Broker- Dealer Law Corner

Broker- Dealer Law Corner

Ransomware In 2017: Not A Pretty Picture

Posted in Cybersecurity, FINRA, SEC

I am happy to share this post from my colleague, Greg Stein, about ransomware.  While ransomware is not something unique to the financial services industry, because, as criminal Willie Sutton famously answered when asked why he robbed banks, our industry is “where the money is,” BDs, IAs and banks do seem to attract more than their fair share of ransonware attention.  I do not profess to be an expert in this area, but, happily, Greg is just a phone call away.  – Alan

Ransomware is hot.  And unlike some trends, it is unlikely to be a short-term trend.  Criminals have been able to easily deploy ransomware attacks, which encrypt a users’ data and hold it hostage until the victim pays a ransom, and unlike stealing personal information, there is direct payment to the criminals and no need to sell anything on the dark web.  Those characteristics have made ransomware increasingly attractive to criminals.  It is unsurprising, then, that ransomware attacks were up 50% in the first half of 2017, according to a July 2017 breach insight report prepared by insurer Beazely.  The Beazely Report merely confirms what has become obvious to all businesses: ransomware is one of the most significant cyberthreats to every business and it is critical to develop plans to prevent ransomware attacks and to respond if an organization gets hit with a ransomware attack.

Unfortunately, 2017 has been the year of the ransomware threat, with the WannaCry and Petya outbreaks, widespread ransomware attacks that infected computers throughout the world.  Recognizing the threat that WannaCry posed to broker-dealers, investment advisers, and investment companies, the SEC issued a Cybersecurity: Ransomware Alert on May 17, 2017 describing the threat and steps Firms should be taking to prevent the attack.

The SEC Alert explained that the WannaCry hack was exploiting vulnerabilities through Microsoft’s Remote Desktop Protocol and a critical Windows Server Message Block version 1 vulnerability.  To prevent the threat, it recommended that Firms (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team; and (2) determine whether they had properly and timely installed Microsoft patches for Window XP, Windows 8, and Windows Server 2003.

Further, the SEC Alert identified important practices that would help protect against ransomware threats generally:

  • Cyber-risk assessments – Performing periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.
  • Penetration Tests – Performing penetration tests and vulnerability scans of critical systems.
  • System Maintenance – Implementing a program to timely apply software patches as part of system maintenance.

Like WannaCry, Petya is a strain of ransomware that impacted systems throughout the world. One notable victim was TNT Express B.V., a transportation company acquired by FedEx Corp. in May 2016.  In FedEx’s 10-K, it explained that TNT was a victim of the Petya attack, that it cannot yet determine the financial impact of the crime other than it will likely be “material,” and  FedEx did not have cyber or other insurance that would mitigate the costs of the attack.

Ransomware poses a significant threats to broker-dealers and their customers and implicate many different legal issues.  FINRA reviews firms’ ability to protect the confidentiality, integrity, and availability of sensitive customer information. The legal authority for that review includes Regulation S-P, Regulation S-ID, and the Securities Exchange Act of 1934.  In other words, ransomware is not an information technology issue.  It is a critical business issue with significant legal implications.

Best practices for firms include performing cyber-risk assessments, penetration testing, and system maintenance and having the work performed by a party engaged by an attorney. By having an attorney hire the party perform these tasks, there is an argument that the results of such assessments and testing are protected under attorney-client privilege.  Without an attorney’s involvement in such projects, the results undoubtedly will be discoverable in civil litigation and regulatory investigations.

Further, as illustrated by FedEx, it is important to review whether an entity has cyberliability insurance in place that protects against ransomware attacks.  Not all cyberliability policies are the same, so it is important to closely analyze whether your policy will cover restoring impacted systems and lost revenue in the event operations are disrupted by a ransomware attack.

The threat from ransomware is rising, a trend that appears to continue into the future.  Planning to prevent and, if necessary, recover from a ransomware attack should be a legal issue that is treated as a priority for broker-dealers.

 

The Head-In-The-Sand Approach To Supervision: A Primer

Posted in CCO, Defenses, Disciplinary Process, Enforcement, FINRA, Supervision

There’s a claimant’s lawyer I’ve litigated against several times who is very good at his job, and who I personally like very much. Part of the reason for his success is that he is very engaging, so even when he utterly lacks any decent facts on which to base his claim – which is often the case – he still makes it a big show, with posters and charts and such.  My favorite prop that he uses is a well-worn photo of an ostrich with its head shoved in the sand.  As you could guess, this is the demonstrative he brandishes to support his inevitable argument that the firm failed to be diligent in its look-out for red flags.  This week, FINRA issued a decision in a churning/excessive trading case that – without using an ostrich picture – included a nice analysis of whether, and when, the head of a broker-dealer can successfully avoid liability for a supervisory failure by arguing that it was someone else’s job.  In other words, this decision makes for very instructive reading for anyone hoping to delegate away not just supervisory responsibility, but potential liability.

The law is clear, and FINRA readily acknowledges, that while a BD’s president is responsible for supervision at the firm, those supervisory responsibilities may be delegated away: “[A] brokerage’s president is ultimately responsible for supervision, unless he or she has delegated that responsibility to someone else at the firm and does not know or have reason to know that the responsibility is not being properly exercised.” The problem for supervisors who do this, but still find themselves involved in disciplinary actions, is the end of the quote, i.e., the part about neither knowing nor having reason to know that the individual to whom the supervisory responsibilities have been delegated is not doing the job.  As FINRA put it, “[e]ven if the president delegates particular functions to another person, once on notice of the firm’s continuing failure to satisfy regulatory requirements, the president is ‘obligated to respond with utmost vigilance and take remedial action.’”  Unfortunately for the respondents in the case at issue, Mr. Taddonio and Mr. Porges, while they had the delegation part covered, their defense fell short when they made the ostrich-with-its-head-in-the-sand argument.

