Broker-Dealer Law Corner

FINRA’s Heavy Hand Questioned…By FINRA

Posted in Defenses, Disciplinary Process, Enforcement, FINRA, Rule 2010

I am on the record, many times, with my belief that, at least in theory, FINRA should never lose any Enforcement cases it files. This is for the simple reason that if FINRA has any genuine doubts about its ability to prevail in front of a hearing panel, due to the quality of the evidence that’s been gathered, it doesn’t have to file a complaint; rather, it can just settle the case cheaply and/or charge respondent with a more benign rule violation.  Given this dynamic, it is easy to understand why FINRA generally does not lose Enforcement cases.  Sometimes, however, it does.  These occasional decisions typically provide some lesson to be learned in how to defend a FINRA complaint; and, if they don’t, at least they provide the opportunity to celebrate a respondent’s victory.

Last week, Stanley Clayton Niekras, a former registered rep, managed to beat FINRA in a one-count complaint that accused him of making material misrepresentations in violation of Rule 2010. Essentially, the case boiled down to an accusation that Mr. Niekras took advantage of a strong relationship he had with a wealthy, senior couple to induce them to pay him for financial planning services that he had rendered to them. The couple themselves, it seems, had no issues with Mr. Niekras. Their adult children, however, viewed things rather differently. One of the children eventually filed a written complaint with FINRA about Mr. Niekras, and that ultimately led to the issuance of the Enforcement action.

According to the decision, the adult children told FINRA that their parents were too old to provide any meaningful assistance, and affirmatively prevented the examiner assigned to investigate the complaint from contacting the parents. Thus, everything FINRA ever learned before filing the Enforcement complaint came from the adult children and Mr. Niekras, but not from the two people who were the “victims” of the alleged misrepresentations.

That carried through to the hearing itself. At the outset of the hearing, in the opening statement, the Enforcement lawyer announced that while the case was indeed about the two parents, they were “94 and 95 years old, and, unfortunately, they will not be appearing at this hearing.” Enforcement reassured the Hearing Panel, however, it would hear from the adult daughter, who would “testify about conversations she had with her father.” As the decision put it, this “suggest[ed] that, but for their advanced years, the [parents] would have testified and Enforcement would not have needed to offer evidence through a surrogate.”

Turns out that FINRA’s suggestion was way, way off. The decision contains a very detailed discussion of the parents’ mental and physical condition, too detailed to recount here, but, it came down to this finding by the hearing panel: “[T]he record does not reflect that they suffered from mental or physical health problems preventing them from having provided evidence, in some form, at least during the investigation.” Notably, FINRA didn’t even bother to get the parents to sign Declarations in lieu of providing testimony. I am not saying that I advocate the use of such – indeed, when confronted with Declarations instead of live witnesses, I routinely argue as to the unfairness, given the inability to cross-examine the declarant. But, from FINRA’s perspective, arguably a Declaration is better than nothing. The hearing panel observed, however, that while the adult daughter “testified that it would have been emotionally difficult and painful for her parents to have provided a written statement or declaration, she did not point to any physical or mental infirmity that would have prevented them from doing so.”

This led to my favorite part of the decision, which recounts what happened on the night before the last day of the hearing. Apparently, Mr. Niekras and his attorney “drove unannounced to the [parents’] home and met with [the husband] for about an hour.” According to Mr. Niekras, the husband was “very sharp . . . sharp as a tack.” The decision continues:

Mr. Niekras claimed that when he asked [the husband] to testify, [the husband] told him he was unaware of this proceeding, but “would do anything he could to help,” including testifying, because Niekras had been loyal to him and had never cheated him or presented him with a bill. [The husband] and Niekras arranged for Niekras to pick up [the husband] the next day to take him to the hearing. But when Niekras and his counsel arrived at the [parents’] home the next morning, [the adult daughter and one adult son] were there and [the adult daughter] told him not to get out of his vehicle, so he left.

At the hearing, Mr. Niekras brought these developments out, and Enforcement basically corroborated them. And, in doing so, Enforcement counsel uttered these soon-to-be-famous lines:

I have not said this on the record before, but we were specifically requested not to call [the husband] to testify because the perception by his children is that it would not be good for him, good for his health. And, we respected that because that’s part of what we do as FINRA Enforcement lawyers. We don’t wave around a heavy hand like we may have if we were federal or state prosecutors.

NOW you see why I HAD to blog about this decision.

As to the merits of the case, turns out that without the parents’ testimony backing its allegations, FINRA had nothing but the adult children. And the hearing panel, to its credit, wasn’t buying what they had to say.  With regard to the adult daughter, in particular, the panel noted that she “impeded the investigation and Niekras’s defense by shielding the [parents] from contact with the parties,” and that “her objectivity was questionable” as “she was openly hostile toward Niekras.”  Not quite sure what’s so special about that last observation, as FINRA routinely trots out customers who are “openly hostile” to my clients, yet hearing panels have no problem believing them, but I suppose that’s an issue for another blog post.  The bigger problem was that the adult children were the only ones who testified for FINRA, but they were also the only reason that the parents themselves did not appear to testify.  As a result, the hearing panel chose not to believe the only witnesses that FINRA produced in support of the allegations.

