Compliance "Best Practices"
News, Commentary and Resources Regarding Compliance for Registered Investment Advisers

Archive for March, 2010

More on the SEC Staff Responses

Thursday, March 18th, 2010

Question: If an adviser inadvertently receives securities from a client, under the amended rule may the adviser forward the securities to the qualified custodian instead of returning the securities to the client?

Answer: No. If the adviser does not return the securities to the sender within three business days, the adviser not only has custody but has also violated the amended rule’s requirement that client securities be maintained in an account with a qualified custodian. However, the Division would not recommend enforcement action to the Commission under certain circumstances if an adviser inadvertently receives tax refunds from tax authorities, or client settlement proceeds from administrators in connection with class action lawsuits and other legal actions, or stock certificates, dividends, or evidence of new debt from issuers in connection with class action lawsuits involving bankruptcy or business reorganization, and forwards these client assets within five business days of its receipt and maintains appropriate records.

SEC Issues Staff Responses to Custody Rule

Monday, March 8th, 2010

This past Friday, the staff of the Division of Investment Management issued its much-anticipated responses to questions about the amended custody rule. I will address each one in turn, but since I have been focusing on the due inquiry requirement I want to start with that first. There had been a question of how an adviser could satisfy the due inquiry requirement when clients receive their account statements from their qualified custodian by way of a download from the custodian’s web site. Here is the SEC’s response:

“Advisers whose clients receive electronic statements from qualified custodians must still form a reasonable belief after due inquiry that the clients are receiving those statements. The adviser may satisfy this requirement by, for example, being copied on the email notifications of account statement postings sent to clients in addition to having access to client statements on the custodian’s website, although this is not the exclusive means of forming that reasonable belief.”

More News on Custody Rule & Custodians

Friday, March 5th, 2010

Apparently Fidelity is putting together a response to the “due inquiry” requirement regarding the delivery of account statements. Somehow Fidelity believes that because they are a qualified custodian the adviser does not need to get copies of the account statement. I ask you, did Fidelity’s lawyers actually go to law school? The rule is 100% clear as to an adviser’s responsibilities. Nowhere does it state that the qualified custodian can take responsibility for the adviser’s due inquiry.

March Compliance Training - Data Security

Wednesday, March 3rd, 2010

THE FOLLOWING IS A REPRINT OF THE U.S. COMPLIANCE CONSULTANTS MARCH 2010 COMPLIANCE TRAINING NEWSLETTER

Dear Compliance Professional:

The purpose of this compliance training material is to familiarize you with key issues regarding information security.

Overview

One of the most pressing compliance issues for investment advisers is how to satisfy SEC requirements in the area of information security. The following checklist will allow you to take measure of your advisory firm’s existing information and data security program.

While each and every one of the following questions may not apply to the conduct of your advisory business, for those questions that do apply, you should be able to answer “yes”.

Information Security Checklist

1. Policy.  Has your advisory firm developed and implemented comprehensive information security policies and procedures?

__  Yes    __  No

2. Acknowledgment.  Are all employees and independent contractors required to provide written acknowledgment of their understanding and acceptance of your advisory firm’s information security policies?

__  Yes    __  No

3. Confidentiality Agreements. Are confidentiality agreements signed before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

__  Yes    __  No

4. Physical Security. Are buildings, paper records, computer and network equipment and storage media within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?

__  Yes    __  No

5. Anti-Virus. Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?

__  Yes    __  No

6. Internet Security. Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication), and incident response capability?

__  Yes    __  No

7. Software Patches.  Are security-sensitive software patches promptly applied to systems that are accessible to users outside of your advisory firm?

__  Yes    __  No

8. Data Protection. Is sensitive, valuable information properly protected from unauthorized access?

__  Yes    __  No

9. Business Resumption Plan. Does your advisory firm have a documented and tested business resumption plan for critical computer systems and associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

__  Yes    __  No

10. Portable Data.   Does your advisory firm encrypt sensitive information stored on portable devices including laptop computers and smart phones?

__  Yes    __  No

11. Telecommuting. Does your advisory firm ensure the safety of sensitive client information in remote or home offices?

__  Yes    __  No

12. Data Security Breaches. Does your advisory firm have the ability to detect the unauthorized use of, or access to, sensitive client information?

__  Yes    __  No

13. Training. Does your advisory firm have a program in place for training employees on the proper use of your firm’s computer security system, and the importance of information security?

__  Yes    __  No

14. Due Diligence. Does your advisory firm conduct due diligence on the information security programs of third-party service providers?

__  Yes    __  No