As you know I'm not happy about the ID Theft/Red Flags rules for introducing firms that offer margin accounts through their clearing firms. Doesn't make sense that these firms are considered 'creditors.' But don't get me started on bad rules that require time, money and effort for the sake of token compliance. Yuk. But a trusted informant from another consulting firm told me that FINRA is obsessing about compliance with these new rules--even though they don't take effect until June 1 and even though FINRA does not have authority to enforce the rules (FTC does). So gear up. Read this Notice Red Flags Rule and Template Procedures and customize the template FINRA provides.
On Privacy (wait, why is this separate from ID theft: isn't protecting customer information all under the same umbrella? Ugh. Whatever.): I came across this, about changes to Reg. S-P: eCFR Link to S-P Amendment. The Reg change eliminates the 'sample clauses' that most of you are using in your Privacy Notices right now. After this year, you won't be able to use those clauses to meet the disclosure requirements under Reg. S-P. Rather, there is a new 'model privacy form.' As of 2011, firms must either use the model form or be sure that their custom privacy notices meet all Reg. S-P criteria. You don't have to wait until 2011--the model form may be used now, and will give you the comfort of knowing your notice meets federal requirements (i.e., it is a safe harbor). You may want to begin the process of switching over from your currently-used notice.
There are two versions of the new model form: Notice with Opt-Out and Notice without Opt-Out. You'll want to decide which is right for your firm and then customize it. Remember, Privacy Notices are NOT required for institutional customers; for individuals, you must deliver the Notice at account opening and yearly thereafter.
Now go forth and confidently protect the privacy and identies of your customers. And do it in a well-documented fashion. Or else.
Thursday, January 28, 2010
Social Networking Sites: Word to the Wise
FINRA has put out guidance on the topic of social networking sites (SNS). The explosion of electronic communications in many forms has made it difficult for BD’s to know how to follow SEC books & records rules. It used to be straightforward, but with tools like Facebook & Twitter, it’s tough to decide what constitutes categories like advertising, public appearance, correspondence and recommendations. I suggest you read Notice 10-06 (it’s not long!) so you are aware of FINRA’s concerns.
What FINRA wants is this: if your Reps or the Firm itself use SNS’s for business purposes, then you have to be able to supervise all postings, whether they are ‘static’ (like profiles or wall posts) or ‘interactive’ (like chats or interactive posts with third parties), and you have to be able to store all that content under SEC books and records rules (17a-3/a-4). Pre-approval of anything considered an ‘advertisement’ (the static content) is required; pre-approval is not required for interactive content, but all other requirements apply to that material.
Sound like a big job? It is! Word has it the bigger e-mail storage vendors are working on products that firms can use to meet these requirements (automatically saving the online content and providing an automated review tool for monitoring it), but I can imagine those products will not be cheap. And it’s harder to imagine small firms being able to adequately meet the supervision/r-k requirements on their own.
So, if you are going to allow Reps to participate in SNS’s, you HAVE to implement procedures to meet FINRA’s guidance. And you HAVE to follow those procedures.
If you would rather avoid this administrative challenge & expense (and the related liability of allowing the activity), you will have to be clear about your expectations of firm personnel. Make sure your procedures include a prohibition of this activity; it would also be smart to send an e-mail reminder to everyone at your firm. I suggest:
What FINRA wants is this: if your Reps or the Firm itself use SNS’s for business purposes, then you have to be able to supervise all postings, whether they are ‘static’ (like profiles or wall posts) or ‘interactive’ (like chats or interactive posts with third parties), and you have to be able to store all that content under SEC books and records rules (17a-3/a-4). Pre-approval of anything considered an ‘advertisement’ (the static content) is required; pre-approval is not required for interactive content, but all other requirements apply to that material.
Sound like a big job? It is! Word has it the bigger e-mail storage vendors are working on products that firms can use to meet these requirements (automatically saving the online content and providing an automated review tool for monitoring it), but I can imagine those products will not be cheap. And it’s harder to imagine small firms being able to adequately meet the supervision/r-k requirements on their own.
So, if you are going to allow Reps to participate in SNS’s, you HAVE to implement procedures to meet FINRA’s guidance. And you HAVE to follow those procedures.
