
Thursday, May 21, 2009

The Adam Lambert Memorial Exam Findings Tips and other Reminders

Well, now we know: southern, culturally-conservative (i.e., anti-guyliner) voters favoring the underdog. That's who crowned Kris last night. But do we care? No. FINRA suits are walking through the door soon, armed with lists of practically irrelevant exam priorities. And you, my friend, have no-one calling 1-800-I Comply! to vote for you. (No-one except me: I'm here to help.)

btw: Not enough of you requested free conference notes. That means: a) you don't care, b) you're afraid to write to me, knowing I'll write back and talk too much, or c) you're not even reading this. You're over on that other, better blog: http://thereformedbroker.com/

But is that guy giving you practical information you can use immediately to improve your compliance grade (Randy Jackson wants to give you an "A+")? No, he's giving you insightful analysis of current economic and political events, all in a well-written and sometimes hilarious fashion. What good is that?*

*Real good. Check him out.

Oh, back to my exam findings tips, in honor of my favorite second-place, soon-to-be superstar, Glambert. Recent findings:

  1. BCP summary disclosure not on website -- 3510(e);
  2. CCO not disclosed on Schedule A of Form BD -- 3130(a);
  3. AML testing not done by independent person, or firm didn't comply with exemption provisions when using in-house, non-independent person -- 3011(c) and IM-3011-1;
  4. Supervisory Control Procedures don't address electronically notifying FINRA of the reliance on the limited size and resources exception -- 3012(a)(2)(A)(iii);
  5. Don't have procedures for monitoring new rules proposed under Section 311 of the USA Patriot Act -- 3011(b);
  6. [The age-old] failed to notify of electronic storage media and provide required representations on format/storage and third party access -- SEC 17a-4(f)(2) and (f)(3)(vii);
  7. Don't have a third party to access electronic records to meet SRO requests -- SEC 17a-4(f)(3)(vii).


Comments on the above:

  1. BCP: If you have a website, it has to be there. Remember, post just your summary, not the whole plan. Just do it.
  2. CCO on Sked A: the thing is, no CRD deficiency is generated if it's not there. This rule came out in 2004--FIVE American Idol seasons ago!--and it's hard to believe that this violation can still exist. But it does. I think, like for FCS and other nec. disclosures, that the system should alert the firm on Gateway if no CCO is listed on Sked A.
  3. AML Indep. Tester: for very small firms, this is frustrating. Yes, they may rely on an in-house person who isn't independent, but they have to provide justification for doing so and have written procedures about non-retaliation, etc.... look at http://finra.complinet.com/en/display/display_viewall.html?rbid=2403&element_id=3719&record_id=4397 for the requirements under IM-3011-1. Just do it. The obvious alternative is to hire an outside party (cha-ching).
  4. Procedure to notify of LS&R exemption: Uh, this is easy to comply with. Put in your supervisory control procedures that you will make a filing in CRD, notifying FINRA of your reliance on this exception if you appoint someone not 'senior' to do branch examinations. Just do it.
  5. 311 procedures: Guidance came out in 2007. If your firm doesn't have foreign accounts, just mention in your procedures that you don't have to include due diligence procedures for 'specified banks' under FinCEN's 'special measures' rules--from Section 311 of the USA Patriot Act. You can promise you'll add such procedures when deemed relevant to your business. Add a link to FinCEN’s Special Measures page http://www.fincen.gov/reg_section311.html for fast reference to changes.
  6. ESM notification: Oh, don't get me started. Well, at least FINRA is showing some patience on this issue. For goodness sakes, by now firms should know what they have to do! Look at my many, verbose postings on this subject for more information. If you haven't notified FINRA on CRD of your use of acceptable ESM, just do it (it's under 'financial notifications' on the forms and filings tab on the Gateway).
  7. Access: See my earlier postings on this topic. You have to have a third party to assert that they will provide access to your e-records in case you can't/won't produce them upon request. This party does not have to maintain your records--they just have to be able to access/produce them. There is a firm called Securities Industry Records Services in Utah that provides this access letter for an annual fee...check them out at SIRSCO.com. (I don't endorse these guys...haven't yet had personal experience with them--but it might be worth talking to them if you want to store your own records.)

Some areas of exam focus:

  • Reg. SHO: aggregation units, controls in place to prevent illegal short sales, affirmative determination records.
  • Scrutiny of lack of SAR filings: why none?

A few reminders for those of you who didn't read my notes:

1. Get a PCAOB-registered accounting firm before December--for your next audit. Remember that, for non-public BD's, this registration doesn't change the accounting standards or protocols; for now, the auditor just has to pay a fee to register. Don't be lured into paying higher fees for your audit.