Here is what I take from this case: FINRA Enforcement lawyers have to remember that just because they are presented with an exam report from Member Reg with a recommendation to proceed with a complaint, the evidence supporting that recommendation may not be there.  Enforcement owes it to prospective respondents everywhere actually to do its job, to conduct a real review of the exam report for sufficiency of evidence, not merely to rubber-stamp Member Reg’s opinion.  Had Enforcement done that here, it would have realized that it could not prove a misrepresentation case without the ability to produce as witnesses the only two people who actually heard the alleged misrepresentations, and Mr. Niekras would not have had to go through with this silly charade of a case.

The Equifax Breach May Be A Problem For More Than Just Equifax

Posted in Confidential customer information, Cybersecurity, FINRA

All of you who use Equifax to conduct a part of your CIP responsibilities, raise your hands. Ok, now, only to those of you whose hands are in the air:  how many of you have checked your firm’s incident response plan to determine the steps that need to be taken in the event of a breach of your customer confidentiality obligations?  I am betting that there are very few hands left in the air.  And that could be a problem for you.

There have been a lot of articles published about what to do as a consumer if you are among the 145 million Americans whose data got hacked from Equifax. But, lost in all the excitement is the fact that BDs who utilize Equifax to run checks on new customers to satisfy CIP obligations – and that may be a lot, given that FINRA essentially endorsed Equifax for that role in Notice to Member 02-21 – may have exposed those customers’ information to the hackers.  And, as a result of that, you could have a variety of reporting obligations which, if you fail to recognize them, could land you in regulatory hot water.

In the event that a BD experiences a breach, it is possible it could have no disclosures to make, or several, depending on where it is located and the nature of the information at issue. This is a function of the fact that disclosure obligations are imposed by state law, among other things.  Forty-eight states – all but Alabama and South Dakota – have statutes requiring that customers impacted by the revelation of PII, or personally identifiable information, must be notified.  Thus, whether or not a breach has occurred that requires notification, and, if it is required, the method of disclosure, the timing of the disclosure, and who receives the disclosure (not to mention the penalty for not making a required disclosure) will vary from state-to-state.  Do not presume that FINRA or the SEC will tell you what to do, or that they will give you a pass just because the size of this breach is so big and has been so widely reported.

In guidance that FINRA has previously supplied in connection with cybersecurity, specifically, the 2015 Report on Cybersecurity Practices, it was pointed out that notification of a breach could very well include “customers, regulators, law enforcement, intelligence agencies, [and] industry information-sharing bodies.”  This is because “[f]irms may have notification obligations pursuant to, for example, Regulation S-ID, state reporting requirements and FINRA rules,” in particular, FINRA Rule 4530(b). In addition, according to FINRA, even if a cybersecurity incident does not trigger a reporting obligation, firms are “urged” to report such an incident “to their regulatory coordinator,” and stressed that “the information must be accurate and not misleading.”

This all boils down to a point I made in a blog post earlier this week: handling potentially troublesome compliance issues at a FINRA member firm in 2017 is, basically, a do-it-yourself proposition. You simply cannot count on FINRA to provide useful guidance or assistance.  Indeed, what you can count on is FINRA pointing fingers at you if you don’t manage to do things correctly.  Here, the Equifax breach appears to have been the fault of Equifax, not any of the BDs who have contracted with it to provide services.  Yet, despite the absence of any fault, this breach may have nevertheless created significant regulatory implications for BDs across the country.

So, do your homework. Check your incident response plan – assuming that you have one.  If you don’t, now is as good a time as any to prepare one.  If you have reports to make, get them in as quickly as possible.  And paper up everything you do.  Remember: (1) Spot the red flag.  (2) Investigate the red flag.  (3) Document the fact that you did both.  And then keep your fingers crossed that whatever you do is enough to make FINRA happy.

What Is FINRA’s Job?

Posted in Compliance, FINRA

A client of mine bought a BD, thereby requiring him to go through the CMA process. It was a very small firm, with fewer than ten registered reps.  He was a newly minted 24, so he had other, more experienced principals on board to handle all supervisory responsibilities.  His job, as outlined in the firm’s business plan that accompanied the CMA, was twofold: sales (i.e., to bring in banking deals) and to be the firm’s financier (i.e., the sole source of capital).

As is its right, MAP responded to the CMA by imposing Interim Restrictions, which, among other things, prevented my client – the guy who paid for the BD and who controlled the checkbook – from acting as a principal/supervisor, even though he was a 24. This confused him, and for obvious reasons.  Remember, he was not planning on acting as a supervisor.  Moreover, simply by virtue of the fact he controlled the firm’s money, it seemed difficult, if not impossible, for him to abide by that restriction.

So, he requested that MAP revise the Interim Restrictions, so he could at least make the decisions that impacted the firm’s – i.e., his – money. MAP agreed, and carved out an exemption to the no principal/no supervisory restriction by permitting him “to act in a limited capacity with respect to supporting the following financial functions of the Firm: invoice approval, payment of bills/corporate expenses, check writing, personal contributions of operating capital to the Firm, and oversight of corporate budgeting.”  That certainly helped, but it was still difficult to figure out what his role would be.

For instance: SEC case law states that the act of hiring someone may be viewed as an activity that only a principal can do.  That suggests that if my client’s BD needed to hire someone, my client, because he was restricted from acting as a principal, could not be involved in the hiring process.  But, because he was permitted to approve invoices, write checks, and had oversight of the firm’s budget, FINRA apparently imbued him with veto power, on the back end, of any decision the firm might make – including hiring decisions – that impacted the firm financially.  Otherwise, others at the firm could theoretically do things – hire people and agree to pay them astronomical compensation, give themselves raises, throw a big party, buy a corporate jet, etc. – and my client would be left with no choice but to sign the check.

