Tuesday, May 26, 2009

Privacy Clauses in Contracts

Another reminder for you. (This was discussed at the April conference, too.)

Your contracts with third parties, such as payroll services, clearing firms and, of course, ESM (electronic storage media) providers, should have some language about safeguarding customer information. FINRA seems to be enforcing this in anticipation of final approval/effectiveness of amendments to Regulation S-P. Here’s a summary of the related change in that SEC rule:

Currently, Section 30(a) of Regulation S-P requires institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information.

Amendments to Reg. S-P would require firms to develop “information security programs” that would require firms to, among other things:

“oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing).”

The term “service provider” would mean any person or entity that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person subject to the rule.

Reasonable steps to evaluate the information safeguards of service providers could include the use of third-party review of those safeguards such as a Statement of Auditing Standards No. 70 (“SAS 70”) report, a SysTrust report or a WebTrust report. (This is straight from the SEC release—it seems geared towards large firms; small firms will have to determine which ‘reasonable steps’ are practical, affordable and effective.)

See http://www.sec.gov/rules/proposed/2008/34-57427.pdf for the SEC’s proposed amendment from last year.

Thursday, May 21, 2009

The Adam Lambert Memorial Exam Findings Tips and other Reminders

Well, now we know: southern, culturally-conservative (i.e., anti-guyliner) voters favoring the underdog. That's who crowned Kris last night. But do we care? No. FINRA suits are walking through the door soon, armed with lists of practically irrelevant exam priorities. And you, my friend, have no-one calling 1-800-I Comply! to vote for you. (No-one except me: I'm here to help.)

btw: Not enough of you requested free conference notes. That means: a) you don't care, b) you're afraid to write to me, knowing I'll write back and talk too much, or c) you're not even reading this. You're over on that other, better blog: http://thereformedbroker.com/ But is that guy giving you practical information you can use immediately to improve your compliance grade (Randy Jackson wants to give you an "A+")? No, he's giving you insightful analysis of current economic and political events, all in a well-written and sometimes hilarious fashion. What good is that?*

*Real good. Check him out.

Oh, back to my exam findings tips, in honor of my favorite second-place, soon-to-be superstar, Glambert. Recent findings:

  1. BCP summary disclosure not on website -- 3510(e);
  2. CCO not disclosed on Schedule A of Form BD -- 3130(a);
  3. AML testing not done by independent person or firm didn't comply with exemption provisions when using in-house, non-independent person -- 3011(c) and IM-301101;
  4. Supervisory Control Procedures don't address electronically notifying FINRA of the reliance on the limited size and resources exception -- 3012(a)(2)(A)(iii);
  5. Don't have procedures for monitoring new rules proposed under Section 311 of the USA Patriot Act -- 3011(b);
  6. [The age-old] failed to notify of electronic storage media and provide required representations on format/storage and third party access -- SEC 17a-4(f)(2) and (f)(3)(vii);
  7. Don't have a third party to access electronic records to meet SRO requests -- SEC 17a-4(f)(3)(vii).

Comments on the above:

  1. BCP: If you have a website, it has to be there. Remember, post just your summary, not the whole plan. Just do it.
  2. CCO on Sked A: the thing is, no CRD deficiency is generated if it's not there. This rule came out in 2004--FIVE American Idol seasons ago!--and it's hard to believe that this violation can still exist. But it does. I think, like for FCS and other nec. disclosures, that the system should alert the firm on Gateway if no CCO is listed on Sked A.
  3. AML Indep. Tester: for very small firms, this is frustrating. Yes, they may rely on an in-house person who isn't independent, but they have to provide justification for doing so and have written procedures about non-retaliation, etc.... look at http://finra.complinet.com/en/display/display_viewall.html?rbid=2403&element_id=3719&record_id=4397 for the requirements under IM-3011-1. Just do it. The obvious alternative is to hire an outside party (cha-ching).
  4. Procedure to notify of LS&R exemption: Uh, this is easy to comply with. Put in your supervisory control procedures that you will make a filing in CRD, notifying FINRA of your reliance on this exception if you appoint someone not 'senior' to do branch examinations. Just do it.
  5. 311 procedures: Guidance came out in 2007. If your firm doesn't have foreign accounts, just mention in your procedures that you don't have to include due diligence procedures for 'specified banks' under FinCEN's 'special measures' rules--from Section 311 of the USA Patriot Act. You can promise you'll add such procedures when deemed relevant to your business. Add a link to FinCEN’s Special Measures page http://www.fincen.gov/reg_section311.html for fast reference to changes.
  6. ESM notification: Oh, don't get me started. Well, at least FINRA is showing some patience on this issue. For goodness sakes, by now firms should know what they have to do! Look at my many, verbose postings on this subject for more information. If you haven't notified FINRA on CRD of your use of acceptable ESM, just do it (it's under 'financial notifications' on the forms and filings tab on the Gateway).
  7. Access: See my earlier postings on this topic. You have to have a third party to assert that they will provide access to your e-records in case you can't/won't produce them upon request. This party does not have to maintain your records--they just have to be able to access/produce them. There is a firm called Securities Industry Records Services in Utah that provides this access letter for an annual fee...check them out at SIRSCO.com. (I don't endorse these guys...haven't yet had personal experience with them--but it might be worth talking to them if you want to store your own records.)

