Cyber Crackdown on Email

The Securities and Exchange Commission sanctioned three broker-dealer/investment advisers for failures in their cybersecurity policies and procedures that resulted in email account takeovers. Each of the firms was using cloud-based email accounts that were hacked. The three firms had not mandated multi-factor authentication for access to the email accounts.

The SEC alleged violations of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). The Safeguards Rule requires financial institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. Those policies and procedures have to be reasonably designed to:

  1. Ensure the security and confidentiality of customer information;
  2. Protect against anticipated threats or hazards to the security or integrity of customer information; and
  3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

The SEC did not claim that any customers were harmed, that money was stolen, or that the compromised information was used maliciously. The SEC claimed that the firms failed to adequately design and enforce written cybersecurity policies and procedures for cloud-based email accounts. The firms either did not require multi-factor authentication or failed to fully implement multi-factor authentication.

Simple takeaway from these actions: If your firm is using a web-based email system, mandate multi-factor authentication.


The One with Trading in Foreign Currency when There is No Money

Minnesota residents Jason Dodd Bullard and Angela Romero-Bullard raised millions from investors, mostly friends and family, and said it would be used to trade foreign currencies. Instead, the Securities and Exchange Commission claims that the two diverted the money to other uses and falsified account statements. In the classic Ponzi scheme fashion, they used new investors’ money to pay redemptions by earlier investors.

The two produced false account statements for over 14 years. Although the account statements showed good returns, in reality the two had suffered large losses. In October, the two sent an investor a statement showing a balance of over $1.4 million. Unfortunately, the two only had $30,000 in the trading accounts.

The two told some investors that they were not required to be registered with any government agency. They told other investors that they were registered. In response to one investor’s redemption request they told the investor that the withdrawal request had to be approved by regulators. FYI: redemption requests do not have to be approved by government financial regulators.

Instead of investing in foreign currencies, the SEC claims that the two diverted the cash to other businesses they owned, including a horse racing stable, a limousine service and a fitness studio.


Compliance Bricks and Mortar for September 10

Return Time.
Back to the office.
Back to school for the kids.
And back to blogging more regularly.

These are some of the compliance-related stories that recently caught my attention.

In Silicon Valley, Criminal Prosecutors See No Evil
by David Streitfeld
The New York Times

Federal prosecutors in Northern California took on only 57 white-collar crime cases in the 2020 fiscal year, down from 94 in 2019, according to researchers. Although 2021 is likely to show a rebound, the total will still be far below the heyday of prosecutorial action in 1995, when 350 cases were brought.

https://www.nytimes.com/2021/09/07/technology/in-silicon-valley-criminal-prosecutors-see-no-evil.html

Debevoise & Plimpton on the Latest Round of SEC Cybersecurity Enforcement Actions
By Avi Gesser, James Pastore and Mengyi Xu
The CLS Blue Sky Blog

On August 30, 2021, the SEC filed settled enforcement actions against three groups of broker-dealers and investment advisers for failing to protect confidential customer information in violation of Rule 30(a) of Regulation S-P (the “Safeguards Rule” or “Rule”). One group of the entities was also found to have violated Section 206(4) of the Advisers Act and Rule 206(4)-7, by allegedly providing misleading information in its breach notification to customers. These actions, which were announced just two weeks after the SEC imposed a $1 million civil penalty for an issuer’s allegedly misleading data breach disclosures in connection with a public company’s filings, demonstrate the agency’s increased efforts to enforce its cyber priorities, as we noted in July 2021 with the First American settlement.

https://clsbluesky.law.columbia.edu/2021/09/07/debevoise-plimpton-on-the-latest-round-of-sec-cybersecurity-enforcement-actions

Madoff Victims Get Second Crack at Citigroup’s $343 Million
By Bob Van Voris
Bloomberg

The U.S. Court of Appeals in New York on Monday reinstated a suit against Citi by Irving Picard, the trustee charged with recovering money for Madoff’s victims, over funds transferred to the bank. Picard claimed Citi failed to act on red flags concerning Madoff, but a bankruptcy court dismissed the suit, finding the trustee had not shown the bank acted with “willful blindness” to possible fraud.

