Prior to having most of its routine work suspended because of the US government partial shutdown, the Securities and Exchange Commission’s inspection unit published its 2019 examination priorities. These included reviewing the offer and sale of digital assets by registrants, cybersecurity, and anti-money laundering programs. Separately, the Financial Industry Regulatory Authority published a report of effective cybersecurity practices by members. As a result, the following matters are covered in this week’s edition of Bridging the Weeks:
OCIE noted that, in focusing on cybersecurity, it will concentrate on the “proper configuration of network storage devices,” information security governance, and policies and procedures concerning retail trading information security, among other matters. It will also pay particular attention to cybersecurity practices at investment advisers with multiple branch offices, as well as to risk assessment, access rights and controls, vendor management, training and incident response.
OCIE additionally said that, in 2019, it will prioritize matters important to retail investors in its examinations, such as disclosure of fees and expenses and the costs of investing, conflicts of interest, and senior investors and retirement accounts and products. It will also review compliance and risk at critical market infrastructures (i.e., clearing agencies, transfer agents and national securities exchanges) and focus on select areas and programs of the Financial Industry Regulatory Authority and the Municipal Securities Rulemaking Board.
In other legal developments regarding cryptoassets:
Compliance Weeds: The beginning of every year provides a natural opportunity for registrants to review their written policies and procedures to ensure they still reflect actual practices. It is easy, over time, for policies and procedures to go stale. Unfortunately, if something goes wrong, it will not be helpful to have actual practices that are inconsistent with written policies, or written policies that are so generic they provide no real basis for actual practices. Ensuring that policies and procedures address hot-button issues identified by regulators in summaries of examination priorities – such as OCIE’s 2019 examination priorities – is also advisable.
According to the regulators, from January 2004 through April 2017, some UBS customers maintained brokerage accounts that provided bank-like services, including authorization to move funds through wires, journals, check writing, ATM withdrawals, cash advances and ACH transfers. During this time period, however, UBS purportedly failed to detect and report suspicious activities in such accounts to FinCEN when they may have been used to move funds for shell companies involving countries UBS itself had identified as sensitive due to an increased risk of money laundering (e.g., Mexico, Venezuela and Panama), while engaging in little or no securities trading.
Moreover, UBS allegedly did not adequately monitor foreign currency-denominated wire transfers in commodities accounts and retail brokerage accounts because its surveillance system failed to capture “critical information” regarding such wires, such as sender and recipient information and country of origin and destination. According to FinCEN, “[t]he weaknesses in monitoring meant that it was possible for an unknown third-party residing in a country known for money-laundering risk to transfer foreign currency into a customer’s commodities account, and for that customer to then transfer these funds to another party in a country known for money-laundering risk, without the Firm’s surveillance system reviewing these transactions.”
FinCEN also claimed that, during the relevant period, UBS failed to provide adequate resources to its chief AML compliance officer and failed to have sufficient staff to review suspicious activities.
In assessing their penalties, the SEC and FinCEN particularly noted UBS’s “significant” investment in AML staffing and technology to enhance its monitoring and reporting capability.
Unrelatedly, Merrill Lynch, Pierce, Fenner & Smith, Inc., also a registered broker-dealer, agreed to pay a fine of US $5.5 million to FINRA for allegedly selling shares offered in initial public offerings to industry insiders contrary to FINRA rules from 2010 through March 2018, as well as purportedly not responding reasonably when it learned by August 2013 that the firm had repeatedly sold IPO securities to family members of Merrill Lynch financial advisors. Under a FINRA rule, a member cannot sell IPO shares to “restricted persons,” defined to include associated persons or employees of broker-dealers and immediate family members associated with a selling member. To resolve FINRA's allegations, Merrill Lynch also agreed to disgorge profits of almost US $500,000 it earned in connection with its purportedly prohibited IPO sales. (Click here to access FINRA Rule 5130.)
