Annual Privacy Notice Requirement Rule Change


On December 4, 2015, the Fixing America’s Surface Transportation Act (the FAST Act) became effective and, among other things, amended the Gramm-Leach-Bliley Act (GLBA). The FAST Act provides an exception to the annual privacy notice requirement for certain financial institutions meeting essentially just two conditions, both of which many broker/dealers and investment advisers already meet. First, the firm must only share nonpublic personal information within the GLBA exceptions that do not have an opt-out right. These exceptions include, but are not limited to, sharing information with non-affiliated third parties for the purposes of performing services for or functions on behalf of the firm (e.g., crucial service providers like clearing firms, custodians, portfolio management systems). Second, the firm must not have changed its privacy policies or procedures with respect to the disclosures of nonpublic personal information since the last privacy notice was made to clients. If your firm meets both of these conditions, then it no longer needs to send annual privacy notices unless there were changes to its privacy policies or in its disclosure practices for nonpublic personal information with third parties such that a consumer would have the right to opt out.

Of course, the initial privacy notice requirement has not changed. If you’d like to discuss your particular circumstances to see whether your firm meets the conditions for the exception to the annual notice requirement, please feel free to contact me at 616-752-2526 or ddawe@wnj.com.

Cybersecurity, security breaches, and potential client identity theft concerns remain high among regulators.

Today, the Securities and Exchange Commission reported the results of its 2014 cybersecurity examination sweep of broker-dealers and investment advisers. The SEC also warned investors about cybersecurity threats at brokerage and investment advisory firms and suggested how investors could better protect their online investment accounts. SEC Chair Mary Jo White said: “Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC.”

The SEC’s investor bulletin provides useful tips to help investors safeguard online investment accounts. Those include:

  • Pick a “strong” password
  • Use two-step verification (if available on the website)
  • Exercise caution when using public networks and wireless connections

Click here for the latest SEC information on cybersecurity.

Warner Norcross & Judd has provided extensive guidance about protecting against and preparing for cybersecurity threats. Click here to read our materials.

Contact Shane B. Hansen (616.752.2145 or shansen@wnj.com) or any other member of the Funds and Investment Services Group at Warner Norcross to learn more about how broker-dealers and investment advisers can better prepare for cyber-attacks and the regulatory requirements that may be triggered when they occur.

For Our Broker-Dealer Friends and Other Interested Persons: This Just in from FINRA: Industry-Wide Business Continuity Testing Slated for Saturday, October 25, 2014

“On Saturday, October 25, 2014, from approximately 9 a.m., Eastern Time (ET) to 1 p.m., ET, the Securities Industry and Financial Markets Association (SIFMA) will conduct an industry-wide business continuity test. The FINRA systems for reporting corporate and agency debt and securitized products transactions will be available for firms to connect and test trade reporting functions. The system will reflect a business/trade date of Saturday, October 25, 2014.

This test provides the opportunity for firms, markets and utilities to verify their ability to operate through an emergency using backup sites, recovery facilities and backup communications capabilities. The test will simulate a disaster scenario and will allow customers to use the appropriate backup connectivity method to the FINRA TRACE system.

Note: A formal FINRA test script is not available; users are encouraged to ensure connectivity and to utilize normal trade reporting functions during the test.

Additional details for the test can be found on the SIFMA website.

If you have questions, please send an email to FINRA Product Management or call (866) 899-2107.”

Our two cents: If you plan on participating, don’t forget to document the who, what, where, and when of your testing for your firm’s records.


Asked and Answered: Private Placement Sales and Tricky Trust Questions from the SEC’s Q&A’s

Broker-dealers who sell private placements often encounter tricky questions related to accredited investor status in certain transactions.  For example, a client recently asked whether an irrevocable trust with less than $5 million in assets could still be considered an accredited investor by virtue of the fact that the trustee and the beneficiary are both natural persons and meet the criteria for being accredited investors. 

First, without delving into too much detail, let’s back up a couple of steps for a quick review. Remember that when it comes to individuals, whether as trustees, beneficiaries, or grantors, the updated Reg D Rule 501(a) generally defines an accredited investor as: (1) any natural person whose individual net worth, or joint net worth with his/her spouse, at the time of purchase exceeds $1 million, excluding equity in the individual’s principal residence (see Rule 501(a)(5) for the particulars); (2) any natural person with individual income exceeding $200,000 in each of the two most recent years, or joint income with a spouse exceeding $300,000 in each of the two most recent years, and who has a reasonable expectation of reaching the same income in the current year; or (3) a director, executive officer or general partner of the company selling the securities, or a director, executive officer or general partner of a general partner of the company selling the securities.