The appeals court said “willful blindness” was the wrong standard to apply and the burden of proof shouldn’t have been on Picard. The ruling revived similar claims for $213 million from Legacy Capital Ltd., a British Virgin Islands corporation that invested solely with Madoff, and a $6.6 million claim against Khronos LLC, which provided accounting services to Legacy.

https://www.bloomberg.com/news/articles/2021-08-30/madoff-victims-get-second-crack-at-citigroup-s-343-million?

Bitcoin Uses More Electricity Than Many Countries. How Is That Possible?
By Jon Huang, Claire O’Neill and Hiroko Tabuchi
Illustrations by Eliana Rodgers
The New York Times

[C]onsider this: The process of creating Bitcoin to spend or trade consumes around 91 terawatt-hours of electricity annually, more than is used by Finland, a nation of about 5.5 million.

That usage, which is close to half-a-percent of all the electricity consumed in the world, has increased about tenfold in just the past five years.

https://www.nytimes.com/interactive/2021/09/03/climate/bitcoin-carbon-footprint-electricity.html

SoFi, when the “Fi” stands for “fine”

SoFi Wealth, the robo-adviser, ran into trouble when it substituted SoFi-sponsored ETFs for third-party ETFs on its platform.

According to the SEC order, SoFi Wealth failed to provide its clients with full and fair disclosure of its conflicts of interest relating to the transactions, including that:

  1. SoFi had a preference for placing clients into SoFi’s newly-created proprietary ETFs rather than third-party ETFs, and SoFi’s economic interest in these proprietary ETFs presented a conflict of interest for SoFi Wealth,
  2. SoFi was investing client assets in these proprietary ETFs to help market the SoFi brand as having a broader array of services and products than previously offered, and
  3. SoFi intended to use client assets to capitalize the new SoFi ETFs with significant investment on their second day of trading, making the ETFs more liquid and favorable to the market.

It’s not that an adviser can’t use its own funds or ETFs in client portfolios. It just needs to properly disclose the conflict. SoFi did not.

SoFi’s compliance group probably should have read the J.P. Morgan case from 2015. Morgan got in trouble for having a preference for investing client assets in proprietary funds and not disclosing the conflict.

The complaint once again has the SEC quibbling over the use of the word “may.” The disclosure said that SoFi would select a mix of ETFs “that represent the broad asset allocation determined by these strategies, which may include ETFs for which SoFi is the sponsor.” The SEC issue was that the SoFi investment committee had already approved the replacement of third-party ETFs with SoFi ETFs. I hate that the SEC quibbles over the use of “may.” I don’t see how the word “may” really changes anything in the disclosure.

The big problem was that SoFi replaced the ETFs in client accounts. That means it sold the old choice and had the client buy the new one. No big deal in IRAs. But it is a big deal in taxable accounts. It triggered over $1.3 million in taxable gains for the clients and offered no material benefit to the client.

All the benefit ran to SoFi whose ETFs were now bigger and more liquid.

SoFi had sweetened the pot by waiving the expense fees of the ETFs. Again, good for the ETF holders, but it would take some time to make up for the taxable gain.

Some compliance lessons. Be careful using the word “may” in disclosures. Don’t replace third-party choices with proprietary choices in taxable accounts unless you also disclose the tax issue.


General Solicitation and Placement Agent Agreements

D.H. Hill Securities got hit with a FINRA penalty for violating the private placement offering rules. FINRA concluded that D.H. Hill did not have a pre-existing, substantive relationship with several investors in an offering. This was a breach of Rule 502(c).

The key point from the settlement was that D.H. Hill began participating in the private placement offerings before creating a substantive relationship with the individuals. The “pre-existing” standard was not met because D.H. Hill started selling to them without first establishing the relationship.

FINRA cites two ways for a broker-dealer to create a pre-existing, substantive relationship:

  1. through a previous investment in securities offered through the broker-dealer
  2. through submission and approval of an investor qualification questionnaire

FINRA is making it clear that it’s easier to sell private placements to the existing client base than to reach out for new investors.

Question 256.29 makes this even clearer:

Question: What makes a relationship “pre-existing” for purposes of demonstrating the absence of a general solicitation under Rule 502(c)?

Answer: A “pre-existing” relationship is one that the issuer has formed with an offeree prior to the commencement of the securities offering or, alternatively, that was established through either a registered broker-dealer or investment adviser prior to the registered broker-dealer or investment adviser participation in the offering. See, e.g., the E.F. Hutton & Co. letter (Dec. 3, 1985). [August 6, 2015]

Of course, the big question is how long must pass between the initial contact and screening before a relationship becomes pre-existing?