If you would rather avoid this administrative challenge & expense (and the related liability of allowing the activity), you will have to be clear about your expectations of firm personnel. Make sure your procedures include a prohibition of this activity; it would also be smart to send an e-mail reminder to everyone at your firm. I suggest:
Our firm strictly prohibits you from engaging in business communications in a social media site (such as Twitter, Facebook and Linked-In, among others). Your participation in such sites must be for purely personal reasons. You may not present yourself on such sites as a representative or agent of the firm: to do so is considered “advertising” and requires pre-approval by our compliance staff. Likewise, on such sites you may not recommend securities or engage in discussions about securities or the firm’s business. Lastly, you may not: link to third party material relating to securities; assist third party site participants in preparing such material; or comment on/endorse third party posts on such material. Our firm may from time to time request access to your social networking sites in order to spot check them for compliance with this prohibition. Perceived violations will be met with disciplinary action.No matter how you word it, the message should be clear--personnel may not use these sites for business purposes: to do so immediately puts your firm at risk.
Thursday, January 14, 2010
AML: P.O. Boxes for Address Confidentiality Program Participants
I just read about FinCEN's position on the subject of customers who are participants in Address Confidentiality Programs (ACP) and how firms can comply with CIP 'street address' rules for these customers.
To back up: right now, if you're meeting CIP requirements for a new customer, you are gathering a residential or business street address for that person; if the person gives you a P.O. Box, you kindly ask for a street address for the records, but promise to use the P.O. Box for mailing and other business purposes. That's great.
But what if your customer informs you that s/he is participating in an ACP in order to protect his/her confidentiality? These programs are State-run and help to protect victims of domestic violence, sexual assault or stalking. The customer gives you only a P.O. Box address, in keeping with ACP standards. What do you do? You have to comply with CIP rules and your firm's internal procedures, but you want to honor your customer's right to self-protection.
Well, your answer comes in FinCEN Ruling FIN-2009-R003. In this Ruling, FinCEN explains that CIP rules allow customers who do not have street addresses to provide a "residential or business street address of next of kin or of another contact individual." In this case, however, the customer does have a street address, but s/he is keeping it a secret on purpose. What FinCEN has done is made an exception to the CIP rule in this instance. They will treat the ACP participant as not having a street address. In our example above, you would record the P.O. Box of the customer and also collect the street address of the ACP sponsoring agency (such as the Secretary of State or other state agency administering the ACP). That street address will meet the CIP requirement. In essence, the entity administering the ACP will serve as the agent of the customer for CIP purposes.
Obviously, you are required to reasonably believe that you know the true identity of your new customer: if the person gives you an ACP address, risk-based thinking will compel you to check on that address, just in case. Not all states offer these programs--I found this table, which has updated information through Jan. 2009: States with ACP's .
**********
One more thing: I have seen examiners looking for OFAC checks on new associated persons. I haven't researched the rule calling for this, but it may be a good idea to incorporate this procedure in your hiring/registration practices. Run the check, put the results in the personnel file.
To back up: right now, if you're meeting CIP requirements for a new customer, you are gathering a residential or business street address for that person; if the person gives you a P.O. Box, you kindly ask for a street address for the records, but promise to use the P.O. Box for mailing and other business purposes. That's great.
But what if your customer informs you that s/he is participating in an ACP in order to protect his/her confidentiality? These programs are State-run and help to protect victims of domestic violence, sexual assault or stalking. The customer gives you only a P.O. Box address, in keeping with ACP standards. What do you do? You have to comply with CIP rules and your firm's internal procedures, but you want to honor your customer's right to self-protection.
Well, your answer comes in FinCEN Ruling FIN-2009-R003. In this Ruling, FinCEN explains that CIP rules allow customers who do not have street addresses to provide a "residential or business street address of next of kin or of another contact individual." In this case, however, the customer does have a street address, but s/he is keeping it a secret on purpose. What FinCEN has done is made an exception to the CIP rule in this instance. They will treat the ACP participant as not having a street address. In our example above, you would record the P.O. Box of the customer and also collect the street address of the ACP sponsoring agency (such as the Secretary of State or other state agency administering the ACP). That street address will meet the CIP requirement. In essence, the entity administering the ACP will serve as the agent of the customer for CIP purposes.
Obviously, you are required to reasonably believe that you know the true identity of your new customer: if the person gives you an ACP address, risk-based thinking will compel you to check on that address, just in case. Not all states offer these programs--I found this table, which has updated information through Jan. 2009: States with ACP's .
**********
One more thing: I have seen examiners looking for OFAC checks on new associated persons. I haven't researched the rule calling for this, but it may be a good idea to incorporate this procedure in your hiring/registration practices. Run the check, put the results in the personnel file.
Wednesday, January 6, 2010
We Have a Winner! (clarification on subject of k2i a/c and fin. resp. rules)
And the Snuggie goes to: a kind gentleman at FINRA who called me back TODAY and pointed to what I should have reviewed in the first place: response to comments and amendment 2 as they relate to the original rule filing.