In October 2016, FinCEN issued an advisory stating that covered financial institutions must file a suspicious activity report following certain cyber-events. Mandatorily reportable incidents are those where a financial institution is targeted by a cyber-event where it knows, or has reason to suspect, the event “was intended, in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions” that involves or aggregates or could involve or aggregate to US $5,000 or more in funds or other assets. It would not matter whether the transaction or series of transactions ended up actually occurring. (Click here for details regarding this FinCEN advisory in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required to Be Reported Through SARs” in the October 30, 2016 edition of Bridging the Week.)
Recently, FINRA fined LPL Financial, LLC, a broker-dealer, US $2.75 million for not reporting as suspicious activities to FinCEN unsuccessful attempts by third parties to gain unauthorized access to customers’ email or brokerage accounts. According to FINRA, LPL mistakenly believed that only successful hacking incidents were subject to SAR reporting and advised its employees accordingly; however, this understanding was incorrect. As a result, FINRA concluded that LPL failed to investigate and file over 400 SARs with FinCEN from January 1, 2013, through May 31, 2016. (Click here for further details in the article “Broker-Dealer Fined US $2.75 Million by FINRA for Breakdowns in AML Program and Customer Complaint Reporting” in the November 4, 2018 edition of Bridging the Week.)
For branch offices, FINRA said that effective practices it has seen to minimize cybersecurity risks include establishing written supervisory procedures defining minimum cybersecurity controls for branches and formalizing their oversight; creating an inventory of branch-level data, as well as software and hardware assets; maintaining branch technical controls including identity and access management restrictions for salespersons and other staff to limit their access to only their own customers' data; and having a “robust” cybersecurity examination program.
For phishing, FINRA observed that some firms had express policies to address phishing; implemented email scanning and filtering to monitor and block phishing and spam; used staff specially trained to recognize and respond to phishing; and conducted regular simulated phishing email campaigns, among other effective techniques.
FINRA noted that insider threats are a particularly serious risk “because an insider typically circumvents many firm controls and may cause material data breaches of sensitive customer and firm data.” To mitigate such risks, FINRA observed that some firms implemented measures to identify potentially abnormal user behavior within a firm’s network and imposed an identity and access management policy, as well as heightened technical controls for individuals with privileged access, to continuously align access rights with specific job functions.
FINRA said that, in issuing its “Report on Selected Cybersecurity Practices – 2018,” it was not creating any new legal requirement or changing any existing regulatory obligation.
Recently, the National Futures Association filed with the Commodity Futures Trading Commission proposed amendments to its 2016 guidance that requires all members to implement a written information systems security program addressing how they will protect their information technology systems against unauthorized access or attack and how they will respond to such incidents. The revised guidance is scheduled to go into effect early this year. (Click here for information on NFA’s amended ISSP requirement in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)
Compliance Weeds: In 2015, the Securities and Exchange Commission issued a report on its own cybersecurity observations where it said that 88 percent of all broker-dealers and 74 percent of all investment advisers reported they had previously sustained cyber-attacks directly or through one or more of their vendors. Most attacks were the result of malware and fraudulent emails. According to the SEC, 54 percent of all broker-dealers and 43 percent of advisers specifically indicated they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25 percent of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”
Regrettably, it is likely not a matter of if a cyber breach may occur, but when and how severe. Financial services firms must continue their efforts to minimize the likelihood of cybersecurity breaches through periodic risk assessments, robust policies, procedures and governance, state-of-the-art technological defenses, ongoing monitoring, and employee training. Moreover, firms should develop, implement and periodically update response plans should a cyber breach occur. Unfortunately, it will.
Without admitting or denying the SEC’s charges, Wealthfront Advisers, LLC agreed to pay a penalty of US $250,000 and consented to a censure, while Hedgeable, Inc. consented to a censure and a penalty of US $80,000. According to the SEC, from October 2012 through mid-May 2016, Wealthfront provided its robo-advisor clients with false statements regarding its tax-loss harvesting strategy by claiming that it would monitor client accounts for any transactions that might trigger a wash sale, an occurrence that negates the benefit of a tax-loss harvesting strategy. However, during this time, Wealthfront’s software did not monitor for such transactions, and wash sales occurred in roughly 31 percent of the firm’s tax-loss harvesting accounts. The SEC further alleged that Wealthfront violated applicable advertising and marketing regulations by using social media to promote testimonials made by persons whom Wealthfront had incentivized to make such statements, without disclosing the financial interest of the authors.
