DOL Weighs In With Cybersecurity Guidance, FINRA Issues Reminders on Options and Predispute Arbitration Agreements, NASAA Releases Annual State Advisers Report, Cayman Extends CRS Compliance Form Deadlines
For Investment Advisors and Broker-Dealers
DOL Issues Cybersecurity Guidance. On April 14, 2021, the U.S. Department of Labor (“DOL”) Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance directed towards ERISA plan sponsors and ERISA fiduciary advisors. While the guidance appears similar to the SEC’s advice, there is one noticeable difference: the DOL says firms “should” have a reliable annual third-party audit of security controls. As part of this audit, EBSA expects to see audit reports, audit files, penetration test reports, and any other analyses or reviews of cybersecurity practices. EBSA also wants documented corrections of any weaknesses identified in the independent third-party analyses. What are the implications for firms subject to this guidance? Will the DOL consider it a breach of fiduciary duty if a firm does not hire a third party to conduct an audit of its security controls? Can a firm do this assessment internally? Time will tell if this is a best practice or a requirement.
In addition to the third-party review, the DOL provided these best practices that ERISA plan service providers “should” follow:
- Implement a well-documented cybersecurity program.
- Conduct a prudent annual cybersecurity risk assessment.
- Clearly define and assign information security roles and responsibilities.
- Establish robust access control procedures.
- Ensure that any assets or data stored in a cloud or with a third party are subject to appropriate security assessments.
- Conduct periodic cybersecurity awareness training.
- Implement and manage a secure system development life cycle (SDLC) program.
- Establish an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
- Encrypt sensitive data stored and in transit.
- Implement strong technical controls that meet best security practices.
- Respond to any past cybersecurity incidents.
The DOL guidance was published in three separate pieces: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries. Contributed by Glenn R. Skreppen, Senior Compliance Consultant.
Updates to State Senior Laws & Resources. Recent modifications to Arkansas’ state statute expand protections for investors against financial exploitation. Arkansas Code § 23-42-309 was modified as of April 1, 2021, to protect vulnerable persons in addition to persons over sixty-five years of age. The law also permits broker-dealers and investment advisors to delay transactions and disbursements if exploitation is suspected.
More states are enacting legislation to protect senior and vulnerable investors. Investment advisors and broker-dealers need to be aware of the legal requirements, in each state where they do business, for dealing with clients they suspect are being financially abused. Some states require mandatory reporting of suspected financial fraud against seniors and vulnerable persons. The law firm of Bressler, Amery and Ross has created and continues to update its Senior and Vulnerable Investors Issues map, with summaries of the requirements for all 50 states. Contributed by Carolyn W. Mendelson, Senior Compliance Consultant.
Form ID Updates. New EDGAR filers with Central Index Keys (“CIKs”) from prior paper filings will no longer rely on the legacy, abbreviated “Convert Paper Only Filer” process to obtain initial EDGAR access codes. These new EDGAR users will now need to submit a Form ID and authenticating documents like all other new filers. The SEC is eliminating the legacy exception to “implement a more uniform and secure process.” The EDGAR Filer Manual has been amended to reflect this change. Contributed by Cari A. Hopfensperger, Managing Director.
For Investment Advisors
NASAA Annual Report on State Registered Advisors. In April, the North American Securities Administrators Association (NASAA) published its Investment Adviser Section Annual Report, highlighting its 2020 activities concerning state-registered advisors. In sum, the report paints a statistical picture of the average state-registered adviser in 2020, reports on a sampling of state approaches to managing through the COVID-19 pandemic, and addresses two major NASAA initiatives – the Investment Adviser Policies and Procedures Model Rule and the Investment Adviser Representative Continuing Education Model Rule.
Unsurprisingly, the “average state-registered IA” continues to be a one- to two-person shop serving retail investors (81%), with advisors that are predominantly registered as investment advisor representatives (95%). Almost half are also insurance agents (48%), and more than one-third are also broker-dealer registered representatives (36%).
NASAA released two model rules in November of 2020, which are available for consideration and optional adoption by all NASAA jurisdictions. The IAR Continuing Education Model Rule would require IARs to complete 12 hours of continuing education per year, including satisfying products, practices, and ethics components. NASAA offers a FAQ for affected firms and their IARs. The IA Written Policies and Procedures Model Rule reads similarly to the SEC’s Advisers Act Rule 206(4)-7 (the “Compliance Program Rule”), applicable to SEC-registered advisors. An accompanying Compliance Grid lists what NASAA feels are many of the most common compliance and supervision issues IAs should consider in their policies and procedures.
Other areas highlighted in the annual report include:
- Cybersecurity – NASAA’s Cybersecurity Checklist and Guidance for Investment Advisers addresses 89 assessment areas to help state-registered advisors manage their cybersecurity efforts and is a helpful reference for any small firm.