In summary, even if your firm is a subscription-based mutual fund retailer--not a clearing firm and not a carrying firm--you still fit into the category of ''carrying/clearing members' if you have an account for the exclusive benefit of customers as described in paragraph (k)(2)(i) of SEA 15c3-3. That is, if you receive and deposit customer checks in an account you control, you're in this category for the sake of rule compliance. It's a customer protection thing, so they say.
So review Notice 09-71 again, and remember that all of these rules might apply to you, even if you think they don't (or shouldn't).
Going home now to put on my own Snuggie. Brrrr.
In summary, even if your firm is a subscription-based mutual fund retailer--not a clearing firm and not a carrying firm--you still fit into the category of ''carrying/clearing members' if you have an account for the exclusive benefit of customers as described in paragraph (k)(2)(i) of SEA 15c3-3. That is, if you receive and deposit customer checks in an account you control, you're in this category for the sake of rule compliance. It's a customer protection thing, so they say.
So review Notice 09-71 again, and remember that all of these rules might apply to you, even if you think they don't (or shouldn't).
Going home now to put on my own Snuggie. Brrrr.
Happy Oh-10: Financial Responsibilty Rules and New CCO Exam Proposal
Was just reading some Notices and had a few comments:
1. Financial Responsibility Rules (see Notice 09-71): I'm a little confused about whether non-clearing/non-carrying firms with "k2i" accounts are or are not included in the category of clearing/carrying members for many of the new rules... footnotes in the Rules, the Notice and the Rule Filing all say: "Members Operating Pursuant to the Exemptive Provisions of SEA Rule 15c3-3(k)(2)(i). For purposes of this Rule, all requirements that apply to a member that clears or carries customer accounts shall also apply to any member that, operating pursuant to the exemptive provisions of SEA Rule 15c3-3(k)(2)(i), either clears customer transactions pursuant to such exemptive provisions or holds customer funds in a bank account established thereunder."
But the Rule Filing explains, in a Pg 36 footnote: “For clarification, introducing firms and firms with limited business models (for example, firms that engage exclusively in subscription-basis mutual fund transactions, direct participation programs, or mergers and acquisitions activities) are not deemed carrying or clearing members and therefore would not be subject to Proposed FINRA Rule 4110(a), or for that matter any of the other provisions of the proposed rules that would apply only to carrying or clearing members.”
But what if a mutual fund application-way firm has a k2i account established to receive customer funds? I sent an email to one of the Notice authors: I'll let you know what I hear. Or if you can shed light on this apparent contradiction, please write me and I'll enter your name into a drawing for a free Snuggie.
2. Proposed Changes in Registration/Qualification Requirements (see Notice 09-70): One of the changes creates a new category for Chief Compliance Officers--they'd have to pass a specific exam to hold that title. Those with a 24 and who are listed on Form BD prior to the rule taking effect would be grandfathered (no new exam nec.), but those assuming the role after that, even if they have their 24, would have to take the test. I was thinking that some of you principals might want to take advantage of the "multiple CCO" mechanism before they make this rule effective. That way, you will be on the Form BD as CCO in time, and won't have to take the exam. For instance, if you're a small shop with a just a few senior managers, and you originally flipped a coin to see who would serve as CCO, what happens if your existing CCO moves to Jamaica, leaving you with an obligation to pass a new test just to step into Mr. Sun-n-Surf's shoes? Or, perhaps you have a new employee who got his 24, but hasn't yet assumed the role of CCO that you're anxiously looking forward to handing over...you could appoint him co-CCO (dividing up responsibilities, of course, and outlining all this in your WSP) and therefore he won't have to pass the new test later.
Other reminders: Look at your final renewal statements and pay what you owe or request a refund (see excerpted FINRA help, below); do your FCS check by Jan. 27; and don't forget to do quarterly complaint filing by the 15th. And send thank-you notes to all those nice people who gave you xmas gifts!! Emails don't count!
Your compliance compadre,
Sharon
RENEWALS:
If your statement shows an ‘Amount Due’ (i.e., positive amount or debit balance), then your firm needs to pay the balance to FINRA by February 5, 2010.
Print the statement. A copy of the statement’s first page should be included if your firm is paying with a check.
See the "How to Submit Renewal Payment" section of this Bulletin or visit the Renewal Program Payment Options page on the FINRA Web site.
If your Final Renewal Statement displays ‘Paid In Full’:
If your Final Renewal Statement’s ‘Paid In Full’ amount is equal to the amount owed for your Preliminary Renewal Statement then the balance is $0 and no additional payment is required.