2. Don't expect 30 days advance notice of your next exam--even though Robert Errico in his February 2007 letter to members stated the following:

Advance Notice of Examinations. For the vast majority of firms, NASD is doubling the amount of notice in advance of a routine examination. Specifically, we are moving the notice period from 14 days to 30 days. This change will provide member firms with adequate time to respond to the WebIR and to gather the records and other information requested prior to the on-site portion of the examination. Similarly, it will provide our examiners with more time to review materials, leading to a more efficient examination.

I rarely see 30 days notice being given. The staff at the April conference said, 'Oh, it's up to 30 days.' I guess they didn't know about Mr. Errico's kind promise. Oh, and don't kid yourself into thinking you're on a set exam schedule--they'll use BORAM (clearly, Spock language) every year to decide when your next exam will be.

3. Establish a policy for protecting customer information when Reps leave your firm. If you let them take Outlook contacts information or other data that contains non-public info, you have to disclose this in your privacy policy (and give customers an opt-out choice).

4. Remember that the ID Theft Program requirement has been delayed until Aug. 1--and remain on the lookout for FTC's promised "template to help entities with a low risk of identity theft to comply with the rule" (but then again, we know how promises work...you promised you'd vote for Adam and you didn't).

Thanks for reading. And remember to amend your Reps' U4's for the new disclosure questions. But you've got time...first go out and enjoy the fine weather.

Thursday, May 22, 2008

Exam Priorities

FINRA just put out its annual notice on exam priorities. Below I've listed the areas they prioritize (many), along with summaries and a few comments. Far below, I note some recent findings I've seen on exams. This isn't overly original or interesting, but I thought I'd throw it in my blog, since I've been way too busy lately to write anything else... :)

Senior Investors – hot topics include misleading advertising, shameless, fear-inducing sales pitches and of course, suitability. Advice: don’t let your reps claim to be qualified ‘senior investing’ specialists and make sure each transaction is well documented to establish suitability.
Deferred Variable Annuities – new Rule 2821 went into effect, sort of, on May 5. Reps have to document their reasonable basis for recommending a Def. V/A purchase or switch; principals in the future will also be required to ensure reasonableness. Training in Def. V/A rules and products is required. Here is the link to the April Phone-In Workshop on the subject - phone-in workshop; also reference my notes on this in an earlier blog entry.
Anti-Money Laundering (AML) – final rule 312 of Patriot Act went into effect in Feb; most small firms are not affected since they don’t have foreign banking relationships. Examiners are looking for suspicious activity monitoring and SAR filings; also making sure firms are having independent testing as required. Remember, follow up on testing recommendations and keep records of your follow-up action taken.
Protection of Customer Information – issues include online account hacking (not relevant for most small firms) and protecting information stored electronically (on hard drives, portable drives, laptops and PDA’s). Exam deficiencies include failure to provide privacy notices (and keep records of providing them), failure to have procedures addressing disposal of consumer report information, failure to obtain required confidentiality agreements from third parties; failure to ensure that outsourcing entities maintained the confidentiality of customer information; and failure to include a required “opt out” clause in their privacy policies. While firm procedures may address safeguarding their information, it’s a good idea to have a separate “IT” type document detailing the administrative, technical and physical safeguards used to secure data.
Supervision and Supervisory Controls – I guess a lot of firms are still struggling with the difference between supervisory procedures under 3010 and control procedures under 3012/3013. Exams focus on separate control procedures, review of producing manager, heightened supervision of high-risk brokers, annual testing and verification and CEO certifications.
Sales of New or Non-Conventional Products – firms have to have procedures for approving of new products; examiners are also focusing on recommendations in new and non-conventional products, such as hedge funds, CMOs/CDOs, REITS, auction rate securities and other structured products. Guidance references MSRB notices for firms doing muni business.
Transaction Reporting – accuracy of reported transaction information is the firm’s responsibility, no matter how it’s reported. Trade Reporting Facility participants must transmit certain information regarding last sale reports of transactions in designated securities. Examiners are also finding firms to have incorrectly reported riskless principal transactions, incorrectly reported transactions with the long/short-sale indicator and not properly submitted OATS data with accurate order information, terms and conditions, and/or special handling codes.
Business Continuity Planning (BCP) – the exam priorities publication states that firms should periodically test their plan to ensure all of its components work as envisioned…but this is not required by the Rule itself or in FINRA’s 2006 NTM 06-74 on the subject. Firms should decide if periodic testing is necessary, given their size and customer services.
Data Integrity – exams will look at CRD filings, complaint reporting and clearing firm reporting to ensure accuracy and timeliness. Firms face steep fines for late filings.
Bank Sweep Programs – for broker-dealers sweeping customer credit balances into deposits at banks. All sorts of issues, here, including: protection of funds, net capital requirements, written agreements, reconciliations, books and records, SIPC/FDIC coverage, and account statements. Call district contact to discuss before setting up such a program.
Agency Lending Disclosure – for firms that operate an agency securities lending business. Exam findings show firms not performing principal counterparty credit risk monitoring or reconciliations and not resolving contract differences nor computing securities borrow deficit capital charges at the principal counterparty level. Ref: 05-45.
Inventory Valuations – firms should have controls to independently validate the pricing of inventory positions.
Outsourcing – outsourcing is not a substitute for internal controls and compliance monitoring; outsourcing should be monitored and overseen. Outsourcing to foreign entities may result in risks and should be closely monitored.