Second, with regard to trusts, Reg D Rule 501(a)(7) states that any trust (revocable or irrevocable) can be an accredited investor: (1) if the trust has total assets in excess of $5 million and was not formed for the specific purpose of acquiring the securities and whose investment decisions are directed by a knowledgeable person with experience in financial and business matters capable of evaluating the risks and merits of the prospective investment; or (2) a trust whose trustee is a bank.  See Rules 501(a)(1) and 506(b)(2)(ii), as well as SEC Release 33-6455 (March 3, 1983) if you want to dig deeper.

Stated differently, the question is whether the accredited status of a trustee or a beneficiary can be attributed to a small trust in order for the trust to purchase the securities that it otherwise wouldn’t be qualified to buy standing on its own merits.  Fortunately, this kind of question has come up before in SEC Q&A’s that were recently updated and posted on July 3, 2014. They follow below (with emphasis added). You can find the whole 141-page document from the SEC’s website here. It’s a compilation of updated compliance and disclosure interpretations of the rules adopted under the Securities Act, so it covers a lot of ground. 

Question 255.19

Question: May a trust qualify as an accredited investor under Rule 501(a)(1)?

Answer: Only indirectly. Although a trust standing alone cannot be accredited under Rule 501(a)(1), if a bank is its trustee and makes the investment on behalf of the trust, the trust will in effect be accredited by virtue of the provision in Rule 501(a)(1) that accredits a bank acting in a fiduciary capacity. Furthermore, a trust having a bank as a co-trustee is an accredited investor as interpreted under Rule 501(a)(1) so long as the bank is “acting” in its fiduciary capacity on behalf of the trust in reference to the investment decision and the trust follows the bank’s direction. See the Nemo Capital Partners L.P. no-action letter (Mar. 11, 1987) issued by the Division. [Jan. 26, 2009]

Question 255.20

Question: A trustee of a trust has a net worth of $1,500,000. Is the trustee’s purchase of securities for the trust that of an accredited investor under Rule 501(a)(5)?

Answer: No. Except where a bank is a trustee, the trust is deemed the purchaser, not the trustee. The trust is not a “natural” person. [Jan. 26, 2009]

Question 255.21

Question: May a trust be accredited under Rule 501(a)(8) if all of its beneficiaries are accredited investors?

Answer: Generally, no. Rule 501(a)(8) accredits any entity if all of its “equity owners” are accredited investors. This provision does not apply to the beneficiaries of a conventional trust. The result may be different, however, in the case of certain non-conventional trusts where, as a result of powers retained by the grantors, a trust as a legal entity would be deemed not to exist. The result also would be different in the case of a business trust, a real estate investment trust, or other similar entities. Thus, where the grantors of a revocable trust are accredited investors under Rule 501(a)(5) (e.g., the net worth of each exceeds $1,000,000) and the trust may be amended or revoked at any time by the grantors, the trust as a legal entity would be deemed not to exist, and the trust would be deemed accredited, because the grantors would be deemed the equity owners of the trust’s assets. See the Lawrence B. Rabkin, Esq. no-action letter (July 16, 1982) issued by the Division. [Jan. 26, 2009]

So, unless the trustee is a bank and the bank is making the investment decision, generally the answer is negative.  However, with respect to accredited grantors who retain powers to amend or revoke a revocable trust, the answer is different since they would be treated essentially as “equity owners” under Rule 501(a)(8) and the trust would be deemed “not to exist,” thus allowing the issuer of the securities to look past the trust and rely on the accredited status of the grantor(s).

While not part of the original question, what if the grantor of an irrevocable trust is an accredited investor?  Does the same answer obtain?  Only if certain narrow conditions are met. See below for details.

Question: Are there circumstances under which the grantor of an irrevocable trust would be considered the equity owner of the trust under Rule 501(a)(8)?

Answer: The grantor of an irrevocable trust with the following characteristics could be considered the equity owner of the trust: (1) The trust was a grantor trust for federal tax purposes. The grantor was the sole funding source of the trust. The grantor would be taxed on all income of the trust during at least the first 15 years following the investment and would be taxed on any sale of trust assets during that period. During this period, all of the assets of the trust would be includable in the grantor’s estate for federal estate tax purposes. (2) The grantor was a co-trustee of the trust and had total investment discretion on behalf of the trust at the time the investment decision was made. (3) The terms of the trust provided that the entire amount of the grantor’s contribution to the trust plus a fixed rate of return on the contribution would be paid to the grantor (or his estate) before any payments could be made to the beneficiaries of the trust.  (4) The trust was established by the grantor for family estate planning purposes to facilitate the distribution of his estate. In order to effectuate the estate planning goals, the trust was irrevocable.  (5) Creditors of the grantor would be able to reach the grantor’s interest in the trust at all times.  See the Herbert S. Wander no-action letter (Nov. 25, 1983) and the Herrick, Feinstein LLP no-action letter (Jan. 5, 2001) issued by the Division. [Jan. 26, 2009]

We’ll take a look at other Reg D transaction questions in subsequent posts.

