Thanks to Blaine for tackling FINRA’s annual list of things it is paying particular attention to in 2021. – Alan

 

The world has changed a lot in the last 12 months, but those in the securities industry can always rely on their trusty regulator, FINRA, to put out its annual priorities list to provide some semblance of consistency in the world.  In a break from the past, however, this year FINRA has combined two annual reports – the Report on Examination Findings and Observations, and the aforementioned Risk Monitoring and Examination Program Priorities Letter – into one new document (the “Report”).  The 46-page Report addresses 18 regulatory areas and organizes them into four categories (sadly, there is no mention of the ultra-recent GameStop saga).

Readers familiar with past priorities letters will recognize many of the issues raised in the current incarnation, and FINRA concedes that “many of the areas addressed in the publication represent ongoing core compliance responsibilities.”[1]  In other words, AML has always been a priority and continues to be a priority so nothing to see here.

Unfortunately, the subject that is likely to be of most interest, given the current state of affairs in the world, i.e., “Firms’ Practices During COVID-19,” is set off in blue because the “Report does not address exam findings, observations or effective practices specifically relating to how firms adjusted their operations during the pandemic.”[2]  Fortunately, FINRA promises, “those reviews are underway now and will be addressed in a future publication.”[3] If we are lucky, said results will issued before the entire country is vaccinated while the results are still relevant.[4]  Stay tuned to the BD Law Corner blog for timely updates in relation to COVID guidance.  With all of the above in mind, here are selected highlights from the new combined Report:[5]

Regulation Best Interest (“BI”)

Regulation BI replaces[6] the well-known and weathered suitability standard with one that requires broker-dealers and associated persons to make recommendations on transactions or investment strategies based on the best interests of their retail customers.  While the standard sounds simple, its implementation has caused heartburn in CCOs across the country as they struggled to understand how FINRA will interpret BI differently than suitability.  Unfortunately, CCOs will have to continue purchasing their extra-strength Tums.  Because, while the Report lists some rather obvious guidance, such as, “Has your firm provided adequate Reg BI training to its sales and supervisory staff,” it punts on the all-important question of what firms are being disciplined for and, more importantly, what FINRA will look at in the upcoming year.

FINRA’s posture is likely due to the fact that Reg BI is relatively new, in conjunction with the difficulties of regulating during a world-wide pandemic.  Notably, the Report does refer readers to a Roundtable that the SEC held on Reg BI that my colleague Heidi VonderHeide reviewed in another blog post.  Speaking of which, Ms. VonderHeide will be discussing the ins and outs of Reg BI in a webcast later this month that interested readers can register for here.

As was the case with its COVID guidance, FINRA promises to update the industry as information is gathered and priorities determined.  While we all hope COVID will soon be a distant memory, Reg BI is here to stay, so FINRA’s updates warrant further watching.

Cybersecurity

Another issue that is here to stay and promises, in fact, to increase in importance over the coming years is cybersecurity.  The Report notes increased occurrences of cybersecurity related issues, including system wide outages; email and account takeovers; fraudulent wire requests; imposter websites; and ransomware.  In addition, the Report indicated that data breaches remain an issue.   The pandemic has brought this already important issue to the forefront as brokerage personnel increasingly work remotely, increasing the importance of home internet security for each and every employee touching private company data.

The limitation on personal interactions between brokerage employees and their customers has only exacerbated the problem and ensured that most, if not all, exchange of customer paperwork takes place over the internet.  With such exchanges becoming the rule instead of the exception, FINRA has, not surprisingly, noted during its exams that firms have failed to encrypt customer personal information (which can be as simple as failing to encrypt and redact new account forms).  Firms also failed to limit access to customer information (along with other sensitive data) and failed to train personnel and maintain adequate branch policies, amongst others.  During compliance reviews, firms, naturally, tend to look within to figure out how they can improve internally.  While it is not necessarily intuitive, FINRA notes that firms must institute proper policies to ensure that their vendors are taking all steps that the firm, itself, is taking to ensure data safety.  This might be especially important for smaller firms that outsource their technological needs to vendors.  During past roundtables with Regulators at the Chicago Bar Association, those Regulators have indicated that a firm blaming its vendor is not a valid excuse if a data breach occurs and the Report seems to confirm as much.  The basic takeaway seems to be that internet technology is changing all of the time and the onus is on firms to keep pace in terms of protecting itself and its customers.

Communications with Public

As technology changes, the way that firms communicate with their customers has also changed.  Late last year, the SEC revolutionized its marketing rules for RIAs bringing them out of the 1960s and into the digital age (my colleague, Denise Fesdjian wrote about it here.) While FINRA did not do anything near as exciting as the SEC, it is worth noting the issues it uncovered as well as what infractions might focus on in the future.

Some findings have been virtually unchanged over the years, with the exception that they are now more likely to be found on the internet instead of in print, e.g. failing to balance promotional statements with prominent risk disclosures, while others deal with newer technology, i.e., the failure to retain email and other digital communication.  Once such technology that the Report sets off in blue (which apparently indicates that FINRA wants people to read it and, thus, will likely focus on it) is the emergence of new digital platforms with “Game-Like” features.”  FINRA cautions that these platforms, which are reaching a new segment of retail investors and, thus, providing important access to the marketplace, can also represent danger.  The message seems to be that firms can splash up their websites in order to appeal to new consumers but, in doing so, they are not relieved of any of their regulatory responsibilities.  Substance over form when it comes to the rules, in other words.

