Important Dates re: Identity Theft Red Flag Rules of Regulation S-ID

Regulation S-ID, which we wrote about on April 15, becomes effective on May 20, 2013.  All affected firms must be in compliance with the new rules by November 20, 2013. It’s not too soon to review the impact of this new rule on your firm and amend or add policies and procedures for compliance. Feel free to contact me at ddawe@wnj.com for assistance.

SEC Adopts Identity Theft Red Flags Rules

As recently as last week, on Wednesday, April 10, the SEC adopted new Regulation S-ID, the Identity Theft Red Flag Rule (available for download by clicking here), which requires certain investment advisers (including Private Fund sponsors), broker-dealers, and mutual funds to develop and implement a written identity theft prevention program (“Program”) to detect red flags and prevent identity theft. Regulation S-ID now applies to any investment adviser that “directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.”  Lest you think that you are an adviser that doesn’t directly or indirectly hold these transaction accounts for clients because you don’t have custody of client assets but use a third-party custodian, the “SEC has concluded otherwise.” In the adopting release, the SEC makes clear that:

 “Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions.  If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor.  The red flags program of a bank or other qualified custodian that maintains physical custody of an investor’s assets would not adequately protect individuals holding transaction accounts with such advisers because the adviser could give an order to withdraw assets, but at the direction of an impostor.” (Emphasis added.) 

If the adviser has authority to withdraw money from a client’s account solely to deduct its own advisory fees, then the adviser would not be deemed to hold a transaction account.  However, if the adviser has the authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions (such as, for example, by a standing letter of instruction signed by the client, or by the firm acting as the agent for the client to pass instructions on to the custodial firm so that the custodial firm effects the transfer), then the SEC would deem the adviser to hold a transaction account and thus be subject to all the rules of Regulation S-ID and to have a written Program.  

Next Step: Applicable to All Investment Advisers:

The final rules under Regulation S-ID will become effective 30 days after publication in the Federal Register.  The compliance date for the final rules will be six months after their effective date.  So, it’s not too soon to start to make an assessment of whether and to what extent your investment adviser firm holds, directly or indirectly, transaction accounts with clients.

Next Step: For Investment Advisers Who Do Not Hold Client Transaction Accounts: 

If you conclude that you do not hold these kinds of accounts, then Regulation S-ID requires you to periodically reassess whether you must develop and implement a written Program.  At the very least, you will need to enhance your written compliance program policies and procedures to incorporate making this periodic assessment.  Perhaps the simplest way of doing that is by making it a component of the required annual review of your compliance program that you should already be conducting under Rule 206(4)-7 of the Advisers Act.    

Next Step:  For Investment Advisers Who Hold Direct or Indirect Client Transaction Accounts 

Begin now to inventory the types of transaction accounts you have with clients and the processes you use to make transfers of funds.  The SEC’s expectations in the adopting Release are that you will tailor your Program to the size and complexity of your firm and to the nature and scope of your transactional activities.  A “one-size-fits-all” approach, which is inherently unreasonable, won’t work.

The final rules provide direction regarding the development and administration of your Program in four areas: 

1.      The Program must be in writing and formally approved in writing by either the board of directors, an appropriate committee of the board of directors, or, if the firm does not have a board, a designated senior management employee.  This requirement highlights the responsibility of the most senior levels of management to formally approve the Program.

2.      The firm must involve the board of directors, an appropriate committee of the board, or a designated senior management employee (in the absence of a board) in the oversight, development, implementation, and administration of the Program. In many firms, that designated employee may be the Chief Compliance Officer.  That person must report to the board or other senior management, at least annually, on compliance by the firm with the Program, and the board or other senior management must approve any material changes, as necessary, to address changes in identity theft risks. 

3.      The firm must have an effective staff training program in place to implement the Program. 

4.      The firm must exercise appropriate and effective oversight of any service provider arrangements so that the firm remains legally responsible for compliance with the rules, irrespective of whether it outsources its identity theft red flags detection, prevention, and mitigation operations to a service provider.  For example, a firm that uses a service provider to open accounts on its behalf could reserve for itself the responsibility to verify the identity of a person opening a new account, may direct the service provider to do so, or may use another service provider to verify identity.  The firm, however, remains ultimately responsible for ensuring that the activity is conducted in compliance with a Program that meets the requirements of the identity theft red flags rules.

Four Required Program Elements

The final rules set out four elements that firms must include in their written Programs: 

1.      Relevant Red Flags Identification.  The Program’s written policies and procedures must be reasonably tailored to the firm to identify and incorporate relevant red flags.  Rather than identifying specific red flags in the rule release, the SEC provides flexibility in determining which red flags are relevant to a firm’s business.  Examples of red flags are provided in Section II of the release.  Given the changing nature of identity theft, the SEC believes that this element allows firms to respond and adapt to new forms of identity theft and risks as they arise. 