The Blue Ribbon of Stupid

At least for the recent past, this award has to go to the broker-dealer and its AML Compliance Officer (“AMLCO”) out East, who were both sanctioned by FINRA for easily avoidable AML violations. The combined fine was $200,000 with a three-month suspension for the AMLCO. Among the patterns of noncompliance with AML rules and the firm’s own written AML procedures, they ignored “red flags” of trading activity in customer accounts that were specified in their own policies and procedures. Specifically, these were customers with multiple accounts, customers with securities-related disciplinary histories who were in the process of receiving SEC sanctions, customers transacting in numerous penny stocks, and customers doing obviously questionable third-party wires related to the penny stock liquidations.

FINRA found that they turned a blind eye to the liquidations and the wiring activity, including ignoring their clearing firm’s exception reports and warning notices of unsavory clients, all of which they received throughout the period and would have easily helped them address the situation had they not ignored them. Instead, the AMLCO only looked at daily trade reports, which, barring a photographic memory, are useless to detect any long-term patterns of suspicious activity.

Additionally, even though the firm had written AML procedures to respond to FinCEN 314(a) requests, they ignored them entirely.

The firm had numerous flagrantly suspicious clients and transactions, all of which they ignored. As an example (and you can’t make this stuff up!) – an account for a citizen of India, who resided in the Philippines, whose registered agent was located in Samoa; the person with trading authority had a listed address in Panama and conducted business in Canada! From June 2008 through October 2009, the account did significant trading and wire activity related to 50 different penny stocks, deposited over 46 million shares of penny stocks, liquidated over 31 million shares, and wired out $12.5 million through 19 wires to a bank account located in Barbados, a jurisdiction where this client had no known personal connections.

Fortunately, as of now – and in spite of the fines – the firm filed the Form BDW to withdraw from registration as a BD and go out of business.

So, what’s the takeaway from this rather obvious enforcement case? Follow your written AML compliance program policies and procedures. If you have red flag policies (and you should), make sure you follow them, and never turn a blind eye to following up on suspicious customers and transactions until they’re resolved or shut down. File Suspicious Activity Reports whenever necessary and document your investigations along the way.

We’ll take a look at other interesting and informative enforcement actions in subsequent postings.

Important Dates re: Identity Theft Red Flag Rules of Regulation S-ID

Regulation S-ID, which we wrote about on April 15, becomes effective on May 20, 2013.  All affected firms must be in compliance with the new rules by November 20, 2013. It’s not too soon to review the impact of this new rule on your firm and amend or add policies and procedures for compliance. Feel free to contact me at ddawe@wnj.com for assistance.

SEC Adopts Identity Theft Red Flags Rules

As recently as last week, on Wednesday, April 10, the SEC adopted new Regulation S-ID, the Identity Theft Red Flag Rule (available for download by clicking here), which requires certain investment advisers (including Private Fund sponsors), broker-dealers, and mutual funds to develop and implement a written identity theft prevention program (“Program”) to detect red flags and prevent identity theft. Regulation S-ID now applies to any investment adviser that “directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.”  Lest you think that you are an adviser that doesn’t directly or indirectly hold these transaction accounts for clients because you don’t have custody of client assets but use a third-party custodian, the “SEC has concluded otherwise.” In the adopting release, the SEC makes clear that:

 “Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions.  If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor.  The red flags program of a bank or other qualified custodian that maintains physical custody of an investor’s assets would not adequately protect individuals holding transaction accounts with such advisers because the adviser could give an order to withdraw assets, but at the direction of an impostor.” (Emphasis added.) 

If the adviser has authority to withdraw money from a client’s account solely to deduct its own advisory fees, then the adviser would not be deemed to hold a transaction account.  However, if the adviser has the authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions (such as, for example, by a standing letter of instruction signed by the client, or by the firm acting as the agent for the client to pass instructions on to the custodial firm so that the custodial firm effects the transfer), then the SEC would deem the adviser to hold a transaction account and thus be subject to all the rules of Regulation S-ID and to have a written Program.  