Above is just a smattering of what is available in the Report and I encourage anyone with an interest to review it in detail to learn about all of the topics not discussed here.

[1] https://www.finra.org/media-center/newsreleases/2021/finra-publishes-2021-report-finras-examination-and-risk-monitoring

[2] https://www.finra.org/rules-guidance/guidance/reports/2021-finras-examination-and-risk-monitoring-program#top

[3] Id. 

[4] See FINRA Regulatory Notice 20-16 for guidance on operating during the pandemic.

[5] For those wishing to read the report in its entirety, it is available at https://www.finra.org/rules-guidance/guidance/reports/2021-finras-examination-and-risk-monitoring-program#top

[6] Technically, Regulation BI supplements the suitability standard but according to Regulatory Notice 20-18, “Reg  BI’s Care Obligation addresses the same conduct with respect to retail customers that is addressed by Rule 2111, but employs a best interest, rather than a suitability, standard, in addition to other key enhancements. Absent action by FINRA, a broker-dealer would be required to comply with both Reg BI and Rule 2111 regarding recommendations to retail customers. In such circumstances, compliance with Reg BI would result in compliance with Rule 2111 because a broker-dealer that meets the best interest standard would necessarily meet the suitability standard.”

In other words, you have to follow Reg BI and if you follow Reg BI, you are meeting suitability so Reg BI is the determinative consideration.

Almost three years ago, in Reg Notice 18-08, FINRA wisely (but, nevertheless, still a bit late to the party) proposed to revise its own prior guidance regarding the troublesome intersection between outside business activities and investment advisor business, guidance that FINRA itself acknowledged had “caused significant confusion and practical challenges.”  Specifically, in crusty old Notices to Members 94-44 and 96-33, issued over two decades ago, FINRA saddled the industry with nearly inscrutable attempts to delineate the scope of a BD’s supervisory obligations over the investment advisory activities conducted by its dually registered RRs away from their BD.  Although it took FINRA about 25 years to finally attempt to clean up the muddy playing field it had created, finally, it seemed, clarity was on the way.  Astutely noting one of those rare instances in which FINRA actually seemed to be acting in its members’ best interests, I blogged about that proposal and dutifully congratulated FINRA for “provid[ing] meaningful relief to firms who are now nearly crippled by the sheer amount of their compliance obligations.”

Boy, did I speak too soon.

Three years after it was issued, the proposal has never been approved.  Indeed, who knows where it is today.  In a July 2020 release, the SEC observed that FINRA’s review of the proposed rule change was still pending, but, since then, I have seen nothing.  Making matters much, much worse, FINRA continues to enforce 94-44 and 96-33, despite FINRA’s explicit acknowledgement of the terrible job those notices have done in establishing a clear standard of conduct.  Just ask Cetera.  Right before the new year, FINRA issued an AWC from Cetera with a $1 million fine for doing something that, had FINRA followed through on the proposal in Reg Notice 18-08, would have been ok.

Before I get on my soap box, let me break down the AWC.

First you need to understand the underlying dynamic.  Cetera – like hundreds of other firms – has RRs who are simultaneously registered with an outside RIA, where the RRs serve as IARRs.  These folks are referred to as “dually registered representatives” or DRRs.  Because what the DRRs do at the RIA constitutes a securities business, from the perspective of the BD, it is a private securities transaction, thereby triggering Rule 3280.  The issue this tees up is what role, if any, Cetera has to supervise the IA work that its dually registered RR/IARRs are conducting at the RIA (where, of course, they are already subject to the RIA’s supervision).

The NASD tried in 94-44 and 96-33 to account for that fact, i.e., that DRRs are already being supervised by their RIAs, by attempting to delineate a more narrow scope of the DRRs’ RIA activities that the BDs also have to supervise.  The problem is, this was very difficult to articulate.  So difficult that the securities industry has struggled with this problem for the past 25 years.

Consider this:

  • As the AWC notes, according to Rule 3280, when a BD approves a PST, the BD must “supervise the person’s participation in those transactions as if the transactions were executed on behalf of the firm.”
  • Consistent with that, 94-44 states that “these requirements apply ‘to all investment advisory activities conducted by [DRRs] that result in the purchase or sale of securities by the associated person’s advisory clients”
  • But, curiously, 94-44 also states that Rule 3280 is focused “primarily upon the RR/RIA’s participation in the execution of the transaction – meaning participation that goes beyond a mere recommendation. Article III, Section 40 [the precursor to Rule 3280], therefore, applies to any transaction in which the dually registered person participated in the execution of the trade.”
  • 96-33 similarly states: “Most notably, Notice to Members 94-44, clarifies” – sorry, I have to pause here to insert the laughter that the use of “clarifies” will undoubtedly trigger – “the analysis that members must follow to determine whether the activity of an RR/IA falls within the parameters of Section 40. Fundamental to this analysis is whether the RR/IA participates in the execution of a securities transaction such that his or her actions go beyond a mere recommendation, thereby triggering the recordkeeping and supervision requirements of Section 40.”