In light of that fuzzy situation – my client could not act as a principal by hiring people, but nevertheless could veto hiring decisions as a matter of firm finances – my client sought guidance from MAP. And here’s where it gets odd:  MAP declined to provide any guidance.  At the Enforcement hearing that ultimately ensued when FINRA filed a complaint against my client for allegedly breaching the terms of the Interim Restrictions, two MAP personnel testified.  It was undisputed that my client reached out to MAP for help in crafting language that would accurately describe the role that MAP expected him to occupy, but would allow him still to control the firm’s financial situation.

Unfortunately, it was similarly undisputed that MAP didn’t provide the requested help. Under oath, MAP said, in essence, that’s not our job, and wished my client luck.  MAP left my client to figure it out on his own. Granted, because my client had never been involved in a CMA before, had never owned a BD, he utilized the services of a compliance consultant to assist with the CMA.  But, even the consultant had no ready answers to address the thorny questions raised by the odd place in which my client found himself.

As readers of this column are well aware, I used to work for NASD. Heck, I was a District Director.  And, believe me or not, I instructed the examiners who worked for me that it was our job to help our member firms comply, whenever possible.  And, frankly, it was routinely possible.  The last thing we wanted was to encounter a problematic situation on an exam that could have easily been avoided if the BD had simply called and asked how to do something.  Indeed, my Associate Director and I spent a lot of time encouraging the member firms in our District to call us with questions; but, that proved to be a difficult assignment, since historically members were extremely reluctant to display any sort of ignorance of any rule to their examiners, even by posing questions that ultimately would have provided better compliance.  Regardless, it was important that we continued to try and get that message across, that we were, in fact, there to help our members.

Anyway, it is rather amazing to me what has become of FINRA. The notion that instead of answering a firm’s questions, today FINRA will, instead, ignore them, is staggering in its callousness, as well as its disregard for FINRA’s role as a membership organization.  Then, compounding the problem, after not providing guidance, FINRA will happily file an Enforcement action when the firm does not manage to correctly divine FINRA’s expectations.  I really don’t know how we got to this point, where dealing with FINRA has turned into such a game of “gotcha.”

My friend Brian Rubin just released his mid-year statistical review of FINRA’s Enforcement actions, and his data show a reduction in the number of cases brought so far this year, as well as the dollar amount of fines imposed.  Does that suggest a correlation with Robert Cook’s listening tour?  Has the pendulum finally started to swing back from the Enforcement oriented approach FINRA has maintained since it whiffed on the massive Bernie Madoff and Allen Stanford scams?  Unfortunately, there is no way to know, at least not yet.  Six months is too short of a timeframe to provide much meaningful perspective.  Moreover, my personal experience suggests that there has been no perceptible change in attitude at the boots-on-the-ground level at FINRA, i.e., the examiners and regional counsel.

I remain hopeful, however, that sooner or later – and hopefully sooner, before small firms simply disappear completely – FINRA will again embrace the notion that it exists not just to file complaints, but, as well, to help its members avoid complaints in the first place.

I Want HIS Lawyer!

Posted in Defenses, Disciplinary Process, Enforcement, SEC, Settlements

A little over a year ago, the SEC announced a stunning settlement with Merrill Lynch regarding its violation of SEC Rule 15c3-3, commonly known as the “Customer Protection Rule.”  This is an important rule whose name gives away its purpose:  it is designed to ensure that if a broker-dealer ever fails, customer assets can be quickly returned to the customers and not swallowed up by the BD or its creditors.  In violating the rule, the SEC concluded that Merrill “plac[ed] billions of dollars of . . . customers’ money at risk.”  Why was the settlement stunning?  First, and most notably, because it cost Merrill $415 million, the biggest penalty the SEC had ever exacted for such a rule violation.  Second, because unlike most settlements, in which the respondent neither admits nor denies the findings, Merrill admitted the facts, and that the violation was “willful.”

Right before the long Labor Day weekend, the SEC announced the bookend to that matter, a settlement with William Tirrell, Merrill’s former FINOP and Head of the Regulatory Reporting Department, i.e., the man who ran the department that was responsible for Merrill’s compliance with Rule 15c3-3.  Given the magnitude of Merrill’s violation, the important nature of the violation from a customer perspective, Merrill’s admission of guilt, and the finding that the violation was willful, one would expect that Mr. Tirrell would get seriously whacked by the SEC, right?  Nope.  To the contrary, amazingly enough.  Unlike Merrill, Mr. Tirrell was found not to have acted willfully; rather, the SEC found that he “negligently caused” Merrill’s $415 million 15c3-3 violations.

Moreover, and even more astounding, Mr. Tirrell’s settlement has him paying nothing. Not a cent.  Moreover, he was not barred.  Nor was he suspended, not for a single day.  Indeed, the only sanction imposed on Mr. Tirrell was an order that he “cease and desist from committing or causing violations of and any future violations of Section 15(c)(3) of the Exchange Act and Rule 15c3-3 thereunder.”

So, let’s get this straight: Merrill acted willfully in committing these rule violations, but Mr. Tirrell only acted negligently in causing these violations?  Merrill pays $415 million, but Mr. Tirrell pays nothing?  Even after the following findings against Mr. Tirrell?

