It is unclear how much due diligence is enough, but an investment that promises a 1000% return likely requires more than a few phone calls. When financial professionals recommend a losing investment, they bear the burden of proving that their recommendations and due diligence satisfied their fiduciary and/or suitability obligations.
As firms implement FinTech and RegTech, they cannot simply set it and forget it. Compliance, operations, and IT personnel must work together in real time to ensure that systems reflect current regulatory requirements. Technology is a great tool, but it is not the complete answer to regulatory compliance.
FINRA censured and fined a broker-dealer for inadequate email reviews. Although the firm, through its President/CCO, conducted weekly reviews, FINRA charges that the firm’s random sampling and lexicon-based reviews were not sufficient given the firm’s size and risk areas. The firm used 24 search terms provided by its email provider, but FINRA asserts that the search terms did not reflect a meaningful assessment of risk areas and resulted in a large number of false positives. FINRA faults the firm for failing to change the email reviews “[d]espite the obvious indications that the firm’s lexicon system was not reasonably designed.” FINRA also criticizes the firm’s Written Supervisory Procedures for omitting specific email review procedures.
Just doing email reviews isn’t enough. A firm must conduct effective email reviews that can statistically assess whether supervised persons are complying with the securities laws. Merely going through the motions is what we call “compliance alchemy,” i.e., the appearance of compliance without the implementation of adequate procedures and testing.
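The two defects FINRA cites above, a keyword list that produces mostly false positives and a random sample too small for the firm's volume, are both measurable. The Python below is an added illustration and is not code from the firm, its email provider or FINRA. The sample messages, the manual "is_issue" labels, both lexicons and the risk-area names are constructed for the example; a firm would substitute its own supervisor-labelled sample and its own risk areas.

```python
"""Testing whether a lexicon-based e-mail review is reasonably designed.
Added illustration with constructed data; not from any regulatory matter."""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    msg_id: str
    body: str
    is_issue: bool  # ground truth from a supervisor's manual read (constructed label)


# Constructed sample messages; none are drawn from any real review.
EMAILS = [
    Email("m1", "Guarantee you'll double your money by year end, no risk at all.", True),
    Email("m2", "Let's move this to my personal gmail so compliance doesn't see it.", True),
    Email("m3", "Please complete the annual compliance attestation by Friday.", False),
    Email("m4", "The guarantee on the new dishwasher expires in two years.", False),
    Email("m5", "Client complaint received re: unauthorized trade in account 1234.", True),
    Email("m6", "Risk committee meeting moved to 3pm, agenda attached.", False),
    Email("m7", "Promise me you'll pick up the kids after work.", False),
    Email("m8", "I can promise a 30% return if you wire the funds today.", True),
]

# A vendor-style list of bare keywords (hypothetical), matched anywhere in the body.
GENERIC_LEXICON = [
    r"\bguarantee\w*", r"\bpromise\w*", r"\bcompliance\b", r"\brisk\b",
    r"\bcomplaint\w*", r"\bpersonal\b", r"\bwire\b",
]

# Patterns tied to named supervisory risk areas (hypothetical). Each requires the
# keyword in context, which is what drives the false-positive count down.
RISK_AREA_LEXICON = {
    "performance_guarantee": r"\b(guarantee|promise)\w*\b[^.]{0,40}\b(return|double|money|profit)",
    "off_channel_comms": r"\b(personal|private)\s+(gmail|e-?mail|phone|cell)\b",
    "customer_complaint": r"\bcomplaint\b[^.]{0,40}\b(unauthorized|error|misrepresent)",
}


def flagged_ids(emails, lexicon):
    """Ids of messages that hit at least one pattern; `lexicon` is a list of
    patterns or a dict of {risk_area: pattern}."""
    patterns = list(lexicon.values()) if isinstance(lexicon, dict) else list(lexicon)
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return {e.msg_id for e in emails if any(c.search(e.body) for c in compiled)}


def evaluate(emails, lexicon):
    """Precision, recall and false-positive rate of a lexicon against labelled messages."""
    hits = flagged_ids(emails, lexicon)
    issues = {e.msg_id for e in emails if e.is_issue}
    benign = {e.msg_id for e in emails if not e.is_issue}
    true_pos = len(hits & issues)
    false_pos = len(hits & benign)
    return {
        "flagged": len(hits),
        "precision": true_pos / len(hits) if hits else 0.0,
        "recall": true_pos / len(issues) if issues else 0.0,
        "false_positive_rate": false_pos / len(benign) if benign else 0.0,
    }


def sampling_detection_probability(population, problem_count, sample_size):
    """Chance that a uniform random sample of `sample_size` messages contains at
    least one of `problem_count` problematic messages among `population`:
    1 - C(N-k, n) / C(N, n) (hypergeometric probability of drawing none)."""
    if problem_count > population or sample_size > population:
        raise ValueError("counts exceed population")
    none = math.comb(population - problem_count, sample_size) / math.comb(population, sample_size)
    return 1.0 - none


if __name__ == "__main__":
    for name, lex in (("generic", GENERIC_LEXICON), ("risk-area", RISK_AREA_LEXICON)):
        print(name, evaluate(EMAILS, lex))
    # Random sampling at scale: 50 of 1,000 messages when 10 are problematic.
    print("P(sample of 50 catches >=1 of 10 in 1000):",
          round(sampling_detection_probability(1000, 10, 50), 3))
```

On the constructed sample the bare keyword list flags every message, so half the reviewer's time goes to false positives and nothing distinguishes a dishwasher guarantee from a guaranteed return; the risk-area patterns flag exactly the four labelled problems. The sampling function gives the number a firm needs to defend its sample size: drawing 5 of 10 messages when 2 are problematic finds at least one about 78% of the time, and the same calculation at the firm's real volume shows whether its weekly sample has any realistic chance of surfacing misconduct.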
The SEC’s Office of Compliance Inspections and Examinations (OCIE) has published a Risk Alert calling out advisers and broker-dealers for their failures to protect personal information. Based on deficiencies identified over the last 2 years, the SEC found failures related to privacy notices, policies and procedures, and physical safeguards. The SEC faulted registrants for failing to deliver initial and annual privacy notices or for delivering notices that did not accurately reflect policies and procedures.
The SEC found firms that completely failed to adopt policies and procedures by simply restating the Safeguards Rule. Other firms either adopted weak policies and procedures or failed to properly implement them. Some common deficiencies included unsecured laptops, unencrypted emails, inadequate training, insufficient control of third-party vendors, inadequate incident response plans, and shared login credentials.
OCIE states that the Risk Alert is intended “to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information.”
Compli-pros should ensure the annual testing program includes the privacy notice process and the implementation of policies and procedures to avoid the highlighted issues. It may make sense to combine the testing with the required cybersecurity assessment.
The SEC charged an unregistered day trader for lying about his trading success and misappropriating client funds. The defendant convinced clients to hire him by asserting that he had done very well as a day trader over several years and then promised over 50% annualized returns. Once retained, the trader did very poorly and siphoned client assets for personal expenses. According to the SEC, he then concealed his misconduct by delivering false account statements and implementing a microcap wash sale scheme. The defendant also faces criminal charges brought by the U.S. Attorney’s Office for the Eastern District of New York.
Lying about your investment track record constitutes securities fraud, subjecting you to civil and criminal penalties. Do not make performance claims unless you can affirmatively support your claims with hard data.
Corporate executives cannot avoid accountability by claiming that they were just following orders. The SEC has maintained that senior executives have a duty to investors and the markets to stop financial wrongdoing at the companies they steward. Once charged, the SEC will often use its leverage to encourage cooperation in cases against others in the C-Suite.
Although the SEC does not have criminal prosecution powers, it has the discretion to refer matters to the U.S. Attorney once it uncovers securities wrongdoing. If the DoJ can make a federal criminal case because of fraud or theft, an investment adviser can end up a guest of the state for several years.
Fund managers that engage in selling efforts must register as broker-dealers unless they can take advantage of the issuer exemption (Rule 3a4-1), which prohibits the receipt of specific transaction-based compensation.
Up until now, the SEC has taken the position that ICOs are securities offerings, subject to the Securities Act’s registration and disclosure requirements. This no-action letter and companion guidance suggest that the SEC may back off its aggressive position and allow the digital token world to evolve organically. What is unclear is whether any ICO sponsor should go forward without a no-action letter.