Can a Supercomputer Be a Security?

Accept at face value that Profit Connect is not a scam. That is a stretch given the purported high returns, coupled with a money back guarantee.

• 15% to 20% Fixed APR
• High-Net-Worth 30% APR
• APR is Locked-In
• 100% Money Back Guarantee

There is no such thing as high returns with no risk. Of course, if the returns are that good, why would the sponsor let you invest?

After going through the mumbo-jumbo on the website, I got to an interesting take on the investment structure.

“A Profit Connect Wealth Builder is not an Investment, it is a purchase of Supercomputer time (usage) and the use of an App that pays you money, for blockchain calculations delivered to a client. The blockchain client is found, managed and supported by Profit Connect. The Wealth Builder Depositor simply places a deposit for seat time and the App makes them money every month, giving you total peace of mind. All Wealth Builder APR percentages are Guaranteed and All Wealth Builders have a Lifetime Money Back Guarantee.”

They are making some claim that you are merely renting computer time. I make the logical leap that the firm is taking the position that you are not buying securities from Profit Connect and the firm is not selling you securities. That could be true. Renting computer time so you can run Bitcoin mining is probably not a security by itself.

The Securities and Exchange Commission doesn’t spend much time on this point in the complaint.

100. The investments were part of a common enterprise because both investors and Profit Connect were to make money through Profit Connect’s investments, because Profit Connect pooled all investor funds into one bank account (the Profit Connect Investor Account), and because Profit Connect used some of those funds to make payments to investors.

101. Profit Connect investors were passive investors with no involvement in Profit Connect’s investment activity.

102. Investors relied entirely on the efforts of Profit Connect, which claimed that investor money would be invested in sectors determined by Profit Connect’s proprietary “supercomputer.”

To me the Profit Connect supercomputer is like the Howey orange grove. Renting supercomputer time is analogous to renting an orange grove. But if you package that resource so that someone else does all the work with no input from you, it looks more like a security. I can rent supercomputer time and mine bitcoins. I take the risk of valuation fluctuations, utility costs, and success rate. Profit Connect is purporting to do all that for me. I give them money, do no work, I’m not allowed to do any work, and they give me more money back. Yeah, that does sound like a security.

It seems unlikely that the Profit Connect supercomputer is a real thing. One of the firm’s principals had been previously convicted of securities fraud. The SEC alleges that the firm had no operating revenue. All of the money coming in came from “investors.” Most of the money was paid out to solicitors and to the sponsors for personal use.


Overlooking Tax Fraud

Cases against Chief Compliance Officers catch my attention. Jack Cook is the Chief Compliance Officer of Princeton Alternative Funding. He is in the crosshairs of the Securities and Exchange Commission.

The SEC Commissioners and senior OCIE staff have usually stated three circumstances that lead to CCO liability:

  1. when the CCO is affirmatively involved in misconduct;
  2. when the CCO engages in efforts to obstruct or mislead the Commission; or
  3. when the CCO exhibits “a wholesale failure to carry out his or her responsibilities.”

Mr. Cook served initially as Princeton’s chief operating officer and chief compliance officer. He eventually became CEO, even though he had no experience in Princeton’s alternative lending space.

The SEC accuses Mr. Cook of creating and disseminating materially false statements to investors and potential investors that misrepresented the management of Princeton. Mr. Cook also concealed the significant role that a principal, Mr. Burgess, who had recently been convicted of tax fraud, played in managing Princeton and its investments.

The case seems to fall squarely in circumstance 1. Mr. Cook was clearly involved in the wrongdoing. The liability is not coming from his role in compliance. The SEC is accusing Mr. Cook of being the person creating the misstatements, approving the misstatements and conveying the misstatements to investors and in marketing to potential investors.

Of course there were smoking gun emails about the involvement of Mr. Burgess in the management of Princeton.

Burgess instructed them to “[b]e careful with too much transparency as it will bite you in the ass.” He later added, “I am also NOT suggesting you lie, but don’t volunteer unless you are ask[ed] the direct question.” He then noted his apparent belief that “[y]ou cannot trust anyone, period, and good deeds do not go unpunished. He [the investor] will jerk you around on future investments, just to continue to get info out of you.” To underscore his concern, Burgess added, “I will bet you my left nut (and I like my nuts) that this [investor] comes after us and uses your words to get us. Don’t let that happen.”