2.      Effective Detection of Red Flags.  The Program must include reasonable written policies and procedures to detect the red flags that the Program incorporates. As in Item 1 above, the SEC doesn’t mandate a specific method of detection but only provides examples of various means to detect them (cf. Section III of the guidelines).

3.      Effective Response to Red Flags.  The Program’s written policies and procedures must have reasonable methods to respond to any red flags that are detected. The firm must be able to reasonably assess whether the red flags that are detected evidence a risk of identity theft and, if so, determine how to respond appropriately based on the degree of risk.  Section IV of the guidelines sets out a list of aggravating factors and examples that a firm should consider in determining an appropriate response.  

4.      Periodic Program Review and Updating.  The Program must have written policies and procedures to periodically update the Program (including the red flags determined to be relevant) to reflect the changes in risks to clients and to the safety and soundness of the firm from identity theft.    

It’s not too soon to start thinking about the impact of Regulation S-ID on your firm. Please feel free to contact any member of our group if you have any questions or concerns about this new regulation and its applicability to your firm.

Who Are Your Customers?

Do you know who your customers are? FINRA only provides a vague definition for the word “customer.” Under Rule 12100(i), FINRA defines “customer” only as “any person other than a broker or dealer.” Recently, however, the definition became clearer. According to the Fourth Circuit, the definition of “customer” does not include investors who initiated investments on the advice of an individual who was connected indirectly to a FINRA firm. Raymond James Financial Services, Inc. v. Cary, No. 12-1053 (4th Cir. March 9, 2013).

In Cary, the individual investors sought to arbitrate claims against Raymond James Financial Services (“RJFS”), after the investors bought “allegedly fraudulent securities.” The investors had purchased securities directly from Inofin, Inc. (“Inofin”). Inofin’s president, Michael Cuomo, recruited his college roommate, Kevin Keough, a registered representative of Morgan Stanley, and David Affeldt, Keough’s friend and tax attorney, to refer investors to Inofin. Because Keough was employed by Morgan Stanley at the time, Cuomo and Keough agreed that Inofin would pay Keough’s wife for the referrals. Affeldt and Keough’s wife agreed to equally share referral fees from Inofin.  Keough later joined RJFS, which is a FINRA member.

The investors brought claims against RJFS alleging violations of state securities laws and FINRA conduct rules, and that Keough assured them of their investments, and sought to arbitrate their claims pursuant to FINRA Rule 12200.   Under Rule 12200 of the FINRA Code of Arbitration, a “customer” is allowed to bring arbitration proceedings against a FINRA member if the dispute arises in connection with the business activities of the member or its associated persons.

In Cary, the investors argued that they were customers because they bought Inofin securities on the advice of an attorney who was a business and personal acquaintance of RJFS’ registered representative, Keough.  Because FINRA’s definition of “customer” is not instructive, the court, instead, relied on its previous definition of “customer” stating: “customer” means “an entity that is ‘not a broker or dealer, who purchases commodities or services from a FINRA member in the course of the member’s business activities,’ namely, ‘the activities of investment banking and the securities business.’”

The court determined that the Inofin investors had no direct customer relationship with RJFS, or the registered representative. As a result, because the investors did not purchase the securities from RJFS, did not have any accounts at RJFS, and did not have any personal contact with the registered representative, the court determined that the investors did not fall within the definition of “customer.”



Expanding Leviathan’s Reach (with apologies to Thomas Hobbes)

On Friday, January 25, 2013, FINRA posted Regulatory Notice 13-06 (the “Notice”), which serves as official notice to the broker-dealer community that, effective February 25, 2013, under amended Rule 8210, FINRA examination staff may now request, inspect, and copy books and records about the outside non-investment related business activities of a firm’s associated persons or of the firm itself.  The operative phrase in the amended rule is any information in the “possession, custody or control” of the firm or any of its associated persons.  This would appear to include any records related to such outside endeavors as real estate, accountancy, insurance, or investment advisory activities of representatives doing such business away from their member firms.

In the adopting Notice, FINRA stated that the word “control” requires firms, associated persons, and other persons subject to FINRA’s jurisdiction to provide records that they have the legal right, authority, or ability to obtain upon demand even though the records are not in the immediate possession of the person subject to the request.

The extent of FINRA’s access to records is found in the catch-all phrase “possible violations of just and equitable principles of trade” and not only violations of FINRA rules, MSRB rules, and other federal securities laws. 

