Professional Ethics at the NRS Compliance Conference

These are my notes from the NRS Fall Compliance Conference.

Dorothy (Dot) C. Kelly, Director, Training & Outreach for the Professional Conduct Program, CFA Institute
Wendy L. Pirie, Director, Curriculum Projects, CFA Institute
Robert Stirling, Senior Consultant, Investment Adviser Services, NRS

According to the 2013 Edelman Trust Barometer, the Financial Services industry is the least trusted industry globally. Only 46% trust the financial services industry to do the right thing.

THE GOAL OF ETHICS EDUCATION
• To recognize that ethical issues are a normal and predictable part of life.
• To build upon a culture of compliance and develop a culture of ethical decision-making.
• To discuss approaches for dealing with ethical issues.

Economist Intelligence Unit Report: A Crisis of Culture: Valuing Ethics and Knowledge in Financial Services
Key Findings:
• 91% of financial executives support the notion that aspiring to a globally recognized set of ethical standards would make the financial services industry more resilient.
• 53% of financial services executives say strictly adhering to ethical standards inhibits career progression at their firm.

LAW versus ETHICS

Law: a clearly defined set of enforceable rules that applies to everyone. It represents a minimum level of expected conduct that everyone must observe. (CAN YOU?)

Ethics: addresses situations not covered by the law (relations with competitors, interpersonal relations at work) and also contributes to the creation of laws. (SHOULD YOU?)

FUNDAMENTAL ETHICAL PRINCIPLES

– Place client interests first
– Maintain independence and objectivity
– Avoid/manage conflicts of interest
– Make full and fair disclosure
– Preserve confidentiality
– Deal fairly
– Reasonable care & prudent judgment
– Maintain integrity of profession
– Promote integrity of capital markets

A FRAMEWORK FOR ETHICAL DECISION-MAKING

Identify the Issue(s):

  • Duties/Obligations
  • Conflicts of Interest
  • Relevant Facts
  • Ethical Principles

Consider:

  • Situational Influences – External & Internal
  • Alternative Actions
  • Additional Guidance

Then Act and Reflect.

WARNING PHRASES:

– Everybody else does it, so it must be okay.
– That is the way they do it at Firm X.
– If we do not do it, someone else will.
– This is the way it has always been done.
– It doesn’t really hurt anyone.
– It’s not a big deal.
– It’s not my responsibility.
– I want to be a team player; I want to be loyal.


Risk Management Panel at the NRS Compliance Conference

Robert B. Hirth, Chairman, Committee of Sponsoring Organizations of the Treadway Commission
Fred Shane, Chief Risk Officer, Commonwealth Financial Network

Should CCOs be Taking on the Additional Role of a Chief Risk Officer?

It Depends, of Course
• Compliance requirements, degree of regulation, risk
• Objectives
• Complexity
• Size
• Ability to source talent
• Peer companies
• Regulatory constraints
• NO single right answer, NO one size fits all

The SEC is starting to use concepts of risk measurement in its inspection program.

SEC’s “Core Initial Information Examiners Request of Investment Advisers” includes the following:

  • “On-going Risk Identification and Assessment Inventory of compliance risks that forms the basis for policies and procedures and notations regarding changes made to the inventory.
  • Documents mapping the inventory of risks to written policies and procedures.
  • Written guidance provided to employees regarding compliance risk assessment process and procedures to mitigate and manage compliance risks.”

The SEC has published an “Investment Adviser Scenario Analysis/Risk Matrix” on its web site: http://www.sec.gov/info/cco/cco_matrixguide.pdf

The SEC has also published a “Risk Inventory Guide” on its web site: http://www.sec.gov/info/cco/red_flag_legend_2007.pdf. The Guide lists twelve categories of risks for an investment adviser. According to the SEC,

“[a]s a CCO responsible for your firm’s compliance, you should determine what risks are present and how they might affect your firm and its operations, assess whether the controls in place to manage or mitigate these risks are adequate, and make or recommend modifications to the compliance policies and procedures as necessary.”

Risk management is a bigger scope than compliance.

Risk Reporting and Tracking

Use a Risk Management Database

  • Impact – how severe is the risk?
  • Likelihood – how probable is it?
  • Vulnerability – how exposed is the firm?
  • Priority – how does it rank against other risks?
  • Velocity – how fast does it happen?
  • Persistence – how long does the impact last?