  • Mr. Tirrell and his subordinates calculated Merrill’s customer reserve requirement each week;
  • Mr. Tirrell caused Merrill to reduce the amount of money it should have reserved for the protection of its customers by billions of dollars through the use of certain trades that “improperly used . . . customer assets to finance [Merrill’s] own activities”; and
  • Mr. Tirrell failed to respond to questions from FINRA for information about those trades, which “prevented regulators from receiving information that could have prompted them to prohibit ML from moving forward.”

Commentators, myself among them, have been complaining forever that there is a clear disparity between the treatment that management of small firms receives at the hands of regulators versus the treatment that big firm management receives. The regulators routinely deny this, of course, but, a situation like Mr. Tirrell’s amply demonstrates that this denial is bogus.  While this is nothing but rank speculation, I find it difficult to believe that a FINOP at a small firm would have managed to walk away from a series of rule violations like this with a finding that his or her conduct was merely “negligent,” without paying a penny in civil penalties, and without being barred or suspended.

Perhaps there is something more to this story than meets the eye, something that explains the ridiculous difference between what Merrill had to pay and what the man who was responsible for Merrill’s rule violations had to pay.  But, perhaps not.  Perhaps this is simply another, but shining, example of the point I made in May last year, when MetLife paid a measly $25 million to settle an annuity switching case with no individual being named as a respondent and no finding of willfulness:  when it comes to dealing with regulators and settlements, money talks.

OMB Approves Additional Delay For Further Study Of The DOL Fiduciary Rule

Posted in Fiduciary Rule

The Office of Management and Budget’s Office of Information and Regulatory Affairs (OIRA) announced this week that it was effectively approving a delay in full implementation of the Department of Labor (DOL) Fiduciary Rule. After several years of study and comment, the final version of the Rule was originally slated to take effect earlier this year, but was delayed consistent with President Trump’s order to the DOL to further review the Rule’s impact on the cost to the investment industry vs. its efficacy in protecting investors (despite the DOL’s several prior years of study of that precise issue).  Pursuant to this action, the Rule is not likely to be fully implemented until at least July 1, 2019, and may be changed or scrapped in the interim.

Some provisions of the Rule – notably the definition of “fiduciary” and the “impartial conduct” standards that require advisors to retirement plans and investors to act in investors’ best interests when recommending products – became effective on June 9, 2017. During the “Transition Period” after June 9 and before the Rule is fully implemented (now July 2019), however, the DOL indicated it will not enforce the Rule for advisors who are attempting to comply in good faith.  Of course, the DOL’s position will not stop investors from alleging the impartial conduct standards are now the applicable standards of care for financial advisors in the retirement industry in litigation.

The DOL indicated yesterday that it may delay implementation of the Rule even further. It has received over 60,000 comments already on the impact of delay, and has set a deadline of September 15, 2017 for further comments.

The OIRA approved the additional delay “consistent with change,” which means it has suggested some undisclosed changes to the Rule. The next step is for the DOL and OIRA to conduct closed-door deliberations of proposed changes and reach agreement, a process that carries no deadline and could delay the Rule even further.  Meantime, several studies have suggested the cost of delay far outweighs the cost of compliance with the Rule as it now stands, so it is unclear whether even the retirement industry will actually benefit from the additional process.

 

Dawn Bennett Redefines “Spirited Defense” In Her SEC Case

Posted in Administrative Proceedings, Defenses, Disciplinary Process, SEC

This one belongs in the “truth is stranger than fiction” category. By now, you are probably familiar with the exploits of Dawn Bennett, former hostess of her radio show, “Financial Myth Busting.” She was the one who the SEC permanently barred last year after she elected not to appear at her administrative hearing (after her efforts to get the matter heard in federal court, rather than before an SEC ALJ, proved unsuccessful).  Well, earlier this week, the SEC brought a new case against her, and this time, she got her wish, as it was, in fact, filed in federal court in Maryland.

That case is not particularly remarkable. It contains the usual collection of allegations one sees in Ponzi scheme cases, i.e., money collected from naïve, often elderly investors who were promised outrageous returns, which was then diverted to support an extravagant lifestyle, including $1.45 million to the Dallas Cowboys for back-rent on a luxury suite, and at least $500,000 on “high-end, luxury clothing, jewelry, and other personal items.”  Lots and lots of shoes, apparently.  What is remarkable, however, is the companion criminal case filed against her by the United States alleging wire fraud, bank fraud and making false statements related to a loan and credit application.  Why is it remarkable?  Consider the affidavit of an FBI agent filed in support of the complaint to demonstrate Ms. Bennett’s “consciousness of guilt.”

According to that FBI agent, an August 2 search of Ms. Bennett’s penthouse in Maryland revealed, according to the New York Times’s description of the event, “two freezers containing sealed Mason jars bearing the initials of U.S. Securities and Exchange Commission lawyers, on whom Bennett may have hoped to cast a ‘hoodoo spell.’” In addition, agents found instructions for a “Beef Tongue Shut Up Hoodoo Spell,” which, according to the affidavit, “suggest[ed] that Bennett had many times cast a ‘hoodoo spell’ in hopes of paranormally silencing the SEC attorneys investigating Bennett.”

I have been representing respondents and defendants in securities cases for a long time, and, candidly, I am forced to admit that this defense never occurred to me. There are often occasions during hearings when I might wish that the particular Enforcement attorney prosecuting my client would simply sit down and shut up, but, beyond wishing for that, I have never taken matters into my own hands in an attempt actually to make it happen.  Live and learn!

