Wednesday, April 26, 2017

Cybersecurity and Investment Advisors and Brokers

The tides are turning for investment advisors and brokers when it comes to cybersecurity. The states are starting to assert authority in a realm that has historically fallen under the jurisdiction of federal regulators. We urge investment advisors and brokers to keep abreast of the regulatory decisions pending this May, as the outcome may substantially expand their compliance obligations and require additional firm resources.

For a number of years, the SEC and other federal regulators have required the firms they oversee to establish cybersecurity policies and procedures. The SEC, for instance, expects a firm's policies and procedures to (i) identify the firm's Cybersecurity risks to Network Components, assets, data and capabilities; (ii) limit or contain the impact of potential Cybersecurity Incidents; (iii) detect the occurrence of Cybersecurity Incidents; (iv) respond to detected Cybersecurity Incidents with appropriate activities; and (v) restore any capabilities or services impaired as a result of a Cybersecurity Incident. These five items track the Identify, Protect, Detect, Respond and Recover functions of the NIST Cybersecurity Framework. The actual policies and procedures that a firm develops and maintains will depend on a number of factors, including the size of the firm, the complexity of its technology architecture and its use of third-party vendors.

In a departure from the past, several states have started to promulgate their own rules in recent months. In March of this year, for example, Colorado regulators proposed changes to increase the level of electronic security that financial firms must exercise when handling confidential client information. The two new rules under the Colorado Securities Act are Rule 51-4.8 (broker-dealers) and Rule 51-4.14(IA) (investment advisers), both of which appear in the Division's draft statement cited below. Among other things, the proposed rules would require broker-dealers and investment advisors to include cybersecurity in their annual risk assessment and to maintain written procedures to protect clients from these risks.[1] Much of the proposed Colorado rule overlaps with the SEC guidance, but in several areas the proposal is more prescriptive. For instance, Colorado would require the use of secure email, including digital signatures and encryption, and would require firms to inform clients of the risks of using electronic communications.[2] Where the two regimes differ, the firm must satisfy the more stringent requirement, and the onus is on the firm itself to identify where the state rule goes beyond the federal one. A hearing on the proposal is set for May 2nd. If the rule is approved as proposed, any investment advisor or broker-dealer that conducts business within Colorado will have to comply with the new state regulation, which means additional cost and staff time to implement the new requirements.

New York also has its own cybersecurity rules for financial institutions (23 NYCRR Part 500, effective March 1, 2017). Although New York State does not license investment advisers and brokers, it does license and regulate banks and insurance companies through the Department of Financial Services (DFS). Advisors will be subject to the DFS rules if they hold a DFS license in another capacity (e.g. as agents who sell insurance).

While the overarching theme of the new laws is clear, we anticipate considerable variety from state to state. Investment advisors and broker-dealers seeking expert advice on the impact of the laws in their specific state should reach out to Lawrence Wagner, Managing Director of COMPASS Regulatory and Compliance Advisers, at lwagner@compassadvisers.net for a consultation.




[1] United States, Colorado Division of Securities, Department of Regulatory Agencies. Code of Colorado Regulations, Rules Under the Colorado Securities Act 3 CCR 704-1, Draft Statement of Basis and Purpose, Promulgation of Amendments to Division Rules. Colorado Division of Securities, March 6, 2017. Retrieved from https://drive.google.com/file/d/0BymCt_FLs-RGUWl5c3lDUVlzeDg/view on April 26, 2017.
[2] Ibid.

Tuesday, April 18, 2017

AML for Investment Advisors…They’re Serious This Time

They’ve been talking about it for years, but it looks like regulators are finally moving to impose tighter AML regulation on investment advisors. We think they’re serious about it this time. Although most other financial regulations are likely to be scaled back under the present administration, cracking down on the financing of terrorism seems to have picked up steam.[1] If you’re an investment advisor, read on for the provisions of the applicable law and the impact it is likely to have.

2017 AML Standards

While banks, broker-dealers, investment banks and insurance companies have had to abide by AML standards under the Bank Secrecy Act for years, there are rumblings that the requirement will be extended to investment management companies.[2] Registered Investment Advisor (RIA) firms must register either with the state in which they do business or with the SEC; which one is determined by factors such as number of clients, assets under management, place of domicile and location of clients. These firms include traditional registered investment advisor entities, typically made up of financial professionals who manage individual or institutional money for a fee under fiduciary standards. Certain hedge funds and private equity firms that offer pooled investment vehicles must also register as RIA firms. Note that in some cases investment advisors are not required to become RIA firms at all if they qualify for a de minimis exemption by having fewer than a certain number of clients in a particular state.

Investment advisors should refer to FINRA Rule 3310 in the FINRA manual for the basic tenets of a comprehensive AML compliance program. Rule 3310 binds FINRA member broker-dealers rather than RIAs, so for an advisor it serves as a model of what regulators expect. Among other requirements, an AML program should be tailored to the investment adviser's business model, comply with AML/BSA standards, and be tested independently on an annual basis. In addition, the identity of new clients/investors must be verified, transactions must be analyzed, and any suspicious activity must be reviewed. Further, the advisor's employees must be trained.[3]

Industry Impact

Unfortunately, in our view, this movement is going to burden small and medium-sized RIA firms, most of which do not have in-house compliance teams. For such firms the cost of adhering to applicable law only increases with each new regulation imposed. Even small and medium-sized firms that do have in-house resources tend to lack the capacity to maintain such comprehensive policies and procedures satisfactorily. This development therefore presents a major opportunity for technology and compliance vendors who serve this niche market.

For more information about how to ease the business impact of AML standards and other compliance inquiries, please email Gary Swiman of COMPASS Regulatory and Compliance Advisers at GSwiman@compassadvisers.net, or Larry Wagner at LWagner@compassadvisers.net.




[1] Corbin, Kenneth. “Anti-money laundering rule looms for advisers.” Financial Planning. Source Media, 8 March 2017. Web. Retrieved on 11 April 2017 from https://www.financial-planning.com/news/anti-money-laundering-rule-looms-for-advisers
[2] Ibid.
[3] “3310. Anti-Money Laundering Compliance Program.” FINRA, n.d. Web. Retrieved on 10 April 2017 from http://finra.complinet.com/en/display/display_main.html?rbid=2403&element_id=8656