So…we’ve got this hard-and-fast standard in the rule – “all” PSTs must be supervised by the BD.  But, we’ve also got this squishy interpretation that says it is NOT all PSTs, only those where the DRR “participates in the execution.”  THIS is the gray area that NASD created, which it never remedied, but teasingly proposed to fix in Reg Notice 18-08, in which poor Cetera found itself.

What, exactly, did Cetera do?  According to the AWC, “[f]rom January 2011 through December 2018, [Cetera] failed to establish, maintain and enforce a supervisory system and written supervisory procedures reasonably designed to supervise certain private securities transactions conducted by their dually-registered representatives (DRRs) at unaffiliated or ‘outside’ registered investments advisors (RIAs).”  Why did Cetera get picked on FINRA?  That’s easy: the AWC provides that Cetera underwent three SEC exams between 2013 and 2017 in which findings were made about this issue, but the firm failed to take adequate remedial measures.  FINRA had no choice, it seems, but to reluctantly step in and enforce its own fuzzy standard, just to be able to look the SEC in the eye.  In other words, Cetera paid the price for FINRA waiting 25 years to try to fix a problem that it created…and then quietly pretending that it hadn’t.  And speaking of price…how the heck did this possibly become a $1 million problem?  For a firm that has NO relevant disciplinary history?  Seems to me like FINRA trying to show the SEC something.

Ok, back to my soap box.

So, why has FINRA failed to act on the 18-08 proposal?  Let’s say I have my theory.  To start, let’s take notice of the fact that the rule proposal garnered 51 comments.  That may not be the indoor record, but it’s a lot.  I have gone through them, so you can spare yourself that exercise.  Nearly without exception (for some reason, Raymond James didn’t seem to like the rule), the industry was strongly in favor of it.  Just as a for instance, Fortune Financial Services wrote that NTM 94-44 and 96-33 were “both confusing and difficult to implement without providing any meaningful investor protection.”  Foreside noted that implementation of the proposal “will dramatically save costs and reduce a firm’s administrative and regulatory burden.”  I could go on, but you get the point.

The rule proposal – from the perspective of FINRA’s members – was a fantastic idea.  And for good reason: it saves BDs from having to try and supervise activities which they have limited, if any, access to or ability to control,[1] yet without adding any regulatory risk – given that the activities of the IARRs away from the BDs are already subject to the supervision of the particular RIA with which they are associated, under the watchful regulatory eyes of either the states or the SEC (depending on the size of the RIA).  I mean, who needs FINRA to butt into the existing supervisory scheme of an RIA that seems to be working ok on its own?

Well, guess who didn’t like the rule proposal?  Yes, that’s right, PIABA condemned it, dramatically claiming that FINRA was “contemplating the evisceration of crucial protections that have been in place for decades to safeguard investors against investment schemes!”  Ironically, and in apparent total disregard for the mess that 94-44 and 96-33 actually created, PIABA insisted that adoption of the proposed new rule “would create mass confusion for brokerage firms and registered representatives.”  That’s funny stuff.

So, there you go.  On one side, you have the industry almost entirely lined up in support of the proposed rule. On the other side, you have PIABA arguing that the rule would be bad.  Given that dynamic, who do you think FINRA is going to listen to?  You don’t have to guess, of course.  FINRA’s three-year-and-counting failure to follow through on its eminently reasonable rule proposal tells you all you need to know.  And, as I stated earlier, it’s not just FINRA’s failure to follow through on the rule proposal that is so aggravating, it’s the fact that FINRA has the temerity to nick Cetera for $1 million for failing to meet the needless and fuzzy standards that FINRA attempted to articulate in 94-44 and 96-33.

 

 

[1] As an example of this, the AWC points out that for years, Cetera did not receive “transaction data for its DRRs’ outside securities . . . and, thus, did not have the information necessary to reasonably supervise its outside RIA transactions. And even after [Cetera] began receiving transaction data, it did not receive the customer-specific account information to satisfy its supervisory obligations including, but not limited to, a suitability review.”

FYI, in February, Ulmer & Berne will be hosting a series of webinars on the following: FINRA Expungement: Rule Changes and Updates on Tuesday, February 9 2:00 PM EST; SEC Update: Reg BI, Enforcement Activity, and the Willfulness Standard on Thursday, February 11, 2021 at 2:00 PM EST; Data Protection & Cybersecurity Challenges for Financial Institutions in 2021 on Wednesday, February 17, 2021 at 2:00 PM EST; and FINRA 2021: What to Expect on Wednesday, February 24, 2021 at 2:00 PM EST.  (I will be co-presenting this last one, fair warning.)  If you are interested in attending any or all of them, here is the unique registration link you can use:   

https://event.on24.com/wcc/r/2961937/69BFE2596E50DB183919821DB15AF4AA/1819854

A long time ago, long before there existed any whistleblower statutes, I had a client – a CCO of a broker-dealer – who discovered some pretty funky trading at his firm.  As he tells the story, when he went to see his boss (who was the owner of the firm) to report his troubling discovery, the owner sidled out from behind his desk, and casually unbuttoned his suitcoat, deliberately revealing the handgun he had strapped to his belt, and told my guy, basically, that he must be mistaken about those trades.  My client took the not-so-subtle hint and bid a hasty adieu and said not another word.  But, from that day forward until the day he was able to find a new job, he carefully documented every trade that made him queasy.  When he finally left, he took with him all that trade data and presented it, wrapped in a bow, to the SEC.  Fast forward: the SEC, as well as the DOJ, brought actions against the owner, and my client was the hero (and star witness).