Mr. Taddonio was the firm’s President and CEO. Mr. Porges was the COO and also a sales manager.  Mr. Taddonio testified that he delegated all his supervisory responsibilities to the CCOs.[1]  He argued that the very reason he hired CCOs was because he “was not experienced in supervision and compliance issues.”  Moreover, he stated that he did not supervise the CCOs.  The CCOs, however, saw it differently.  They testified that:

  • They reported to both Mr. Taddonio and Mr. Porges;
  • Their employment contracts gave them no responsibility for supervising the firm’s reps;
  • Mr. Taddonio and Mr. Porges were responsible for managing and instructing the firm’s sales force;
  • Their roles were limited to compliance, administration, and operations;
  • Mr. Taddonio “could and did review the RRs’ trading electronically.”

In addition, the firm’s WSPs didn’t help the defense that it was the CCOs who were supervising the RRs. The principal problem is that the WSPs were ambiguous.  Some portions did suggest that Mr. Taddonio had delegated his responsibilities.  But, others read differently.  And, worse, others were simply nonsensical.  For instance, supervisory responsibilities were supposedly reflected on an “ORG Chart,” but there was no such chart in the WSPs.  As a result of these ambiguities, FINRA concluded that there was no proper delegation of supervisory responsibilities in the WSPs:  “[T]he ambiguities in the WSPs meant that no one [to whom Mr. Taddonio had supposedly delegated supervision] had clear responsibility for evaluating the suitability of individual trades or the quantity of trading in customers’ accounts.”

There was also “considerable evidence” that Mr. Taddonio, despite his titles, was functioning as the firm’s sales manager “and kept close track of the RRs’ sales activities.” He sent emails to the reps with specific trading ideas.  He also “encouraged and rewarded the RRs” with sales awards.

Given all this, the hearing panel held that Mr. Taddonio did not delegate away his supervisory responsibilities. But, that’s not all.  In addition, it held that even if he had delegated them properly, he was nevertheless aware of “red flags” indicating not just excessive trading by the RRs, but also “inadequate supervisory responses to those red flags, and was thus on notice of the firm’s continuing failure to satisfy regulatory requirements.”  He failed, however, “to respond with utmost vigilance and take remedial action.”  Even though the CCOs were concerned about excessive trading, and took certain steps to address the problem, “it should have been obvious to Taddonio” – who was aware of those concerns and the attempts at remediation – “that those steps were inadequate to ensure that his firm was meeting its supervisory responsibilities and protecting its customers from improper sales practices by its RRs.”

As for Mr. Porges, the COO, he claimed his role was primarily to deal with the firm’s finances, and was never assigned responsibility to supervise the RRs. To the extent he became aware of red flags, he insisted that “it was not appropriate for him to second guess the much more experienced CCOs of the firm.”

The hearing panel did not buy his arguments. Remember, the CCOs testified that they reported to Mr. Porges.  He was actively involved in hiring the CCOs.  He was involved in creating activity letters sent to customers, and became responsible for actually signing them.  Mr. Porges received exception reports relating to account activity.  In an 8210 response, Mr. Porges stated that he oversaw RRs’ “production, monitoring monthly commissions and compensation.”  Along with Mr. Taddonio, he was responsible for issuing the awards for sales.  Based on this evidence, the hearing panel concluded that Mr. Porges “had ample indications that [the RRs] were, or might be, excessively trading customer accounts,” and therefore “should have realized that the steps being implemented by the CCOs were insufficient to fully address the issue.”  In conclusion, the hearing panel quoted the SEC:  “When indications of impropriety reach the attention of those in authority, they must act decisively to detect and prevent violations of the securities laws.”

And therein lies the rub: the head of a firm must respond quickly and appropriately to red flags, i.e., “indications of impropriety,” but, at the same time, the head of the firm may not attempt to avoid learning of such red flags – and, therefore, supervisory liability – by burying his head in the sand and then claiming ignorance. Mr. Taddonio and Mr. Porges learned the hard way that for a firm president, or COO, to avoid supervisory liability, they must do several things correctly.  First, they must properly delegate their responsibilities, and do so in clear, cogent, consistent, up-to-date documents.  Ambiguous WSPs won’t cut it.  Second, even if they do that, they must be able to demonstrate – through documents – the efforts they took to monitor the success of the supervisory activities of those people to whom they delegated their supervisory responsibilities.  If they can make that showing, that they were watching carefully for red flags but never saw any, then, and only then, can they sit back while their delegates twist in the wind.

[1] There were two CCOs, apparently, during the pertinent time period.

FINRA’s Board Acts To Fix The Problem…That FINRA Created

Posted in Arbitration, Board of Governors, Enforcement, FINRA

So, as you undoubtedly recall, in its typical reactive approach to regulation, FINRA has expressed concern – after having concerns expressed to it by others (none of whom are actually from the securities industry, of course) – about (1) the high number of registered reps working in the industry with spotty disciplinary records, and (2) the number of arbitration awards against BDs that go unpaid. Well, FINRA is now preparing to address these pressing issues.

At its most recent Board meeting, FINRA agreed to publish a Regulatory Notice soliciting comments on proposed rules designed to address both of these “problems.”  On the “rogue rep” issue, FINRA will be soliciting comments on proposed amendments to FINRA’s Membership Application Program (“MAP”) rules that would require a member firm to seek a materiality consultation, or MatCon as we like to call it, in two different circumstances.  The first is when “a broker with certain specified risk events seeks to become an owner, control person or principal of the member,” and the second is when “the member seeks to add a broker with certain specified risk events to the firm.” This raises a few of issues.

First, what, exactly, are “certain specified risk events?” Are these determined qualitatively, by the nature of the individual’s disciplinary disclosures?  Or, are they determined quantitatively, by the number of disclosures?  Or, perhaps, some combination of the two?  I guess we need to wait for the Reg Notices themselves to learn.  Clearly, this is where the rubber will meet the road on these proposals.  If the threshold is set too low, then too many prospective owners will be swept into this process, rendering the filter useless.  But, if it is set too high, then those darned “high-risk” brokers will running things at BDs all over the place.