- Pandemic Response
  - NASAA reported on its efforts to maintain open communication with state-registered advisors, primarily through alerts and advisories on critical updates, trends, and topics.
  - Ohio, Arizona, and Utah reported “wins” by taking their annual outreach conferences virtual in 2020. Ohio, in particular, reported that it was so successful it plans to retain a virtual component in the future.
  - NASAA encourages state-registered IAs to continue to consider the fallout from the pandemic with specific emphasis on their business continuity and succession planning, cybersecurity and the protection of client information, and supervision efforts.
Contributed by Cari A. Hopfensperger, Managing Director.
For Private Funds
2021 Cayman CRS (and FATCA) Updates – Do You Know Your Reporting Requirements? The Department for International Tax Cooperation (DITC) of the Cayman Islands announced that the deadline for filing the 2019 and 2020 common reporting standard compliance form (“CRS Compliance Form”) is extended to September 15, 2021. Filings are facilitated utilizing the DITC portal. The portal was offline after the original December 16, 2020, deadline passed but was back online in May.
It is important to note that the CRS Compliance Form, introduced in April 2020 via DITC industry advisory, differs from “CRS reporting” and is in addition to the CRS reporting obligations of entities identified as financial institutions (“FIs”) and domiciled in the Cayman Islands.
The CRS Compliance Form requires entities to provide profile and financial account data and identify the responsible parties for their AML/KYC obligations and their CRS processes. The CRS process requires the entity to confirm that they have adequate procedures to meet their obligations under the CRS Regulations. Before completing the annual CRS Compliance Form, financial institutions should ensure that they are periodically reviewing their CRS policies and making any requisite updates. Additionally, firms should ensure that their AML/KYC obligations are met, whether internally or by a third party. If internal, the financial institution should have adequate resources to meet those obligations. If delegated, the firm should conduct a periodic review of the third party.
The deadline for CRS reporting and FATCA returns is July 31, 2021. The DITC portal began accepting both CRS reporting and FATCA returns in May. Additionally, if your firm formed a Cayman Islands “FI” in the calendar year of 2020, you must register that entity before processing any CRS or FATCA returns. The registration deadline was April 30, 2021. Firms that did not meet this deadline should contact the Cayman Islands DITC for assistance. Contributed by Denise D. Alfieri, Managing Director.
Do Your Options Procedures Need Work? FINRA issued Notice 21-15 to remind broker-dealers of their obligations under Rule 2360, related to the establishment and supervision of options accounts. Introducing broker-dealers can use this checklist to help determine if their policies and procedures could use a minor upgrade. (Note: The following is not intended to be a complete list and does not guarantee compliance with all of the rules regarding options accounts.)
☐ Procedures state that options account rules apply to self-directed accounts as well as those accounts to which a registered representative makes recommendations;
☐ Procedures address the qualifications and restrictions necessary for a branch office location to conduct an options business;
☐ Procedures specifically identify the principal qualifications necessary to approve/disapprove accounts for options trading;
☐ Procedures outline the customer due diligence process, including all information that must be collected before deciding to approve/disapprove an account for options trading.
☐ Procedures identify criteria for account approval at each level of options trading.
☐ Procedures prescribe how the written approval/disapproval of an account for options trading will be documented.
☐ Procedures identify the person or entity responsible for delivering the Characteristics and Risks of Standardized Options (“ODD”) and the manner of delivery.
☐ Procedures document the process related to customer account agreements and the verification of customer background and financial information.
☐ Procedures document the requirements to exercise discretionary power concerning trading option contracts in a customer account;
☐ Procedures detail specific requirements outlined in FINRA Rule 2360(b)(16)(E) when writing Uncovered Short Option Contracts, including the party responsible for delivery of the Special Statement for Uncovered Option Writers (“Special Written Statement”) and the manner of delivery.
☐ Procedures address the handling and recording of options-related complaints;
☐ Procedures require specific supervisory reviews of options accounts about:
- The compatibility of options transactions with investment objectives and the types of transactions for which the account was approved;
- The size and frequency of options transactions;
- Commission activity in the account;
- Profit or loss in the account;
- Undue concentration in any options class or classes; and,
- Compliance with the provisions of Regulation T of the Federal Reserve Board.
Firms can leverage this opportunity to review their policies and procedures and determine if they remain reasonably designed to ensure compliance with the applicable rules. Contributed by Rochelle A. Truzzi, Managing Director.
Can You Pass This Quiz Regarding the Use of Predispute Arbitration Agreements? In Regulatory Notice 21-16, FINRA reminds members of their responsibilities when using predispute arbitration agreements for customer accounts.
- FINRA Rules require customer disputes first to be arbitrated under the FINRA forum. True or False?