Are there any lessons to be gleaned from Ms. Bennett’s circumstances, beyond the obvious – which is don’t lie to customers and don’t lie to regulators? Perhaps this:  no matter how much you may disagree with the case that the regulators have brought, it is necessary at all times to maintain some sense of decorum, and treat the other side, both examiners and attorneys, as well as the factfinder, of course, with respect.  It can be easy to forget that these people are human beings, and, as such, tend to react to certain things in predictable ways, even if that reaction is sub- or unconscious.  Judges and juries, for example, theoretically work hard to decide cases based solely on the relevant facts and the pertinent law; at least they try to do so.  But, it is humanly impossible to ignore certain dramatic facts that create strong impressions, regardless of whether those facts are relevant, and develop a visceral response to them.  That is why the rules of evidence allow even relevant facts that are “unduly prejudicial” to be excluded, because they might overshadow everything else in the case, and result in decisions based on emotion, not logic.

It seems clear here, at least based on what I have read, that the SEC simply has it out for Ms. Bennett. She has already been barred, yet, here we go again.  Arguably, that is a function, or perhaps partially a function, of the fact that Ms. Bennett has seemingly taken every opportunity possible to poke the SEC in the eye.  And, on some level, the SEC simply doesn’t like that.  At all.  And it has reacted in a predictable, human way.  So, if presented with the chance to bring yet another Enforcement action, it will.

In short, it is one thing to put on a spirited defense; indeed, the Canons of Ethics governing the conduct of lawyers demand the “zealous” representation of clients. But, it is quite another actually to summon the spirits themselves.

Has FINRA Completed Its Inquiry?

Posted in Arbitration, Disciplinary Process, FINRA

Here is a very interesting post from Michael Gross about what happens at the end of a FINRA exam.  One point that he omitted, but worth mentioning, is that in the event FINRA does issue a close-out letter stating that its exam is done and no disciplinary action will be taken, that letter cannot be used by the respondent in a parallel customer arbitration touching upon the same subject as the FINRA exam as evidence that no wrongdoing has taken place.  At least, not without potentially becoming the subject of a new disciplinary action.  See my blog post on this from a couple of years ago. – Alan 

Has FINRA completed its inquiry?[1] I have fielded this question from multiple registered reps. It is a fair question to ask. It is quite understandable that a rep who is the subject (but feels like the target) of an inquiry wants to know if he can sleep easier at night. Knowing that the results of an inquiry, over which a rep has no control, may adversely impact his professional reputation, current employment situation, and livelihood is undeniably a stressful event – even for the rep who has done nothing wrong. Not surprisingly, reps want to know when the inquiry is over.

Sometimes, but not always, FINRA issues a close-out letter to advise a rep that it has completed its inquiry, and that it will not be pursuing formal disciplinary action. As far as I can tell, there is no rhyme or reason why the letters are issued in some inquiries, but not in others. A recent close-out letter that I received on behalf of a rep advises that: “Based on our inquiry, we have determined to close our file pertaining to this matter.” Not surprisingly, the letter contains reservation of rights language: “This determination is based on the facts known to us at this time. In this regard, new or additional facts could lead to a new inquiry.” FINRA, of course, is not going to (nor should it) absolve a rep of liability if FINRA later learns of new facts that prove that the rep engaged in wrongdoing. Nonetheless, a close-out letter is a welcome and comforting communication for a rep who is the subject of an inquiry to receive.

Unfortunately, FINRA does not issue close-out letters in all inquiries that it has decided to close, officially or unofficially. While an inquiry may be officially, or unofficially and effectively, closed in the eyes of FINRA, the inquiry is not closed in the eyes of the unknowing rep. Unlike in civil cases and certain SEC actions, there is no statute of limitations to which a rep can look to find peace of mind. Concrete statutes of limitations do not apply to FINRA regulatory inquiries and disciplinary actions, which can linger for years. Under the Hayden line of cases, FINRA disciplinary actions can be dismissed if after a certain, undefined period of time, it is unfair to require a rep to attempt to piece together a defense to old claims. However, the number of cases dismissed on Hayden grounds can be counted on one hand. One of the principal purposes of statutes of limitations is that litigation of a long-dormant matter may result in more cruelty than justice. A close-out letter serves a similar purpose.

A rep who has not heard from FINRA about an inquiry in three, six, or even 12 months may be tempted to ask FINRA whether or not it has concluded its inquiry. Unless the inquiry is impacting a rep’s health, he should not give into temptation. First, it is not unusual for an inquiry to sit dormant for months at a time, and then pick up again. Second, don’t poke the bear. A call asking about the status of an inquiry may just serve as a reminder to pick up the dusty file. The longer an inquiry lasts, the more likely it is to be closed for one reason or another.

In sum, it should be standard operating procedure for FINRA to issue close-out letters to reps and firms in all inquiries where FINRA has decided to close its inquiry, and not pursue formal action, especially in light of the reservation of rights language in its standard close-out letter. Simply put, this common courtesy should be extended to all of those who work under the umbrella of the membership organization.

[1] FINRA starts its examination process by conducting an “inquiry,” which is not a reportable event on a rep’s Form U4. If Enforcement issues a Wells notice in connection with an “inquiry,” then the “inquiry” becomes an “investigation,” which is a reportable event on Form U4.

