEC’s negligence-based findings with respect to the Section 206(2) violation, “the Commission’s findings of willful violations under Section 207 based on the same negligent conduct are erroneous as a matter of law.”

In agreeing with the petitioners’ reading of Section 207’s willfulness requirement, the Court stated, “Intent and negligence are regarded as mutually exclusive grounds for liability. Any given act may be intentional or it may be negligent, but it cannot be both” (with internal quotations and citations omitted). Accordingly, the Court held that, in order to violate Section 207, at least one individual must have subjectively intended to omit the material information from the Form ADV.

Thus, the D.C. Circuit found that, because the SEC found there to be no scienter, the SEC could not support a Section 207 violation by the petitioners based on the finding that they negligently omitted the revenue-sharing arrangement from the Form ADV, which did not amount to willful conduct. As a result, the Court remanded the case to the SEC to determine a suitable fine for just The Robare Group’s negligent violation of Section 206(2).

Lessons Learned

The SEC staff is likely evaluating what this opinion means for its enforcement program. Specifically, there is now a significant question about whether this decision upends the long-standing SEC position that administrative proceedings can brought under Exchange Act Sections 15(b)(4) and (b)(6) and Advisers Act Sections 203(e) and (f), which also require a “willfulness” finding, based on just the barest minimum of understanding, as many have said, “not sleepwalking.” In the ubiquitous footnote included in every proceeding instituted under those sections, the SEC states:

A willful violation of the securities laws means merely “’that the person charged with the duty knows what he is doing.’” Wonsover v. SEC, 205 F.3d 408, 414 (D.C. Cir. 2000) (quoting Hughes v. SEC, 174 F.2d 969, 977 (D.C. Cir. 1949)). There is no requirement that the actor “‘also be aware that he is violating one of the Rules or Acts.’” Id. (quoting Gearhart & Otis, Inc. v. SEC, 348 F.2d 798, 803 (D.C. Cir. 1965)).

How the SEC comes out on the question of whether this is still a valid position for them to take in future settlements and litigated administrative proceedings may have a profound impact going forward.

As for the SEC’s immediate consideration for this case and other pending matters, while this finding will make it harder for the SEC to bring Section 207 in the absence of a scienter finding, negligently drafted disclosures may still subject advisers to liability under Section 206(2). Furthermore, while, as noted above, the necessary “willful” finding is a jurisdictional requirement to initiate a proceeding pursuant to Advisers Act Section 203(e), the SEC may still initiate cease-and-desist proceedings pursuant to Section 203(k) of the Advisers Act and obtain monetary penalties. Negligence is enough to bring a cease-and-desist proceeding and obtain a penalty.

In addition, the decision makes it clear that relying on industry standards does notnecessarily serve as a defense to negligence where, as the D.C. Circuit found here, The Robare Group’s principals recognized that the payment arrangement “created potential conflicts of interest and that they knew of their obligation to disclose this information to clients.” (See Robare at 12-13.) The Court determined that the numerous violations of the defendants’ fiduciary duty were unreasonable and thus negligent.

One benefit of the D.C. Circuit ruling is that it may be easier to settle a matter without a finding of willfulness, as statutory disqualification will be avoided. (A finding by the SEC that a person or firm acted willfully is a disqualifying event according to Section 3(a)(39) of the Exchange Act.)

Should you wish to discuss the D.C. Circuit’s decision, please contact one of the authors or any of McGuireWoods’ securities enforcement and regulatory attorneys.