Noteworthy, too, is the term, “associated persons” as used in the amended Rule. An associated person is not just a registered representative of a firm, but includes a director, partner, officer, LLC member, or any other person occupying a similar status or performing similar functions.  This also includes any natural person involved in the investment banking or securities business that is directly or indirectly controlling or controlled by a member firm, whether or not that person is registered or exempt from registration.

It’s not too soon to amend your written policies and procedures to include the wider scope of the amended rule and/or send informational notices to senior management and registered representatives of the impending change related to FINRA’s expanded authority to access records of any of their outside business activities.  

President Obama nominates Mary Jo White as SEC Chairman

Since December 2012, the Securities and Exchange Commission has announced that several key regulators would be leaving, including Mary Schapiro, the agency’s chairman, three division heads, the general counsel and the chief of staff.

Now it is time to rebuild the agency.  On January 24, President Barack Obama announced the nomination of Mary Jo White as the next chairman of the Securities and Exchange Commission.  Ms. White was the former U.S. attorney in Manhattan and may be best known for successfully prosecuting terrorists in the 1993 World Trade Center bombing trial and for helping prosecute crime boss John Gotti.  She has served as a director of the Nasdaq Stock Exchange and served on its executive, audit and policy committees. Also of note, Ms. White has represented numerous individuals and corporations facing SEC enforcement proceedings.

Mr. Obama said “It’s not enough to change the law.  We also need cops on the beat to enforce the law,” leading to speculation that the choice of Ms. White may be a signal that the President is looking for the SEC to be more aggressive about enforcement. 


Holiday Cheer From FINRA

Last Monday, FINRA issued its new Regulatory Notice 12-55, “Suitability – Guidance on FINRA’s Suitability Rule.” This guidance backpedaled on a couple of significant matters provided in its previous guidance with respect to its definition of a “customer” under the new suitability rule.

In May, two months prior to the July 9, 2012, effective date for the new rule, FINRA issued Regulatory Notice 12-25 (“RN 12-25”), which defined the term “customer” to “include an individual or entity with whom a broker-dealer has an informal business relationship related to brokerage services, as long as that individual or entity is not a broker or dealer.” In an attempt to explain what an “informal business relationship” might mean, RN 12-25 stated that, “A broker-customer relationship would arise and the suitability rule would apply, for example, when a broker recommends a security to a potential investor, even if that potential investor does not have an account at the firm.”

The guidance issued last Monday withdraws the rather expansive “even if” clause above and now states that, “the term customer includes a person … who opens a brokerage account at a broker-dealer or purchases a security for which the broker-dealer receives or will receive, directly or indirectly, compensation even though the security is held at an issuer, the issuer’s affiliate or a custodial agent (e.g., ‘direct application’ business, ‘investment program’ securities, or private placements), or using another similar arrangement.” Therefore, the suitability rule does not apply to a potential investor unless that person becomes a customer of the firm or the representative who made the recommendation by opening an account and placing the trade, which essentially puts FINRA’s guidance back to the way it was always previously understood.


The second significant revision relates to the application of the suitability rule to non-securities products. In the guidance from May, FINRA applied the suitability rule widely to cover even non-securities product recommendations (e.g., fixed annuities or universal life insurance).  The new guidance draws some clarifying distinctions, but makes clear that the suitability rule applies only to the securities component of the recommendation or investment strategy.   However, as for a potentially “unsuitable” recommendation of a non-securities product, FINRA rules still pick up this misconduct under Rule 2120 (Standards of Commercial Honor and Principles of Trade), Rule 3270 (Outside Business Activities), and Rule 2210 (Communications with the Public).  For further information on this point, see endnote No. 18 in the new release, which is available by clicking here.

Given the new guidance, you’ll want to be sure that whatever new suitability policies and procedures you adopted under the new rule that went into effect on July 9, 2012, are revised accordingly to ensure you don’t inadvertently and unnecessarily subject your firm to the expansive requirements and related recordkeeping of the older guidance.

Monitoring Crowdfunding on the Internet

After the Jumpstart Our Business Startups (JOBS) Act was enacted, NASAA created a task force on Internet fraud investigations to monitor crowdfunding and other Internet offerings.  Read more about what state and Canadian securities regulators found during their analysis of Internet domain names and plans to coordinate multi-jurisdictional efforts to scan for fraud.

SEC Closes Second Highest Year in Enforcement Actions

The SEC announced last week that it filed 734 enforcement actions in its fiscal year that ended Sept. 30, 2012, which was only one shy of last year’s record of 735. The SEC noted that it saw the most significant increases in cases involving highly complex products, transactions, and practices, including those related to the financial crisis, trading platforms and market structure, and insider trading by market professionals.

