Cybersecurity Archives - Compliance Risk Concepts
https://compliance-risk.com/tag/cybersecurity/

News Update: SEC Fines 27 Firms for Form CRS Failures
https://compliance-risk.com/news-update-sec-fines-27-firms-for-form-crs-failures/
Thu, 29 Jul 2021 15:28:48 +0000

The Securities and Exchange Commission announced on July 26th that 21 investment advisers and 6 broker-dealers have agreed to settle charges that they failed to timely file and deliver their client or customer relationship summaries (Form CRS) to their retail investors. In the release, the SEC’s Director of Enforcement, Gurbir Grewal, notes:

“Today’s cases reinforce the importance of meeting those obligations and providing retail investors with information that is intended to help them understand their relationships with their securities industry professionals.”

The penalties ranged from $10,000 to $97,523. 

The Cost of Non-Compliance

Appropriate implementation, maintenance, and distribution of a two-page document could have saved these firms the hassle and embarrassment of fines and reputational damage. At CRC, we firmly believe that the best compliance program is a proactive one; the fines above demonstrate that regulators agree. 

Our Take

Regulators have continued to display heightened focus on transparent communication and disclosure when interacting with retail investors. Recent examinations of both SEC-registered investment advisers and broker-dealers have shown a sharp emphasis on Regulation Best Interest (Reg BI) related policies and procedures, particularly regarding the content and distribution (and subsequent evidence of delivery) of Form CRS. As such, firms should ensure that their Form CRS includes all mandated language and meets the formatting requirements specified in the Form CRS instructions adopted alongside Reg BI. A firm’s compliance policies and procedures should also accurately reflect the processes implicated by Reg BI, including the delivery of Form CRS, and firms should test those procedures (for example, by sampling delivery records against the dates on which delivery was required) to confirm that they work in practice and that delivery can be evidenced on request. If you have concerns regarding your firm’s Reg BI policies and procedures, please contact your Compliance Professional at CRC, or contact CRC using the methods listed below so that we can connect you with a member of our team.

For more information:

Mitch Avnet at mavnet@compliance-risk.com or (646) 346.2468

Kate Gibbs at kgibbs@compliance-risk.com or (781) 742.4688 

News Update: SEC Issues Statement Regarding Digital Assets
https://compliance-risk.com/news-update-sec-issues-statement-regarding-digital-assets/
Thu, 25 Jul 2019 17:23:41 +0000

Background & Summary

On July 8, 2019, staff of the US Securities and Exchange Commission (SEC) Division of Trading and Markets and FINRA’s Office of General Counsel issued a joint statement on broker-dealer custody of digital asset securities, responding to requests for clarity on whether and how broker-dealers can hold such assets under the federal securities laws. The statement reiterated the regulators’ growing concern for investor protection and made clear that entities seeking to participate in digital asset markets must comply with the relevant securities laws. It placed specific emphasis on compliance with the Customer Protection Rule (Exchange Act Rule 15c3-3). While recounting the success and importance of that rule, the staff added, "[t]his record of protecting customer assets held in custody by broker-dealers stands in contrast to recent reports of cyber theft, and underscores the need to ensure broker-dealers robust protection of customer assets, including digital asset securities."

With respect to custody of digital asset securities, the statement indicates that the staff view such assets through the existing framework for uncertificated securities (i.e., ownership is recorded on the books of the issuer or its transfer agent rather than evidenced by a physical certificate). As such, broker-dealers would likely need to establish custody through an SEC-registered transfer agent, which would also maintain the applicable records of security ownership. The statement also suggests that custodying digital assets in wallets whose private keys are controlled by the broker-dealer is unlikely to be looked upon favorably, or ultimately approved, by regulators; a private key can be copied or exfiltrated without the custodian’s knowledge, which makes it difficult to demonstrate exclusive control of the asset or to reverse an unauthorized transfer. While the tone of the statement seems geared toward preparing digital securities for more mainstream (i.e., retail) access, the bottom line for regulators, as evidenced by this release, is customer protection. As the industry navigates the nuances of digital securities markets, it should do so through the lens of protecting against fraud, theft, or misappropriation of client funds and/or information.