 

Ransomware In 2017: Not A Pretty Picture

Posted in Cybersecurity, FINRA, SEC

I am happy to share this post from my colleague, Greg Stein, about ransomware. While ransomware is not something unique to the financial services industry, because, as criminal Willie Sutton famously answered when asked why he robbed banks, our industry is “where the money is,” BDs, IAs and banks do seem to attract more than their fair share of ransomware attention. I do not profess to be an expert in this area, but, happily, Greg is just a phone call away. – Alan

Ransomware is hot. And unlike some trends, it is unlikely to be a short-term trend. Criminals have been able to easily deploy ransomware attacks, which encrypt a user’s data and hold it hostage until the victim pays a ransom, and unlike stealing personal information, there is direct payment to the criminals and no need to sell anything on the dark web. Those characteristics have made ransomware increasingly attractive to criminals. It is unsurprising, then, that ransomware attacks were up 50% in the first half of 2017, according to a July 2017 breach insight report prepared by insurer Beazley. The Beazley Report merely confirms what has become obvious to all businesses: ransomware is one of the most significant cyberthreats to every business and it is critical to develop plans to prevent ransomware attacks and to respond if an organization gets hit with a ransomware attack.

Unfortunately, 2017 has been the year of the ransomware threat, with the WannaCry and Petya outbreaks, widespread ransomware attacks that infected computers throughout the world.  Recognizing the threat that WannaCry posed to broker-dealers, investment advisers, and investment companies, the SEC issued a Cybersecurity: Ransomware Alert on May 17, 2017 describing the threat and steps Firms should be taking to prevent the attack.

The SEC Alert explained that the WannaCry hack was exploiting vulnerabilities through Microsoft’s Remote Desktop Protocol and a critical Windows Server Message Block version 1 vulnerability. To prevent the threat, it recommended that Firms (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team; and (2) determine whether they had properly and timely installed Microsoft patches for Windows XP, Windows 8, and Windows Server 2003.

Further, the SEC Alert identified important practices that would help protect against ransomware threats generally:

  • Cyber-risk assessments – Performing periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests – Performing penetration tests and vulnerability scans of critical systems.
  • System Maintenance – Implementing a program to timely apply software patches as part of system maintenance.

Like WannaCry, Petya is a strain of ransomware that impacted systems throughout the world. One notable victim was TNT Express B.V., a transportation company acquired by FedEx Corp. in May 2016. In FedEx’s 10-K, it explained that TNT was a victim of the Petya attack, that it cannot yet determine the financial impact of the crime other than it will likely be “material,” and that FedEx did not have cyber or other insurance that would mitigate the costs of the attack.

Ransomware poses a significant threat to broker-dealers and their customers and implicates many different legal issues. FINRA reviews firms’ ability to protect the confidentiality, integrity, and availability of sensitive customer information. The legal authority for that review includes Regulation S-P, Regulation S-ID, and the Securities Exchange Act of 1934. In other words, ransomware is not an information technology issue. It is a critical business issue with significant legal implications.

Best practices for firms include performing cyber-risk assessments, penetration testing, and system maintenance and having the work performed by a party engaged by an attorney. By having an attorney hire the party to perform these tasks, there is an argument that the results of such assessments and testing are protected under attorney-client privilege. Without an attorney’s involvement in such projects, the results undoubtedly will be discoverable in civil litigation and regulatory investigations.

Further, as illustrated by FedEx, it is important to review whether an entity has cyberliability insurance in place that protects against ransomware attacks.  Not all cyberliability policies are the same, so it is important to closely analyze whether your policy will cover restoring impacted systems and lost revenue in the event operations are disrupted by a ransomware attack.

The threat from ransomware is rising, a trend that appears set to continue into the future. Planning to prevent and, if necessary, recover from a ransomware attack should be a legal issue that is treated as a priority for broker-dealers.

 

The Head-In-The-Sand Approach To Supervision: A Primer

Posted in CCO, Defenses, Disciplinary Process, Enforcement, FINRA, Supervision

There’s a claimant’s lawyer I’ve litigated against several times who is very good at his job, and who I personally like very much. Part of the reason for his success is that he is very engaging, so even when he utterly lacks any decent facts on which to base his claim – which is often the case – he still makes it a big show, with posters and charts and such.  My favorite prop that he uses is a well-worn photo of an ostrich with its head shoved in the sand.  As you could guess, this is the demonstrative he brandishes to support his inevitable argument that the firm failed to be diligent in its look-out for red flags.  This week, FINRA issued a decision in a churning/excessive trading case that – without using an ostrich picture – included a nice analysis of whether, and when, the head of a broker-dealer can successfully avoid liability for a supervisory failure by arguing that it was someone else’s job.  In other words, this decision makes for very instructive reading for anyone hoping to delegate away not just supervisory responsibility, but potential liability.

The law is clear, and FINRA readily acknowledges, that while a BD’s president is responsible for supervision at the firm, those supervisory responsibilities may be delegated away: “[A] brokerage’s president is ultimately responsible for supervision, unless he or she has delegated that responsibility to someone else at the firm and does not know or have reason to know that the responsibility is not being properly exercised.” The problem for supervisors who do this, but still find themselves involved in disciplinary actions, is the end of the quote, i.e., the part about neither knowing nor having reason to know that the individual to whom the supervisory responsibilities have been delegated is not doing the job.  As FINRA put it, “[e]ven if the president delegates particular functions to another person, once on notice of the firm’s continuing failure to satisfy regulatory requirements, the president is ‘obligated to respond with utmost vigilance and take remedial action.’”  Unfortunately for the respondents in the case at issue, Mr. Taddonio and Mr. Porges, while they had the delegation part covered, their defense fell short when they made the ostrich-with-its-head-in-the-sand argument.