Anti-Money Laundering, Enforcement and Prosecution Policy and Trends, Financial Institution Regulation

Suspicious Activity Monitoring and Reporting – FINRA Issues Notice Consolidating Governmental and Regulatory “Red Flag” Guidance

By Emily P. Gordy and Cheryl Haas

Enforcement actions sanctioning firms and, in a few cases, individuals for failing to investigate and report suspicious activity have been significantly on the rise. SEC, FinCEN, FINRA, and others have been active in this area, particularly with regard to trading at, by, or through the financial institution.  One critical component of a financial institution’s ability to maintain a robust anti-money laundering (“AML”) program and comply with its suspicious activity reporting (“SAR”) obligations is to ensure that the firm actively identifies and timely reviews “red flags” of potentially suspicious activity. What constitutes a “red flag” varies depending on many factors, including the firm’s business, location of the firm and customers, customer activity, and many other factors. Regulators over the years have issued guidance detailing “red flags” for potentially bad activity in an effort to assist firms in developing and enhancing their SAR reporting programs.

Consolidation of “Red Flag” Guidance or One Stop Shopping 

On May 6, FINRA published a Regulatory Notice 19-18 (the “Notice”), which aggregates federal government and other regulatory “red flag” guidance issued over the past 17 years.  Included in the Notice are the “red flags” that FINRA included in its own original notice issued in 2002, Notice to Member 02-21. FINRA issued the Notice to provide “one stop shopping” for firms searching for insights from the government and regulators on what they should monitor.  The Notice lists no fewer than 104 “red flags” compiled in five categories: customer due diligence and interactions with customers, deposits of securities, securities trading, money movements, insurance products, and a catch all (other potential red flags).

Take-Aways

  • Never static – not one-and-done. Firms need to review periodically their AML/SAR programs to assess “red flags” employed to ensure they evolve to reflect new concerns in the industry, new methods by the “bad guys” to use the financial system to engage in illegal activity, and changes at the particular firm that implicate new “red flags.”
  • Not one size fits all. Variations of firms in terms of size, business, model, products, etc. means different “red flags” will be at play.
  • Not an exhaustive list. The 104 “red flags” are examples and not a complete list.  As noted, additional “red flags” will arise based on unique facts and circumstances of the activity at issue. If something appears questionable, follow up.
  • As the slogan says: “if you see something, say something.” SAR reports are extremely valuable resources and information to law enforcement to put the investigative pieces together. The reports have led to many successful law enforcement cases, and firms remain obligated to investigate a red flag and where appropriate file a SAR report.
  • Ignore a red flag at your peril. Of course, the bottom line for financial institutions with SAR reporting obligations: failure to investigate and, if appropriate, file SAR reports exposes the firm to significant sanctions and reputational damage when a regulator identifies the “red flags” and no appropriate follow up.
Securities and Commodities

SEC OCIE Highlights Potential Deficiencies in Firm Privacy Policies

By Emily P. Gordy, Alexander Madrid and Cheryl Haas

On April 16, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers. Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy. The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems. Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.

Regulation S-P requires broker-dealers and advisors to adopt written policies and procedures addressing the protection of customer information and records. These policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information as well as protect against unauthorized access or threats. Additionally, Regulation S-P requires firms to send customers notices regarding the firm’s privacy policies and practices (at the establishment of the customer relationship and then annually thereafter) as well as an “opt out notice” that explains to customers their right to opt out of some disclosures of their non-public information to third parties. Firms that fail to comply with Regulation S-P can be hit with substantial fines; last year the SEC fined a broker-dealer $1 million for failing to maintain adequate safeguards against identity theft.

The Risk Alert highlights examples of common deficiencies or weaknesses that OCIE staff identified related to Regulation S-P in their examinations, which serve as considerations for firms evaluating their own policies and procedures:

  • Failure to Provide Adequate Notices. Some examined firms failed to provide the notices required by Regulation S-P, whereas others provided notices that did not contain required information, such as information regarding a customer’s opt-out right.
  • Lack of Adequate Policies and Procedures. Some firms did not have adequate written policies and procedures addressing customary privacy. The OCIE noted that policies and procedures that simply restate the rules contained within Regulation S-P are insufficient; rather, these documents must actually address the administrative, technical, and physical safeguards the firm has put in place. Similarly, “off the shelf” policies and procedures—which firms sometimes buy from third party vendors—are insufficient if firms do not include detail as to how they are actually being implemented.
  • Poorly Designed or Unimplemented Policies. The OCIE observed that even where firms had written policies and procedures, in some cases they were either not actually implemented or not reasonably designed to meet the requirements of Regulation S-P. The OCIE identified specific areas where firms’ policies and procedures were either poorly designed or not implemented:
    • Personal devices. The OCIE highlighted firms whose employees regularly stored and maintained customer personally identifying information (“PII”) on their personal laptops, but whose policies and procedures did not address how to safeguard that information.
    • Email. Some firms did not have policies and procedures reasonably designed to prevent employees from regularly sending unencrypted emails containing customer PII. Other firms did have such policies but did not provide adequate training to employees or failed to monitor if their policies were actually being followed.
    • Outside Vendors. Some firms failed to follow their own policies and procedures when dealing with outside vendors. The OCIE noted firms that failed to require outside vendors to contractually agree to keep customer PII confidential, even where their own policies and procedures required such agreements.
    • Failure to Identify Systems with Customer Information. Some firms did not inventory all systems on which they maintained customer PII, which the OCIE stated could limit their ability to safeguard that information.
    • Inadequate Incident Response Plans. Some firms’ incident response plans did not address important areas such as actions required to address a cybersecurity incident and assessments of system vulnerabilities.
    • Unsecure Physical Locations and Unauthorized Access. The OCIE noted firms that stored customer PII in unsecure physical locations (such as unlocked file cabinets) as well as cases where customer login credentials had been sent to employees who were not authorized to receive that information.
    • Departed Employees. Finally, the OCIE noted instances where former employees of firms retained access rights to customer PII after their departure.

The Risk Alert serves as a timely reminder to all broker-dealers and investment advisers to review their written policies and procedures, as well as the implementation of those policies and procedures, to ensure they are compliant with Regulation S-P. The Alert also serves as a complement to FINRA’s 2018 Report on Selected Cybersecurity Practices, which set forth FINRA’s observations regarding effective practices that firms have implemented to address cybersecurity risks, including risks related to identity theft.

McGuireWoods’ experienced broker-dealer/investment adviser team will continue to monitor and report on important issues affecting the broker-dealer industry. For more information, contact the authors of this article or any member of the team.

Financial Institution Regulation, Securities and Commodities

Recent New Jersey Rule Proposal Progresses State Efforts to Impose Fiduciary Duties on Brokers

By Kiran V. Somashekara, Alexander Madrid and Amanda J. Goldstein

On April 15, the New Jersey Bureau of Securities (the “Bureau”) issued a rule proposal to establish a uniform fiduciary duty standard applicable to investment advisers, brokers-dealers and their registered representatives and agents.  Specifically, the proposed rule (N.J.A.C. 13:47A-6.4), which could take effect as early as the end of the year, will require all investment professionals registered with the Bureau to provide investment advice, recommend investment strategies, open or transfer assets to any type of account, or make the purchase, sale, or exchange of any security without regard to their company’s (or their own) interest.

While the proposed rule merely codifies the fiduciary duty already owed to customers by investment advisers, it would impose a heightened standard of care on broker-dealers.  Currently, broker-dealers and their representatives are subject to the suitability standard, which requires them to hold a reasonable belief that recommended transactions or investment strategies are suitable for their customers.  If the proposed rule is implemented, brokers will also owe their customers a statutory duty of care and a duty of loyalty, requiring them to make recommendations about securities and provide investment advice “without regard to the financial or any other interest of the broker-dealer, agent, adviser,” or any other third-party.

The Bureau believes the proposed uniform standard will “protect[] investors against abuses that can result when financial professionals place their own interests above those of their customers, will help to reduce confusion, and will work to foster public confidence in the financial profession,” noting that “retail investors do not understand the differences between investment advisers and broker-dealers or the standards of care applicable,” specifically in the context of dual registrants.

Additionally, in an effort to address the Bureau’s concern about incentives (i.e., sales contests), the proposed rule also creates a presumption that the duty of loyalty is breached where an investment professional offers or receives any compensation when recommending or trading in customer accounts securities that are “not the best of the reasonably available options.”