Our Take

As always, it is our position at CRC that cooperation with regulators is key to the successful operation of financial services organizations. Regulators have continued to display heightened focus on the protection of retail and senior investors. As such, digital assets in particular are a developing area in which cooperative, responsible players will have the advantage. Prompt, efficient, and honest communication and responses will satisfy regulators and clients alike, while also bringing a sense of legitimacy and scrupulousness to digital asset operations. If you would like to speak with one of our Compliance Specialists about custody implications or have any other questions regarding digital assets, please do not hesitate to contact us.

Contact Mitch Avnet at mavnet@compliance-risk.com or (646)346-2468 for more information. 

Cybersecurity: High Profile Exam Priority for FINRA and the SEC
https://compliance-risk.com/exam-priority-finra-sec-cybersecurity-risk/
Tue, 20 Jan 2015 17:52:39 +0000

Earlier this month, FINRA and the SEC issued their exam priorities for 2015, and both agencies again pinpoint cybersecurity as a top priority. Although these priority letters serve as a “roadmap” highlighting areas of regulatory focus during the coming year, most firms continue to struggle with how to conduct their internal Cybersecurity Risk Assessments and how to evidence their diligence and vigilance with respect to this high-profile industry risk.

In the wake of the many highly publicized data-breaches in 2014, our clients have reached out to us for advice and guidance in an effort to increase the overall awareness of Cybersecurity risk within their respective organizations.   Many of these clients are seeking comprehensive training and a robust framework and methodology to conduct Cybersecurity Risk Assessments on a targeted and/or enterprise basis.

Based on the risks and costs (both financial and reputational) that can result from a Cybersecurity breach, all financial services organizations, large and small, must assess the following attributes, which correspond to the five core functions of the NIST Cybersecurity Framework:

  1. Identification:  Can your organization identify the critical processes and the data that supports your business end-to-end?  Can you recognize the difference between an “attack” (an attempt against your systems, whether or not it succeeded) and a “breach” (an attack that actually reached your data or systems)?
  2. Protection:  What is your company doing to protect its critical data and the infrastructure and devices it rides on?
  3. Detection:  What mechanisms does your organization have in place to detect if something is going on with critical data, and how is that detection escalated throughout the firm?  How quickly after an incident can your company realize that something is amiss?
  4. Response:  How is your organization prepared to respond when Cyber incidents are detected?
  5. Recovery:  How will your organization recover from a Cyber incident?  How will your company keep its good name intact, at reduced risk and quickly on the mend?

Vendors and Business Partners

In addition to the items discussed above, organizations must consider the impact of their vendors and business partners in their Cybersecurity awareness efforts.  When we look at many of the high profile breaches that occurred in 2014, service providers to the companies we do business with were the targets, or the initial entry point, for a significant portion of these attacks.  With that said, here are some of the important questions firms must ask themselves when assessing vendor / service provider Cybersecurity risk:

  • Do our business partners have good Cyber-business practices in place?  How do we know (for example, from an independent assessment or audit report rather than a self-completed questionnaire alone)?
  • Do our contracts with partners and vendors require a defined level of Cyber-diligence (security controls, breach notification, right to audit) to get and keep our business?
  • Are our business units, vendors, partners, and processes compliant with ever-changing regulations, reporting requirements, and industry standards?
  • Does their critical data ever co-mingle with our critical data?
  • Does our firm have on-boarding contracts, processes and training to ensure appropriate governance over our Cybersecurity risk?
  • How does our firm keep a non-tech-savvy workforce well trained and ever-vigilant against Cyber threats?
  • What if we have a potential whistle-blower situation?  What are our processes to handle and escalate it?

The Year Ahead….

With the knowledge that FINRA and the SEC have made Cybersecurity an exam priority for the coming year, firms should operate under the following premises:

  • Assume that the criminals are already in your networks.  With this in mind, organizations should respond by proactively assessing their respective risks and creating the appropriate mitigation strategies, including detection and response capabilities rather than perimeter defenses alone, to ensure the firm is appropriately protected.
  • Multiple studies have reported that in 2014 more than 40% of all businesses were hacked, exploited or denied service, mainly by overseas non-state actors.  Due to the rise in the number of “network citizens” outside of the United States, this trend is only expected to continue.