Internal controls – go beyond brute-force automated systems and think of them as control activities. A meeting can be a control.

The updated framework articulates the following principles of effective internal control, grouped by component:

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Information Technology and Cybersecurity

Ted Kobus, Baker Hostetler
Karen M. Aavik, First Niagara Financial Group
Tammy Eisenberg, CLS Bank International

In 2012 the average cost of a data breach was $5.4 million. (IBM 2014 Cost of Data Breach Study)

More breaches happen from lost laptops and media than from third-party hackers. Malicious employees may steal information. Ill-informed employees may leave systems open inadvertently. Also keep an eye on employee departures: make sure you shut down the departing employee’s remote access.

Malware is hard to stop, but it can be done with a concerted effort. Phishing and spear-phishing are more common. The attacker tries to get you to open a breach voluntarily by handing over your account information and password.

Vendors cause a substantial portion of breaches. They may not be as careful as you are. At the end of a contract, you need to make sure you get the data back and that they delete the information.

Data Breach Decisions

  • Is it a breach?
  • Who are the key internal personnel that should be involved in the response?
  • Do you involve law enforcement?
  • Do you hire a forensics company?
  • Do you retain outside counsel?
  • Do you involve regulatory agencies?
  • Is crisis management necessary?
  • Do you offer credit monitoring?
  • Do you get relief from a “law enforcement” delay?

One silver lining: you will be better prepared for the next breach.

What do regulators expect?

  • Transparency
  • Prompt and thorough investigation
  • Corrective action
  • Appropriate and prompt notification to regulators and customers

Best practices

  • Prepare and practice a response plan
  • Respond quickly
  • Bring in the right team
    • Preserve evidence
    • Contain & remediate
    • Let the forensics drive the decision-making
    • Law enforcement
    • Document analysis
    • Involve the C-suite
    • Plan for likely reaction of customers, employees, & key stakeholders
    • Mitigate harm

FTC Recommended Internal Safeguards

Over 50% of data breaches originate from inside the company.
Train and retrain all employees to:
(1) Limit access to customer information to employees who have a business reason to view;
(2) Secure deal jackets and information;
(3) Lock rooms and file cabinets;
(4) Use strong passwords on computers (and don’t share);
(5) Remove access for terminated employees;
(6) Securely dispose of customer information;
(7) Think about what data is provided to a vendor;
(8) Protect customer information.

Identity Theft Red Flag Rules

The key is to see if you are a “covered account” or “financial institution”

Policies/procedures must be based on a periodic identification of client accounts and a risk assessment of potential identity theft, including:
– account opening processes;
– account access processes; and
– previous experiences with identity theft.

The procedures must include the following four elements:
– identifying red flags;
– detecting red flags;
– responding to red flags; and
– periodically updating the program.

Supervision and the Urban Case, with Ted Urban

Who better to talk about supervision than Ted Urban himself? He was the general counsel and chief compliance officer. One of the firm’s registered representatives went rogue, and he and other line supervisors were charged by the SEC for failure to supervise.

Urban pushed for the registered representative to be fired, but his supervisor merely put him under special supervision.

The SEC’s theory was that Urban could affect the rep’s behavior. The SEC took the position that even if Urban’s actions were not authoritative, they could be viewed as authoritative. However, even though Urban recommended the firing, he did not have the power to fire.

In the administrative decision, the ALJ found that Urban was a supervisor, but that his supervision was reasonable. The charges would have been dismissed. Urban appealed the decision that he was a supervisor and the SEC appealed the decision that the supervision was reasonable.

The Commission was responsible for hearing the appeal. However, two of the commissioners recused themselves and the other two came down on opposite sides. Urban pointed out that he had no idea why the commissioners recused themselves and there seemed to be no obvious reason why they would. (That is apart from the commissioners being the ones who had authorized the enforcement action in the first place.)

The Urban case has been hanging over compliance officers’ heads. If you are considered a supervisor, then you are at risk when your positions are not followed. Mr. Urban pointed to a prior case that dealt with CCO supervisor liability.