Cool, true story.  But the same underlying issue for CCOs (and all supervisors, I suppose) still exists today:  what do you do when you come across a situation that raises serious compliance concerns, but which firm management appears to condone?

The answer, according to an SEC settlement from a week ago, is SPEAK UP.  Here are the pertinent facts,[1] as I have pieced them together:

  • Michael Sztrom has been in the securities industry since 1998.
  • In 2015, he tried to associate with Advanced Practice Advisors (“APA”), an RIA.
  • Unfortunately, he couldn’t, due to an open FINRA investigation into his activities at his prior firm, which caused Schwab, APA’s clearing firm, to bar Michael from its platform.
  • Unable to service his clients, Michael had his son, David – a newly minted IARR whose “only prior advisory experience was assisting Michael for five months at [Michael’s prior firm] by performing administrative tasks, such as processing forms and taking notes at meetings – join APA.
  • Michael told APA that he “would serve in the limited role of financial planner to the clients who moved to APA,” but would not serve as their investment advisor.

Well, as you may have guessed, Michael didn’t honor that promise.  Rather, “he continued to provide investment advice to the clients who had followed him from his prior firm to APA and who were supposed to be advised by his son.”  Indeed, there was no formal agreement for Michael to serve as a financial planner to his former advisory clients, he never charged any client to prepare a financial plan, and never actually prepared any such plan.  (Easy to see why the SEC called this supposed financial planner role a “sham.”)

But this isn’t about Michael and David (although you ought to take note that the SEC has filed a complaint against the son and his undisclosed-advisor father); this is about the CCO – the hero of this story but whose name, sadly, is never revealed – and his boss, Paul Spitzer.

Turns out, rather unsurprisingly, if you ask me, that Mr. Spitzer either knew or should have known what Michael was up to.  As the SEC points out, Mr. Spitzer knew

that the father and son shared office space and telephone lines, that all of the APA clients the son worked with had come from his father, and that the son lacked any significant experience and was just learning the business. In addition, Spitzer would often correspond directly with the father, rather than with the Adviser Representative, about things such as advisory fees.

Despite this, Mr. Spitzer did not require that David “maintain separate office space from his father or take other precautionary measures, such as implementing an ethical screen to prevent the Adviser Representative from sharing confidential client information with his father.”

Six months after David joined APA, enter our hero, the new CCO.  He saw that Michael, who was not formally associated with APA, worked in the same office with David, allowing him to access APA client information and advise APA clients.  Moreover, the new CCO was concerned that APA clients might not know that Michael was not formally associated with APA, was not permitted access to APA information and systems, and could not advise clients under APA’s aegis.  He apparently told his boss, Mr. Spitzer, but none of this managed to sway Mr. Spitzer.

And then it got worse.  Schwab called Mr. Spitzer to report that Michael had called and “impersonated his son on at least 38 occasions.”[2]  In recorded calls, some of which David participated in (albeit silently), Michael

identified himself by his son’s name and as a representative of APA, and discussed block trading, warrants trade allocation, and rebalancing APA client accounts. He also asked APA’s clearing broker how to execute a trade for a client and repeatedly provided the clearing broker with the master account number for APA.

When the CCO learned about this, he went to his boss – again – and recommended that Mr. Spitzer fire David.  Mr. Spitzer refused.  Instead, he simply imposed a heightened supervision plan on David, and even though Michael didn’t work for APA, he made Michael sign it, too.  Even then, however, the SEC found that APA and Mr. Spitzer “failed to enforce several of the requirements set forth in that agreement.”

When the dust settled, the SEC brought actions against Mr. Spitzer, APA, Michael and David, but, more to the point of this blog post, NOT against the CCO.  Why not?  Because he (or she?) appears to have brought his concerns about Michael to his boss immediately – i.e., he spotted the red flag – and made recommendations for action to be taken.  (Given that the CCO only made a recommendation to fire David, we can safely presume that he lacked the authority actually to take that action.)  Even though Mr. Spitzer shot down that idea, it gave the CCO the protection he needed when the regulators subsequently came knocking.

Only one thing to add: the importance of documentation.  To become the hero of the story, the CCO here, like my client many years ago, had to have the documents to back up what he told the SEC happened.  When he discovered the odd situation with David and Michael, I am willing to bet he memorialized his findings.  When he recommended that the firm let David go, I bet there’s an email, at a minimum, that corroborates this.  The lesson is clear: no matter that it’s obviously a CYA moment, it is critical to take the steps necessary to protect yourself, and this typically means creating a document.  An email is good, especially because they are automatically preserved.  A memo to the file.  An entry on a calendar.  Frankly, anything is better than nothing.  Remember: no matter how credible you think you are, no matter how clean your record, no matter how long you’ve been in the industry, in the eyes of a regulator, you didn’t do anything unless there’s a document that proves you did.

