Partner John Hewitt to Co-Host Webinar

  • Do you have an effective Vendor Management Policy?
  • Do you have an effective Vendor Due Diligence Questionnaire?
  • How frequently do you receive vendor compliance audits?
  • Do you have an internal Cyber Management Structure?
  • Do you have a CISO?  Who does s/he report to?

All financial institutions rely on third-party service providers. This introduces cybersecurity risks through connected systems and insider threats. Regulators are placing heightened scrutiny on third-party risk management. As the FDIC says, “a bank can outsource a task, but it cannot outsource the responsibility.”

On Thursday, December 12, 2017, P&D Partner John “Jack” Hewitt will co-host a webinar on cybersecurity.  Join our panel of highly-experienced financial and security experts to explore:

  • Cyber risks created by third parties
  • What regulators expect from community banks
  • How to confront cyber risks within your vendor risk management strategy

The webinar, entitled “Third-Party Cyber Risk: From Compliance to Enterprise Risk Management” will focus on cyber risks connected with financial institutions’ reliance on third-party service providers and the relevant regulatory requirements.

This webinar will address the increasing cyber risks involved in banks’ use of third-party vendors. It will assess some of the most recent vendor breaches, including the Scottrade Bank breach. This will include a detailed review of Vendor Management Policies that provide guidance for securing a firm’s network when it is accessed by its vendors. It will address all the applicable risk elements, including compliance risk, strategic risk, operational risk and others.

Discussions will include due diligence in vendor selection, including the development of an effective DDQ, the review of vendors’ cybersecurity programs, their use of sub-contractors and their insurance coverage. The discussion will also cover the analysis of all outsourced processes, procedures and practices relevant to the bank’s business that should be monitored on a regular basis. This encompasses all system resources that are owned, operated, maintained and controlled by vendors, and all other system resources, both internal and external, that interact with those systems.

The panel will review vendor contract provisions that address: internal vendor controls, vendor audits, receipt of copies of all vendor compliance audits, confidentiality and security procedures, encryption of PII and other data, regulatory compliance, cyber-insurance coverage, business continuity planning, subcontracting, incident reporting, non-disclosure agreements, data storage, document retention and delivery, breach notification responsibilities, vendor employee access limitations, vendor obligations upon contract termination and an exit strategy.

Included in this will be a discussion of the NYS DFS Cybersecurity Regulation, including its third-party service provider requirement.

For additional information and to register click here.

SEC Discusses New Cyber Unit to Combat Cyber-Related Misconduct

On October 26, 2017, Stephanie Avakian, Co-Director of the SEC’s Division of Enforcement gave a speech regarding Enforcement’s initiatives, in particular, regarding cybersecurity.

Ms. Avakian identified cybersecurity as one of the SEC’s “key priorities” necessitating a strategic focus and allocation of resources in order to fulfil the SEC’s “investor protection mission.”[1]  In order to effectuate these initiatives, the SEC created a Cyber Unit to combat cyber-related misconduct.[2]  According to Ms. Avakian, the increasing frequency coupled with the increasing complexity of these matters is what fueled the creation of the Cyber Unit.

The SEC identified three types of cases that have caught Enforcement’s interest:

  • Hacking to access material, nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities;
  • Account intrusions in order to conduct manipulative trading using hacked brokerage accounts; and
  • Disseminating false information through electronic publication, such as SEC EDGAR filings and social media, in order to manipulate stock prices.[3]

Specifically addressing the second area of Enforcement’s interest, Ms. Avakian identified specific SEC rules—Regulations S-P, S-ID and SCI, among others—which are risk-based and, notably, flexible, and which apply to failures by registered entities to take the necessary precautions to safeguard information. These situations often involve coordination with OCIE, and the SEC will consult with OCIE at the outset in order to determine which entity is better suited to lead an investigation.

Interestingly, in the third area of Enforcement’s interest, the SEC has not yet brought a case. Despite identifying the importance of the disclosure requirements, Ms. Avakian stated that “[w]e recognize this is a complex area subject to significant judgment, and we are not looking to second-guess reasonable, good faith disclosure decisions, though we can certainly envision a case where enforcement action would be appropriate”—seemingly indicating that, of the three areas of interest, cyber-fraud in disclosures and the like may be of the least importance in Enforcement’s new cyber initiatives.

The Cyber Unit will also spearhead blockchain technology investigations, as the emerging issues in this area necessitate a “consistent, thoughtful approach.” Although Initial Coin Offerings and token sales may be a new and legitimate platform for raising capital, these virtual currencies and offerings may also serve as “an attractive vehicle for fraudulent conduct.”[4]

Prior to the creation of the Cyber Unit, many cyber-related investigations were led by the Market Abuse Unit, as there is significant overlap between insider trading schemes and cyber-related schemes. The risk that cyber-related incidents pose, however, is too great and, according to the SEC, warrants its own investigative unit.

[1] Stephanie Avakian, The SEC Enforcement Division’s Initiatives Regarding Retail Investor Protection and Cybersecurity, U.S. Securities and Exchange Commission (Oct. 26, 2017), https://www.sec.gov/news/speech/speech-avakian-2017-10-26#_edn2.

[2] Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017), available at https://www.sec.gov/news/press-release/2017-176.

[3] Avakian, supra note 1.

[4] Avakian, supra note 1.

P&D to Co-Host Bloomberg Webinar

On August 3, 2017, P&D Partner John “Jack” Hewitt will co-host a Bloomberg Webinar – An Analysis of the New Financial Market Technologies. The webinar will review in detail the new technologies being used in today’s modern financial markets including blockchain, robo-advisers, the Cloud, HFT, AI/machine learning, natural language processing and fraud detection.  In addition to providing a clear explanation of the function of each technology, the webinar will discuss the use of each technology in the markets and all applicable regulatory requirements.


For more information on the webinar, please visit the site below.

https://www.bna.com/analysis-new-financial-m73014461819/

FINRA Fines Member Firms for Violation of Its Recordkeeping Provisions and Issues Cybersecurity Warning

FINRA fined twelve of its largest member firms a combined $14.4 million for violation of its Rule 4511 and SEC Rule 17a-4(f) for their failure to keep hundreds of millions of electronic documents in a WORM or “write once, read many” format.  The WORM format is designed to ensure that important firm records including customer records containing Personally Identifiable Information are not altered after they are written.

The firms included Wells Fargo & Co., RBC Capital Markets, LPL Financial, RBS Securities, SunTrust Robinson Humphrey, Georgeson Securities Corp. and PNC Capital Markets. FINRA also found that these firms violated its Rule 3110 (Supervision) and several other SEC recordkeeping provisions, namely Securities Exchange Act Section 17(a) and Rules 17a-4(b) and (c) thereunder.

FINRA noted that such records must be maintained in order to ensure member firm compliance with investor protection rules and that over the last decade the volume of such data being stored electronically has risen exponentially.  In a cybersecurity warning, FINRA stated:

there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records, further emphasizing the need to maintain records in WORM format.

P&D is pleased to note that its newest partner, John R. “Jack” Hewitt, is one of the country’s foremost cybersecurity authorities, and a major part of his practice is advising broker-dealers, RIAs and banks on their adherence to SEC, FINRA, CFTC and state cybersecurity requirements. Among other things, he advises firms on information security programs, guides them through cyber incidents and represents them in the event of a regulatory inquiry. Mr. Hewitt regularly conducts cybersecurity audits for broker-dealers and investment advisers, and was the SEC-appointed independent outside consultant in the first major SEC cybersecurity enforcement action. He is the author of Cybersecurity in the Federal Securities Markets, a BloombergBNA publication, and Securities Practice & Electronic Technology, an ALM treatise. Mr. Hewitt is the Co-Chair of the American Bar Association, Business Section, White Collar Crime Subcommittee on Cybersecurity.

Read FINRA’s official announcement

NYS DFS Cybersecurity Regulation Webinar 4/20/17: Presented by P&D’s Jack Hewitt and CohnReznick’s Jim Ambrosini

John R. Hewitt, Partner at Pastore & Dailey LLC, and Jim Ambrosini, Managing Director at CohnReznick Advisory, will be conducting a complimentary Webinar on Thursday, April 20, 2017 at 12:00 PM EDT.  Mr. Hewitt is recognized as a national authority in cybersecurity and Mr. Ambrosini is a leader in cybersecurity and technology assurance service offerings at CohnReznick.

Mr. Hewitt and Mr. Ambrosini will discuss the New York State Department of Financial Services (DFS) cybersecurity regulation, effective as of March 1, 2017, providing an overview of the regulation, a summary of what controls must be in place, how to implement controls using a risk-based approach, key DFS regulation issues, and how to develop a roadmap towards compliance.

Please join us for this Webinar on April 20, 2017 at 12:00 PM EDT by registering below:

https://event.on24.com/eventRegistration/EventLobbyServlet

Enforcement in the Second Circuit of FINRA Pre-Hearing Subpoenas and Discovery Orders

In a Financial Industry Regulatory Authority (“FINRA”) arbitration under either the Customer or the Industry Arbitration Rules, there are two mechanisms for seeking discovery. For parties and non-parties who are not FINRA members, FINRA Rules 12512 and 13512 authorize an arbitrator to issue a subpoena for the production of documents. For parties and FINRA members, FINRA Rules 12513 and 13513 authorize an arbitrator to issue an arbitration order (not a subpoena) for the production of documents. However, it is unlikely that a party seeking enforcement of either the subpoena or the order issued by a FINRA arbitration panel will find relief in the court system. That does not leave enforcement out of reach.

Parties and Non-Parties who are not FINRA members

FINRA Rules 12512 and 13512 authorize an arbitrator to issue subpoenas for the production of documents. FINRA Rules 12512(a)(1) and 13512(a)(1). If the subpoena is not complied with, the next step for most litigators would be to move to enforce the subpoena in federal district court. However, such an action is unlikely to be successful.

There is a split among the Circuits, but the Second Circuit interprets Section 7 of the Federal Arbitration Act (“FAA”) as prohibiting enforcement of subpoenas for pre-hearing discovery. See Life Receivables Trust v. Syndicate 102 at Lloyd’s of London, 549 F.3d 210, 212 (2d Cir. 2008). However, the Second Circuit made it clear that,

[i]nterpreting section 7 according to its plain meaning “does not leave arbitrators powerless” to order the production of documents. Hay Group v. E.B.S. Acquisition Corp., 360 F.3d 404, 413 (3d Cir. 2004) (Chertoff, J., concurring). On the contrary, arbitrators may, consistent with section 7, order “any person” to produce documents so long as that person is called as a witness at a hearing. 9 U.S.C. § 7. Peachtree concedes as much, admitting that “Syndicate 102 could obtain access to the requested documents by having the arbitration panel subpoena Peachtree to appear before the panel and produce the documents.” In Stolt-Nielsen, we held that arbitral section 7 authority is not limited to witnesses at merits hearings, but extends to hearings covering a variety of preliminary matters. 430 F.3d at 577-79. As then-Judge Chertoff noted in his concurring opinion in Hay Group, the inconvenience of making a personal appearance may cause the testifying witness to “deliver the documents and waive presence.” 360 F.3d at 413 (Chertoff, J., concurring). Arbitrators also “have the power to compel a third-party witness to appear with documents before a single arbitrator, who can then adjourn the proceedings.” Id. at 413. Section 7’s presence requirement, however, forces the party seeking the non-party discovery — and the arbitrators authorizing it — to consider whether production is truly necessary. See id. at 414. Separately, we note that where the non-party to the arbitration is a party to the arbitration agreement, there may be instances where formal joinder is appropriate, enabling arbitrators to exercise their contractual jurisdiction over parties before them. In sum, arbitrators possess a variety of tools to compel discovery from non-parties. However, those relying on section 7 of the FAA must do so according to its plain text, which requires that documents be produced by a testifying witness.

Life Receivables Trust v. Syndicate 102 at Lloyd’s of London, 549 F.3d 210, 218 (2d Cir. 2008). To obtain the aid of the court system, the Second Circuit, quoting the Third Circuit, clearly indicates that the arbitrators must order an appearance in some fashion by the object of the subpoena. Accordingly, if such an appearance is ordered, Section 7 of the FAA is no longer a bar to the production of the documents, even if it is a pre-hearing appearance.

Parties and FINRA Members

FINRA Rules 12513 and 13513 authorize an arbitrator to issue a discovery order for the production of documents. If the discovery order is not complied with, there is no opportunity to turn to the court system for enforcement relief, because no actual subpoena was issued. However, turning to FINRA’s Department of Enforcement is likely to be successful.

Enforcement of a pre-hearing discovery order issued to a non-party FINRA member under FINRA Rule 13513 is largely an issue of first impression. By way of background, FINRA Rule 13513 went into effect in its current form on February 18, 2013. Since that time there does not appear to have been any enforcement action by the FINRA Department of Enforcement for its violation. There is, however, at least one enforcement action for violation of a party’s discovery obligations in an arbitration proceeding. See In re Westrock Advisors. Under FINRA Rule IM-13000, failing to comply with any provision of the arbitration code, and specifically failing to produce a document, may be treated as a violation of Rule 2010:

It may be deemed conduct inconsistent with just and equitable principles of trade and a violation of Rule 2010 for a member or a person associated with a member to:

… (c) fail to appear or to produce any document in his possession or control as directed pursuant to provisions of the Code;…

In Westrock Advisors, the firm was censured and fined $50,000 for failing to comply with discovery orders.

Conclusion

Accordingly, enforcement of a subpoena or discovery order without use of the court system is both possible and likely to be successful in obtaining documents in pre-hearing discovery from parties and non-parties, FINRA members and non-FINRA members alike.

SEC Cuts Back on the Use of Administrative Law Judges

In the past two years, the SEC has drastically reduced the number of contested cases it has sent to its internal administrative law judges (“ALJs”). The number of cases sent to these judges had been increasing since 2010, when the SEC gained new powers under the Dodd-Frank Act.

From then on, and especially after the SEC decided in 2014 to expand the use of the ALJs to contested cases for violations such as insider trading, members of the legal community have argued that it would be very hard for these judges to remain unbiased, given that one of the parties in every case they review is responsible for their income, in a much more direct way than for a state or federal court judge. Additionally, the ALJs were generally appointed by a lower-level employee than one might expect (an issue which has led to constitutional challenges, which are outside the scope of this article).

The Wall Street Journal analyzed the cases sent to the ALJs from October 2010 to March 2015, and found that the SEC won 90% of them. While this could be attributed to the SEC doing a thorough job of investigating before bringing charges, the fact that the SEC prevailed only 69% of the time in federal court casts some doubt on that explanation. In fact, the Wall Street Journal has reported that in the spring of 2015 the SEC’s director of enforcement, Andrew Ceresney, shifted the Commission’s policy back toward bringing contested cases in federal court. Since then, the SEC has been using the federal court system for contested charges. From October 2014 to September 2015, the SEC used the ALJs in 28% of contested cases, whereas the year before ALJs heard 43%.

Commodity Futures Trading Commission Proposes New Conflict of Interest Rules

The Commodity Futures Trading Commission recently proposed new rules to implement statutory provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The proposed rules relate to the conflicts of interest provisions set forth in section 732 of the Dodd-Frank Act, which amends section 4d of the Commodity Exchange Act to direct futures commission merchants and introducing brokers to implement conflict of interest systems and procedures that establish safeguards within the firm. The proposed rules seek to ensure that any person researching or analyzing the price or market for any commodity is separated by appropriate informational partitions. The proposed rules also address other issues, such as enhanced disclosure requirements.

Section 732 of the Dodd-Frank Act requires that futures commissions merchants and introducing brokers “establish structural and institutional safeguards to ensure that the activities of any person within the firm relating to research or analysis of the price or market for any commodity are separated by appropriate informational partitions within the firm from the review, pressure, or oversight of persons whose involvement in trading or clearing activities might potentially bias the judgment or supervision of the persons.” While section 732 could be read to require informational partitions between persons involved in any research or analysis and persons involved in trading or clearing activities, the Commission believes that the Congressional intent underlying section 732 was primarily intended to prevent undue influence by persons involved in trading or clearing activities over the substance of research reports that may be publicly distributed.

The proposed rule establishes restrictions on the interaction between persons within a futures commission merchant or introducing broker involved in research or analysis of the price or market for any derivative and persons involved in trading or clearing activities. Further, the proposed rules also impose duties and constraints on persons involved in the research or analysis of the price or market for any derivative by, for example, requiring such persons to disclose during public appearances and in any reports any relevant personal interest relating to any derivative the person follows. The proposed rule also prevents futures commission merchants and introducing brokers from retaliating against a person for producing a report that adversely impacts the current or prospective trading or clearing activities of the firm.

If the proposed rules are implemented, they would require futures commission merchants and introducing brokers to adopt written conflicts of interest policies and procedures, document certain communications between non-research and research personnel, and provide other disclosures. They would also prevent non-research personnel from reviewing a research report prior to dissemination, except to verify the factual accuracy of the report and provide non-substantive edits. Non-research personnel may only communicate with research personnel through authorized legal or compliance personnel. The firm’s business trading unit may not influence the review or approval of research personnel’s compensation and may not otherwise influence the research personnel. Futures commission merchants and introducing brokers must keep a record of each public appearance by a research analyst. The proposed rule applies to third-party research reports as well, except where the reports are made available upon request or through a web site maintained by the futures commission merchant or introducing broker.

While the Commodity Futures Trading Commission is continuing to receive public comments on any aspect of the proposed rule, the Commission is particularly interested in comments about whether the rules should apply to futures commission merchants and introducing brokers of all sizes or whether the nature of the partitions should depend on the size of the firm.


Brokers and Advisors Beware

In the last two months, the SEC and FINRA have, for the first time each, taken Enforcement action — including against a broker-dealer’s chief compliance officer — in regard to the safeguarding of confidential customer information under a 10-year-old SEC rule called “Regulation S-P.”  These actions seem likely to cause a significant shift in how brokers, investment advisers and their firms handle customers’ confidential information, particularly when it comes to a broker or adviser taking his or her “book” of business to another firm.

Overview

Previously, when brokers or advisers left for new firms, they and their new firms usually only had to worry about their former firm suing them for breaches of non-compete, non-solicitation and non-disclosure clauses in their agreements, or suing the new firm for “raiding” the former firm’s agents (and, thus, their customers).

But recent SEC and FINRA actions put brokers, advisers and their firms on notice that each could suffer formal regulatory consequences (including fines and suspensions) from brokers or advisers casually — or clandestinely — taking confidential customer information to their new firms.

Background

The SEC adopted Regulation S-P in 2001 pursuant to a mandate in the Gramm-Leach-Bliley Act of 1999, and amended it in 2005 pursuant to a mandate in the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act).

Broadly speaking, Regulation S-P requires broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties.  Included in Regulation S-P is the “Safeguard Rule” (Rule 30(a)), which requires broker-dealers to, among other things, adopt written policies and procedures reasonably designed to protect customer information against unauthorized access and use.

Of course, several headlines in recent years have focused on the reported thefts or losses of large caches of confidential customer information from banks and other businesses, so it comes as no surprise that the SEC and FINRA would seek to assert their Enforcement powers in this area. Each of the recent SEC and FINRA Enforcement actions arose from departing registered representatives taking customer information to new employers without providing those customers with sufficient notice and opt-out procedures under Regulation S-P.

Case Study # 1: Recent SEC Disciplinary Actions

In an administrative settlement dated April 7, 2011, the SEC fined a brokerage firm’s president, national sales manager and chief compliance officer between $15,000 and $20,000 each in regard to the transfer of 16,000 customer names and addresses, account numbers and asset values to a new firm.  It did not matter that customers approved the transfer after the fact, nor did it matter that the transfer occurred because the broker-dealer was winding down its business and thus simply transferring many of its accounts to a new broker-dealer. The SEC found the firm and its senior executives liable for Regulation S-P violations and fined each of them accordingly.

Especially noteworthy is that the SEC fined the firm’s chief compliance officer for “aiding and abetting” these Regulation S-P violations by failing to improve the firm’s “inadequate” written supervisory procedures for safeguarding customer information (the “Safeguard Rule”) after “red flags” arose from prior security breaches at the firm.  (Significantly, those security breaches did not involve other instances of intentional transfer of customer data to a new firm, but rather mostly theft by outsiders of a few RRs’ laptops and the unauthorized access by a former employee of a current employee’s firm e-mail account.)

Case Study # 2: Recent FINRA Disciplinary Action

This past December, FINRA’s National Adjudicatory Council affirmed a $10,000 fine and 10-day suspension ordered by a FINRA hearing panel in a contested hearing against a broker for his downloading confidential customer information from his firm’s computer system onto a flash drive on his last day of employment and then sharing that information with a new firm.  FINRA found the broker’s actions prevented his former firm from giving its customers a reasonable opportunity to opt out of the disclosures, as required by Regulation S-P.  FINRA also found the broker’s misconduct caused his new firm to improperly receive non-public personal information about his former firm’s customers.

Conclusion

These Enforcement actions will change the legal and practical landscape concerning the portability of a broker’s “book” of customers.  From a contractual point of view, brokers and advisers would be well-advised to build Regulation S-P-compliant language into their agreements with their current and new firms if they anticipate ever switching firms again, as these Enforcement actions effectively sound the alarm that the SEC and FINRA will sanction a broker or adviser for furtively taking customer information to a new firm. Likewise, investment adviser and brokerage firms would be well-advised to understand the relevance of Regulation S-P when it comes to brokers or advisers moving to other firms and taking firm customer information with them.

Finally, from a regulatory point of view, a broker’s or adviser’s “former” firm should implement reasonable policies and procedures to ensure compliance with Regulation S-P by all firm personnel, including brokers or advisers looking to leave the firm, and a broker’s or adviser’s “new” firm should take similar care and caution when a broker or adviser brings in confidential information regarding new customers (lest the new firm also be found liable for a Regulation S-P violation, which would have happened in the above FINRA case had the new firm done anything with the customer information it got from the subject broker).

November 2010 – SEC Adopts New Rule

On November 3, 2010, the Securities and Exchange Commission (SEC) voted unanimously to adopt a new rule requiring broker-dealers to implement risk controls before they provide customers with electronic access to the equities markets. The new rule will effectively end so-called “naked” (or “unfiltered”) access by customers to the markets, and is part of a larger effort by the SEC “to help ensure the markets are fair, transparent and efficient.”

Specifically, the rule prohibits broker-dealers from providing customers with unfiltered access to an applicable exchange or alternative trading system (ATS). It requires brokers who directly access an exchange or an alternative trading system — including those who “sponsor” customers’ access to same — to put in place financial and regulatory risk management controls and supervisory procedures that are “reasonably designed to prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds, or that appear to be erroneous.” Among other things, these controls must include the programming and implementation of pre-order-entry filters by brokers in their own systems for orders directed either by them or their customers to the equities markets.
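As an added illustration of what “pre-order-entry filters” of this kind look like in practice, the following Python sketch is not code from the page, the SEC rule or any firm’s system. It applies, before an order is released to a venue, a per-order quantity cap, a per-order notional cap, a price band around a reference price as a crude test for erroneous (“fat-finger”) orders, a duplicate-order check, and a running gross-notional credit limit per sponsored client. All thresholds, client names, symbols, reference prices and sample orders are constructed assumptions for the example; a real deployment would size them per client and per market.

```python
"""Pre-order-entry risk filter (added example; thresholds are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    client: str
    symbol: str
    side: str            # "BUY" or "SELL"
    qty: int
    price: float         # limit price
    client_order_id: str


@dataclass(frozen=True)
class RiskLimits:
    credit_limit: float        # max running gross notional per client (assumed)
    max_order_notional: float  # per-order notional cap (assumed)
    max_qty: int               # per-order quantity cap (assumed)
    price_band: float          # allowed fractional deviation from reference (assumed)


class PreTradeFilter:
    """Rejects orders that breach pre-set limits; state is committed only on accept."""

    def __init__(self, limits: dict, reference_prices: dict):
        self.limits = limits
        self.ref = reference_prices
        self.exposure = {}   # client -> running gross notional of accepted orders
        self.seen_ids = {}   # client -> set of accepted client_order_ids

    def exposure_for(self, client: str) -> float:
        return self.exposure.get(client, 0.0)

    def check(self, o: Order):
        """Return (accepted, reason). Checks are ordered cheapest first."""
        lim = self.limits.get(o.client)
        if lim is None:
            return False, "no risk limits configured for client"
        if o.side not in ("BUY", "SELL") or o.qty <= 0 or o.price <= 0:
            return False, "malformed order"
        if o.qty > lim.max_qty:
            return False, "quantity exceeds per-order cap"
        notional = o.qty * o.price
        if notional > lim.max_order_notional:
            return False, "notional exceeds per-order cap"
        ref = self.ref.get(o.symbol)
        if ref is None:
            return False, "no reference price for symbol"
        if abs(o.price - ref) / ref > lim.price_band:
            return False, "limit price outside price band"
        ids = self.seen_ids.setdefault(o.client, set())
        if o.client_order_id in ids:
            return False, "duplicate client order id"
        # Gross exposure: buys and sells both consume credit (conservative choice).
        new_exposure = self.exposure_for(o.client) + notional
        if new_exposure > lim.credit_limit:
            return False, "credit limit exceeded"
        ids.add(o.client_order_id)
        self.exposure[o.client] = new_exposure
        return True, "accepted"


def demo():
    """Run constructed sample orders through a fresh filter; returns (id, ok, reason)."""
    limits = {"HF1": RiskLimits(credit_limit=1_000_000.0, max_order_notional=250_000.0,
                                max_qty=10_000, price_band=0.05)}
    flt = PreTradeFilter(limits, {"ACME": 50.0})   # constructed reference price
    sample = [
        Order("HF1", "ACME", "BUY", 1_000, 50.00, "o1"),   # normal, accepted
        Order("HF1", "ACME", "BUY", 20_000, 50.00, "o2"),  # quantity cap
        Order("HF1", "ACME", "BUY", 4_000, 60.00, "o3"),   # 20% off reference
        Order("HF1", "ACME", "BUY", 1_000, 50.00, "o1"),   # duplicate id
        Order("HF1", "ACME", "BUY", 4_000, 51.00, "o4"),   # within 5% band
        Order("HF1", "ACME", "SELL", 4_000, 50.00, "o5"),
        Order("HF1", "ACME", "BUY", 4_000, 50.00, "o6"),
        Order("HF1", "ACME", "BUY", 4_000, 50.00, "o7"),
        Order("HF1", "ACME", "BUY", 4_000, 50.00, "o8"),   # would exceed credit limit
        Order("NOLIMITS", "ACME", "BUY", 100, 50.00, "o9"),
    ]
    results = []
    for o in sample:
        ok, reason = flt.check(o)
        results.append((o.client_order_id, ok, reason))
    return results, flt


if __name__ == "__main__":
    for cid, ok, reason in demo()[0]:
        print(cid, "ACCEPT" if ok else "REJECT", reason)
```

Note that the filter commits state (exposure, seen order ids) only after every check passes, so a rejected order cannot consume credit, and that the price band is deliberately simple: a production filter would also handle symbols with no recent reference price, market orders, and cancels/fills that release credit.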

This issue of unfiltered access has been the subject of much debate, especially involving the high-frequency trading firms that use algorithms and high-speed and high-capacity computers to capture minimal and fleeting arbitrage (and other quantitative) opportunities in the markets. Some observers have estimated that such activity constitutes upwards of 70 percent of the volume traded in U.S. equity markets today.

Broker-dealers have eight months — which includes 60 days from publication of the rule in the Federal Register plus an additional six months — to comply with this new rule.