Well, now we know: southern, culturally-conservative (i.e., anti-guyliner) voters favoring the underdog. That's who crowned Kris last night. But do we care? No. FINRA suits are walking through the door soon, armed with lists of practically irrelevant exam priorities. And you, my friend, have no-one calling 1-800-I Comply! to vote for you. (No-one except me: I'm here to help.)
btw: Not enough of you requested free conference notes. That means: a) you don't care, b) you're afraid to write to me, knowing I'll write back and talk too much, or c) you're not even reading this. You're over on that other, better blog: http://thereformedbroker.com/ But is that guy giving you practical information you can use immediately to improve your compliance grade (Randy Jackson wants to give you an "A+")? No, he's giving you insightful analysis of current economic and political events, all in a well-written and sometimes hilarious fashion. What good is that?*
*Real good. Check him out.
Oh, back to my exam findings tips, in honor of my favorite second-place, soon-to-be superstar, Glambert. Recent findings:
- BCP summary disclosure not on website -- 3510(e);
- CCO not disclosed on Schedule A of Form BD -- 3130(a);
- AML testing not done by independent person or firm didn't comply with exemption provisions when using in-house, non-independent person -- 3011(c) and IM-3011-1;
- Supervisory Control Procedures don't address electronically notifying FINRA of the reliance on the limited size and resources exception -- 3012(a)(2)(A)(iii);
- Don't have procedures for monitoring new rules proposed under Section 311 of the USA Patriot Act -- 3011(b);
- [The age-old] failed to notify of electronic storage media and provide required representations on format/storage and third party access -- SEC 17a-4(f)(2) and (f)(3)(vii);
- Don't have a third party to access electronic records to meet SRO requests -- SEC 17a-4(f)(3)(vii).
Comments on the above:
- BCP: If you have a website, it has to be there. Remember, post just your summary, not the whole plan. Just do it.
- CCO on Sked A: the thing is, no CRD deficiency is generated if it's not there. This rule came out in 2004--FIVE American Idol seasons ago!--and it's hard to believe that this violation can still exist. But it does. I think, like for FCS and other nec. disclosures, that the system should alert the firm on Gateway if no CCO is listed on Sked A.
- AML Indep. Tester: for very small firms, this is frustrating. Yes, they may rely on an in-house person who isn't independent, but they have to provide justification for doing so and have written procedures about non-retaliation, etc.... look at http://finra.complinet.com/en/display/display_viewall.html?rbid=2403&element_id=3719&record_id=4397 for the requirements under IM-3011-1. Just do it. The obvious alternative is to hire an outside party (cha-ching).
- Procedure to notify of LS&R exemption: Uh, this is easy to comply with. Put in your supervisory control procedures that you will make a filing in CRD, notifying FINRA of your reliance on this exception if you appoint someone not 'senior' to do branch examinations. Just do it.
- 311 procedures: Guidance came out in 2007. If your firm doesn't have foreign accounts, just mention in your procedures that you don't have to include due diligence procedures for 'specified banks' under FinCEN's 'special measures' rules--from Section 311 of the USA Patriot Act. You can promise you'll add such procedures when deemed relevant to your business. Add a link to FinCEN’s Special Measures page http://www.fincen.gov/reg_section311.html for fast reference to changes.
- ESM notification: Oh, don't get me started. Well, at least FINRA is showing some patience on this issue. For goodness sakes, by now firms should know what they have to do! Look at my many, verbose postings on this subject for more information. If you haven't notified FINRA on CRD of your use of acceptable ESM, just do it (it's under 'financial notifications' on the forms and filings tab on the Gateway).
- Access: See my earlier postings on this topic. You have to have a third party to assert that they will provide access to your e-records in case you can't/won't produce them upon request. This party does not have to maintain your records--they just have to be able to access/produce them. There is a firm called Securities Industry Records Services in Utah that provides this access letter for an annual fee...check them out at SIRSCO.com. (I don't endorse these guys...haven't yet had personal experience with them--but it might be worth talking to them if you want to store your own records.)
Some areas of exam focus:
- Reg. SHO: aggregation units, controls in place to prevent illegal short sales, affirmative determination records.
- Scrutiny of lack of SAR filings: why none?
1. Get a PCAOB-registered accounting firm before December--for your next audit. Remember that, for non-public BD's, this registration doesn't change the accounting standards or protocols; for now, the auditor just has to pay a fee to register. Don't be lured into paying higher fees for your audit.
2. Don't expect 30 days advance notice of your next exam--even though Robert Errico in his February 2007 letter to members stated the following:
Advance Notice of Examinations. For the vast majority of firms, NASD is doubling the amount of notice in advance of a routine examination. Specifically, we are moving the notice period from 14 days to 30 days. This change will provide member firms with adequate time to respond to the WebIR and to gather the records and other information requested prior to the on-site portion of the examination. Similarly, it will provide our examiners with more time to review materials, leading to a more efficient examination.
I rarely see 30 days notice being given. The staff at the April conference said, 'Oh, it's up to 30 days.' I guess they didn't know about Mr. Errico's kind promise. Oh, and don't kid yourself into thinking you're on a set exam schedule--they'll use BORAM (clearly, Spock language) every year to decide when your next exam will be.
3. Establish a policy for protecting customer information when Reps leave your firm. If you let them take Outlook contacts information or other data that contains non-public info, you have to disclose this in your privacy policy (and give customers an opt-out choice).
4. Remember that the ID Theft Program requirement has been delayed until Aug. 1--and remain on the lookout for FTC's promised "template to help entities with a low risk of identity theft to comply with the rule" (but then again, we know how promises work...you promised you'd vote for Adam and you didn't).
Thanks for reading. And remember to amend your Reps' U4's for the new disclosure questions. But you've got time...first go out and enjoy the fine weather.