Second, I seriously question how much protection such amendments would actually provide. I can assure you that today, under the existing MAP rules, if someone with a disciplinary history files an application under Rule 1017 to become the owner, or even an owner, of a BD, that application would first be fly-specked to death, and then, eventually, denied.  The existing MAP process is tough.  MAP examiners, while lovely individuals and generally easy to work with, are pleased as punch to hold against an applicant the smallest of infractions, or perceived infractions.  Indeed, a prospective new owner need not even have a formal disciplinary history to raise MAP’s eyebrows.  I know of applicants that were merely the subject of pending exams – exams that had not yet even made it to the findings stage – who were told that mere “examiner concerns” were enough to cause MAP to look negatively on a 1017.  I suppose that if the MatCon was required no matter how small of an ownership interest the applicant was seeking to acquire, it might add something to the existing process,[1] but that would be an incremental change, at best.

Third, existing rules also allow FINRA today to prevent an individual RR from moving from one firm to another. Anytime a rep changes BDs, the old BD files a Form U-5 and the new firm files a Form U-4.  FINRA must approve the U-4, of course.  Given that, in theory, FINRA already possesses the power to serve as gatekeeper, by not approving Forms U-4 for reps with troublesome records.  But, FINRA generally does not do that.

Which is the principal reason why FINRA’s professed concern about high-risk brokers is so odd to me. As I have blogged about before, there is simply no way for any of this to be a surprise to FINRA.  It controls every aspect of the process that exists to become and remain a member firm, or an individual to become and remain associated with a member firm, i.e., the membership/registration piece, the examination piece, and the enforcement piece.  Thus, to the extent that there are reps still working out there with lots of disciplinary events on their records, i.e., the reps about FINRA is so worked up, it is 100% because (1) FINRA approved their registrations, and (2) when it disciplined them – after all, their disciplinary histories derive from enforcement actions that FINRA brought – it determined that whatever they did wrong was not bad enough to require them to be tossed out of the industry.

Thus, whatever problem supposedly exists now regarding high-risk brokers, it has arguably been caused by FINRA itself. And now, it proposes to ride in to the rescue from its self-created problem, after the media had the bad taste to shed some light on this situation.  It would be funny if it wasn’t true.

Regarding the unpaid arbitration awards, FINRA is also proposing to use its MAP rules to address the perceived problem. What FINRA has suggested is an amendment that will allow it “to presumptively deny a new membership application if the applicant or its associated persons are subject to pending arbitration claims.”  In addition, in the context of a CMA, or change in ownership of an existing member, the proposed amendments would require a MatCon when “the member is seeking to effect a business expansion or asset transfer and the member or an associated person has a substantial level of pending arbitration claims, an unpaid arbitration award or an unpaid settlement related to an arbitration.”

It is really interesting that somehow FINRA’s concern about unpaid arbitration awards has morphed here into concern about “pending arbitration claims.” Aren’t the two very different?  When there’s an unpaid award, it necessarily means that the firm has already lost the arbitration, and has been ordered to pay some money to the claimant because the hearing panel concluded the firm did something wrong.  But, in a pending arbitration, one in which the award has not yet been rendered, the respondent firm is presumed to be innocent until proven otherwise, as the claimant has the burden of proof.  It seems a bit incongruous, and certainly unfair, for FINRA to be permitted to hold mere allegations, not findings, against a prospective owner.  (But, as I said above, MAP already does this today, rightly or wrongly.)

Also, as I have mentioned before, in its existing arsenal of procedural weapons, under Rule 9554, FINRA already has the right to seek summary expulsion of a firm if it fails to pay an arbitration award in a timely manner or to follow through on a settlement agreement. If it is FINRA’s goal to weed out from its ranks those firms that don’t pay arbitration awards, it has the power to accomplish that now.  Moreover, if the goal is also to prevent Firm A from simply not paying an arbitration award and going down the street and opening Firm B, or just joining Firm B, this proposal would not prevent that.  The proposal, at least as described by FINRA in the brief summary, is really tied to awards against individuals, either the individual owners of a firm or its associated persons.  When individuals have unpaid arbitration awards, FINRA can stop them from either owning a BD or from joining one.  On the other hand, when the awards are not against individuals, but, rather, against the firm for which they used to work, the individuals are free to move.  And neither the existing rule nor the proposal would stop that.

One final observation. It is remarkable how quickly FINRA seems to act when it receives a complaint from Congress, or, worse, from the media, about how it does business; yet, when its own members complain about something, it falls on deaf ears.  This certainly suggests that FINRA has its priorities backwards.

[1] Under the existing rules, neither a MatCon nor a full-blown 1017 is required unless the transaction would result in someone becoming at least a 25% owner of the firm.  So, if a “bad actor” wanted to acquire, say, only 10% of a BD, that can be accomplished simply through the filing of an amendment to Form BD, without the need to obtain FINRA approval.

Let The Sun Shine On FINRA’s Office Of Disciplinary Affairs

Posted in Disciplinary Process, FINRA, ODA

Back in the old days, back when it was still NASD and it bore some reasonable semblance of a true self-regulatory organization, the important decisions relating to the Enforcement process – the decision to issue a complaint, the decision to settle a case, and the decision in litigated matters that actually went to hearing – all resided with the District Business Conduct Committee, or DBCC (n/k/a the District Committee) and, for, trading cases, the Market Surveillance Committee (n/k/a the Market Regulation Committee). The DBCC and MSC were comprised exclusively of industry members who were voted into their roles by their peers.  That’s where the “self” in self-regulation came from, since it was actually brokers making decisions about other brokers.

That changed, of course, in 1996, when NASD got sanctioned by the SEC in the infamous 21(a) Report that disclosed that the relationship between NASD staff in the New York District and the members of the DBCC, as well as the relationship between the Market Surveillance staff and members of the MSC, was a bit too cozy, resulting in those committee members sometimes using the NASD to bring Enforcement actions (relating to market making activities) against their business competitors.  As a result of that Report, NASD dramatically altered it processes, carving out the DBCC and MSC from any decisions relating to filing or settling complaints, and vesting those decisions with NASD Enforcement staff.  Thus, many argue, began the elimination of “self” from self-regulation.

To prevent Enforcement from running amok, NASD also created the Office of Disciplinary Affairs, or ODA. ODA is a completely separate group, not associated with Enforcement, designed as a check to ensure that Enforcement’s decisions were reasonable.  Specifically, before Enforcement could file a complaint, it first had to apply for and obtain approval from ODA.  Additionally, ODA needed to approve all settlements, even though the actual settlement negotiations were conducted with Enforcement staff.  Clearly, in light of these critical activities, ODA was established to play a very, very powerful role in the Enforcement process.  And today, nothing has changed.