False. Customer disputes may be resolved through a private arbitration forum or by civil litigation. See Endnote 2 of Notice 21-16.
- When a customer signs an agreement that contains a predispute arbitration clause, agreeing to arbitrate any disputes through private arbitration, the customer waives his/her right to request arbitration at FINRA. True or False?
False. Customers do not forfeit the right to request arbitration at FINRA, despite having signed an agreement specifying another dispute resolution process. See Endnote 2 of Notice 21-16.
- Predispute arbitration agreements may not limit the ability of a party to file any claim in arbitration or court. Still, they may require arbitration hearings to be held in the state where the Firm’s main office resides. True or False?
False. A Firm cannot dictate the location of arbitration hearings as this does not comply with FINRA Rule 12213. See Endnote 6 of Notice 21-16.
- Disclosures alerting customers that the agreement contains a predispute arbitration clause must appear at which place in the agreement: (a) As a footnote at the bottom of the page where the arbitration clause appears; (b) Immediately preceding the predispute arbitration clause; (c) On the Disclosure Page of the Agreement as long as the text is prominently displayed, or (d) immediately preceding the customer signature line. Select all that apply.
(b) and (d). See FINRA Rule 2268.
- What two references must appear in any predispute arbitration disclosure that does not appear immediately preceding the arbitration clause?
The disclosure must indicate at what page and paragraph the arbitration clause is located.
- Within thirty days of signing, a copy of the agreement containing a predispute arbitration clause must be provided to the customer, who shall acknowledge receipt on the agreement or on a separate document. True or False?
True. See FINRA Rule 2268(c).
- Certified class actions may be arbitrated through the FINRA forum, but not putative class actions. True or False?
False. See FINRA Rule 2268(f).
- A firm may not limit a customer’s right to pursue class actions in court. True or False?
True. See FINRA Rule 12204.
- What is required if a Firm wishes to modify the statute of limitations for submitting arbitration claims under the predispute arbitration clause?
A firm is not permitted to shorten or lengthen the statute of limitations to submit an arbitration claim. The Code of Arbitration Procedure for Customer Disputes grants authority to determine eligibility to the Arbitrator or Panel. See FINRA Rule 12206.
- Indemnity Provisions are permitted in predispute agreements but are limited only to recovering the firm’s legal costs resulting from the Firm’s violations of the securities laws or FINRA rules. True or False?
False. See Endnotes 17 and 18 of Notice 21-16.
If you got them all correct, congratulations! If you missed 1-2, not bad. If you missed three or more, your assignment is to read both the regulatory notice and FINRA Rule 2268 in their entirety. Or, you can call Foreside, and we will be happy to assist you with the review of your policies, procedures, and client agreements. Contributed by Rochelle A. Truzzi, Managing Director.
SEC Charges Broker-Dealer for Failing to File SARs. The SEC settled charges with GWFS Equities Inc. for failing to file suspicious activity reports (“SARs”) related to external bad actors’ attempts to gain access to the retirement accounts of individual plan participants. Over three years, GWFS filed 297 incomplete SARs related to this suspicious activity and failed to file a SAR in 130 instances. The SEC’s order finds that GWFS violated Section 17(a) of the Securities Exchange Act and Rule 17a-8 thereunder. GWFS agreed to a settlement that imposes a $1.5 million penalty, a censure, and an order to cease and desist from future violations. Contributed by Doug MacKinnon, Senior Compliance Consultant.
Worth Reading, Watching and Hearing
- The New Marketing Rule and the Seven Prohibitions: Sneaky, Sloppy, Tricky, Shifty, Iffy, Flimsy, and Dicey. Hardin Partner, Jaqueline Hummel, breaks down two core elements of the Marketing Rule – the new definition of “advertising” and the seven general prohibitions. Use this tool to help plan for implementation.
- Cryptocurrency Madness – Dogecoin Trading in 2021: How to Get a Doge in Your Pocket.
- Strategies for Maintaining Good Workplace Culture. Step back from technical compliance topics for a moment and consider the bigger picture topic of workplace culture. Morgan Lewis’ London team offers this quick read for CCOs, who are often instrumental to this effort.
- Comparison of SEC’s Regulation Best Interest and DOL’s Final Investment Advice Class Exemption. Morgan Lewis put together this excellent chart comparing the two sets of requirements.
- The SEC’s Latest Risk Alert Puts ESG Investing in the Crosshairs – Harvard Law School Forum on Corporate Governance addresses this industry hot topic.
- FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts. Regulatory Notice 21-18 dated May 12, 2021, addresses this timely risk.
- Money Stuff: Index Firm Forgot to Update XIV. Check out this Bloomberg Opinion by Matt Levine, which unpacks the SEC’s recent and unique enforcement action against an index provider.