Some areas of exam focus:

  • Reg. SHO: aggregation units, controls in place to prevent illegal short sales, affirmative determination records.
  • Scrutiny of lack of SAR filings: why none?

A few reminders for those of you who didn't read my notes:

1. Get a PCAOB-registered accounting firm before December--for your next audit. Remember that, for non-public BD's, this registration doesn't change the accounting standards or protocols; for now, the auditor just has to pay a fee to register. Don't be lured into paying higher fees for your audit.

2. Don't expect 30 days advance notice of your next exam--even though Robert Errico in his February 2007 letter to members stated the following:

Advance Notice of Examinations. For the vast majority of firms, NASD is doubling the amount of notice in advance of a routine examination. Specifically, we are moving the notice period from 14 days to 30 days. This change will provide member firms with adequate time to respond to the WebIR and to gather the records and other information requested prior to the on-site portion of the examination. Similarly, it will provide our examiners with more time to review materials, leading to a more efficient examination.

I rarely see 30 days notice being given. The staff at the April conference said, 'Oh, it's up to 30 days.' I guess they didn't know about Mr. Errico's kind promise. Oh, and don't kid yourself into thinking you're on a set exam schedule--they'll use BORAM (clearly, Spock language) every year to decide when your next exam will be.

3. Establish a policy for protecting customer information when Reps leave your firm. If you let them take Outlook contacts information or other data that contains non-public info, you have to disclose this in your privacy policy (and give customers an opt-out choice).

4. Remember that the ID Theft Program requirement has been delayed until Aug. 1--and remain on the lookout for FTC's promised "template to help entities with a low risk of identity theft to comply with the rule" (but then again, we know how promises work...you promised you'd vote for Adam and you didn't).

Thanks for reading. And remember to amend your Reps' U4's for the new disclosure questions. But you've got time...first go out and enjoy the fine weather.

Wednesday, May 13, 2009

800 Overseas Investors Thank You

Alternate title: Keep those SAR Filings Coming! Terrorist financing down 36%!

Please read FinCEN's 15th Issue of The SAR Activity Review – Trends, Tips & Issues (http://www.fincen.gov/news_room/rp/files/sar_tti_15.pdf). It's a blast.

Seriously, you AML officers out there should read it. It gives you a reason to value all the time you spend worrying about whether or not to file a SAR. You and all your AML brethren are making a difference! The SAR report outlines some cases cracked thanks to your efforts (for instance, a foreign national was busted for leading a scheme involving hedge funds and advisory firms that resulted in $21 million in losses for over 800 foreign investors: that makes you feel good about doing all that AML work, right?). ....(right??)

Here's what examiners want to see from you:
  1. Complete written procedures.
  2. Implementation of written procedures.
  3. Monitoring for susp. activity.
  4. Reporting of susp. activity.

Here's what examiners are seeing from you:

  1. Failure to document reviews of suspicious activity.
  2. Incomplete SAR forms.
  3. Crappy SAR's: completed inaccurately; inadequate narrative section (why is it suspicious?); includes supporting docs even though it's not supposed to; filed late.
  4. Inadequate due diligence on potentially susp. activity--investigate to determine if you should file!

Recent transactions in the sale of unregistered securities or representing fraud/market manipulation are not being reported as required (such as those involving penny stocks). Read the publication for an example that may be familiar to you.

The report includes sound advice on how to maintain a current and effective SAR program at your firm, for instance, by addressing:
  • current events and emerging trends: thanks to our little financial crisis, automated surveillance based on certain profiles and parameters doesn't work like it should (stock price/volume swings--all that is now normal; and customers with 'top reputations' can't be trusted anymore--those darned institutional short sellers!).
  • cyber crime: one-two punch, here--electronic intrusion into online brokerage accounts combined with traditional market manipulation (market-savvy hackers, our worst nightmare).
  • trade-based money laundering: no, not that kind of trade, this kind: international trade of goods and services. These Marco-Polo types under- or over-invoice or route invoices through various financial institutions (not just banks), leading to multiple payments for the same goods. Sophistication is growing in the illicit trade finance arena.
  • reported suspicious activity: evaluate your firm's reporting history; analyze trends; identify similar schemes, common locales or names, or possible red flags; follow enforcement actions.
  • identification and analysis of transaction types: don't just think of securities transactions that involve money: there are far more things to worry about! account transfers, free deliveries and receipts, external withdrawal by transfers and internal journal entry transfers. Your program should be able to detect activity and gaps that occur across the full spectrum of operations--all transactions "by, at or through" your broker dealer.
  • identification of detection points: all departments and personnel must be adequately incorporated into escalation workflows. Matters such as ID theft, insider trading, 314a matches, law enforcement subpoenas, customer tax issues, customer due diligence, credit reviews, back office operations, interaction with other financial institutions, and employee financial crime and prohibited trading... they all should feed into the SAR consideration stream.

