I recently had to the opportunity to sit in on a talk from high ranking CFTC and SEC enforcement officials at a local bar association meeting. The purpose of the get together was, in part, to let industry folks and their lawyers know what the regulators will be focusing on in the near future in a non-adversarial forum.  In other words, it was a chance to let industry players know what to avoid doing BEFORE they end up opposite an enforcement official during an OTR, or worse.

So, without further ado, here is what the regulators had to say, with a special focus on the SEC portions of the talk and an acknowledgment that regulators tend to be pretty guarded with their comments; meaning the reader should not expect anything too exciting.

During exams, regulators will focus (not surprisingly) on protecting retail customers, especially elderly investors.   Of particular interest are conflicts of interest and hidden fees and costs.  Other areas of focus will be the ubiquitous AML and cyber-security.  Speaking of which, cyber-security continues to be a blip on the SEC’s radar that has grown and will continue to grow.  Of interest to compliance workers (and frankly, lawyers and law firms) were comments directed at companies that use third-party vendors to handle customer personal information (which is many, if not most, these days).  The gist of the comments were that when a security breach happens, and it will happen, pointing the finger at your third-party vendor is not going to absolve a party of guilt.  The SEC speaker was adamant that an industry member will have to be able to demonstrate, tangibly, that they asked the right kind of questions from their vendors and got satisfactory answers.  In other words, the supervisory responsibilities that go along with protecting a customer’s Regulation SP information do not flow to the vendors but stay with the registered party.  Needless to say, since vendors are unlikely to be registered, the corresponding consequences of a breach will also rest on the industry member.

Still, the SEC realizes cybersecurity is a tough business and that mistakes will happen, so in February it published guidance to public companies relating to when they need to disclose a data breach and what needs to be disclosed.[1]  Recognition that cybersecurity is a tough business does not mean, however, that the SEC will let things slide.  In fact, just a few days ago, the SEC announced that an Iowa-based RIA/BD agreed to pay a $1 million dollar fine as a result of a cybersecurity intrusion .[2]  Readers should expect to hear about similar penalties for firms as cyber threats will only increase in future years.

The speakers next turned to another hot topic related to technology, namely, cryptocurrency or ICOs. The regulators seemed to agree on two things: 1) this is an area that is changing quickly, and 2) the public should be very careful about investing in these products.  As for jurisdiction, while the speakers agreed that it depends on the characterization of the product as either a security or a commodity, both of them seemed to lay claim, in the most polite way possible, for their respective organizations.  In other words, everyone agrees that the determinative factor is whether the product is a commodity or a security, but it is not yet clear what test will be used to make that determination.  So it looks like, at least for the immediate future, crypto will be of interest both to the SEC and CFTC (and their respective SROs).

Issuers have been a traditional target for the SEC when dealing with crypto, but the speaker stressed that the SEC can and will bring actions against broker-dealers, as well as companies promoting crypto. The regulators made clear they think this area in one that is ripe for abuse of public investors, so any business considering getting involved in crypto or ICOs should be aware that dealing with them could put your business in the crosshairs of one or both of these regulators.

Finally, the SEC speaker stressed that with an already stretched thin budget, the Commission will continue to rely on technology in order to spot wrongdoers and will focus on recidivism and customer harm. The essence of the meeting seemed to be that as technology evolves, so will the regulators, and with that comes the responsibility for industry members to keep up with changes that could help or harm their business and its customers.

 

[1] https://www.sec.gov/rules/interp/2018/33-10459.pdf

[2] https://www.sec.gov/news/press-release/2018-213