According to J.R. Helmig, Founder of Leveraged Outcomes, LLC, a financial and national security consultancy, the primary point is for firms to implement solutions to meet future threats and regulations.
________________________________________________________________________________

“Too often firms spend time and resources to meet yesterday’s compliance obligation or risks. Instead, look at what the requirements and risks are going to be for the time frame when you will be implementing the solution set, otherwise you will be outdated and outgunned before the start.”
________________________________________________________________________________

How Do We “Attack” the “Attacks”?

Through our ongoing efforts to provide thought leadership and impactful guidance to our clients, we have spent a significant amount of time and resources contemplating the best ways for firms to assess Cybersecurity threats within their respective organizations.  Based on our research, we have determined that one of the most comprehensive and current Cyber frameworks to apply is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework (CSF), released in February 2014.  Its five core functions (Identify, Protect, Detect, Respond, Recover) cover the areas addressed in the FINRA and SEC sweep letters.

Incremental Tactical Wins Lead to Long Term Strategic Success

The NIST Cybersecurity Framework is very modular and can be applied incrementally as firms deem necessary and appropriate.  This allows firms to “leg-in” to a Cybersecurity framework over time with a careful, thoughtful and pragmatic approach toward addressing their risk, based on the risk profile of the organization and with sensitivity to internal budgetary constraints.

Buyer Beware!

Firms must be mindful of partnering with third-party vendors / service providers that cannot show an acceptable, criteria-based framework for assessing Cybersecurity risk, such as the NIST Cybersecurity Framework.  Companies need the ability to look across their entire enterprise, from the board room to the shop floor, when considering Cybersecurity.  Almost everything we do today has some sort of Information Technology component associated with it.  The NIST Cybersecurity Framework helps companies recognize the scope and breadth of the task at hand.

How Can Compliance Risk Concepts Help?

CRC has the capability to assess all or part of your enterprise in a way that will meet or exceed the spirit and intent of the FINRA sweep letter.  Based on our understanding and utilization of the NIST Cybersecurity Framework, we can offer your organization a best-in-class, cost-effective assessment, training, and technological suite of solutions that can be tailored to meet your company’s specific needs, requirements and budgetary constraints.

Have Questions?

Contact CRC to request an exploratory conversation or in-person meeting to discuss your organization’s specific needs.

Just in Time For The Holidays – The Gift of Cybersecurity Awareness
https://compliance-risk.com/just-in-time-for-the-holidays-the-gift-of-cybersecurity-awareness/
Mon, 03 Nov 2014 00:26:12 +0000

The Gift That Keeps on Giving…..

In early 2014, FINRA- and SEC-regulated firms caught a glimpse of regulatory focus in the form of targeted examination “sweep” letters focused on Cybersecurity.  Although these letters raised awareness of regulatory focus and concern regarding Cybersecurity within the Broker-Dealer and Investment Adviser communities, most firms are still “in the dark” in terms of how they should conduct internal Cybersecurity Risk Assessments and how to ensure they are meeting regulatory expectations if and when FINRA or the SEC asks them to evidence their diligence in this high-profile area.

In the wake of the many highly publicized data-breaches in 2014, our clients have reached out to us for advice and guidance in an effort to increase the overall awareness of Cybersecurity risk within their respective organizations.   Many of these clients are seeking comprehensive training and a robust framework and methodology to conduct Cybersecurity Risk Assessments on a targeted and/or enterprise basis.

Based on the risks and costs (both financial and reputational) that can result from a Cybersecurity breach, all financial services organizations, large and small, must assess the following attributes, which correspond to the five core functions of the NIST Cybersecurity Framework:

  1. Identification:  Can your organization identify the critical processes and the data that supports your business end-to-end?  Can you recognize the difference between an “attack” (an attempt against your systems, whether or not it succeeded) and a “breach” (an attack that actually reached your data or systems)?
  2. Protection:  What is your company doing to protect its critical data and the infrastructure and devices it rides on?
  3. Detection:  What mechanisms does your organization have in place to detect if something is going on with critical data, and how is that detection escalated throughout the firm?  How quickly after an incident can your company realize that something is amiss?
  4. Response:  How is your organization prepared to respond when Cyber incidents are detected?
  5. Recovery:  How will your organization recover from a Cyber incident?  How will your company keep its good name intact, at reduced risk and quickly on the mend?