Separately, the SEC alleged that Hedgeable, Inc. made false statements regarding its robo-advisor’s performance. According to the SEC, from 2016 until April 2017 Hedgeable created its own index to track and market the performance of its robo-advisor clients against two independent competitor robo-advisor platforms. However, said the SEC, Hedgeable’s index performance was misleading because the composite included only 4 percent of the firm’s robo-advisor clients for the relevant time period, and the index was improperly calculated because the performance figures for the two independent robo-advisors were not derived from their actual trading models but relied on estimates of their performance.
Both Wealthfront and Hedgeable are registered with the SEC as investment advisers.
(Click here for background on the SEC’s 2017 robo-advisor guidance in the article “SEC Division of Investment Management Issues Guidance Regarding Robo-Advisors” in the February 26, 2017, edition of Bridging the Week.)
Revised: January 15, 2019 to reflect the correct amount of the Hedgeable fine.
Additionally, OIG’s report to Congress referenced another investigation involving a “senior Government employee” where allegations of misconduct “were substantiated”; however, OIG indicated this investigation was currently confidential and provided no details in its report.
The CFTC order alleged that between September 2013 and January 2014, after the National Futures Association previously issued an order prohibiting respondents from withdrawing money from any trading accounts they controlled without NFA’s approval, Mr. Hansen caused an account to be opened in his spouse’s name. Afterwards, Mr. Hansen entered bunched orders on behalf of his customers without specifying at the time which customer accounts were associated with the trades contrary to an applicable rule (click here to access CFTC regulation, Rule 1.35(b)(5)). Subsequently, if the bunched orders were profitable, Mr. Hansen would allocate those orders to the account owned by his wife (and not to customers) and eventually transfer these profits to a joint bank account in his and his wife’s name. In 2014, Mr. Hansen and Newport agreed to withdraw their NFA membership and never reapply to resolve an NFA complaint regarding this matter (click here for details).
Brokers dealing with Mr. Hansen and Newport have also been subject to enforcement and disciplinary actions related to this matter. (For further background, click here to access the article “Introducing Broker and Principal Sanctioned by CFTC for Not Overseeing Unlawful Post-Trade Allocations of CTA Client” in the September 23, 2018 edition of Bridging the Week; here for the article “CFTC and NFA Sanction FCM for Handling of Post-Trade Allocations by Trading Manager” in the August 5, 2018, edition of Bridging the Week; and here to review the article “Former FCM Fined by CFTC and NFA for Processing CPO Client’s Unlawful Post-Trade Allocations Despite Red Flags” in the June 3, 2018 edition of Bridging the Week.)
For further information:
CFTC Inspector General Criticizes Internal Stress Testing Methodologies Squabbles:
Cherry-Picking Winning Trades as Part of Post-Trade Allocation Scheme Costs Commodity Trading Firm and Principal US $315,000 in CFTC Fine:
Company and Trader Agent Sanctioned by CBOT for Disruptive Trading:
Congressmen Propose Law to Exclude Certain Cryptoassets from the Definition of a Security: http://www.scribd.com/document/396096529/Token-Taxonomy-Act-of-2018
EC Sets Contingency Plan for No-Deal Brexit:
FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks:
NY May Reconsider BitLicense:
Offer and Sale of Digital Assets and Cybersecurity Among the Focus of SEC OCIE 2019 Examination Priorities:
Related Broker-Dealers Fined US $15 Million by the SEC, FINRA and FinCEN for Alleged AML Program Deficiencies; Unrelated BD Fined US $5.5 Million for Purportedly Selling IPOs to Industry Insiders:
Robo-Advisors Sanctioned by SEC for False Disclosures:
Texas Clarifies Application of Money Transmission Requirements to Transactions Involving Virtual Currencies:
UK Bank and NY Branch Fined US $15 Million by NY DFS for Endeavoring to Identify Whistleblowers:
UK Issues Guidance on Taxation of Cryptoassets:
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of January 5, 2019. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made. Views of the author may not necessarily reflect views of Katten Muchin or any of its partners or other employees.