Next Step: Applicable to All Investment Advisers:

The final rules under Regulation S-ID will become effective 30 days after publication in the Federal Register.  The compliance date for the final rules will be six months after their effective date.  So, it’s not too soon to start to make an assessment of whether and to what extent your investment adviser firm holds, directly or indirectly, transaction accounts with clients.

Next Step: For Investment Advisers Who Do Not Hold Client Transaction Accounts: 

If you conclude that you do not hold these kinds of accounts, then Regulation S-ID requires you to periodically reassess whether you must develop and implement a written Program.  At the very least, you will need to enhance your written compliance program policies and procedures to incorporate making this periodic assessment.  Perhaps the simplest way of doing that is by making it a component of the required annual review of your compliance program that you should already be conducting under Rule 206(4)-7 of the Advisers Act.    

Next Step:  For Investment Advisers Who Hold Direct or Indirect Client Transaction Accounts 

Begin now to inventory the types of transaction accounts you have with clients and the processes you use to make transfers of funds.  The SEC’s expectations in the adopting Release are that you will tailor your Program to the size and complexity of your firm and to the nature and scope of your transactional activities.  A “one-size-fits-all” approach, which is inherently unreasonable, won’t work.

The final rules provide direction regarding the development and administration of your Program in four areas: 

1.      The Program must be in writing and formally approved in writing by the board of directors, an appropriate committee of the board of directors, or, if the firm does not have a board, a designated senior management employee.  This requirement highlights the responsibility of the most senior levels of management to formally approve the Program.

2.      The firm must involve the board of directors, an appropriate committee of the board, or a designated senior management employee (in the absence of a board) in the oversight, development, implementation, and administration of the Program. In many firms, that designated employee may be the Chief Compliance Officer.  That person must report to the board or other senior management, at least annually, on compliance by the firm with the Program, and the board or other senior management must approve any material changes, as necessary, to address changes in identity theft risks. 

3.      The firm must have an effective staff training program in place to implement the Program. 

4.      The firm must exercise appropriate and effective oversight of any service provider arrangements so that the firm remains legally responsible for compliance with the rules, irrespective of whether it outsources its identity theft red flags detection, prevention, and mitigation operations to a service provider.  For example, a firm that uses a service provider to open accounts on its behalf could reserve for itself the responsibility to verify the identity of a person opening a new account, may direct the service provider to do so, or may use another service provider to verify identity.  The firm, however, remains ultimately responsible for ensuring that the activity is conducted in compliance with a Program that meets the requirements of the identity theft red flags rules.

Four Required Program Elements

The final rules set out four elements that firms must include in their written Programs: 

1.      Relevant Red Flags Identification.  The Program’s written policies and procedures must be reasonably tailored to the firm to identify and incorporate relevant red flags.  Rather than identifying specific red flags in the rule release, the SEC provides flexibility in determining which red flags are relevant to a firm’s business.  Examples of red flags are provided in Section II of the release.  Given the changing nature of identity theft, the SEC believes that this element allows firms to respond and adapt to new forms of identity theft and risks as they arise. 

2.      Effective Detection of Red Flags.  The Program must include reasonable written policies and procedures to detect the red flags that the Program incorporates. As in Item 1 above, the SEC doesn’t mandate a specific method of detection but only provides examples of various means to detect them (cf. Section III of the guidelines).

3.      Effective Response to Red Flags.  The Program’s written policies and procedures must have reasonable methods to respond to any red flags that are detected. The firm must be able to reasonably assess whether the red flags that are detected evidence a risk of identity theft and, if so, determine how to respond appropriately based on the degree of risk.  Section IV of the guidelines sets out a list of aggravating factors and examples that a firm should consider in determining an appropriate response.  

4.      Periodic Program Review and Updating.  The Program must have written policies and procedures to periodically update the Program (including the red flags determined to be relevant) to reflect the changes in risks to clients and to the safety and soundness of the firm from identity theft.    

It’s not too soon to start thinking about the impact of Regulation S-ID on your firm. Please feel free to contact any member of our group if you have any questions or concerns about this new regulation and its applicability to your firm.

Who Are Your Customers?

Do you know who your customers are? FINRA only provides a vague definition for the word “customer.” Under Rule 12100(i), FINRA defines “customer” only as “any person other than a broker or dealer.” Recently, however, the definition became clearer. According to the Fourth Circuit, the definition of “customer” does not include investors who initiated investments on the advice of an individual who was connected indirectly to a FINRA firm. Raymond James Financial Services, Inc. v. Cary, No. 12-1053 (4th Cir. March 9, 2013).