[1] The facts that I lifted from the settlement can safely be called facts; those that come from the SEC complaint should be understood to be mere allegations, for now.

[2] To Schwab’s credit, when it “discovered Michael’s deception, it immediately terminated David’s access to its platform and gave all of the APA clients 90 days to either find an investment adviser other than APA or move their brokerage accounts to another brokerage firm.”

Historically, one of the surest ways to get yourself permanently barred from the industry is to forge a customer’s signature on something.  According to the pertinent Sanction Guideline, at a minimum, a forgery, that is, a true forgery – a signature that is neither authorized nor subsequently ratified by the customer – should result in suspension of two months to two years, but, where the forgery is “in furtherance of another violation, result[s] in customer harm or [is] accompanied by significant aggravating factors,” “a bar is standard.”  And that doesn’t count the fine of $5K – $155K.

FINRA recently issued an AWC that involved what I just called “true” forgery, however, that suggests, at least under certain circumstances, that unhappy outcome might be avoidable.

The facts of this case are pretty concise:

  • Timothy Joseph has been in the securities industry as a Series 6 for almost 20 years, with one firm – First Command Brokerage Services, Inc. – and with no disciplinary history.
  • In August 2019, Mr. Joseph met with a customer regarding opening two accounts with the firm’s investment advisor affiliate.
  • After meeting with the customer again in September 2019, Mr. Joseph electronically affixed her signature to the account opening documents, causing assets to be transferred from her firm account to the new advisory accounts.
  • When the customer learned that the advisory accounts were opened, she immediately complained that she had not signed anything to open those accounts, digitally or otherwise, and instructed Mr. Joseph to reverse the transactions.
  • Joseph reported his customer’s complaint to First Command (resulting in a disclosure on his Form U-4), which reversed the transactions.
  • In that same month, Mr. Joseph also electronically affixed the signatures of:
    • two other customers to advisory account opening documents,
    • one customer to four IRA distribution forms, and
    • five other customers to ACH authorization agreements.
  • Although none of these other customers initially authorized Mr. Joseph to electronically affix their signatures, they all subsequently approved the transactions.
  • When First Command learned of Mr. Joseph’s conduct, the Firm disciplined him by, “among other things”:
    • fining him $10,000
    • assigning him additional (but undescribed) training.
  • FINRA fined Mr. Joseph nothing, but merely suspended him for 45 business days.
  • FINRA learned about this when First Command reported the incident in a Rule 4530 filing.

Let’s, as they say, unpack this.

First, as I said, at least with regard to the first customer, the one who complained, this was a true forgery.  Not an “accommodation forgery,” which was highlighted in FINRA’s 2019 Exam Findings Report and defined as “where registered representatives and associated persons asked customers to sign blank, partial or incomplete documents.”  Also not a “falsification of records,” which is what FINRA sometimes charges in cases of accommodation forgery.  No, this was true forgery.

Moreover, in light of the fact that the customer not only complained of the forgery but instructed that the transactions at issue – the establishment of advisory accounts and the transfer of assets to those accounts from her brokerage account – be reversed, it seems pretty logical to conclude that the transactions were not authorized.  In other words, Mr. Joseph’s forgeries were “in furtherance of another violation,” i.e., the unauthorized trades.

Based on the Sanction Guideline, therefore, as well as about a million prior FINRA settlements for forgery (and unauthorized trading), Mr. Joseph ought to have been barred.  Yet, he wasn’t; he only got suspended for about two months.  On top of that, he was not made to pay a fine in addition to the $10K he paid his BD.  All in all, this was a pretty tepid response by FINRA.  Why?

I can mostly speculate, of course, since there’s not much to work from in the AWC itself, except when it comes to the fine.  In the AWC, FINRA states that it “considered that First Command fined Joseph $10,000,” so we know that this is why Mr. Joseph didn’t have to pay anything additional.  The odd part is how infrequently this happens.  The General Principles Applicable to All Sanction Determinations that serve as a preface to all the specific Sanction Guidelines include this admonition:  “Where appropriate, Adjudicators should consider . . . previous corrective action imposed by a firm on an individual respondent based on the same conduct.”  It goes on to provide that a “firm-imposed fine or suspension is most comparable to FINRA-imposed sanctions when FINRA’s sanctions would have also included a fine or suspension, and Adjudicators should consider according some mitigative weight where these firm-imposed sanctions have already been fully satisfied by a respondent.”

Note the many waffle words and phrases FINRA tosses about here.  “Should consider,” not “shall consider” or “must consider” or some other mandatory, not precatory, language. “Where appropriate,” without bothering to tell us when it would, and wouldn’t, be appropriate.  “Some mitigative weight.”  Does that mean a dollar-for-dollar reduction?  A 50-cents-on-the-dollar reduction?  No reduction?  I get that the Sanction Guidelines are just that, guidelines that can be followed or ignored, but it is troubling that the deliberate flexibility that the Sanction Guidelines provide to FINRA make it extremely difficult to be able to predict how a case will be charged and how it will be resolved.  There is no reason that internal sanctions meted out by BDs should ever be disregarded by FINRA, but often they are.  And while I am happy that Mr. Joseph avoided paying two fines, I am just not sure why he got so lucky.