But, here’s the thing, and the point of this post: Who, exactly, is ODA?  Who is actually making its decisions?  On what basis does it makes its decisions?  And why is it that only Enforcement gets to communicate with ODA?

Look at the FINRA website, and I challenge you to figure out what exactly the ODA is, what it does, of whom it is comprised, how it functions, etc. I mean, you can easily see the old Notice to Members from 1999 that announced the formation of the ODA, and you can see the rules – 9211, 9216, and 9270 – that state that the ODA must authorize complaints and approve settlements.  There is also Reg Notice 09-17, which did not create anything new, but merely reiterates the current Enforcement process.  It provides the following completely unhelpful, unenlightening explanation about ODA:

FINRA’s Office of Disciplinary Affairs (ODA) is independent of Enforcement and is not involved in the investigation or litigation of cases. ODA is charged with reviewing each proposed settlement or complaint, including any Wells Submissions, to provide an independent review of the legal and evidentiary sufficiency of the charges proposed by the staff. ODA also reviews settlements for consistency with the Sanction Guidelines as well as applicable precedent. ODA approval is required before the issuance of a settlement or complaint.

Let’s take this incrementally. Let’s say Enforcement wants to file a complaint, and, in anticipation of that, it invites my client to submit a Wells letter.  I prepare the response and send it to Enforcement which, apparently, then sends it to ODA.  But, what else does Enforcement do?  Does it also submit a rebuttal to the Wells?  Does it get to converse with ODA?  Does it get to answer questions that ODA may have?  The answer to these is yes, of course.  All of those communications between Enforcement and ODA happen, yet I never get to see them, or respond, or comment, or participate.  ODA is “independent of Enforcement,” purportedly, yet it is entirely dependent on Enforcement for the information it needs to do its assigned job.  Why can’t a prospective respondent communicate directly with ODA?  Why does everything I submit have to get filtered by Enforcement first?  Why can’t I even know the name of the individual(s) who is (are) serving as the final arbiter of whether a complaint is mandated?  Indeed, I have no idea if ODA is one person, or a group (as it used to be), or if it is a group, who runs the place.  And if it is, truly, independent of Enforcement, to whom does ODA report?

Same thing with settlements. While it certainly helps to have the Enforcement lawyer agree that my offer is reasonable (because the Enforcement lawyer, in turn, will then try to sell it to ODA), ultimately it is only ODA’s opinion that matters.  The Enforcement lawyer is largely relegated to the role of ferrying offers and demands back and forth between ODA and me.  It would be way easier, and more sensible, if I could just talk directly to ODA, rather than having Enforcement serve as the conduit.

The point is, ODA is incredibly powerful in the FINRA Enforcement process, arguably more powerful than the Department of Enforcement itself, given that Enforcement can’t issue a complaint or settle a case unless ODA says so. Yet, ODA is nameless, faceless, accountable to no one, working entirely behind the scenes, away from public scrutiny, unavailable for a dialogue, able to issue decrees that both Enforcement and respondents must follow.  This sounds like the antithesis of what due process should be, but it is the norm for FINRA.  Members should demand that, as the SEC did when it issued the 21(a) Report against NASD, more sunshine be provided to remove the mysterious procedures that now shroud Enforcement actions.  Make ODA show itself, let respondents be able to communicate directly with ODA, require it to be accountable for its decisions.

FINRA’s Annual Report: I Wish It Was Fake News

Posted in Annual Report, FINRA

This past week, FINRA very, very quietly released its Annual Report for 2016.  Too quietly, as they say in the movies.  No press release.  No press conference.  No media attention at all, hardly.  As President Trump just asked about State Election Commissioners who refused to respond to a request from his Election Fraud taskforce for a vast array of personal information about voters, “what is it hiding?”  Well, seems to me there are a couple of things in the Report that, frankly, FINRA would prefer not become the topic of too many conversations.

First, of course, is the embarrassing annual parade of FINRA millionaire employees. At first glance, you may be buoyed by the fact that only three of the top ten earners are slated actually to make $1 million or more in 2017, down from six in 2016.  But, that is deceiving, as the 2017 figures revealed in the Report do not include deferred comp, which isn’t determined until the end of year.  Once that is tallied up, undoubtedly, the number will climb.  Plus, even absent a consideration of deferred comp, no one on the list is struggling to make ends meet.  The lowest comp number is still a whopping $728,000.  And, one of the poor guys who doesn’t make $1 million (absent deferred comp) is Tom Gira, who made a cool $2.6 million last year (due to a one-time pension thing), more than anyone else at FINRA.  Tom is nice guy, and I personally like him, but there is simply no way that he brought $2.6 million of value to the table.

FINRA may be a not-for-profit company, but its management compensation sure looks a lot more like a Silicon Valley tech success than a stuffy old regulator. These insane comp numbers make Robert Cook’s boast that he is addressing FINRA’s expected “operating revenue challenges” this year by “freezing officer salaries” sound more than a bit ridiculous.  What?  You’re going to freeze my salary at a paltry $1 million??”

The second thing of note about the Report is that it makes abundantly clear just what FINRA views its job to be, and what, presumably, it feels the public deems important. And believe me, it is not to make the lives of broker-dealers easier. To the contrary, what FINRA leads its Report off with is a self-congratulatory recitation of its Enforcement work, extolling $173.8 million in fines, $27.9 million in restitution to harmed investors, 24 firms expelled, 727 brokers suspended, 517 brokers barred, 1,434 disciplinary actions, 785 cases referred for prosecution to the SEC and other federal or state law enforcement agencies, 439 potential market manipulation cases referred to the SEC, and 97 potential Reg M violations detected by cross-market patterns referred to the SEC.

