Categories
Broker-Dealer Information

Regulation S-P and the Closure of a Broker-Dealer

One of the many challenges involved in closing down a broker-dealer is ensuring the security and privacy of customer data. There have been several very public instances in which broker-dealers have handled this incorrectly and, as a result, regulatory sanctions were imposed, in some cases against individuals. Regulators have shown that they are willing to bring these cases even though most of them are small relative to everything else they handle, because they take customer privacy seriously and treat breaches, however small, as serious matters.

The requirements in this area are spelled out in Regulation S-P, and Rule 30 of that regulation covers the safeguarding and disposal of customer records. Regulation S-P requires that a broker-dealer deliver a notice of its privacy policy upon the opening of an account and annually thereafter. The notice should contain a policy statement describing what data the firm collects, how it uses that data and how it protects it. If a broker-dealer shares information with certain third parties, the notice must say so and must include an opt-out provision for customers who do not want the broker-dealer to share their information. The opt-out provision is particularly important for firms that operate in the independent channel, as they typically allow departing representatives to take customer data with them when they leave. When a broker-dealer closes, any provision of customer information to third parties must comply with these provisions of Regulation S-P. The form of the opt-out notice is also specified in the rule; for example, simply including an address to which the customer should write is not acceptable.

Finally, when a broker-dealer closes, there will invariably be customer data (electronically stored and in paper form) that will at some point require transfer, storage or disposal. Any records that contain customer information (account numbers, account holdings, dates of birth, etc.) must be disposed of properly. Broker-dealers cannot transfer this information to other firms without first having provided the requisite privacy notice with the opt-out provision (and giving clients 30 days to opt out before the transfer). Disposal of records should be by secure means and must not violate the records retention requirements of SEA Rule 17a-4. Keep in mind that customer information turns up in places one might not expect, such as the hard drives built into most modern copy machines. Finally, there are requirements related to the storage of records and the appointment of a custodian of records when a broker-dealer closes. The custodian must be registered with the firm at the time of the filing of Form BDW.

Mitch Atkins, FINRA’s former SVP and Regional Director has extensive experience in Regulation S-P compliance and customer information protection.

For help with your data protection and Regulation SP compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.

Categories
Broker-Dealer Information

FINRA Broker-Dealer Cyber Security Matters

FINRA broker-dealers operate in one of the industries most frequently targeted by cyber criminals. In 2014 alone, there were numerous highly publicized cyber security incidents and data breaches, and being the victim of such a breach comes with the added embarrassment of the negative press that invariably follows. SEC Chair Mary Jo White, in a speech earlier this year, said of cyber threats:

“This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And [the] director of the FBI has testified that resources devoted to cyber-based threats are expected “to eclipse” resources devoted to terrorism.”

Fortunately, there is a significant amount of information available to broker-dealers that can help ensure they are reasonably compliant with industry standards. FirstMark Regulatory Solutions conducts cyber security risk assessments and provides recommendations to broker-dealers that help ensure compliance with industry requirements. Every broker-dealer has an obligation to protect customer information, which is spelled out in the safeguarding standards of Regulation S-P.

“…the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – Gramm-Leach-Bliley Act

Also, broker-dealers are required under FINRA’s supervision rule to have procedures that are reasonably designed to achieve compliance with the rules applicable to each area of the firm’s business. Customer information protection is one of those areas.

FirstMark advises clients on both cyber security and customer data breach issues. On the cyber security side, enhancements range from simple measures, such as restricting access to devices and technologies that can facilitate the rapid transfer of large amounts of data (e.g., high-speed data ports, copiers connected to the internet, portable media devices), to sophisticated penetration testing of the broker-dealer’s network. On the data breach side, it is important to remember that many states impose very significant penalties for failure to notify clients that their data has been compromised. For example, Florida implemented one of the toughest laws in the nation on July 1, 2014; an unreported breach can yield a fine of up to $500,000.

It is critical that broker-dealers be aware of these requirements and have procedures in place that are sufficient to address the risks inherent in their businesses. FINRA and the SEC conducted cyber security sweep exams in 2014 and have indicated that they will continue to do so going forward. For small firms, FINRA has published an excellent cyber security resource on its website.

Mitch Atkins, FINRA’s former SVP and Regional Director has extensive experience in cyber security compliance and customer information protection. For help with your cyber security compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.

Categories
FINRA Rules

A New Approach to Branch Office Inspections

There has been quite a bit of recent news about FINRA’s revisions to its Supervision Rule. The details are spelled out in FINRA Regulatory Notice 14-10, and the updated rule became effective on December 1, 2014. Since numerous articles have already been written on the Notice, this discussion focuses on the requirement to inspect branch offices. That requirement remains largely unchanged, other than the elimination of the producing branch manager requirements (replaced with identifying and managing conflicts). Looking back over the last several years, it is clear that FINRA’s expectations of its members’ branch inspection programs are moving in the same direction as its own examination program: risk-based.