But that’s small potatoes to the big issue here: why was he not barred?  The facts here – one instance of true forgery coupled with eight more instances of accommodation forgery – strongly suggest that this was egregious misconduct, mandating a bar.  Or, if not a bar, something more than the short suspension he received.  It is frustrating that more facts are not supplied, because I guarantee you that the first time I attempt to use this AWC as persuasive precedent that some client of mine ought not to be barred for forging a customer’s name, FINRA will tell me that, oh, there were “unique circumstances” in Mr. Joseph’s case, so we should just ignore it.

The other thing worth discussing is the fact that in addition to reporting the customer complaint on Mr. Joseph’s Form U-4, First Command also filed a 4530 report about this.  That rule requires a BD to report within 30 days when “an associated person of the member . . . is the subject of any written customer complaint involving allegations of . . . forgery,” and also when “an associated person of the member is the subject of any disciplinary action taken by the member involving . . . the imposition of fines in excess of $2,500,” both of which appear to have happened here.[1]  So, First Command had no choice but to make its 4530 report.

But it did, it appears to have done so in a timely manner, and (whether or not you agree it was adequate) it took prompt action to address Mr. Joseph’s misconduct.  I am hardly saying that this was anywhere near the sort of above-and-beyond self-reporting behavior that garners credit from FINRA, but you can’t argue with the outcome.  No supervisory nick against the firm or Mr. Joseph’s direct supervisor, and Mr. Joseph escaped with not much more than a wrist slap for behavior that has cost countless others their careers.  Yes, two and two doesn’t always equal four, but I think here the results had to have been dictated, at least in part, by the fact that First Command took quick, demonstrable steps in response to a pretty big red flag and presented FINRA with a done-deal.  Something everyone should think about doing when presented with similar circumstances.

 

 

 

[1] Pursuant to 4530(e), a 4530 report is not required in addition to a U-4 amendment disclosing a customer complaint, but it is required to disclose the internal discipline that a firm takes.

LPL may be the biggest BD in the country, with 21,500 reps operating out of almost 13,000 branch offices.  Heaven knows how much money it brings in every year, but, goodness, it must be a lot.  And good thing, too, given how much the firm keeps paying to FINRA in fines for its serial, repeated, and egregious supervisory failures.

A week or so week ago, LPL kept its string of massive supervisory fines intact with a $6.5 million AWC.  I will get to the details, of course, but, for starters, let’s take note of the following:

  • In the “Relevant Disciplinary History” section of the AWC, FINRA identified three prior AWCs, dating back only five years, with fines totaling almost $12 million
  • For some reason, however, FINRA left out of that section another supervisory AWC, from 2013, in which LPL paid a $7.5 million fine for its failure to retain (and review) emails…which sort of sounds like the very problem that is the subject of the latest AWC
  • According to the firm’s BrokerCheck report, and as I pointed out in a blog post from a year ago, LPL “has 253 total disclosures, of which 175 are regulatory events, perhaps 20 or more of which involved a supervisory violation”
  • No individuals were named in this AWC, or in any of the three prior AWCs that FINRA mentions in the new AWC, or in the 2013 AWC that FINRA omitted (and without going through all of the 20 or so other supervisory cases, I would venture to speculate that no individual was named in them, either, although I am happy to be proven wrong by anyone with the inclination to review all those cases).

I am guessing that given these initial observations (well, and, perhaps, the title of this piece), you can deduce what I am thinking:  if you happen to be a firm that is big enough, with enough money, to pay FINRA millions and millions of dollars, year after year, for repeated supervisory violations, a firm whose CEO maybe sat on the FINRA Board of Governors not too long ago, you can happily remain in business no matter how pervasive the problems seem to be, and no one in management will be held personally accountable.  This is not conjecture.  This is fact.  All you have to do is read LPL’s BrokerCheck report, read the AWCs, and you will see for yourself the kinds of violations the firm has committed, the amount of fines it has paid, and who has NOT been named as respondents.

Can it be any wonder that small firms see this AWC and gnash their collective teeth in anger over the disparate treatment they receive?  Just look at my most recent blog post, about a FINRA AWC for Worden Capital Management for supervisory failures.  Guess who was also named as a respondent, as a result of the conclusion that he was personally responsible for the unreasonable WSPs?  That’s right, Jaime Worden, the firm’s owner and CEO.  Neither Mr. Worden or his firm had any relevant disciplinary history leading up to that AWC, quite unlike LPL, yet FINRA was comfortable naming him along with the BD.  And that is just one example.  The list goes on, and on, and on.[1]

Well, with that off my chest, let’s talk a look at LPL’s latest supervisory cluster.  There are actually three components to the firm’s failure to meet its regulatory obligations: record retention, fingerprinting and screening of associated persons, and supervision of consolidated reports.  I will take them one at a time.