In fact, FINRA notes in the Report that it collected so much money in fines last year that this single part of its revenue stream was alone more than enough to address the loss that FINRA suffered in 2015. The Report states: “We reported net income of $57.7 million in 2016 versus a loss of $39.5 million in 2015.  The change is primarily related to two areas: fines and portfolio returns.  An increase in fines revenue more than offset the decrease in operating revenues for the year….”  I suppose the good news, therefore, if you were a respondent in a FINRA Enforcement action last year and paid a fine, is that you can rest easier at night knowing that you helped FINRA turn around its financial problem.[1]

Perhaps it wouldn’t be so difficult to stomach FINRA’s Report if it was clear that it was doing a good job and that it was spending its money wisely. But, anecdotally, anyway, based on comments from the very members who pay those salaries through assessments, fees and fines, FINRA is failing to meet its statutory mandate.  It still spends way too much time and money going after firms and individuals who don’t represent a true threat to the integrity of the markets.  It refuses to settle cases for a reasonable sanction, even though such sanctions are not supposed to be punitive.  It sends out examiners who lack sufficient knowledge and understanding of how firms run their businesses, leading to miscommunications and time wasted, at a minimum.  It is way too focused on headlines, especially negative ones, that is, on the appearance of accomplishing something, than actually accomplishing it.  It is very fast to jump on problems that others have discovered, rather than proactively identifying such problems itself and nipping them in the bud.

Ultimately, it boils down to whether member firms feel like they are getting what they’re paying for with FINRA, and, at least as I see it, the consensus is a resounding “no.”

 

[1] To be fair, FINRA “do[es] not view fines as part of [its] operating revenues.  The use of fine monies is limited to capital expenditures and regulatory projects, such as [its] efforts to leverage technology innovations and the Cloud initiative, and other projects as appropriate, which are reported to and approved by [its Finance, Operations and Technology Committee and Board.”

The Unassailable FINRA Rule 8210

Posted in Disciplinary Process, Enforcement, FINRA, Rule 8210

My dissatisfaction with FINRA’s Rule 8210 and, more specifically, the aggressive manner with which FINRA wields that rule, has been the subject of several prior blogs.  I happy to report that my partner, Michael Gross, has drunk the Kool-Aid, and joined me in tilting at this windmill.  – Alan

The first paragraph of a paper calling for reform at FINRA notes that:

FINRA is a regulator of central importance to the functioning of U.S. capital markets. It is neither a true self-regulatory organization nor a government agency. It is largely unaccountable to the industry or to the public. Due process, transparency, and regulatory-review protections normally associated with regulators are not present . . . .[1]

One of FINRA greatest powers – FINRA Rule 8210 – epitomizes its lack of accountability and meaningful due process protections.

The Power of Rule 8210

FINRA Rule 8210 requires members and their associated persons to provide documents, information, and testimony “with respect to any matter involved in the investigation, complaint, examination, or proceeding.” Because of the exceedingly broad scope of FINRA Rule 2010 (which requires firms and individuals, “in the conduct of [their] business, [to] observe high standards of commercial honor and just and equitable principles of trade”), the subject matter of an investigation can encompass anything business-related. Moreover, FINRA alone determines what is relevant to its investigations.

Rule 8210 is a tremendous power. If a registered rep does not comply with a request for documents, information, or testimony, FINRA can have the rep barred from the securities industry.[2] Once barred, an individual becomes subject to statutory disqualification, which has implications beyond the ability to function as a registered rep. Simply put, FINRA’s power through Rule 8210 extends beyond the securities industry it governs.

The Potential for Abuse

With this much power, Rule 8210 has the potential for abuse. FINRA can seek to expel those whom it deems to be undesirable by making compliance with the nature, volume, or scope of Rule 8210 requests so undesirable or burdensome that providing the requested documents or information is not a real option.

There is no limit on the number of document and information requests that FINRA can issue. It is not uncommon for FINRA to issue pages upon pages of document and information requests, and to follow up one set of overly broad and unduly burdensome set of requests with another set of the same. There likewise is no limit on the number of hours or days for which FINRA can take a rep’s testimony.[3] Multiple-day on-the-record interviews are not uncommon. Under Rule 8210, FINRA can even compel a rep, who lives within walking distance of its New York office, to travel across the country at his own expense to provide testimony in its Los Angeles office.

In addition, there generally is no limit on the scope of document and information requests that FINRA can issue.[4] For example, a rep may possess confidential medical records regarding a client to whom he sold an annuity (which is not a security). FINRA can demand those records, even if the rep did not conduct any securities business with the client. By further example, it may be a violation of state, federal, or international law or a breach of contract to provide certain confidential documents that a rep possesses by virtue of his non-securities-related business, but FINRA still can requests that those documents be produced.

Further, there is no time limitation on the length of a FINRA inquiry.[5] It is not uncommon for FINRA to investigate matters long after the fact, or to conduct inquiries that can be measured in years, not months. It likewise is not uncommon from FINRA to receive a response to a Rule 8210 request, not communicate with the rep for months or longer, and then continue to pursue the inquiry. Lengthy inquiries can be quite stressful to those under scrutiny, as well as their families.

The potential for abuse is there. And there are plenty of firms and reps that will testify that they have been harassed by FINRA through its seemingly limitless Rule 8210 power.

The Unassailability of Rule 8210

If a rep believes that FINRA is abusing its Rule 8210 powers, he has limited options –none of which provide appropriate due process.

The first option is to complain to FINRA. This can be done through complaints at the district and national levels or to its Office of the Ombudsman. This route leaves a rep at the mercy of FINRA – the very same people who issued the requests (and who feel compelled to defend the actions of their organization). This is not due process.

The second option is to not provide the requested documents and information. This is a very risky route. It requires a rep to put his license on the line to assert that FINRA has overstepped the bounds of Rule 8210. If FINRA determines that it is entitled to the requested documents and information (which presumably will be the case), then it likely will initiate a disciplinary proceeding in its forum, the Office of Hearing Officers (OHO), which can be appealed to another one of its forums, the National Adjudicatory Council (NAC). If those tribunals, and any tribunals to which subsequent appeals are lodged, determine that any of the requested materials should have been provided, the likely result is a bar from the securities industry. Needless to say, this method of “due process” discourages challenges to Rule 8210 requests, gives FINRA a tremendous amount of leverage in any attempt to negotiate a limit to the scope of Rule 8210 requests, and emboldens FINRA to push the boundaries of the Rule.