Less than a minute after sending this email, Burgess replied to all with a single sentence stating, “Also, delete these emails please.”


The One with TheBull

The Dark Web and bitcoin are the tools of the trade for online criminals these days. Apostolos Trovias is alleged to be one of those criminals. He operated online under the pseudonymous online avatar “TheBull”. Mr. Trovias is alleged to have engaged in a deceptive scheme to offer and sell what he called “insider trading tips” on the Dark Web, offering purchasers an unfair advantage when trading securities.

Mr. Trovias claimed that he had order-book data from a securities trading firm that was provided to him by an employee of the trading firm. This would seem to be material, nonpublic information that was supposed to be kept confidential.

If Mr. Trovias had actually acquired some or all of the tips from actual order-book data or if he had stolen the order-book data himself, then he had engaged in a fraudulent scheme to sell material, nonpublic information that he knew or was reckless in not knowing was obtained in violation of a duty of trust and confidence. That’s illegal.

If Mr. Trovias did not actually have this information, then his statements were materially false and misleading and made in furtherance of a scheme to deceive purchasers who wanted to trade on inside information. That’s also illegal.

What fascinated me about this case is that the Securities and Exchange Commission doesn’t have to prove that Mr. Trovias was actually selling or using insider information. The SEC wins either way.


Fine Art, Money Laundering, and Influence Peddling

The Anti-Money Laundering Act of 2020 brought art dealers under the umbrella of anti-money laundering regulation. Section 6110(a) of the AML Act amends the definition of “financial institution” under the Bank Secrecy Act (BSA) to include persons “engaged in the trade of antiquities” and directs FinCEN to promulgate implementing regulations.

The value of fine art and antiquities is inherently subjective and allows for a wide range of sale prices. The good stuff also weighs significantly less than cash. A painting worth $2.5 million is easier to transport than 275 pounds of $20 bills for the equivalent value. At the freeport in Geneva, you can sell the art without even moving it or paying taxes on the gain.

Now U.S. art dealers will have to file suspicious activity reports for cash transactions.

Into this fray steps Hunter Biden, the President’s son who is looking to sell some of his paintings.

“Everyone should try pushing brushes around. And if someone wants to pay you a half-million for the results: Cash that check.”

https://www.yahoo.com/entertainment/hunter-biden-art-worth-500-110000217.html

This raises the ethical issue of buying Hunter Biden’s artwork in an attempt to influence President Biden. According to the Washington Post story, the White House is trying to craft an ethical wall around the potential purchases to keep them anonymous. It’s a bad spot to have presidential family members selling art that is highly subjective in value into a market that is under scrutiny for anti-money laundering efforts.

The best answer is to just say “no.” Wait three (or seven) years to start selling the art after President Biden is out of office. It looks terrible to be trading on his father’s name and role as president.


How Do You Define AUM?

The Securities and Exchange Commission took a big step with private funds and setting a defined standard of Regulated Assets Under Management. There is still discretion in how different aspects are calculated. It works well for hedge funds and private equity funds. It starts breaking down as you have more alternative assets that fall outside the definition of “private fund” and “securities portfolio” that ties to the RAUM definition.

For real estate, INREV published a tool for defining Assets under Management: Assets Under Management (AUM) 2021.

INREV interviewed a number of asset managers to figure out how they came up with their AUM numbers. The resulting paper summarizes the main components of AUM and the options for each component. It’s not a prescriptive attempt to standardize AUM. It’s just a thought piece.

INREV came up with ten components. Each component has two to four different ways of treatment. For example, one component is the ownership of JV’s and co-investments, with these options:

  • 100% regardless of ownership
  • 100% if the asset is consolidated in the financials, but ownership share only if not
  • 100% if asset management services are provided for the asset, but ownership share only if not
  • % ownership share only

Of course you can argue that JVs may be treated differently than co-investments, so there could easily be more components and more options.

The INREV summary is a good way to think about it. With ten components and two to four options for each, the INREV breakdown gets you to over 36,000 different ways to calculate AUM.

Obviously, one driving factor is the “ask” that accompanies the AUM request. It means having to give a summary of what went into the AUM calculation.