Regarding record retention, for over five years – a time period that, incidentally, overlaps with prior AWCs – from January 2014 to September 2019, LPL failed “to retain electronic records in the required format, preserve certain electronic records, and notify FINRA prior to employing electronic storage media.”  That failure “affected at least 87 million records and led to the permanent deletion of over 1.5 million customer communications maintained by a third-party data vendor,” including “mutual fund switch letters, 36-Month Letters, and wire transfer confirmations.”  This bit about the third-party vendor is my favorite part of the AWC:

In August 2017, after FINRA requested certain customer letters that LPL could not locate, LPL contacted Vendor A in an attempt to locate them. Vendor A informed LPL that about 500,000 customer communications, including the letters, had been deleted because Vendor A placed them in a temporary storage location from which records were automatically deleted after one year. Subsequently, LPL did not take reasonable steps to verify that Vendor A migrated the other documents remaining in the temporary storage location to an appropriate location. Therefore, on October 26, 2018, Vendor A discovered that the migration did not occur and that approximately one million additional LPL customer communications had been deleted.

Whoops.  In addition, LPL also “failed to send account notices that are required to be sent to customers at 36-month intervals for each account in which a suitability determination had been made.”  This one impacted over one million customers.

Regarding the fingerprint problem, from January 2014 through the present, LPL failed to obtain fingerprints for more than 7,000 non-registered associated persons.  Because these associated persons were not fingerprinted, LPL did not screen them to determine whether any individual was subject to a statutory disqualification.  As part of the remediation efforts that the firm commenced, it determined that approximately 5,000 of the individuals were no longer associated with LPL, so it could not obtain their fingerprints or determine if they were subject to statutory disqualification.  5,000!

Of course, the AWC also provides that LPL actually did get the fingerprints for one guy, properly sent them to FINRA for review, and received a notice back that he was SD’d, which should have resulted in either (1) him being terminated, (2) the firm filing a BDW, or (3) the firm filing an MC-400.  LPL, however, boldly chose a fourth option: do nothing, and let the guy continue to work there for 2 ½ years.  I wish my small firm clients got that choice!

The final aspect of LPL’s supervisory failures relates to consolidated reports, “a document that combines information about most or all of a customer’s financial holdings, including assets held away from the firm.”  FINRA has previously expressed its concerns about the use of consolidated reports in Reg Notice 10-19.  I don’t want to get into the weeds here, but the concern was, basically, that consolidated reports create “the potential for communicating inaccurate, confusing, or misleading information to customers” because a BD may not “test or otherwise validate data” for assets that appear on such reports that are held away from the BD.

LPL got in trouble with FINRA in 2015 for not reasonably supervising consolidated reports, and so it told its RRs who wanted to use such reports that they could use only “LPL proprietary systems or specific, approved third-party vendors.”  Good move…but not good enough.  For five years, LPL still messed up in a number of ways:

  • While a copy of a finalized consolidated report was sent automatically to LPL to review and validate the information, RRs could also generate draft reports, which were not sent to LPL or reviewed by the firm. LPL does not know how many draft consolidated reports – including drafts containing manually-added values – its RRs sent to customers.
  • Although LPL’s WSPs required the firm to “review and validate” all manually entered valuations for “securities-related assets,” including retirement or brokerage accounts held away from LPL, private placements, or variable annuities, in practice, LPL only reviewed manually-entered assets if the RRs specifically characterized the assets as “securities-related.” If the RR said the manually-added assets was not a security, LPL didn’t review it.
  • Two of LPL’s vendors gave customers direct access to their consolidated reports without LPL’s knowledge or review. Although LPL could not quantify the problem, the AWC states that “at least 9,000 customers accessed one of the third-party vendors’ portals in one year alone.”
  • Three of LPL’s approved third-party vendors provided RRs the option of receiving consolidated reports directly, which the firm failed to supervise entirely.
  • Two of the approved vendors allowed RRs to export consolidated reports to Microsoft Excel files, after which the RRs could manually alter the reports. LPL was unaware of this, and therefore did not receive, much less review, those reports or any exported Excel files.
  • Finally, one approved third-party vendor enabled RRs to direct that emails be sent to customers that contained hyperlinks to consolidated reports. LPL was unaware that the vendor provided this service and therefore did not review any consolidated reports that its representatives disseminated in this manner.

I don’t mean to single LPL out here, but when confronted with this AWC, the big firm vs. small firm problem was too much to ignore.  LPL’s supervisory issues are serious.  Despite repeated representations to FINRA that the firm was prepared to do whatever it takes to remedy the problem and avoid a recurrence, that seems simply not to be true.  Either LPL is, in fact, not taking its supervisory obligations seriously (because it knows it can afford to write the next multi-million-dollar check to FINRA), or it is simply too big, with too many RRs, to reasonably supervise them all despite its best efforts.  Either way, one needs to ask whether this should be permitted to continue as it has for all these years.

Update:  Just to show that LPL is not the exception, a couple of days ago, FINRA released another AWC, this one from Goldman Sachs, with similar violations and a $1.25 million fine, and, of course, no individuals being named.  Specifically, FINRA found that “[b]etween January 2015 and November 2019, . . . Goldman failed to timely fingerprint at least 1,061 non-registered associated individuals. The Firm was unable to determine whether it timely fingerprinted an additional 4,089 non-registered associated persons because it failed to locate any documentation reflecting that the Firm fingerprinted these individuals. In addition, the Firm failed to maintain fingerprint records for an additional 466 non-registered associated persons whom the Firm did fingerprint. Separately, between April 2018 and November 2019, Goldman permitted two nonregistered associated persons, who were subject to statutory disqualification, to associate with the Firm.”