There is no body, independent or otherwise, from which a rep can seek interlocutory relief from overly broad, unduly burdensome, harassing, or otherwise abusive Rule 8210 requests, without running the risk of being barred from the securities industry. Given the power that FINRA wields through Rule 8210, there should be.

[1] A copy of the paper, entitled “Reforming FINRA,” by David R. Burton, is available here.

[2] I used the term “request” throughout this post, because that is the term that FINRA uses. As one of my colleagues has observed, “demand” is probably the more appropriate nomenclature given the consequence of non-compliance.

[3] The Federal Rules of Civil Procedure limit the number of interrogatories to 25 and the length of a deposition to one day of seven hours, without leave of the court. The Federal Rules of Civil Procedure limit the number and scope of document requests, as well as discovery in general, through relevancy, proportionality, and other requirements.

[4] FINRA usually recognizes common law and statutory privileges, such as the attorney-client privilege.

[5] The period for discovery in a civil proceeding is typically limited by court order. SEC enforcement actions seeking civil penalties are subject to a five-year statute of limitations.

 

What Else Is New? FINRA Skates Despite “Massive” Failure To Produce Documents

Posted in Discovery, Enforcement, FINRA, Rule 8210, Rule 9251, Uncategorized

Let’s play pretend.  Can you imagine what FINRA would do to a respondent broker-dealer in an Enforcement action that announced on Day Five of the hearing – i.e., during the “final phase” of the hearing – that – whoops! – it had forgotten to produce certain documents that it should have produced eight months before the hearing even started? Documents that would potentially prove FINRA’s case?  And then, after being given a week to determine exactly how many documents it forgot to produce, the respondent announced that, in fact, it was, um, 30,000 emails?  That the failure was the result of an “apparent miscommunication?”  And that in addition to those emails there were another few hundred more that also hadn’t been produced because they were “inadvertently omitted” from an earlier production?

I am speculating, if course, but it’s not difficult to imagine that there would be a permanent bar involved.  Rule 8210, which gives FINRA the power to compel the production of documents and information, is powerful.  The failure to abide by the rule routinely results in permanent bars.  FINRA takes very seriously its right to require member firms and their associated persons to produce whatever documents it feels are necessary to conduct an exam.  Apparently, however, when the shoe is on the other foot, when it is FINRA that fails to produce required documents, a simple apology is good enough to resolve the problem.

How do I know?  Yesterday, FINRA issued an Order in an Enforcement case denying a motion to dismiss that Respondent Stephen Larson filed stemming from FINRA’s “massive” – to quote the Hearing Officer – failure to produce required documents.  These were documents that FINRA should have produced eight months before the hearing.  And there were, as my hypothetical suggests, 30,000 emails, including potentially exculpatory documents.  According to the Hearing Officer, however, this was no big deal.

He started his analysis of whether to sanction FINRA – which could, theoretically, have included a dismissal of the Complaint – by considering FINRA Rule 9251, which “requires Enforcement to make available to a respondent for inspection and copying all documents (subject to various exemptions) prepared or obtained by FINRA staff in connection with the investigation that led to the disciplinary proceeding.”  This sounds an awful lot like the flip-side of Rule 8210, which requires a respondent to produce the equivalent documents to FINRA.  It, too, is a serious, powerful rule.  As the Hearing Officer stated, “[i]t is essential that Enforcement exercise diligence in complying with this obligation, as rule-compliant document production by Enforcement is fundamental to a fair disciplinary proceeding.” He also observed that “under the Code of Procedure’s regulatory scheme, a respondent typically relies substantially on Enforcement’s good faith and diligence in producing documents; in most cases, a respondent will never know what documents Enforcement has withheld.”[1]

 

Given this, is not surprising that the Hearing Officer called FINRA’s document debacle “disconcerting,” explaining that

  • FINRA utterly blew its Rule 9251 obligations;
  • It violated the terms of the Case Management and Scheduling Order;
  • It missed the production deadline by a whopping eight months;
  • It didn’t acknowledge the production failure until the hearing was nearly over;
  • The volume of missing documents was “staggering”;
  • The production failure “did not result from a single cause, but from a combination of miscommunications, misunderstandings, and other errors”; and
  • The missing documents were potentially exculpatory, but, at a minimum, were relevant to Mr. Larson’s defense.

Despite all this, the Hearing Officer took no action against FINRA.  Nothing.  No dismissal.  No sanction.  Why?  Because he basically concluded that FINRA didn’t intend to screw up, and that it was all an innocent mistake:  “Enforcement [did not] engage in willful misconduct, bad faith, or . . . otherwise act contemptuously.”  Guess what?  When respondents make this same argument in the defense of an 8210 claim, they are laughed off by FINRA.

The Hearing Officer also noted that “Enforcement admitted it made a mistake in not producing the omitted documents,” and deemed this admission to be important to his ruling.  I can assure you, as a respondents’ counsel, FINRA could care less if my client is willing to admit that a “massive,” eight-month-late production was a “mistake.”  The sanction would undoubtedly be harsh; after all, intent is not an element that FINRA needs to prove in an 8210 case.  It would be unheard of to suggest that there would be no ramifications for a respondent who mistakenly failed to produce 30,000 emails, as was the case here for FINRA.

The Hearing Officer also put a lot of stock in the fact that he granted a four-month continuance in the hearing to allow Mr. Larson to review the late-produced documents, asserting that somehow this “eliminated, or at least substantially mitigated” any prejudice to Mr. Larson.  At best, this is an arguable point, not nearly the dispositive issue it is made out to be.  Prejudice is in the eyes of the beholder, and I doubt Mr. Larson would concur that he was not prejudiced by this delay in the hearing.

If anyone ever has any doubt that the deck is stacked against you in a FINRA Enforcement case, or that FINRA rules only work to the detriment of the members, just read this Order.  FINRA completely blew its deadlines by months, omitted tens of thousands of documents that should have been produced, and yet, because it was a mistake and not intentional, and because it admitted its mistake, the Hearing Officer essentially concluded “no harm, no foul.”  Respectfully, I humbly suggest that if the roles had been reversed, Mr. Larson would never have received the same treatment.  And there are dozens and dozens of former reps who have been barred for 8210 violations involving way fewer documents, way less delay, with an equal lack of intent, who will attest to this.