If your firm is still scheduling branch office examinations based simply on the time since the last review and whether or not the location is an OSJ, it may be time to revisit the design of the program. Simply put, a risk-based program uses data to risk-rank the branch offices (and the representatives working in them). This may involve assigning a risk score to the representative and/or the branch office. To develop that score, firms consider all available data on the branch and its representatives, including complaints, disclosures, regulatory inquiries, production, outside business activities and product mix, to name just a few. Once a firm has identified its risk factors and compiled risk scores for each office and representative, it can tailor its branch program to those risks.

An effective risk-based branch inspection program uses the risk scores to drive both the frequency and the intensity of the inspection. For example, a higher risk score may result in a more frequent (or even unannounced) visit to the branch. A risk score heavily weighted by outside business activities may drive in-depth reviews from the home office or by outside due diligence providers. Clearly, some risks do not lend themselves to scoring; many firms have seen events that the information they maintained did not predict. For those, an element of randomness in the reviews is warranted as well.

A risk-based approach maximizes the yield of the branch inspection program: broker-dealers can direct their limited resources to the places where they are most needed, and effective use of data is what makes that possible. Both FINRA and the SEC have stated that they expect firms to conduct risk assessments to drive the frequency, intensity and focus of branch examinations. For more on their views, see the Joint SEC/FINRA National Examination Risk Alert of November 30, 2011 and FINRA Regulatory Notice 11-54.

If you have questions about developing a risk-based branch inspection program, Mitch Atkins, FINRA’s former South Region Director has extensive experience in this area. Mitch Atkins, Principal at FirstMark Regulatory Solutions, can be reached by calling 561-948-6511.

Categories
FINRA Rules

On-the-Record Testimony

FINRA’s Rule 8210 is one of its most powerful investigative tools. It permits FINRA, in connection with an examination or investigation, to request documents and information. Sometimes, instead of a letter requesting information, FINRA asks for an appearance before a court reporter. If you have received a notice from FINRA requesting that you appear for on-the-record testimony (or an “OTR”), this is one letter you must take seriously. FINRA uses the OTR to conduct investigative testimony. Rule 8210 gives FINRA the authority to compel persons subject to its jurisdiction (generally persons associated with a FINRA registered broker-dealer) to appear before a court reporter and provide sworn testimony.

Most of the time, these OTRs are conducted at a FINRA district office. However, FINRA sometimes makes exceptions, depending on the circumstances of the proposed witness. One of the common exceptions occurs when a witness who is not near a FINRA district office requests that FINRA travel to his or her location due to a medical or financial hardship. FINRA does not always grant these requests, but if this is your situation, it is worth a try. Remember, FINRA may request evidence of your hardship. FINRA may also be flexible about the specific date of the OTR, depending on the urgency of the investigation. Either way, make sure you act promptly upon receiving a notice. Failure to appear for an OTR, absent exceptional circumstances, will likely result in a bar from the industry.

FINRA usually has several participants in an OTR. Generally, a FINRA attorney is present along with one or more staff members. As a witness you are permitted to bring an attorney as well. However, FINRA does not permit the participation of others (such as a compliance officer, a friend or a coworker). FINRA requires that anyone participating in an OTR with a witness be an attorney representing that witness.

Generally, an OTR lasts one or two days, depending on the complexity and volume of issues being discussed. FINRA may or may not give a witness much detail about what will be discussed, but they will usually give a very general outline.

An OTR starts with a court reporter swearing in the witness. FINRA then reads a statement of instructions and begins asking a series of questions about whatever issue it is investigating. FINRA’s authority under Rule 8210 allows it to specify the conditions under which the OTR will be taken, including a prohibition on the use of recording devices by the witness. FINRA will generally make the transcript of the OTR available to the witness, either for review at the FINRA district office or for purchase directly from the court reporting service.

FINRA often uses an OTR when the nature of the inquiry does not lend itself to a standard inquiry letter. For example, during an OTR, FINRA may present an exhibit to the witness and ask questions about it. Document-intensive questioning is generally not well suited to letter writing.

If you have been notified by FINRA that you are being requested to appear for an OTR, it is important that you take the request seriously and that you act immediately. Your first step should be to consider hiring an attorney who is experienced in representing clients in FINRA OTRs. Further, depending on the issues at hand, you may want to hire an experienced consultant to assist with the issues surrounding the investigation.

Mitch Atkins, FINRA’s former SVP and Regional Director has extensive experience as a consultant working with complex FINRA investigations. Contact him at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.

Mr. Atkins is not an attorney and does not provide legal services.