(Those aren't my big words, by the way--not all of them. That summary is derived from the aforementioned SAR report.)

If you work for a huge firm with well-staffed internal legal, audit and compliance departments, this improvement to your AML/SAR program should seem reasonable. If you are a micro-firm, with one guy who pretty much wears every supervisory hat, well, my advice is to dedicate your summer in an attempt to achieve this level of AML musculature. Good luck. Take steroids.

You know what I think? That small firms should have an AML clearing house that performs their AML responsibilities for them, collectively. I mean, c'mon, it's crazy to imagine small firms being able to implement the goals expressed above. The whole cybercrime topic makes me scream louder than Danny Gokey: it's hard enough to get Outlook to work correctly, let alone defeat intergalactic cyberfiends. Wouldn't it be cool if the several thousand tiny FINRA BD's could outsource their AML stuff to one place? That place would be super-good at their job: they'd use unemployed MBA's and IT jocks to mastermind the most sophisticated and effective AML tools available on our planet, and they'd give the small firms the comfort of knowing that none of their clients was a foreign national perpetrating fraud on a global basis. They'd manage CIP, OFAC, 314a lists, 314b filings, account monitoring, suspicious activity investigations and reporting--and just think! AML audits would be a thing of the past! Instead, SEC or FINRA could do one big audit of the clearing house (let's call it AML, Inc. (tm) for now) to ensure compliance for the thousands of firms. The tiny firms could go back to doing what they do: helping their clients make money in the markets. Ahhhhh. (Un cafe, s'il vous plait...I think I was just dreaming.)

Anyway, 53,022 SAR's filed by the securities and futures industry through 2008. And exactly 6 cases solved. (Okay, I made that second number up.) Keep at it, folks! Some day a SAR you file will be profiled in a FinCEN report, and you'll be able to share your pride with your grandkids.

Oh, wait, no, you won't.


Thursday, May 7, 2009

Conference Notes: For Less Than the Cost of a Snuggie!

I attended the Small Firms Conference that FINRA presented on April 7 in NYC--and guess what? I took notes! I apologize for the delay in putting my notes into digital format. Thanks to Gokey voters (see below), I have now finished this process. Rather than post the document here (it's 12 pages long), I will be happy to email it to you upon request.

Please hit this link and send me a request for the notes. I'll send them over without even asking why you care so much, what with the economy in the tank, the Taliban gaining power, and an AI top 3 without Allison. Your priorities are your own business. mailto:inquiry@imhoffconsultingproject.com

Here are some topics sure to lure you:
  • BORAM;
  • Broadened supervisory authority over outside business activities;
  • Required reporting of internal violations;
  • Circulation of rumors (and rumors of rumors);
  • Principles-based research rules;
  • Customer data protection--when your reps leave;
  • PCAOB compliance; and
  • Unanswered questions (are you surprised?).
I'll be standing by. No credit card required.

The Allison Iraheta Memorial Promise and Red Flags Reprieve

In reaction to last night's travesty on American Idol, I now swear to you that by day's end I will have posted a message about my April conference notes. I have hunkered down and worked diligently on typing my notes--and translating my hand-scrawled gibberish. The wretched AmIdol results led me to this confinement: I am eschewing contact with the public today in hopes of snubbing those who cast votes for Danny. You Gokeyites who read my blog are henceforth required to either a) pay me money for the pleasure or b) promise you'll vote 30 million times for Adam next week.

In the meantime, I hope you've heard that (cut and pasted from FINRA's e-mail, emphasis added):

"FTC Delays Enforcement of FACT Act Red Flags Rule Until August 1
The Federal Trade Commission (FTC) has delayed until August 1 its enforcement of the new Red Flags Rule, which requires most broker-dealers to have in place a written program to identify, detect and respond to patterns, practices or specific activities that could indicate identity theft ("red flags"). In addition, the FTC will soon release a template to help entities with a low risk of identity theft to comply with the rule. Enforcement of the Red Flags Rule, which implements a section of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), was previously scheduled to begin on May 1."

God Bless the FTC. (I give all the credit to Obama.)

Be back soon.