Mr. Taddonio was the firm’s President and CEO. Mr. Porges was the COO and also a sales manager.  Mr. Taddonio testified that he delegated all his supervisory responsibilities to the CCOs.[1]  He argued that the very reason he hired CCOs was because he “was not experienced in supervision and compliance issues.”  Moreover, he stated that he did not supervise the CCOs.  The CCOs, however, saw it differently.  They testified that:

  • They reported to both Mr. Taddonio and Mr. Porges;
  • Their employment contracts gave them no responsibility for supervising the firm’s reps;
  • Mr. Taddonio and Mr. Porges were responsible for managing and instructing the firm’s sales force;
  • Their roles were limited to compliance, administration, and operations;
  • Mr. Taddonio “could and did review the RRs’ trading electronically.”

In addition, the firm’s WSPs didn’t help the defense that it was the CCOs who were supervising the RRs. The principal problem is that the WSPs were ambiguous.  Some portions did suggest that Mr. Taddonio had delegated his responsibilities.  But, others read differently.  And, worse, others were simply nonsensical.  For instance, supervisory responsibilities were supposedly reflected on an “ORG Chart,” but there was no such chart in the WSPs.  As a result of these ambiguities, FINRA concluded that there was no proper delegation of supervisory responsibilities in the WSPs:  “[T]he ambiguities in the WSPs meant that no one [to whom Mr. Taddonio had supposedly delegated supervision] had clear responsibility for evaluating the suitability of individual trades or the quantity of trading in customers’ accounts.”

There was also “considerable evidence” that Mr. Taddonio, despite his titles, was functioning as the firm’s sales manager “and kept close track of the RRs’ sales activities.” He sent emails to the reps with specific trading ideas.  He also “encouraged and rewarded the RRs” with sales awards.

Given all this, the hearing panel held that Mr. Taddonio did not delegate away his supervisory responsibilities. But, that’s not all.  In addition, it held that even if he had delegated them properly, he was nevertheless aware of “red flags” indicating not just excessive trading by the RRs, but also “inadequate supervisory responses to those red flags, and was thus on notice of the firm’s continuing failure to satisfy regulatory requirements.”  He failed, however, “to respond with utmost vigilance and take remedial action.”  Even though the CCOs were concerned about excessive trading, and took certain steps to address the problem, “it should have been obvious to Taddonio” – who was aware of those concerns and the attempts at remediation – “that those steps were inadequate to ensure that his firm was meeting its supervisory responsibilities and protecting its customers from improper sales practices by its RRs.”

As for Mr. Porges, the COO, he claimed his role was primarily to deal with the firm’s finances, and was never assigned responsibility to supervise the RRs. To the extent he became aware of red flags, he insisted that “it was not appropriate for him to second guess the much more experienced CCOs of the firm.”

The hearing panel did not buy his arguments. Remember, the CCOs testified that they reported to Mr. Porges.  He was actively involved in hiring the CCOs.  He was involved in creating activity letters sent to customers, and became responsible for actually signing them.  Mr. Porges received exception reports relating to account activity.  In an 8210 response, Mr. Porges stated that he oversaw RRs’ “production, monitoring monthly commissions and compensation.”  Along with Mr. Taddonio, he was responsible for issuing the awards for sales.  Based on this evidence, the hearing panel concluded that Mr. Porges “had ample indications that [the RRs] were, or might be, excessively trading customer accounts,” and therefore “should have realized that the steps being implemented by the CCOs were insufficient to fully address the issue.”  In conclusion, the hearing panel quoted the SEC:  “When indications of impropriety reach the attention of those in authority, they must act decisively to detect and prevent violations of the securities laws.”

And therein lies the rub: the head of a firm must respond quickly and appropriately to red flags, i.e., “indications of impropriety,” but, at the same time, the head of the firm may not attempt to avoid learning of such red flags – and, therefore, supervisory liability – by burying his head in the sand and then claiming ignorance. Mr. Taddonio and Mr. Porges learned the hard way that for a firm president, or COO, to avoid supervisory liability, they must do several things correctly.  First, they must properly delegate their responsibilities, and do so in clear, cogent, consistent, up-to-date documents.  Ambiguous WSPs won’t cut it.  Second, even if they do that, they must be able to demonstrate – through documents – the efforts they took to monitor the success of the supervisory activities of those people to whom they delegated their supervisory responsibilities.  If they can make that showing, that they were watching carefully for red flags but never saw any, then, and only then, can they sit back while their delegates twist in the wind.

[1] There were two CCOs, apparently, during the pertinent time period.

FINRA’s Board Acts To Fix The Problem…That FINRA Created

Posted in Arbitration, Board of Governors, Enforcement, FINRA

So, as you undoubtedly recall, in its typical reactive approach to regulation, FINRA has expressed concern – after having concerns expressed to it by others (none of whom are actually from the securities industry, of course) – about (1) the high number of registered reps working in the industry with spotty disciplinary records, and (2) the number of arbitration awards against BDs that go unpaid. Well, FINRA is now preparing to address these pressing issues.

At its most recent Board meeting, FINRA agreed to publish a Regulatory Notice soliciting comments on proposed rules designed to address both of these “problems.” On the “rogue rep” issue, FINRA will be soliciting comments on proposed amendments to FINRA’s Membership Application Program (“MAP”) rules that would require a member firm to seek a materiality consultation, or MatCon as we like to call it, in two different circumstances. The first is when “a broker with certain specified risk events seeks to become an owner, control person or principal of the member,” and the second is when “the member seeks to add a broker with certain specified risk events to the firm.” This raises a few issues.