[1] I blogged – here – about the unfairness of Rule 9251 – that a respondent is essentially forced to rely on representations by FINRA that it has produced all the required documents – a couple of years ago.

Don’t Let The Revolving Door Hit You In The Butt

Posted in FINRA, Rule 9141, SEC

There has been a lot of talk, especially given the relatively recent change in the Executive Branch in Washington, about the problem with the “revolving door,” a concept so wide in scope that it actually has its own Wikipedia page.  It is defined to be the “movement of personnel between roles as legislators and regulators and the industries affected by the legislation and regulation.” It happens all the time in broker-dealer world, especially with FINRA and the SEC, where lawyers move back and forth between private practice and the regulator.

The examples are rampant.  Look no further than the current and former Chairmen of the SEC, Jay Clayton and Mary Jo White.  Both came from law firms before taking the reins at the SEC, and Ms. White is now back in the defense business again.  Mary Schapiro, former head of FINRA and then the SEC, is now a consultant to the industry.  Heck, look at me, I started in private practice, worked at NASD for a decade or so, and then returned to my current defense work 13 years ago.  Of course, unlike those others, I was never an officer of NASD, so my career path back to private practice is a bit less interesting, and my thoughts on things of much less import.

FINRA passed a rule about it a few years, even if it is rather a bit tepid in its scope, prompting immediate criticism. Conduct Rule 9141(c), subtitled the “One Year Revolving Door Restriction,” provides that “[n]o former officer of FINRA shall, within a period of one year immediately after termination of employment with FINRA, make an appearance before an adjudicator on behalf of any other person under the Rule 9000 Series.”

The problem with the concept of the revolving door is that it is, basically, unseemly. It is just amazing to listen to some former senior ranking officer of a securities regulator stake out a position that, prior to going through the revolving door, would never have been uttered aloud.  Judge for yourself.  The latest issue of Investment Advisor contains a column featuring comments from Brad Bennett, who recently rejoined Baker Botts after departing from his former job as head of FINRA’s Enforcement Department, a position proudly featured (and rightly so) in his firm bio.  According to the article, when asked about the regulatory burdens that broker-dealers face, Mr. Bennett said these burdens “have not been reduced. It is difficult to comply with the broad array of compliance responsibilities if a broker-dealer does not have scale. . . .  There is no doubt that the regulatory burden is more manageable from a business perspective if you are an investment advisor.”

I am unfamiliar with any remarks that Mr. Bennett – or any other FINRA officer – ever made (at least while still employed by FINRA) (a) admitting that it is hard for broker-dealers to comply with regulations, and (b) suggesting that small firms might be better off leaving FINRA and becoming investment advisors (thus, removing themselves from FINRA’s jurisdiction). The funny part about this is that Mr. Bennett is telling the truth.  I imagine that my clients and I are in practically universal agreement with his new (at least newly voiced0 viewpoint on regulation and compliance.  The problem is, as I suggested, where was this sentiment while he ran Enforcement?  Where was the concession that compliance these days is hard, hard, hard?  Where was the sympathetic ear to pleas of mercy when there was no evidence of intent, no customer harm?  Where was anything other than the heavy hand of Enforcement?  It simply wasn’t there.

I have no doubt that Mr. Bennett, and Ms. White, and Ms. Schapiro, and all the other former officers of FINRA and the SEC are doing just great in their new gigs, and that clients will continue to flock to them to provide the sort of access to their former colleagues at the highest levels of FINRA and the SEC that can often work wonders in resolving thorny problems. And, truly, I wish them all the best.  But, that does not change the fact that the revolving door problem exists as much as it ever has, and that whatever rules or policies have been implemented to address the problem have been ineffective.

Open The Pod Bay Doors: Computers Are Here To Take Your Job

Posted in Compliance, FINRA, Fintech

I read recently that in the not-too-distant future, the practice of law by actual human beings will become a rarity, as computers will take over those jobs, because they will be able to do the work better, cheaper and faster.  Speaking as a lawyer, I find that to be a somewhat troubling prospect.  I mean, this is what puts food on my table and all.  So, given a choice, I would clearly vote “no” on this.

Well, yesterday, I read that all of you compliance personnel will eventually be joining me on the unemployment line. IBM announced that Watson, its super-amazing Super Computer, is now providing Watson Financial Services.  Now you, too, can be replaced by a machine that does your job better and faster.  (I don’t know about cheaper!)  According to IBM, Watson can “[t]ransform your regulatory compliance and surveillance programs by deploying cognitive capabilities that drive the identification and understanding of regulatory requirements, improve your efficiency at addressing compliance requirements, while reducing the risk of misconduct.”

Holy cats, that sounds good. It is all too common in my experience that one of my clients get into difficulty with a regulator (and sometimes with a customer, as well) not because the firm had a lousy supervisory system or deficient written supervisory procedures, but due to good old human error.  Someone appropriately delegated some supervisory function forgets to do it.  Or does it but fails to document it.  Then you get, essentially, what HAL 9000 said in 2001: A Space Odyssey:  “I know I’ve made some very poor decisions recently, but I can give you my complete assurance that my work will be back to normal.  I’ve still got the greatest enthusiasm and confidence in the mission.”  No matter how well intended, and even in the absence of any demonstrable customer harm, human errors like this routinely result is regulatory scrutiny, and possible disciplinary action.

If there is a computer out there that can reduce, or, better, eliminate the possibility of errors like this, I am all in favor it.

The harder question concerns the other kind of thing that gets broker and broker-dealers in trouble: the exercise of subjective judgment. Most FINRA rules (but hardly all) have a reasonableness standard, including most notably the supervision rules.  To be in compliance, all one needs to be able to demonstrate is that he or she acted reasonably.  That means, necessarily, that while errors may not be encouraged, or welcomed, they can be tolerated, at least to a degree.

There are tons of events that occur every single day that call for the exercise of some subjective determination. For example, does this penny stock trade constitute a “red flag” for AML purposes?  Is this structured product suitable for that particular customer?  Would the addition of this business line constitute a material change requiring the filing of a 1017?  Is this letter from the customer a “complaint” that requires disclosure on the RR’s Form U-4.  You get the picture.  Some clients do a very good job of making good, reasoned judgments, based on all pertinent facts and circumstances.  But, sadly, some don’t.  And even if they think they do, they do a poor job of memorializing the analysis and the reasons on which the ultimate conclusion was based.