If your Final Renewal Statement’s ‘Paid In Full’ amount is less than the amount your firm paid for its Preliminary Renewal Statement then your overpayment has been systematically transferred to your firm’s Daily Account. Any refunds should be requested from that account. You may request a refund check from FINRA or leave the funds in your Daily Account for future registration-related fees.
To request a refund check, have an appropriate signatory sign the first page of the Final Renewal Statement and mail it to FINRA for receipt by February 5, 2010. Send your refund request to:
FINRA Registration Management-CRD Accounting
9509 Key West Avenue
Rockville, MD 20850
(301) 869-6699
1. Financial Responsibility Rules (see Notice 09-71): I'm a little confused about whether non-clearing/non-carrying firms with "k2i" accounts are or are not included in the category of clearing/carrying members for many of the new rules... footnotes in the Rules, the Notice and the Rule Filing all say: "Members Operating Pursuant to the Exemptive Provisions of SEA Rule 15c3-3(k)(2)(i). For purposes of this Rule, all requirements that apply to a member that clears or carries customer accounts shall also apply to any member that, operating pursuant to the exemptive provisions of SEA Rule 15c3-3(k)(2)(i), either clears customer transactions pursuant to such exemptive provisions or holds customer funds in a bank account established thereunder."
But the Rule Filing explains, in a Pg 36 footnote: “For clarification, introducing firms and firms with limited business models (for example, firms that engage exclusively in subscription-basis mutual fund transactions, direct participation programs, or mergers and acquisitions activities) are not deemed carrying or clearing members and therefore would not be subject to Proposed FINRA Rule 4110(a), or for that matter any of the other provisions of the proposed rules that would apply only to carrying or clearing members.”
But what if a mutual fund application-way firm has a k2i account established to receive customer funds? I sent an email to one of the Notice authors: I'll let you know what I hear. Or if you can shed light on this apparent contradiction, please write me and I'll enter your name into a drawing for a free Snuggie.
2. Proposed Changes in Registration/Qualification Requirements (see Notice 09-70): One of the changes creates a new category for Chief Compliance Officers--they'd have to pass a specific exam to hold that title. Those with a 24 and who are listed on Form BD prior to the rule taking effect would be grandfathered (no new exam nec.), but those assuming the role after that, even if they have their 24, would have to take the test. I was thinking that some of you principals might want to take advantage of the "multiple CCO" mechanism before they make this rule effective. That way, you will be on the Form BD as CCO in time, and won't have to take the exam. For instance, if you're a small shop with a just a few senior managers, and you originally flipped a coin to see who would serve as CCO, what happens if your existing CCO moves to Jamaica, leaving you with an obligation to pass a new test just to step into Mr. Sun-n-Surf's shoes? Or, perhaps you have a new employee who got his 24, but hasn't yet assumed the role of CCO that you're anxiously looking forward to handing over...you could appoint him co-CCO (dividing up responsibilities, of course, and outlining all this in your WSP) and therefore he won't have to pass the new test later.
Other reminders: Look at your final renewal statements and pay what you owe or request a refund (see excerpted FINRA help, below); do your FCS check by Jan. 27; and don't forget to do quarterly complaint filing by the 15th. And send thank-you notes to all those nice people who gave you xmas gifts!! Emails don't count!
Your compliance compadre,
Sharon
RENEWALS:
If your statement shows an ‘Amount Due’ (i.e., positive amount or debit balance), then your firm needs to pay the balance to FINRA by February 5, 2010.
Print the statement. A copy of the statement’s first page should be included if your firm is paying with a check.
See the "How to Submit Renewal Payment" section of this Bulletin or visit the Renewal Program Payment Options page on the FINRA Web site.
If your Final Renewal Statement displays ‘Paid In Full’:
If your Final Renewal Statement’s ‘Paid In Full’ amount is equal to the amount owed for your Preliminary Renewal Statement then the balance is $0 and no additional payment is required.
If your Final Renewal Statement’s ‘Paid In Full’ amount is less than the amount your firm paid for its Preliminary Renewal Statement then your overpayment has been systematically transferred to your firm’s Daily Account. Any refunds should be requested from that account. You may request a refund check from FINRA or leave the funds in your Daily Account for future registration-related fees.
To request a refund check, have an appropriate signatory sign the first page of the Final Renewal Statement and mail it to FINRA for receipt by February 5, 2010. Send your refund request to:
FINRA Registration Management-CRD Accounting
9509 Key West Avenue
Rockville, MD 20850
(301) 869-6699
Subscribe to:
Posts (Atom)