Many states require applicants for state registration to complete an affidavit of “no prior activity.” The choices are typically: no, you have not conducted advisory activities in this state; or yes, you have conducted advisory activities in this state. If the answer is yes, they require you to list all clients and fees charged, provide copies of client agreements, etc. What these affidavits are trying to determine is whether the applicant has been providing investment advisory services absent registration. The problem is that, for transitioning advisers who have been providing services in the state under a notice filing, there is no right way to answer the question on the affidavit. You cannot answer “no” because you would be attesting to something that was not true, but if you answer “yes” you may need to provide years of information about clients and fees. Very onerous and no easy resolution in sight.
Registration Transition Issue
February 4th, 2012
Massachusetts Data Privacy Act
February 3rd, 2012
Please note by March 1, 2012, advisers must ensure their agreements with third-party service providers with which they share personal information meet Massachusetts Data Privacy Act (201 CMR 17) requirements.
New Challenges for Family Offices
February 2nd, 2012
The bombshell in the Dodd-Frank Act for family offices was the revocation of the “less-than-15-client exemption” for private investment advisers. That rule allowed single-family offices to avoid registration with the Securities and Exchange Commission under the Investment Advisers Act of 1940, and the disclosures and costs that come with it.
http://www.investmentnews.com/article/20120129/REG/301299981
Still No Clarity on Supervisory Responsibility
January 30th, 2012
An order by a divided Commission, late Thursday, ended the agency’s controversial action against Theodore Urban, once general counsel of the former Ferris Baker Watts LLC, a Washington, D.C.-based brokerage and investment bank, now part of RBC Wealth Management. See the article by Reuters.
Fraud Alert Involving E-mail Intrusions to Facilitate Wire Transfers Overseas
January 29th, 2012
20 January 2012
The FBI has observed a trend in which cyber criminals are compromising the e-mail accounts of U.S. individuals and businesses and using variations of the legitimate e-mail addresses associated with the victim accounts to request and authorize overseas transactions. The wire transfers are being sent to the bank accounts of individuals typically located domestically or in Australia and the funds are being sent directly to Malaysia. Investigations indicate that some of the money mules in the U.S. and Australia are victims of a romance scam and are asked to further transfer the funds to Malaysia. As of December 2011, the attempted fraud amounts total approximately $23 million; the actual victim losses are approximately $6 million.
This type of fraud has affected banks, broker/dealers, credit unions and other institutions. Therefore, this threat is relevant to any organization that may engage with clients through e-mail channels.
In a typical scenario, the cyber criminal will send an e-mail to a financial institution, brokerage firm employee, or the victim’s financial advisor pretending to be the victim and request the balance of the victim’s account. When the request for balance information is successful, the cyber criminal then sends another e-mail providing a reason why they can only communicate via e-mail and asks that a wire transfer be initiated on their behalf. The excuse is typically based on an illness or death in the family which prevents the account holder from conducting business as usual.
Victims
Victims of these schemes include both individuals and businesses that typically invest significant amounts of money with their financial advisor(s) or financial institution(s). The individual unauthorized wire transfers range from $17,500 to $183,000.
E-mail Addresses
Cyber criminals are using both legitimate compromised e-mail accounts and e-mail addresses that are slightly altered. In cases in which the e-mail addresses were adjusted, they were either modified via the top level domain (e.g., from .com to .net) or by adding an additional letter to the user name (e.g., abcd@abc.com to abcdd@abc.com). Further investigations have also revealed that the e-mail service provider name has been modified by changing a letter to a number or vice versa (e.g., abc@0123.com to abc@O123.com). The modifications can be very subtle and easily mistaken as the legitimate account holder’s official e-mail address on file. In many cases, the e-mails have originated from e-mail service providers including Yahoo, Gmail, and AOL.
Authentication
In some instances wary financial institutions or brokerage firm employees asked for a letter of payment authorization via fax, and the cyber criminals were able to produce a fax with the legitimate customer’s signature as further proof that the transaction was being requested by the bank customer. This was most likely done through extensive research of the compromised e-mail accounts in which the cyber criminals were able to obtain copies of official documents signed by the victim. Some institutions reported that the signatures resembled a “copy and paste” from a previous document.
There have been several reports connected to this scheme where the cyber criminal modified the victim’s e-mail settings to block all legitimate e-mails from the victim’s financial institution. This was accomplished either by implementing a spam rule to dump all communications from the financial institution into a spam folder or automatically deleting the communications. Either method prevents the victim from being alerted that the transaction had taken place and may provide additional time for the money to be transferred out of the account before anyone can identify the transaction as fraudulent.
Recommendation to Financial Institutions
- Review internal procedures to ensure payment instruction authentication and validity.
- Enhance internal awareness of this fraudulent activity and ALWAYS perform proper authentication of the customer and internal verification processes even if the client is asking for a “rush.”
- Perform out-of-band authentication and verification of the payment instructions through a validated contact channel.
- Leverage payment instruction and transaction anomaly tools to flag suspect transactions.
- Use traditional security tools (DLP, spam filters, etc.) to search for e-mails with key words like “wire + funeral”, or “wire + travel,” etc. Clients and employees noted in flagged messages should then be contacted directly by other resources within your financial institution.
- Provide notice of this joint FBI/FS-ISAC bulletin to customers via various delivery channels, i.e., e-mail, financial institution website, branch flyers, etc.
- Review and implement financial institution payment instruction processes in the context of the Federal Financial Institutions Examination Council (FFIEC) Supplemental Authentication Guidance that was issued on June 28, 2011. http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf
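As an added illustration (not part of the FBI/FS-ISAC bulletin or of this blog), the Python sketch below compares a sender address with the client address on file for the three alterations described under “E-mail Addresses” and checks the message body for the “wire + funeral” / “wire + travel” keyword pairs from the recommendations. All function names and the 0/o and 1/l look-alike pairs are assumptions of this example; the addresses are the bulletin's own placeholders.

```python
import re

# Digit/letter look-alikes folded together before comparing provider names.
# The pairs (0/o, 1/l) are an assumption of this example.
FOLD = str.maketrans("01", "ol")
# Keyword pairs taken from the bulletin's recommendation.
KEYWORD_PAIRS = [("wire", "funeral"), ("wire", "travel")]

def parts(addr):
    """Split user@name.tld into lower-cased (user, name, tld)."""
    user, _, domain = addr.strip().lower().rpartition("@")
    name, _, tld = domain.rpartition(".")
    return user, name, tld

def one_letter_added(original, candidate):
    """True if candidate equals original with exactly one character inserted."""
    if len(candidate) != len(original) + 1:
        return False
    return any(candidate[:i] + candidate[i + 1:] == original
               for i in range(len(candidate)))

def classify_sender(sender, on_file):
    """Compare a sender address with the address on file for the client."""
    s_user, s_name, s_tld = parts(sender)
    f_user, f_name, f_tld = parts(on_file)
    if (s_user, s_name, s_tld) == (f_user, f_name, f_tld):
        return "exact-match"  # may still be a compromised legitimate account
    if (s_user, s_name) == (f_user, f_name):
        return "tld-changed"
    if (s_name, s_tld) == (f_name, f_tld) and one_letter_added(f_user, s_user):
        return "letter-added-to-username"
    if (s_user, s_tld) == (f_user, f_tld) and s_name.translate(FOLD) == f_name.translate(FOLD):
        return "digit-letter-swap-in-provider"
    return "unrelated"

def keyword_hits(body):
    """Return the bulletin's keyword pairs that both occur in the message."""
    words = set(re.findall(r"[a-z]+", body.lower()))
    return [pair for pair in KEYWORD_PAIRS if set(pair) <= words]

def needs_callback(sender, on_file, body):
    """List the reasons a message should go to out-of-band verification."""
    reasons = []
    verdict = classify_sender(sender, on_file)
    if verdict != "exact-match":
        reasons.append(verdict)
    reasons += ["keywords:" + "+".join(p) for p in keyword_hits(body)]
    return reasons
```

An exact address match does not clear a message: the bulletin notes that legitimate accounts are also compromised, so keyword hits alone still return a reason for a callback.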
Incident Reporting
- The FS-ISAC encourages member institutions to report any observed fraudulent activity through the FS-ISAC submission process and login at http://www.fsisac.com/. This can be done with attribution or anonymously and will assist other members and their customers to prevent, detect, and respond to similar attacks.
- The FBI encourages victims of cyber crime to contact their local FBI field office, http://www.fbi.gov/contact/fo/fo.htm, or file a complaint online at www.IC3.gov.
- Financial institutions’ compliance or anti-money laundering team should submit a Suspicious Activity Report (SAR) utilizing the Account Takeover guidance recently issued by the Financial Crimes Enforcement Network (FinCEN).
A Great Quote
January 24th, 2012
“Not all compliance failures result in fraud, but many frauds take root in compliance deficiencies,” said Robert Khuzami, Director of the SEC’s Division of Enforcement.
The States Are No Pushovers
January 20th, 2012
For advisers transitioning to state registration, be aware that states, much like the SEC, have enforcement divisions and bring enforcement actions that result in fines. Here is one from Connecticut:
Morgan Asset Management, Inc. (IARD # 111715) and Morgan Keegan & Company, Inc. (CRD # 4161) Settle Allegations Relating to Inadequate Disclosure in Fund Sales; $7,771 Fine Imposed
On December 13, 2011, the Banking Commissioner entered a Consent Order (Docket No. CO-11-7966-S) with respect to Morgan Asset Management, Inc., an investment adviser registered with the Securities and Exchange Commission, and Morgan Keegan & Company, Inc., a Connecticut-registered broker-dealer. Morgan Asset Management, Inc. maintains its principal office at 1901 6th Avenue North, 4th Floor, Birmingham, Alabama. Morgan Keegan & Company, Inc. is located at 50 Front Street, Morgan Keegan Tower, Memphis, Tennessee. The Consent Order followed a multi-state investigation and related investigations conducted by the SEC and the Financial Industry Regulatory Authority (FINRA). The investigations focused on seven proprietary mutual funds sold by Morgan Keegan to more than 30,000 account holders. Approximately 55 investors were located in Connecticut. Nationwide, the seven mutual funds lost approximately $1.5 billion dollars from March 31, 2007, to March 31, 2008.
In addition to citing the respondents for alleged supervisory failures, the Connecticut consent order, like those of other settling states, alleged that the respondents misled investors by failing to disclose risks regarding the affected funds and providing misleading information about securities products. The consent order required the respondents to pay $200 million, split between an SEC Fair Fund and a States’ Fund, both for the benefit of investors. Under the multi-state settlement, investors must file a claim with the Fund Administrator to recover damages. The Fund Administrator (A.B. Data) may be contacted by phone (888-208-9083) or mail (Morgan Keegan Settlement Claims Administrator, c/o A.B. Data, Ltd., PO Box 170500, Milwaukee, Wisconsin 53217-8091). The Fund Administrator also maintains a website at www.abdataclassaction.com.
The Connecticut Consent Order also 1) directed the respondents to cease and desist from regulatory violations; 2) fined the respondents $7,771 (Connecticut’s share of the $10 million multi-state settlement); 3) prohibited the respondents from creating, offering or selling to non-institutional investors any proprietary fund for two years; 4) required Morgan Keegan & Company, Inc. to reimburse the department for the costs of a books and records examination to be conducted within 24 months; 5) required the respondents to provide their agents and investment adviser agents with compliance training for three years; and 6) incorporated the requirement from the multi-state settlement that the respondents retain an independent consultant to evaluate their supervisory and compliance procedures.
Registration Transition – Colorado
January 12th, 2012
The Colorado division of securities has posted a very helpful PowerPoint presentation on its website. It can be found here:
www.dora.state.co.us/securities/
In addition, Colorado is one of those states that has waived the registration fee for firms that are currently notice filed.
Way to go Colorado!
Registration Transition News – Fee Waivers
January 11th, 2012
At least a little bit of good news for transitioning advisers . . .
The following states have waived registration fees for transitioning advisers that are currently notice filed in the state:
Alabama, Arkansas, Colorado, DC, Georgia, Idaho, Illinois, Iowa, Kentucky, Maryland, Michigan, Massachusetts, Minnesota, Mississippi, New Hampshire, New Jersey, New Mexico, Oregon, Puerto Rico, Rhode Island, Vermont and Washington.
Shame on the rest of the states for not doing the same.