Vendors and Business Partners

In addition to the items discussed above, organizations must consider the impact of their vendors and business partners in their Cybersecurity awareness efforts.  When we look at many of the high profile breaches that occurred in 2014, service providers to the companies we do business with were the targets, or the initial entry point, for a significant portion of these attacks.  With that said, here are some of the important questions firms must ask themselves when assessing vendor / service provider Cybersecurity risk:

  • Do our business partners have good Cyber-business practices in place?  How do we know (for example, from an independent assessment or audit report rather than a self-completed questionnaire alone)?
  • Do our contracts with partners and vendors require a defined level of Cyber-diligence (security controls, breach notification, right to audit) to get and keep our business?
  • Are our business units, vendors, partners, and processes compliant with ever-changing regulations, reporting requirements, and industry standards?
  • Does their critical data ever co-mingle with our critical data?
  • Does our firm have on-boarding contracts, processes and training to ensure appropriate governance over our Cybersecurity risk?
  • How does our firm keep a non-tech-savvy workforce well trained and ever-vigilant against Cyber threats?
  • What if we have a potential whistle-blower situation?  What are our processes to handle and escalate it?

The Year Ahead….

As we all contemplate our priorities for 2015, we can rest assured that Cybersecurity will continue to be a focus area for FINRA, the SEC and other regulators in the coming year.  Based on this, firms should understand the following:

  • Assume that the criminals are already in your networks.  With this in mind, organizations should respond by proactively assessing their respective risks and creating the appropriate mitigation strategies, including detection and response capabilities rather than perimeter defenses alone, to ensure the firm is appropriately protected.
  • Multiple studies have reported that in 2014 more than 40% of all businesses were hacked, exploited or denied service, mainly by overseas non-state actors.  Due to the rise in the number of “network citizens” outside of the United States, this trend is only expected to continue.
  • Change is coming.  FINRA, the SEC and other regulators are expected to require the entire Financial Services sector to assess Cyber risk and maturity.

According to J.R. Helmig, Founder of Leveraged Outcomes, LLC, a financial and national security consultancy, the primary point is for firms to implement solutions to meet future threats and regulations.
________________________________________________________________________________

“Too often firms spend time and resources to meet yesterday’s compliance obligation or risks. Instead, look at what the requirements and risks are going to be for the time frame when you will be implementing the solution set, otherwise you will be outdated and outgunned before the start.”
________________________________________________________________________________

How Do We “Attack” the “Attacks”?

Through our ongoing efforts to provide thought leadership and impactful guidance to our clients, we have spent a significant amount of time and resources contemplating the best ways for firms to assess Cybersecurity threats within their respective organizations.  Based on our research, we have determined that one of the most comprehensive and current Cyber frameworks to apply is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, commonly known as the NIST Cybersecurity Framework (CSF), released in February 2014.  Its five core functions (Identify, Protect, Detect, Respond, Recover) cover the areas addressed in the FINRA and SEC sweep letters.

Incremental Tactical Wins Lead to Long Term Strategic Success

The NIST Cybersecurity Framework is very modular and can be applied incrementally as firms deem necessary and appropriate.  This allows firms to “leg-in” to a Cybersecurity framework over time with a careful, thoughtful and pragmatic approach toward addressing their risk, based on the risk profile of the organization and with sensitivity to internal budgetary constraints.

Buyer Beware!

Firms must be mindful of partnering with third-party vendors / service providers that cannot show an acceptable, criteria-based framework for assessing Cybersecurity risk, such as the NIST Cybersecurity Framework.  Companies need the ability to look across their entire enterprise, from the board room to the shop floor, when considering Cybersecurity.  Almost everything we do today has some sort of Information Technology component associated with it.  The NIST Cybersecurity Framework helps companies recognize the scope and breadth of the task at hand.

How Can Compliance Risk Concepts Help?

CRC has the capability to assess all or part of your enterprise in a way that will meet or exceed the spirit and intent of the FINRA sweep letter.  Based on our understanding and utilization of the NIST Cybersecurity Framework, we can offer your organization a best-in-class, cost-effective assessment, training, and technological suite of solutions that can be tailored to meet your company’s specific needs, requirements and budgetary constraints.

Have Questions?

Contact CRC to request an exploratory conversation or in-person meeting to discuss your organization’s specific needs.
