Monday, January 28, 2008
ESM: Outsourced or In-House?
You have a choice to make: do you attempt to meet the requirements using an in-house system or by hiring a third-party vendor? Or both? Some firms use third parties to archive and monitor their e-mails, IMs and external message systems like Bloomberg; and they use an internal system to store and back up their other (non-communications) records. The goal in either case is to ensure proper archiving, back-up and recovery, and content management.
Quick apology: I have no expertise in this area—the tech side, that is. The vocabulary is foreign to me and therefore I use layman terms when speaking to the issues. But consider this: I’m not very different from small B-D business owners who are struggling to understand the rules and implement a compliant system. Regulators should—and I’ve seen evidence that they do—cut firms some slack in this area.
Your choices of third parties are many: Seccas, Smarsh, Iron Mountain Digital, Amicus and AdvisorMail, to name a few. As time goes by these services become more conversant in SEC-speak and more able to meet your regulatory compliance needs without resistance or ignorance. They meet the storage, serializing, indexing and backup requirements, they provide back-up copies on disk when requested, they issue representation letters as required, and they provide nice software tools for searching data and completing lexicon-based compliance reviews. And their pricing is pretty good: a one-time set up fee plus a small fee per month, per user/mailbox. This is a nice way for very small firms to meet ESM rules because you are leaving the technical stuff and the hardware expense to folks in the know. [That said, remember that member firms have been cited with violating the rules because their vendors didn’t meet the rules…that is, compliance is ultimately your responsibility, not the vendor’s.]
In-house systems for very small firms tend to be, well, non-compliant. Many firms keep records on their hard drives, then periodically download them to disk or tape. Their records are rewritable and erasable for a period of time prior to being stored in WORM (write once, read many) format. That gap of time is technically not okay under the rule. Also, they generally do not have indexing or auditing capabilities. Lastly, they may not make back-up copies of the archives that, too, are serialized, indexable and subject to an audit system. And, while these firms may have notified FINRA/SEC of their use of electronic storage, a) their representations may not be true; and b) they may not understand or meet the obligation under 17a-4(f)(3)(vii) to have a non-affiliated third party issue an 'access letter'—a statement that the third party can get to and provide records requested by regulatory authorities.

Firms that meet every letter of the ESM rules most likely have an expensive system or full IT staff in place. One such system is put out by EMC. Their software and hardware products are, as far as I can tell, state of the art and—important for you—completely compliant. And at least one third party vendor I know uses the EMC system in providing services to firms like yours. The problem here, depending on the firm's size, is cost. EMC's policy engines, 'E-Mail Xtender' and 'Disk Xtender,' may be affordable choices for establishing records storage, indexing and destruction parameters, but in both cases you'll still need a hardware storage system to hold those records and enforce the established policies (such as EMC's 'Centera' product). That's where it gets expensive. Then again, if you're spending a lot of time and money storing your records and updating your servers, breakeven may be just a few years away.
How far to go in attempting to meet every aspect of the ESM rules?—that is the question. Is a good faith, less-than-absolutely-compliant approach acceptable? It is if you say it is, but you may be forced to defend your choices. The more resolute and sincere your defense, the more apt you are to win your own principle-based vs. rule-based battle. Not the war, though: that rages on.
Footnote: Another consideration… the cost of discovery. If your system feels good enough, but doesn’t meet every requirement, and if your firm is subject to a regulatory investigation, you will spend huge bucks to recover and produce requested records. This possibility should be built into any cost benefit analysis.
Links (without permission but with luck, permitted):
EMC: http://www.emc.com/solutions/business-need/compliance-ediscovery/index.htm
Smarsh: http://www.smarsh.com/prinsite/my/default.asp
Seccas: http://www.seccas.com/
Amicus: https://www.amicus.com/solutions/EMM/
Iron Mountain Digital: http://www.ironmountain.com/digital/
AdvisorMail: http://www.advisormail.net/emailcompliance/index.asp
Stay tuned; another--maybe my last?--entry on the audit aspect of ESM rules is forthcoming.
Thursday, January 24, 2008
What Do the Numbers 3012 and 3013 Mean to You?
This is a reminder for those of you who first complied in about February or March 2006--and again last Feb. or March--with the 'testing and verification' requirement under FINRA Rule 3012. You are required to test and verify every 12 months; that is, by the anniversary of your last test date. Since the testing and verification process takes longer than 5 minutes, or even a few hours, you may want to start the process now, or at least prepare your strategy.
Remember your goal:
To verify that your firm has in place processes to:
(a) establish, maintain and review policies and procedures reasonably designed to achieve compliance with applicable NASD/FINRA rules, MSRB rules and federal securities laws and regulations;
(b) modify such policies and procedures as business, regulatory and legislative changes and events dictate; and
(c) test the effectiveness of such policies and procedures on a periodic basis, the timing and extent of which is reasonably designed to ensure continuing compliance with NASD/FINRA rules, MSRB rules and federal securities laws and regulations.
Here is an example of the steps you might take to meet that goal:
1. Take an inventory of the securities rules and regulations that are relevant to the firm’s business, including identification of new or changed requirements applicable to existing or new lines of business;
2. Review the firm’s supervisory procedures and control system procedures that are designed to address the rules and regulations, as well as additional, internal policies;
3. Perform testing of adherence to the firm’s compliance, supervisory, and supervisory controls procedures using a risk-based approach;
4. Identify and detail the gaps perceived in meeting required procedures.
5. Devise a reasonable plan for addressing the perceived gaps.
Note the term 'risk-based'--it's important. You don't have to test every single procedure every year. You can prioritize and stagger your reviews according to product risks, customer profiles, new business areas and perceived weaknesses (i.e., from earlier office inspection or FINRA exam results).
You'll want to put the results of your process in writing and present them to the top business officer of your firm. This meeting between you (CCO) and the top dog (CEO, for instance) is required. If you and the top officer are one and the same, may I suggest a mirror to aid in the communication?
Your top business officer will sign the 3013 Certification after reading the report and judging for him/herself that your firm does indeed have the necessary processes in place. S/He doesn't have to like the state of compliance, but s/he does have to acknowledge the existence of the firm's processes.
And remember, you don't submit the 3012 report or the 3013 certification to FINRA or SEC. You put them in labelled files and hope the examiner is happy with them in your next cycle exam. He or she probably will be: word has it examiners are not being overly fussy about compliance in small firms, but they do want to see good faith efforts.
The $5,000/hr Online C/E Course
But if you don't make $5,000/hour, it may be worth taking the assigned course yourself. Just ask Karen Curtis, who was fined $5,000 and suspended for 60 days for trying this new method of meeting firm element requirements. Or ask Rebecca Sappington, who will never be allowed to work as a FINRA principal again because she directed people to take the courses for RR's. (She also paid $10,000 and is suspended for 6 months.)
To verify that I didn't make this up, and to see other unsmart ideas for getting around the rules, check out January's disciplinary actions at http://www.finra.org/web/groups/enforcement/documents/monthly_disciplinary_actions/p037831.pdf.
Tuesday, January 22, 2008
Electronic Storage Media: Audit System?
This blog entry addresses a specific instance of what many have experienced: differing expectations from FINRA on meeting SEC rules. With regard to electronic storage, this is typical. On the one hand, we are informed that there are no interpretations: the rule is the rule and must be followed. On the other hand, we're expected to accept different degrees of testing during exams and differing exam findings--some tolerant and seemingly 'principle-based' and some strictly by the book. FINRA staff do not apologize for this. Exam methodologies are 'risk-based' and therefore can vary greatly--even for firms with identical business niches. While that seems reasonable, it also seems unfair.
17a-4(f) rules relating to electronic storage are hard to live by. Most small firms do not meet those standards. But then again, most small firms are forgiven by FINRA examiners (not officially, of course) who witness the firms making good faith efforts towards compliance. A firm that backs up its server daily and takes the tapes home is generally not penalized for not having WORM compliant media and not evidencing instantaneous compliance with the rules (that is, there is a gap between record creation and compliant-format storage). And that's good.
But how to plan for this sort of non-uniform enforcement? I mean, a compliance consultant like moi can't just say, "Aw, don't worry about it--your system is close enough!" Our job--I should say my job--is to help firms understand what is expected of them (i.e., rules) and help them put in place procedures that meet those expectations (i.e., compliance). It's not up to me to exempt firms from certain aspects of certain rules, where there is no official regulatory exemption. I have to promote compliance to the highest degree. But in cases like electronic storage, my job is hard.
Here is an example: SEC 240.17a-4(f)(3)(v) says, "The member, broker, or dealer, must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to Rules 17a-3 and 17a-4 to electronic storage media and inputting of any changes made to every original and duplicate record maintained and preserved thereby."
This little (v) is down deep in the electronic storage rules and not typically seen in exam findings. In fact, many compliance personnel and FINRA staff don't even know about this rule. Lately some firms were written up in exit conferences for lack of compliance. I did some research and had some conversations in an attempt to understand what, exactly, is expected under this rule. Here's what I can report:
- There is no published guidance on this specific paragraph under 17a-4(f)--the audit system; that is, there is no Notice or other such wonderful distillation of FINRA or SEC expectations for compliance.
- There is no conspiracy, in my judgment, by FINRA examiners to suddenly pick on small firms in examinations; no master plan to increase awareness of this subject by including it in every LOC henceforth. There is however--dare I say the word--inconsistency among Districts and examiners, so that you may or may not be tested for compliance with this little paragraph (v).
- 'Audit system' appears to imply a system that keeps records of every record saved on the firm's ESM (electronic storage media). The records show the creation time and date of each record created, as well as every change made to those records. The system also must keep information on every duplicate record created/changed. This might be easy for some IT folks to understand and implement; it may be insanely impossible for non-IT minded small firms attempting to understand and implement.
- The only thing close to an explanation of the SEC's expectations for an audit system is included in its release of the final rule from 1997 (SEC Release No. 34-38245, http://sec.gov/rules/final/34-38245.txt). Here's the paragraph:
'The Proposing Release would have required a broker-dealer to "have in place an audit system providing for accountability regarding all access to records maintained and preserved using optical storage technology and any changes made to every original and duplicate optical disk." Commenters sought clarification as to whether this provision requires maintenance of a log of all persons who have the capability or authority to access optical disks, or maintenance of a log indicating each instance where data is added to a disk. The rule adopted by the Commission today requires an audit system to be utilized only when records required to be maintained under Rule 17a-4 are being entered or when any additions to existing records are made. Therefore, an audit record is not required when a record is accessed but cannot be altered by the reader.'
So this can be interpreted--or can it?--to mean firms that have their records in truly WORM compliant format do not have to have an audit system for tracking changes to the records--duh, they can't be changed. But they do have to have a system that tracks inputting of records; some way to track at what date and time a record was created in the WORM format. And of course, the duplicate records also have to have such a tracking system.
But here's a possible contradiction... in FINRA's release of amendments to the SEC Rule, they state this: "Audit Systems: Requires the implementation and use of an audit system where required records pursuant to Rule 17a-4 are being entered or when any additions to existing records are made. No audit records will be required for records that can be accessed but not altered by the reader." That would imply that firms do not have to have audit records at all if their data is non-rewritable. Perhaps firms should think about quoting this in their next exam, if tested. Here's the link to this text: http://www.finra.org/RulesRegulation/NoticestoMembers/1997NoticestoMembers/P004673
- Explanations from two District staff members treat the subject this way: audit system means firms have to periodically check to see that their electronically stored records are indeed still there; that is, they should access their records once in a while to see if the records are intact. That seems simplistic to me and not in-line with the SEC's language, above. But then again, if the District staff will examine for compliance under this interpretation, it's not a difficult standard to meet.
- On the subject of third-party ESM providers... who knows? The rule itself speaks to the member having an audit system in place: does that mean the third-party provider can't run the audit system? My helpful FINRA contacts did not have an answer for this. The question must be directed to the SEC.
- In talking to EMC squared, their systems are most likely to include such a tool, but it's not necessarily called that, which makes the subject hard to sort out.
- On the broader topic of ESM, here's some good news (old news, but still good): SIFMA has requested that SEC amend 17a-4(f) to create a reasonableness standard for ESM compliance. Ahhhh, wouldn't that be nice? It is also pursuing changes to 17a-4(b)(4)--retention of communications. See http://www.sifma.org/regulatory/erecords/index.html for reading on the subject.
More power to you.
Friday, January 11, 2008
Accentuate the Negative; Or, How to Record Nothing
Specifically, certain examiners have requested that firms that have not filed any suspicious activity reports and have had no suspicions arise (during a certain period of time), put a memo in the AML files to the effect of: "during the period x to y, we did not note any suspicious activity.”
So, while you all have a detailed AML program that explains how you detect illegal activities, how you report them in-house, how you vet them, how you report them to officials and how you document the whole process, the examiners want to see more. They want a record of something that evidences nothing. Or is it, they want a record of nothing that evidences something? Hmmm.
Your firm may want to start documenting such nothingness, if applicable. That way, in your next exam, you won't be surprised by this curious request. Oh, and let's remember not to blame FINRA examiners. I'm serious--they are bending to the will of SEC and federal authorities when enforcing these rules. I bet they think it's curious, too.
Wednesday, January 9, 2008
Post Primary Thoughts on AML
http://www.finra.org/web/groups/educ_progs/documents/education_programs/p037702.pdf
This is a link to Mary Shapiro's recent webcast text on what to expect in an exam, re: AML compliance. I wanted to comment on two things: independent annual exams and CIP for friends and relatives.
The Independent Exam Quandary
Independent exams must happen every year for almost all firms. If your BD is nothing but a prop desk, it can be every two years. For firms that have anything to do with customers and securities transactions (and yes, you private placement firms out there now know that you are, indeed, conducting securities business), audits of AML programs must take place once per calendar year. FINRA, back in early 2006, clarified this and also what it meant to be independent; they also offered exceptions to the independence standard. That's the background.
What I'd like to comment on is that, if a firm uses an outside party to do the audit, and that same party provided template language for the firm's AML program--but does not otherwise implement or control the firm's AML compliance process in any way--that outside party in my opinion is independent for the purposes of meeting FINRA's expectations. My belief is that, if you look at their exceptions for in-house auditors who are not independent, and imagine a scenario whereby a firm relies on those exceptions (for instance, trains some staff person to do AML testing and has that person report the results to someone other than the AML compliance officer), in most cases, the testing will not be sophisticated enough or adequate to detect important deficiencies. In that scenario, the tester will apply his/her limited knowledge of applicable regulation to broadly review evidence of compliance. This will not result in effective testing and the firm, if failing to comply with the more esoteric or topical requirements, will continue to do so, given the lack of focused and informed reviews.
The other scenario, where an outside consultant who has provided template language--either originally or on an on-going, update basis--and who is engaged daily in the business of compliance; that is, who spends his or her time researching new rules, interpretations and guidance put out by securities or federal regulators, and who visits clients once a year to ensure, in a lengthy and thorough examination process, all aspects of AML compliance, is bound to be more effective than the in-house model. That was a long sentence--my apologies. Remember too that many of these firms who may rely on the in-house model are those who downloaded FINRA's AML template and just barely customized it. The outside consultant procedures+audit model has to be preferable to the FINRA template+in-house audit model, in my opinion. Better to have expertise than confusion.
If your firm runs into an examiner who expresses displeasure with your outside AML auditor because that same auditor provided update language to your written program, you may want to use my argument to defend your choice. Or rely on the Rule itself, which requires that, in summary, the tester should neither be one who performs the AML functions being tested, nor any designated AML compliance person or a person who reports to either one. You will be meeting this restriction and should be confident about doing so.
CIP for Friends and Relatives
Oh, my second point. In the recent guidance, Ms. Shapiro reiterates what was included in last year's online workshop--that you have to ID your own mother-in-law. Well, here's the exact quote: "Be sure to note that just because a customer is a registered representative's personal acquaintance, this does not satisfy CIP verification requirements. But, the risk-based approach is flexible enough to make identity verification for personal acquaintances as unobtrusive as possible. For example, if the customer is a relative or a close personal friend of the registered representative, the firm may not require more than the minimum verification required by the rules, such as checking her driver's license. However, the verification that is undertaken must still be documented."
You see, the requirement to verify the identities of customers is so bound up in legalese and paranoid FederalSpeak, that broker-dealers cannot be trusted to vouch for the identities of their own family members. Crazy, huh? I'm sure the folks at FINRA hate enforcing this and also find it ludicrous, but as they always say, it's not their Rules, it's the government's. With that sad excuse in mind, don't forget to check your brother's driver's license next time he opens an account--just to be sure he really is your brother.
Friday, January 4, 2008
Correspondence, Trade Blotter Review Violations
Therese C. Castro (Principal) AWC/2005002680301/October 2007
Castro asked an unregistered employee of her member firm or its affiliate to place Castro’s initials on numerous pieces of branch correspondence as evidence that she had reviewed the correspondence, although she had not done so. Castro falsely certified in monthly reports submitted to her member firm that a supervisor had reviewed daily trade blotters when many had not been reviewed.
Therese C. Castro (Principal): Fined $15,000; Suspended 1 year; Barred in Supervisory/Principal capacities
Final Renewal Statement--Pay or Get a Refund
If you have excess funds in your account, they have been transferred to your daily account. If you'd like them refunded, send a fax to:
FINRA, FAX NO. (240) 386-5344, ATTENTION: Finance Department
Make sure it's on your letterhead and also include a copy of your daily account statement. Remember to name the amount you want refunded and have an authorized person sign the request.
Deferred Variable Annuities Rule -- some parts delayed
Oh my gosh...for how long has the new rule on Deferred Variable Annuities been forthcoming?? The Rule (2821) was to be effective May 5, but certain parts of it will now be delayed until August 4. FINRA has asked the SEC for more time to consider three issues related to paragraph (c):
- the seven-business-day period within which principal review must be completed;
- principal review of all transactions as if they had all been recommended; and
- the prohibition on depositing customer funds in an insurer's suspense account prior to completion of an affiliated broker-dealer's principal's review.
The rest of the Rule will be effective May 5. Please see Notice 07-53 for details. http://www.finra.org/RulesRegulation/NoticestoMembers/2007NoticestoMembers/P037403
Thursday, January 3, 2008
Expectations Under 17a-4 for Electronic Records
SEC Rule 17a-3 and 17a-4
SEC Rule 17a-3 requires broker-dealers to make certain records, including trade blotters, asset and liability ledgers, income ledgers, customer account ledgers, securities records, order tickets, trade confirmations, trial balances and various employment related documents. Rule 17a-4 specifies the manner and length of time that the records maintained by broker-dealers must be preserved. In combination, Rules 17a-3 and 17a-4 require broker-dealers to create and preserve a comprehensive record of all securities transactions the broker-dealer effects and of the securities business in general. The SEC views these requirements as the primary means of monitoring compliance with the securities laws, including anti-fraud provisions and financial responsibility standards.
Email is one of the most significant communications applications of the modern era and is no doubt a book and record under Exchange Act Rules 17a-3 and 17a-4 if it is a communication related to a broker-dealer's "business as such." The key requirements with regard to email archiving gleaned from SEC Rule 17a-4 are as follows:
SEC 240.17a-4(f)(2)(ii)(A)
"Preserve the records exclusively in a non-rewritable, non-erasable format."
SEC 240.17a-4(f)(2)(ii)(B)
"Verify automatically the quality and accuracy of the storage media recording process."
SEC 240.17a-4(f)(2)(ii)(C)
"Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media."
SEC 240.17a-4(f)(2)(ii)(D)
"Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member."
SEC 240.17a-4(f)(3)(i)
"At all times have available, for examination by the staffs of the Commission and self-regulatory organizations of which it is a member, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images."
SEC 240.17a-4(f)(3)(ii)
"Be ready at all times to provide, and immediately provide, any facsimile enlargement which the Commission or its representatives may request."
SEC 240.17a-4(f)(3)(iii)
"Store separately from the original, a duplicate copy of the record stored on any medium acceptable under Rule 17a-4 for the time required."
SEC 240.17a-4(f)(3)(iv)
"Organize and index accurately all information maintained on both original and any duplicate storage media."
SEC 240.17a-4(f)(3)(iv)(A)
"At all times, a member, broker, or dealer must be able to have such indexes available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member."
SEC 240.17a-4(f)(3)(iv)(B)
"Each index must be duplicated and the duplicate copies must be stored separately from the original copy of the index."
SEC 240.17a-4(f)(3)(iv)(C)
"Original and duplicate indexes must be preserved for the time required for the indexed records."
SEC 240.17a-4(f)(3)(v)
"The member, broker, or dealer, must have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved pursuant to Rules 17a-3 and 17a-4 to electronic storage media and inputting of any changes made to every original and duplicate record maintained and preserved thereby."
SEC 240.17a-4(f)(3)(v)(A)
"At all times, a member, broker, or dealer must be able to have the results of such audit system available for examination by the staffs of the Commission and the self-regulatory organizations of which the broker or dealer is a member."
SEC 240.17a-4(f)(3)(v)(B)
"The audit results must be preserved for the time required for the audited records."
SEC 240.17a-4(f)(3)(vi)
"The member, broker, or dealer must maintain, keep current, and provide promptly upon request by the staffs of the Commission or the self-regulatory organization of which the member, broker, or broker-dealer is a member all information necessary to access records and indexes stored on the electronic storage media; or place in escrow and keep current a copy of the physical and logical file format of the electronic storage media, the field format of all different information types written on the electronic storage media and the source code, together with the appropriate documentation and information necessary to access records and indexes."
SEC 240.17a-4(f)(3)(vii)
"For every member, broker, or dealer exclusively using electronic storage media for some or all of its record preservation under this section, at least one third party (the undersigned), who has access to and the ability to download information from the member's, broker's, or dealer's electronic storage media to any acceptable medium under this section, shall file with the designated examining authority for the member, broker, or dealer the following undertakings with respect to such records."
Electronic Storage
What is new is this: in the past, for instance, at FINRA conferences, panelists have discussed the issue of how long data sits on a server (in non-compliant format—i.e., it is rewritable/erasable) before it is downloaded to a compliant format for storage. There was an expectation out there that—of course—information would necessarily have to be in non-compliant format for a little while (a day for some firms, a week for others, etc.). Yesterday, my contact stated emphatically that the SEC allows for no such ‘gap.’ The information, from the moment of its creation, should conform to the standards in 17a-4(f)(2).
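To make the mechanics concrete, here is an added example (my own illustration, not code from this blog, from EMC or from any vendor, and not a regulator's specification) of what the (f)(2)(ii)(A) and (C) requirements, the (f)(3)(iii) separately stored duplicate, the (f)(3)(v) 'audit system' discussed in the January 22 entry, and the 'no gap' point above look like when written down as a program. Everything in it is an assumption for illustration: the class names, the serial-number scheme, the JSON layout of the ledger, and the fact that the WORM media are modeled in memory (a real system enforces non-rewritability in hardware or in the vendor's storage layer). A record is serialized, time-dated, written to the original and the duplicate medium, and logged in a hash-chained audit ledger before ingest() returns, so there is no period in which it sits in a rewritable staging area. attest() is the 'go look and see the records are still there' check that the District staff described, and its result is itself appended to the ledger so it is preserved with the audited records, as (f)(3)(v)(B) asks. The sample e-mails at the bottom are constructed for the demo.

```python
"""Toy model of a 17a-4(f)-style WORM archive with an input audit ledger.

Added illustrative example; not from the blog, EMC, or any vendor. All names,
formats and behaviours here are assumptions chosen to show the mechanics.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first ledger entry


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class WormMedia:
    """One unit of non-rewritable, non-erasable storage ((f)(2)(ii)(A)), in memory.
    A serial can be written exactly once; there is deliberately no update or delete."""

    def __init__(self, media_id: str):
        self.media_id = media_id
        self._slots = {}  # serial -> (iso_timestamp, sha256, payload)

    def write(self, serial: str, timestamp: str, payload: bytes) -> str:
        if serial in self._slots:
            raise PermissionError(f"{self.media_id}: serial {serial} already written")
        digest = _sha256(payload)
        self._slots[serial] = (timestamp, digest, payload)
        return digest

    def read(self, serial: str):
        return self._slots[serial]  # KeyError if the record is gone


class AuditLedger:
    """Append-only, hash-chained log of every input to every medium ((f)(3)(v)).
    Editing or removing any earlier entry breaks every later entry's chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(prev: str, event: dict) -> str:
        return _sha256((prev + json.dumps(event, sort_keys=True)).encode())

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        self.entries.append({**event, "prev_hash": prev, "entry_hash": self._hash(prev, event)})

    def verify_chain(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            event = {k: v for k, v in e.items() if k not in ("prev_hash", "entry_hash")}
            if e["prev_hash"] != prev or e["entry_hash"] != self._hash(prev, event):
                return False
            prev = e["entry_hash"]
        return True


class ComplianceArchive:
    """Serializes and time-dates each record ((f)(2)(ii)(C)), writes it to the original
    and the separately held duplicate ((f)(3)(iii)), and logs who put it there, all
    before ingest() returns, so the record never sits in a rewritable staging area."""

    def __init__(self, original: WormMedia, duplicate: WormMedia, ledger: AuditLedger):
        self.original, self.duplicate, self.ledger = original, duplicate, ledger
        self._next_serial = 1

    def ingest(self, record_id: str, payload: bytes, source: str) -> str:
        serial = f"{self.original.media_id}-{self._next_serial:08d}"
        self._next_serial += 1
        timestamp = datetime.now(timezone.utc).isoformat()
        for media in (self.original, self.duplicate):
            digest = media.write(serial, timestamp, payload)
            self.ledger.append({"event": "input", "media": media.media_id, "serial": serial,
                                "record_id": record_id, "timestamp": timestamp,
                                "sha256": digest, "source": source})
        return serial

    def attest(self) -> list:
        """Periodic check: re-read every logged input from its medium and compare hashes.
        Returns the list of problems and records the check itself in the ledger."""
        problems = []
        by_id = {m.media_id: m for m in (self.original, self.duplicate)}
        for e in list(self.ledger.entries):
            if e["event"] != "input":
                continue
            try:
                _, _, payload = by_id[e["media"]].read(e["serial"])
            except KeyError:
                problems.append(f"{e['media']}:{e['serial']} missing")
                continue
            if _sha256(payload) != e["sha256"]:
                problems.append(f"{e['media']}:{e['serial']} hash mismatch")
        self.ledger.append({"event": "attest", "timestamp": datetime.now(timezone.utc).isoformat(),
                            "problems": problems, "chain_ok": self.ledger.verify_chain()})
        return problems


def build_demo_archive() -> ComplianceArchive:
    """Constructed sample: three messages ingested straight from a pretend mail gateway."""
    archive = ComplianceArchive(WormMedia("ORIG-A"), WormMedia("DUP-B"), AuditLedger())
    samples = [b"From: rr@example.com\nSubject: trade idea\n\nBuy 100 XYZ",
               b"From: client@example.net\nSubject: re: trade idea\n\nOK",
               b"IM 2008-01-03 09:14 rr->client: confirmed"]
    for i, body in enumerate(samples, 1):
        archive.ingest(f"msg-{i}", body, source="mail-gateway")
    return archive


if __name__ == "__main__":
    a = build_demo_archive()
    print("ledger intact:", a.ledger.verify_chain(), "| attest problems:", a.attest())
    try:
        a.original.write("ORIG-A-00000001", "2008-01-01T00:00:00+00:00", b"rewritten")
    except PermissionError as exc:
        print("WORM refused overwrite:", exc)
    a.ledger.entries[0]["source"] = "someone-else"  # quietly edit the audit trail
    print("ledger intact after tampering:", a.ledger.verify_chain())
```

Two things worth noticing when you run it. First, the ledger records the input event twice per record, once per medium, which is exactly the 'every original and duplicate record' language in (f)(3)(v); a vendor's product will name this differently, which is the sorting-out problem mentioned above. Second, the chain check catches edits to the audit trail but not a missing or corrupted record on the media; that is what attest() is for, and it is why the two checks belong together.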
FINRA understands the difficulty of enforcing SEC Rules and admits that flexibility is required. But they also don’t stray from preaching the letter of the law. I can’t say whether this hard-line stance will be adopted universally by FINRA examiners—we can never really predict their preferences for findings—but it is worth noting.
One more thing: Third party storage vendors charge a lot of money, and there is the perception among some regulators that they’re ripping off BD’s—basically, they’re riding on firm paranoia and overcharging for the SEC representation letters. Some of these vendors use storage software provided by a company called EMC. It may be worth cutting out the middle man—that is, a BD may want to maintain, backup and protect its own records using EMC products, rather than relying on a third party to do it. This may be more cost effective in the end. And the good news is, the EMC product ensures instantaneous compliance--from the moment of record creation (i.e., no gap). In this case, the firm itself makes the required (f)(2) representations and gets any old 3rd party to make the (f)(3) –access—representation (an easy rep to make). We may see a movement towards this self-storage model.
Update: Talked to Iron Mountain just now. They do not consider the (f)(3)(vii) representation easy to make. They will NOT make the (f)(3)(vii) reps for their storage clients. That is, for clients who use them only to store their records--not their 'digital clients' for whom they create and maintain the records in compliant format--they will not issue a letter stating that they will provide access to those records when requested by authorities. Reason? They don't want the responsibility of producing records over which they have no control...legal cya. Their representative told me that they have some 1/2 million of those customers...when I noted that there are only little over 5,000 BD's, and that making such representations wouldn't expose them too heavily, she had no comment. Also, she admits that they never have requests from FINRA and the only federal requests are subpoenas in large-scale investigations of wrongdoing...in other words, (f)(3)(vii) is never really invoked. Which is exactly what my FINRA contact said: 99.9% of the time, these 3rd party vendors will never have to do what they're jacking their prices for.
Link to EMC, fyi: http://www.emc.com/solutions/index.jsp?tab4