In Gutfreund (1992), four senior managers got together to discuss a compliance problem; they all left the room and no one did anything. The SEC took the position that all were liable, including the head of legal and compliance. The standard was that legal and compliance personnel can be supervisors when they have “the requisite degree of responsibility, ability or authority to affect the conduct of the employee whose behavior is at issue.”

On February 24, 2012, Commissioner Dan Gallagher gave a speech about compliance and supervision. He said the issue of when compliance equals supervision has been raised in cases, but never answered in the “clear and definitive” manner it deserves. The question “remains disturbingly murky.” He posed the question: how do we distinguish “robust engagement” in a culture of compliance from supervision, and avoid the perverse incentives created by an overbroad definition of supervision?

SEC Examination and Enforcement Priorities

John Walsh, Sutherland
Karol Pollock, SEC Deputy Associate Regional Director (Exams)

Karol outlined the examination process.

1. You get a phone call. But prior to the phone call, the examiners will have done some background research, looking at the firm’s ADV, public website and an internet search.

2. You get a document request. The examiners will try to tailor it to the particular firm. A quick response is a good sign. A delay in getting materials is a red flag.

3. After the exam you will get a summary letter. This used to be called the deficiency letter. The SEC may go back to calling it a deficiency letter.

4. Post exam the examiners will work with the Division of Investment Management. The goal is to get a bigger enforcement footprint.

OCIE has expanded its mission. It is not a branch of enforcement. It acts as the eyes and ears of the Commission. It’s the first to see new trends. It also comments on rulemakings.

Here is a preview of the 2015 exam priorities. These are not final yet, but are likely to end up in this year’s disclosure.

Perennial priorities

  • Safety of client assets and custody
  • Conflicts inherent in IA firms
  • Marketing and performance disclosure

Initiatives

  • Never before examined
  • Fixed income investment companies. The SEC is looking ahead to rising interest rates. The SEC wants to make sure these investment products are making proper disclosures about what may happen when rates rise.
  • Private fund advisers. The exam staff finds them “interesting.” There is a clash with organizations that are not used to regulatory exams.
  • Retirement vehicles and rollovers
  • Dual registrants. Is each side aware of the different compliance requirements? BDs go “wild” when they switch to IA and are no longer oppressed by the FINRA manual.

Potential New Initiatives

  • ETFs – They increasingly have a narrow niche and increasing complexity. The SEC wants to make sure that there are proper disclosures and sales suitability.
  • Accuracy of ADV. The SEC is seeing advisers inflate assets to stay registered with the SEC and avoid the transfer to state regulation.
  • False addresses. The SEC is seeing advisers use a false Wyoming address to get SEC registration.
  • Proxy advisers. Reviewing recommendations and voting for investors.

There was a discussion of the “may” versus “will” issue. If you are actually doing something all the time, don’t say you “may” do it.

Regulatory Roundtable at the NRS Compliance Conference

Lance Burkett, District Director for FINRA
Michelle Wein Layne, Regional Director for the SEC
Andrew Hartnett, Securities Commissioner in Missouri and representing NASAA

Each panel member went through a list of enforcement and risk priorities that are currently high on their organization’s list.

NASAA

  • Broker-dealer fee disclosures. There is a working group trying to come up with a model fee disclosure.
  • Model disaster recovery plan and guidelines
  • Cybersecurity
  • Senior clients – over 60% of his state’s investment fraud cases involve seniors

FINRA

  • Implementing a new risk-based exam program
  • “Exams that matter”
  • Suitability. Does the firm understand the product?
  • Recidivist brokers

SEC

  • Visit SEC.gov and review the rich trove of information
  • Broken windows. The SEC is not just pursuing big problems. The SEC will consider the discovery of a small problem to be an indication of undiscovered bigger problems.
  • Identify who at the firm is at higher risk for getting into trouble.
  • Cybersecurity
  • “Don’t tolerate liars, cheaters or stealers in your organization, no matter how much revenue they generate.”

All mentioned a higher focus on fraud aimed at seniors. The baby boomers are rapidly becoming retiring boomers looking to manage their assets as they enter retirement.

More than one mentioned a focus on high-yield products. They want to make sure that there is proper disclosure of the higher risks that come with the bigger coupon.

More than one mentioned a focus on ETFs. As they become more exotic, there will be an increased focus on suitability and risk disclosure.