Order Audit Trail System (OATS) – as of February 4, 2008, OATS reporting requirements include OTC equity securities such as orders for OTC equity securities traded on the OTCBB, Pink Sheets or otherwise, as well as orders for certain foreign equity securities and other securities meeting the definition of OTC equity security in NASD Rule 6951. Best to visit the OATS web site (OATS) and FAQs to understand the complexities of OATS reporting.
Regulation NMS -- SEC Rules 610 (the Access Rule) and 611 (the Order Protection Rule) were fully implemented for all NMS stocks as of October 8, 2007. Initial FINRA exams show that some firms mistakenly may believe that Reg NMS does not apply to them, either because they make markets in a limited number of NMS stocks or because they infrequently execute orders internally. Note that Reg NMS does not include any exception to the definition of “trading center” based on de minimis activity. Firms are reminded that the requirements for ISOs apply to “any broker or dealer” that uses ISOs, and are not limited solely to broker-dealers that operate as trading centers. Refer to online resources for clarity on this: Spotlight On Regulation and Frequently Asked Questions on Rules 610 and 611.

Additional areas of exam findings:

Changes in Account Name or Designation – changes in account name or designation, including error accounts, must be approved by a designated principal and there must be records to show that s/he was personally made aware of the essential facts concerning the change. Approval must be noted on the order or another record.
Time and Price Discretion – when relying on a verbal, one-day time and price discretion exception to Rule 2510 (discretionary accounts), firms must note the reliance on tickets and must not extend the discretion beyond the close of business that day. (Doesn’t apply to institutional accounts in ‘good-til-cancelled’ transactions on a ‘not held’ basis.)
Net Capital – violations include inaccurate inventory valuations of prop. positions and mark-to-markets performed by traders; and improper treatment of ‘cash-like’ investments offered by banks (non-allowable).
Customer Protection – 15c3-3 violations include: inaccurate treatment of stock record allocation positions; non-bona fide reserve bank deposits; and creation of segregation deficits by deliveries, securities loaned and securities borrowed returns.
Back-Office Transaction Processing – inaccurate trade processing and reconciling. Conversions of processing systems often lead to a lot of trade breaks and unreconciled items, creating inaccuracies in books and records, charges against net capital and increased customer reserve requirements.

What I have seen lately in exam results:

Audit of Electronic Storage Input -- failure to have procedures for/comply with the ‘audit’ function under the SEC electronic books and records rule (17a-4(f)(3)(v)). I have requested guidance from four FINRA staff members; three clients have directly requested guidance, verbally and/or in writing, from their examiners and/or liaisons, but NONE has been provided. At the very least, perhaps firms should ‘check to see that the records are there’—paraphrased advice from one FINRA staff member.
Notify Outside Brokerage Firms of Employee Accounts – Rule 3050. If reps opened accounts prior to being associated persons of the firm, they will not have informed the outside brokerage firm of their status as RR. Firm should send letter to outside brokerage firm with request to provide duplicate statements/confirms.
Provide Copy of U5 to Term’d Rep – copies of U5’s must be provided to terminated reps within 30 days of termination; keep a record to show that the U5 was indeed provided.
Maintain Updated Contacts on FCS – be sure when updating contact information that you hit “save” or the changes will be lost. Changes of most CRD information should be made within 30 days of the change or of knowing of the change.
Provide BCP Disclosure Summary – required for all firms, including those with institutional customers. Provide at account opening and when the information changes (not an annual disclosure requirement, but a good idea to include in annual disclosures).
Register Personnel with Access to B/R – back office or administrative staff who have access to customer records or the firm’s financial b/r should be registered on CRD as “NRF” employees. Fingerprint cards and certain personal data are filed.
Obtain AML Information (CIP) -- new account forms or other such forms should include all required CIP information—name, physical address, TIN and DOB if individual. Verification must be in evidence and customers must be informed of firm’s CIP verification efforts—keep records of all compliance with this rule.