First, what, exactly, are “certain specified risk events?” Are these determined qualitatively, by the nature of the individual’s disciplinary disclosures? Or, are they determined quantitatively, by the number of disclosures? Or, perhaps, some combination of the two? I guess we need to wait for the Reg Notices themselves to learn. Clearly, this is where the rubber will meet the road on these proposals. If the threshold is set too low, then too many prospective owners will be swept into this process, rendering the filter useless. But, if it is set too high, then those darned “high-risk” brokers will be running things at BDs all over the place.

Second, I seriously question how much protection such amendments would actually provide. I can assure you that today, under the existing MAP rules, if someone with a disciplinary history files an application under Rule 1017 to become the owner, or even an owner, of a BD, that application would first be fly-specked to death, and then, eventually, denied.  The existing MAP process is tough.  MAP examiners, while lovely individuals and generally easy to work with, are pleased as punch to hold against an applicant the smallest of infractions, or perceived infractions.  Indeed, a prospective new owner need not even have a formal disciplinary history to raise MAP’s eyebrows.  I know of applicants that were merely the subject of pending exams – exams that had not yet even made it to the findings stage – who were told that mere “examiner concerns” were enough to cause MAP to look negatively on a 1017.  I suppose that if the MatCon was required no matter how small of an ownership interest the applicant was seeking to acquire, it might add something to the existing process,[1] but that would be an incremental change, at best.

Third, existing rules also allow FINRA today to prevent an individual RR from moving from one firm to another. Anytime a rep changes BDs, the old BD files a Form U-5 and the new firm files a Form U-4. FINRA must approve the U-4, of course. Given this, FINRA already possesses, in theory, the power to serve as gatekeeper, by not approving Forms U-4 for reps with troublesome records. But, FINRA generally does not do that.

Which is the principal reason why FINRA’s professed concern about high-risk brokers is so odd to me. As I have blogged about before, there is simply no way for any of this to be a surprise to FINRA. It controls every aspect of the process that exists to become and remain a member firm, or for an individual to become and remain associated with a member firm, i.e., the membership/registration piece, the examination piece, and the enforcement piece. Thus, to the extent that there are reps still working out there with lots of disciplinary events on their records, i.e., the reps about whom FINRA is so worked up, it is 100% because (1) FINRA approved their registrations, and (2) when it disciplined them – after all, their disciplinary histories derive from enforcement actions that FINRA brought – it determined that whatever they did wrong was not bad enough to require them to be tossed out of the industry.

Thus, whatever problem supposedly exists now regarding high-risk brokers, it has arguably been caused by FINRA itself. And now, it proposes to ride in to the rescue from its self-created problem, after the media had the bad taste to shed some light on this situation.  It would be funny if it wasn’t true.

Regarding the unpaid arbitration awards, FINRA is also proposing to use its MAP rules to address the perceived problem. What FINRA has suggested is an amendment that will allow it “to presumptively deny a new membership application if the applicant or its associated persons are subject to pending arbitration claims.”  In addition, in the context of a CMA, or change in ownership of an existing member, the proposed amendments would require a MatCon when “the member is seeking to effect a business expansion or asset transfer and the member or an associated person has a substantial level of pending arbitration claims, an unpaid arbitration award or an unpaid settlement related to an arbitration.”

It is really interesting that somehow FINRA’s concern about unpaid arbitration awards has morphed here into concern about “pending arbitration claims.” Aren’t the two very different?  When there’s an unpaid award, it necessarily means that the firm has already lost the arbitration, and has been ordered to pay some money to the claimant because the hearing panel concluded the firm did something wrong.  But, in a pending arbitration, one in which the award has not yet been rendered, the respondent firm is presumed to be innocent until proven otherwise, as the claimant has the burden of proof.  It seems a bit incongruous, and certainly unfair, for FINRA to be permitted to hold mere allegations, not findings, against a prospective owner.  (But, as I said above, MAP already does this today, rightly or wrongly.)

Also, as I have mentioned before, in its existing arsenal of procedural weapons, under Rule 9554, FINRA already has the right to seek summary expulsion of a firm if it fails to pay an arbitration award in a timely manner or to follow through on a settlement agreement. If it is FINRA’s goal to weed out from its ranks those firms that don’t pay arbitration awards, it has the power to accomplish that now.  Moreover, if the goal is also to prevent Firm A from simply not paying an arbitration award and going down the street and opening Firm B, or just joining Firm B, this proposal would not prevent that.  The proposal, at least as described by FINRA in the brief summary, is really tied to awards against individuals, either the individual owners of a firm or its associated persons.  When individuals have unpaid arbitration awards, FINRA can stop them from either owning a BD or from joining one.  On the other hand, when the awards are not against individuals, but, rather, against the firm for which they used to work, the individuals are free to move.  And neither the existing rule nor the proposal would stop that.

One final observation. It is remarkable how quickly FINRA seems to act when it receives a complaint from Congress, or, worse, from the media, about how it does business; yet, when its own members complain about something, it falls on deaf ears.  This certainly suggests that FINRA has its priorities backwards.

[1] Under the existing rules, neither a MatCon nor a full-blown 1017 is required unless the transaction would result in someone becoming at least a 25% owner of the firm.  So, if a “bad actor” wanted to acquire, say, only 10% of a BD, that can be accomplished simply through the filing of an amendment to Form BD, without the need to obtain FINRA approval.