The SEC also filed 134 enforcement actions related to broker-dealers, which was a 19% increase over the previous year.

For more information about the SEC’s enforcement action in the past fiscal year, read the full release here.

Investment Adviser Branch/Satellite Office Supervision

Often overlooked by investment advisers are supervisory procedures for branch or satellite offices.  During a routine investment adviser examination of a Michigan registered investment adviser, the Office of Insurance and Financial Regulation (“OFIR”) criticized the investment adviser for failure to have reasonable policies and procedures tailored to all of its business. While the firm did have written supervisory procedures, they were not reasonably designed to cover all of its business activities, particularly with regard to satellite or branch office locations. While not an exhaustive list, OFIR cited the following items as needing to be included in the firm’s policies and procedures:

  •  Documentation requirements:
    • How client files will be saved/preserved and transferred to the main office.
  • Correspondence procedures:
    • Covering hard copies and email.
    • Archiving and copying for home office review.
    • Complaint handling procedures.
  • Client meetings, how, when, and where with related documentation.
  • Branch/satellite office inspection/audit policies and procedures.
    • Specific audit steps, what records will be examined?
    • Review for unauthorized sales materials, performance reports, outside business activities.
    • Unannounced inspections and inspections by appointment (regulators request both).

The SEC likely has the same concerns with respect to branch/satellite offices of investment advisers registered with it. In various investment adviser compliance conferences, SEC speakers have pointed to FINRA’s guidance for broker-dealer branch offices as a starting point for designing investment adviser branch office supervision programs. To get started enhancing your own firm’s branch/satellite office supervisory system, see FINRA’s Regulatory Notice to Members 11-54 where FINRA and the SEC issued joint guidance on effective policies and procedures for broker-dealer branch inspections available here.  Contact any member of the Broker Dealer/Investment Adviser Practice Group if you need assistance with your branch office policies and procedures.

Be Aware, Email Based Wire Fraud Is On The Rise

The FBI and FINRA have recently issued alerts about the rise in email-based scams that request advisers to wire client funds.

The alerts warn that scammers are hacking into email accounts to gain access to personal information.  The scammers have become more sophisticated than in the past.  They study the tone and style of the intended victim’s emails, look for personal information, such as account numbers and signature blocks, and then send phony emails to the victim’s financial contacts.

Over the past few months, our clients have shared the following real-life scenarios:

  • Adviser receives an urgent email request for funds to purchase a condo in Florida.  Since the client was planning to purchase a condo in Florida, this request seems legitimate.  The introduction in the email even matched the familiar greeting between client and adviser of “Hey Buddy.”
    • The “real” client realized that their email was hacked and informed adviser before funds were sent. 
  • Adviser receives an urgent request for funds by email with a follow up phone call to adviser’s office.
    • Adviser knows the client well and does not recognize the voice of the caller.  Adviser does not send funds, contacts the “real” client and the client’s custodian about the attempted fraud.
  • Adviser receives an urgent email request for funds that states the client is traveling and will not be available by phone.  Client will sign any required documents the next day, but money must be sent today.  Since client travels often, the request seems appropriate. 
    • Adviser sends funds and learns later that the request was not legitimate.

Although there is no guarantee that you can prevent becoming a victim of fraud, financial advisers should review their current practices and, where necessary, institute additional procedures to help detect fraud and protect client assets.  Advisers should consider implementing the following practices:

  • Review current procedures to determine potential risks to clients and the firm
  • Educate clients about the potential for fraud and phishing attacks 
  • Inform clients of any newly instituted procedures to help detect scammers 
  • Consider having clients send request verification to facsimile instead of email
  • Review email requests for odd phrases, grammatical errors, poor punctuation and spelling errors that might alert you to a fraudulent request
  • Treat urgent requests or statements that the client is not currently available as possible cause for alarm.  Investigate first before sending funds
  • No matter how urgent the request for funds, do not send funds without first confirming by phone or fax that the client’s request is legitimate
  • When you confirm the request by phone, make sure that the voice and speech pattern match the voice and speech pattern of your client
  • Work with the client’s custodian to help identify best practices

Remember, scammers continue to change their method of attack to attempt to deceive even the most sophisticated systems.  Review procedures and inform staff and clients to be vigilant.  Although clients expect good customer service, take time to verify requests before the client and you become a victim of a scam.

Additional information about how to detect fraud and scams may be found using these links. 

FBI: http://www.ic3.gov/media/2012/EmailFraudWireTransferAlert.pdf and FINRA:  http://www.finra.org/investors/protectyourself/investoralerts/fraudsandscams/p125460?