The Bureau’s rule proposal comes as other states, including Connecticut, New York, and Nevada, similarly have proposed new rules and regulations governing the conduct standards of broker-dealers and investment advisers.  The varying state-level approaches have led some financial industry groups to express concerns about “patchwork” state-level regulation and inconsistent conduct standards across state lines.  At the same time, the SEC is expected to finalize its proposed Regulation Best Interest—which would set forth a nationwide standard of conduct—this year.  The interplay between Regulation Best Interest and state-level rules—including New Jersey’s, if codified—could lead to litigation over the preemptive effect of SEC rulemaking in this arena.  Indeed, some industry groups have already argued that state-level laws imposing heightened standards of conduct create implicit or explicit recordkeeping requirements and are thus preempted by the National Securities Markets Improvement Act of 1996, which sets forth recordkeeping requirements for advisers and brokers.  As states codify laws governing brokers and advisers within their jurisdiction, these preemption arguments are likely to come to the forefront.

Practical Considerations

The Bureau is accepting written comments regarding the proposed uniform fiduciary rule through June 14, 2019.  In the meantime, firms conducting securities business in New Jersey should consider reviewing their policies and procedures to assess the need for potential enhancements in anticipation of the heightened standard of care.

Should you wish to discuss (1) the requirements and/or implications of the Bureau’s rule proposal, or (2) submitting comments on the proposal to the Bureau, please contact any of the authors or any of McGuireWoods’ securities enforcement and regulatory attorneys.

Financial Institution Regulation

FINRA Issues New Guidance Regarding Customer Communications Relating to Departing Registered Representatives

By William E. Goydan and R. Andrew Austria

As recognized by new guidance from the Financial Industry Regulatory Authority (FINRA), the departure of a registered representative often prompts customer questions about the departing representative and the continued servicing of a customer’s account. In light of the continued frequency of movement of registered representatives from, or among, member firms, FINRA issued guidance on April 5, 2019, regarding what information it expects member firms to communicate to customers upon the departure of a registered representative.

Pursuant to FINRA Regulatory Notice 19-10, FINRA expects member firms to: (1) promptly and clearly communicate to affected customers how their accounts will continue to be serviced; and (2) subject to privacy and other legal requirements, provide customers with timely and complete answers, if known, to questions about a departing representative.

Under this new guidance, FINRA expects member firms to implement policies and procedures that “assure that the customers serviced by that registered representative are aware of how their account will be serviced at the member firm, including how and to whom the customer may direct questions and trade instructions following the representative’s departure and, if and when assigned, the representative to whom the customer is now assigned at the member firm.” As with all customer communications, FINRA expects that the information provided by member firms about a departing registered representative to be fair, balanced and not misleading.

Practical Considerations

As with any new guidance, firms should review their existing policies and procedures in order to assess the need for potential enhancements. With respect to FINRA’s expectation that firms will have policies and procedures designed to promptly provide information to customers related to the continued servicing of their accounts, a firm’s existing communications program should be reviewed to ensure that all of the necessary information listed above is in fact promptly communicated to customers. Furthermore, firms should also review their policies and procedures (as well as their training programs) regarding how to respond to customer inquiries relating to a departed registered representative. In light of this new guidance, as well as a matter of risk management, firms should consider practices and procedures that ensure consistent and timely responses to customer inquiries concerning a departed registered representative and that take into account applicable privacy and other legal requirements.

While FINRA’s recent guidance will likely become a new point of contention in arbitration and litigation involving departing registered representatives, a firm’s implementation of appropriate policies and procedures will help to mitigate litigation risk, as well as related regulatory inquiries and exposure.

Should you wish to discuss the requirements and/or implications of FINRA Regulatory Notice 19-10, please contact any of the authors or any of McGuireWoods’ securities enforcement and regulatory attorneys.

We use cookies to enhance your experience of our website. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our policy.

Agree