- Taking Stock, Environmental, Social and Governance (ESG) Considerations. Eversheds Sutherland published a new ESG matrix addressing current required disclosures for different SEC-regulated entities – namely advisors, public and private funds. The introduction to the matrix notes that they will update it on an ongoing basis, so this may be a useful tool to watch.
- SEC to Reconsider Rules and Guidance Regarding Proxy Advisory Firms. Cydney Posner from the Cooley PubCo blog reports on SEC Chair Gary Gensler’s June 2 direction. The post also offers a thoughtful summary of the prior regulatory updates leading us to this latest inflection point.
Filing Deadlines and To-Do List for June 2021
- GIPS Notification Requirement: Firms opting to comply with the Global Investment Performance Standards (GIPS) must notify the CFA Institute of their claim of compliance on an annual basis. This notification is due June 30, 2021, and should be submitted by completing the appropriate online form on the CFA Institute’s website.
HEDGE/PRIVATE FUND ADVISORS
- Blue Sky Filings (Form D): Advisors to private funds should review fund blue sky filings and determine whether any amended or new filings are necessary. Generally, most states require a notice filing (“blue sky filing”) within 15 days of the first sale of interests in a fund, but state laws vary. Did you know that Hardin Compliance Consulting offers a convenient and economical blue sky filing service to help firms manage this complicated monthly task? Learn more here and give us a call to discuss your needs further. Due June 15, 2021.
- Distribute Audited Financial Statements for Private Funds for Funds of Funds: Private fund investment advisors should have their funds audited by an independent, PCAOB-registered accountant and deliver the audited financial statements to the funds’ investors within 120 days of the end of the funds’ fiscal year. The deadline for private funds that are funds of funds is within 180 days of the funds’ fiscal year-end. That’s June 29, 2021, for funds with a December 31 year-end.
- Annual Reports for Fiscal Year-End March 31, 2021: FINRA requires that member firms submit their annual audit reports in electronic form. Firms must also file the report at the regional office of the SEC in which the firm has its principal place of business and the SEC’s principal office in Washington, DC. Firms registered in Arizona, Hawaii, Louisiana, or New Hampshire may have additional filing requirements. Due June 1, 2021.
- Rule 17a-5 Monthly and Fifth FOCUS Part II/IIA Filings: For the period ending May 31, 2021. For firms required to submit monthly FOCUS filings and those firms whose fiscal year-end is a date other than a calendar quarter. Due June 23, 2021.
- Supplemental Inventory Schedule (“SIS”): For the month ending May 31, 2021. The SIS must be filed by a firm that is required to file FOCUS Report Part II, FOCUS Report Part IIA or FOGS Report Part I, with inventory positions as of the end of the reporting period, unless the firm has (1) a minimum dollar net capital or liquid capital requirement of less than $100,000; or (2) inventory positions consisting only of money market mutual funds. A firm with inventory positions consisting only of money market mutual funds must affirmatively indicate through the eFOCUS system that no SIS filing is required for the reporting period. Due June 28, 2021.
- SIPC-7 Assessment: For firms with a Fiscal Year-End of April 30th. SIPC members are required to file the SIPC-7 General Assessment Reconciliation Form, together with the assessment owed (less any assessment paid with the SIPC-6) within 60 days after the Fiscal Year-End. Due June 29, 2021.
- Annual Reports for Fiscal Year-End April 30, 2021: FINRA requires that member firms submit their annual reports in electronic form. Firms must also file the report at the regional office of the SEC in which the firm has its principal place of business and the SEC’s principal office in Washington, DC. Firms registered in Arizona, Hawaii, Louisiana, or New Hampshire may have additional filing requirements. Due June 29, 2021.
- SIPC-3 Certification of Exclusion from Membership: For firms with a Fiscal Year-End of May 31 AND claiming an exclusion from SIPC Membership under Section 78ccc(a)(2)(A) of the Securities Investor Protection Act of 1970. This annual filing is due within 30 days of the beginning of each fiscal year. Due June 30, 2021.
- SIPC-6 Assessment: For firms with a Fiscal Year-End of November 30th. SIPC members are required to file for the first half of the fiscal year a SIPC-6 General Assessment Payment Form together with the assessment owed within 30 days after the period covered. Due June 30, 2021.
REGISTERED COMMODITY POOL OPERATORS
- Form CPO-PQR (March 31 Quarter End): Small, Mid-Sized and Large Commodity Pool Operators are required to file NFA Form CPO-PQR quarterly with the NFA. The due date is June 1, 2021.
- Form N-MFP. Form N-MFP (Monthly Schedule of Portfolio Holdings of Money Market Funds) reports information about the fund’s holdings as of the last business day of the prior calendar month and must be filed no later than the fifth business day of each calendar month. Due date is June 7, 2021.