What I don’t know is whether a computer, no matter how Super it may be, can really be relied upon to make, or even help make, the sort of subjective decisions that compliance and supervisory personnel face every day. But, I feel like as a lawyer, I make a million judgment calls a day, and if a computer is eventually going to take my job away because it can make those calls better than me, then I suppose it is possible that the same is true of anyone who works in the area of securities regulation and compliance.

This is clearly a very interesting development, and merits our attention going forward to see if, indeed, IBM has created a better mousetrap. I suppose that it is only fitting that the press release came the same week that Robert Cook announced FINRA’s Innovation Outreach Initiative, a program that, according to the press release, will “foster an ongoing dialogue with the securities industry that will help FINRA better understand financial technology (fintech) innovations and their impact on the industry.”  The impact that technological innovations will have on the securities industry is obvious; it is just a matter of how much and when, not if.

As long as this doesn’t turn into HAL 9000, or Skynet, or Nomad.  If that happens, please beam me up.

Rogue Brokers: The Numbers Do Not Tell The Whole Story

Posted in FINRA, Registered Representative, Rogue rep

Not too long ago, I blogged a couple of times about the amount of attention that is suddenly being paid to the number of registered representatives with disciplinary histories working for FINRA member firms, i.e., the so-called recidivists (who used to be called “rogue reps”).  Among the complaints I voiced was the fact that while FINRA is, and has always been, well aware of this fact, it is seemingly acting as if this is somehow a newsflash, something just discovered that needs to be dealt with right away!

Well, today I ran across a fascinating article in Reuters that not only backs up my argument, but does so based on its own analysis of empirical data drawn directly from BrokerCheck.

What Reuters did was identify particular 12 disclosure events (of the 23 they say potentially appear in Brokercheck) – supposedly the 12 “most serious” disclosures – and then see how many RRs at each FINRA member firm have such disclosures on their CRD records. I cannot imagine the amount of work that this endeavor took, since, as the article points out, it is not possible to run a “bulk” search in BrokerCheck, but I am thankful for the coders that managed to pull it off.

According to their results, and assuming that they are correct, there are a lot of broker-dealers out there with a lot of RRs with disclosures, all still merrily working in the industry. Indeed, based on its study of BDs with 20 or more RRs with disclosures made between 2000 and 2015, Reuters found a total of 48 firms that had 30% or more of their RRs with at least one of the 12 disclosures; at 14 of those firms over 50% of the RRs had disclosures.

Now, I am not saying that each of those 48 firms should be branded a “bad” firm; indeed, several are my clients, and I will be the first one to attest that they are not at all bad, and that hiring an RR with a mark on his record is not something should, in isolation, invite regulatory scrutiny. The current law permits individuals with disclosure histories to continue to work in the industry, and broker-dealers are free to hire them.

That underscores the point I made in my earlier blog posts: FINRA knows who these firms are. Not surprisingly, because FINRA owns the database that Reuters examined, FINRA is already well aware of its contents, including those firms that hire a high percentage of RRs with disclosures.  Interestingly, FINRA admitted as much to Reuters.  The article quotes Susan Axelrod, FINRA’s executive vice president of regulatory operations, as having said, “Let’s just say those are not new names to us,” when confronted with a list of the firms identified by Reuters.

But, armed with that knowledge, FINRA still, largely, has does nothing that changes the fact that having a disclosure event, even multiple disclosures, simply does not prevent someone from working for a broker-dealer. At a speech he gave this very week, Robert Cook, FINRA’s CEO, addressed this subject:

We are also asked why firms or individuals with a regulatory history are allowed to remain in the industry in the first place. On the one hand, I share the desire to be aggressive in this space and to address recidivist misconduct promptly—and we need to make sure we are doing all we can.  On the other hand, like other regulators, FINRA does not—and should not—have unfettered discretion. Formal action to bar or suspend a broker requires satisfying procedural safeguards established by federal law and FINRA rules to prevent enforcement overreach by regulators (including FINRA) and to protect the rights of brokers to engage in business unless proven guilty of serious misconduct. Those safeguards include the right to defend oneself before a hearing panel and the right to appeal to FINRA’s National Adjudicatory Council, the SEC, and ultimately the federal courts.

In addition, federal law and regulations define the types of misconduct that presumptively disqualify a broker from associating with a firm, and also govern the standards and procedures FINRA must follow when a broker who was found to have engaged in such misconduct applies to re-enter the industry. These requirements, which are complex and beyond what I can address today, impose significant constraints on FINRA.   I do not mean to profess that we are perfect—we must continually work to improve our programs within these constraints to protect investors, while doing so in a manner that is transparent and fair to those involved.  A critical factor in ensuring that we are meeting this objective is the comprehensive SEC oversight that occurs with respect to our regulatory programs, including the standards and processes governing our examination, enforcement, sanctions, and adjudication activities.

The bottom line comes down to this. First, data simply do not tell the whole story.  Just because a firm has a number of RRs with “dings” on their record is not a reason in and of itself to conclude, or even suggest, that the firm represents a particular threat to the investing public.  FINRA correctly recognizes this.  Second, FINRA’s hands are tied when it comes to its ability to address quickly those firms that it does determine to be bad.  In FINRA world, as elsewhere, people (and firms) are presumed to be innocent.  FINRA has the burden to prove misconduct, and that is not always easy, or quick, to accomplish.

Finally, regardless of whatever significance you ascribe to the data the Reuters analyzed, FINRA should quit acting like the sky is falling. This is, as I have said, old news.  Perhaps it is new to Senator Elizabeth Warren, but rather than scrambling to do something – anything – to appease her and others in Congress critical of the job FINRA is doing, FINRA ought instead to educate them about the rules, the regulations, the laws that govern broker-dealers, none of which permit the sort of mass, summary revocations that the politicians seem to be contemplating.  It is time for FINRA to stand up for its members – the overwhelming majority of whom are, in fact, good – and defend them for a change, instead of rushing to jump on the recidivist bandwagon.

.