In Cary, the individual investors sought to arbitrate claims against Raymond James Financial Services (“RJFS”), after the investors bought “allegedly fraudulent securities.” The investors had purchased securities directly from Inofin, Inc. (“Inofin”). Inofin’s president, Michael Cuomo, recruited his college roommate, Kevin Keough, a registered representative of Morgan Stanley, and David Affeldt, Keough’s friend and tax attorney, to refer investors to Inofin. Because Keough was employed by Morgan Stanley at the time, Cuomo and Keough agreed that Inofin would pay Keough’s wife for the referrals. Affeldt and Keough’s wife agreed to equally share referral fees from Inofin.  Keough later joined RJFS, which is a FINRA member.

The investors brought claims against RJFS alleging violations of state securities laws and FINRA conduct rules, and that Keough assured them of their investments, and they sought to arbitrate their claims pursuant to FINRA Rule 12200. Under Rule 12200 of the FINRA Code of Arbitration, a “customer” is allowed to bring arbitration proceedings against a FINRA member if the dispute arises in connection with the business activities of the member or its associated persons.

In Cary, the investors argued that they were customers because they bought Inofin securities on the advice of an attorney who was a business and personal acquaintance of RJFS’ registered representative, Keough.  Because FINRA’s definition of “customer” is not instructive, the court, instead, relied on its previous definition of “customer” stating: “customer” means “an entity that is ‘not a broker or dealer, who purchases commodities or services from a FINRA member in the course of the member’s business activities,’ namely, ‘the activities of investment banking and the securities business.’”

The court determined that the Inofin investors had no direct customer relationship with RJFS, or the registered representative. As a result, because the investors did not purchase the securities from RJFS, did not have any accounts at RJFS, and did not have any personal contact with the registered representative, the court determined that the investors did not fall within the definition of “customer.”



Expanding Leviathan’s Reach (with apologies to Thomas Hobbes)

On Friday, January 25, 2013, FINRA posted Regulatory Notice 13-06 (the “Notice”), which serves as official notice to the broker-dealer community that, effective February 25, 2013, under amended Rule 8210, FINRA examination staff may now request, inspect, and copy books and records about the outside non-investment related business activities of a firm’s associated persons or of the firm itself.  The operative phrase in the amended rule is any information in the “possession, custody or control” of the firm or any of its associated persons.  This would appear to include any records related to such outside endeavors as real estate, accountancy, insurance, or investment advisory activities of representatives doing such business away from their member firms.

In the adopting Notice, FINRA stated that the word “control” requires firms, associated persons, and other persons subject to FINRA’s jurisdiction to provide records that they have the legal right, authority, or ability to obtain upon demand even though the records are not in the immediate possession of the person subject to the request.

The extent of FINRA’s access to records is found in the catch-all phrase “possible violations of just and equitable principles of trade” and not only violations of FINRA rules, MSRB rules, and other federal securities laws. 

Noteworthy, too, is the term, “associated persons” as used in the amended Rule. An associated person is not just a registered representative of a firm, but includes a director, partner, officer, LLC member, or any other person occupying a similar status or performing similar functions.  This also includes any natural person involved in the investment banking or securities business that is directly or indirectly controlling or controlled by a member firm, whether or not that person is registered or exempt from registration.

It’s not too soon to amend your written policies and procedures to include the wider scope of the amended rule and/or send informational notices to senior management and registered representatives of the impending change related to FINRA’s expanded authority to access records of any of their outside business activities.  

President Obama nominates Mary Jo White as SEC Chairman

Since December 2012, the Securities and Exchange Commission has announced that several key regulators would be leaving, including Mary Schapiro, the agency’s chairman, three division heads, the general counsel, and the chief of staff.

Now it is time to rebuild the agency.  On January 24, President Barack Obama announced the nomination of Mary Jo White as the next chairman of the Securities and Exchange Commission.  Ms. White was the former U.S. attorney in Manhattan and may be best known for successfully prosecuting terrorists in the 1993 World Trade Center bombing trial and for helping prosecute crime boss John Gotti.  She has served as a director of the Nasdaq Stock Exchange and served on its executive, audit and policy committees. Also of note, Ms. White has represented numerous individuals and corporations facing SEC enforcement proceedings.

Mr. Obama said “It’s not enough to change the law.  We also need cops on the beat to enforce the law,” leading to speculation that the choice of Ms. White may be a signal that the President is looking for the SEC to be more aggressive about enforcement. 