Double Bonus Update:  Today, FINRA announced another AWC, this time from HSBC.  Same issue, basically.  Over a period of 8+ years, HSBC failed to fingerprint and screen for possible disqualification 2,191 non-registered persons.  HSBC was only made to pay $650,000, however, a mere pittance, because FINRA gave the firm credit for self-reporting and remediating the problem on its own.  Man, is this a money-maker for FINRA or what??

[1] It is worth contrasting this, at least in a footnote, to other regulators.  I read just last week that the OCC, the Office of the Comptroller of the Currency, fined the former GC of Wells Fargo $3.5 million “for his role in Wells Fargo Bank, N.A.’s systemic sales practices misconduct.”  Mr. Strother was the SIXTH individual manager named by the OCC for some responsibility for the scandal involving the creation of millions of fake bank accounts.

I apologize for taking so long between posts, but, to be fair, there’s been a lot going on in the past week or so that has captured my attention!  I wish everyone a happy and SAFE new year! – Alan

While undoubtedly FINRA will be issuing its annual “examination priorities” letter any day now, that is hardly the best way to figure out exactly what FINRA is paying attention to now (as that letter kind of reads the same, year after year).  Rather, it is much more effective to read the results of the latest Enforcement actions.  That will really tell you the kinds of cases that FINRA is bringing, the kinds of respondents it is naming, and the sort of sanctions it is meting out.

There have a bunch of interesting cases of late, and I intend to get to them all eventually, but I thought I would start with this AWC from New Year’s Eve, a churning mess involving Worden Capital Management and its owner, Jamie Worden.  I realize that I just posted a piece about churning in November, but this case merits its own attention.

According to the summary, for about a 4-and-1/2-year period, the firm and Mr. Worden

failed to establish, maintain, and enforce a supervisory system, including written supervisory procedures (WSPs), reasonably designed to achieve compliance with FINRA’s suitability rule as it pertains to excessive trading.  As a result, WCM registered representatives made unsuitable recommendations and excessively traded customer accounts, causing customers to incur more than $1.2 million in commissions.

Let’s explore what happened.

First of all, you should know that the bulk of the firm’s business consisted of “registered representatives recommending active short-term trading to retail customers with speculative investment objectives.”  Given that, and given the fact that Rule 3110 mandates that a firm’s WSPs must be specifically tailored to the kinds of business that it actually conducts, it seems pretty dang clear that the suitability section of WCM’s WSPs should have contained a pretty hefty portion devoted to the supervision of churning, a/k/a quantitative unsuitability.

Well, not so much.  Turns out that the WSPs were, in fact, pretty skimpy where it mattered.

First, while the WSPs appropriately noted “that factors such as the turnover rate, the cost-to-equity ratio, and in-and-out trading might be indicative of a suitability violation,” they “did not define those terms.”  Second, and worse, the WSPs “also failed to explain what actions to take when supervisors and principals observed such activity.”  Finally, “although branch managers were responsible for supervising trading activity at their assigned branches, the WSPs were silent on how they should perform that supervision.”

In other words, the WSPs not only failed to describe what supervisors should have been looking for, they also failed to detail how the supervisors should have been conducting such reviews, or what to do if they actually found a problem.  0 for 3.

The AWC goes on to describe the ways that WCM did attempt to keep any eye out for churning, but, as you will see, they were so patently insufficient that FINRA found that they “were individually and collectively unreasonable.”

The principal unreasonable thing that the firm did was not provide its supervisors with the proper tools they needed to perform their job.  WCM supplied its branch managers daily trade blotters.  But, because the blotters “were not designed to flag excessive activity,” they didn’t contain the typical data one needs to spot churning.  Some branch managers were alert enough to independently calculate the cost-to-equity ratios – which, according to the AWC, “revealed high levels of trading activity in customer accounts” – but they failed to take reasonable steps to address what they discovered.

Apparently, WCM also used a Monthly Active Account Report, which “flagged customer accounts meeting certain thresholds such as high commission-to-equity ratios, high volume of trades, and losses greater than 20% of an account’s equity during the month.”  Wow, sounds great, right?  Indeed, the report “routinely flagged dozens of customer accounts each month.”  Even better, the report is doing what it was designed to do!

Sadly, even a good report is useless if you ignore it, or don’t understand it.

Here, Mr. Worden delegated a guy to review the report, but, alas, Mr. Worden failed to train him how to read it.  As a result, the poor delegate “could not define or calculate a cost-to-equity ratio or turnover rate.”  Thus, even though the report generated “high cost-to-equity ratios and turnover rates to identify potentially violative conduct,” that data was meaningless to the supervisor, who “wrongly assumed all active trading was suitable for customers with a speculative investment objective.”

Take, for example, the March 2017 Monthly Report.  It flagged 91 accounts, approximately 10% of all firm accounts that traded during that month.  Those accounts – which appeared on the report multiple times – “should have attracted scrutiny because the accounts had (1) annualized cost-to-equity ratios and turnover rates well above the traditional guideposts of 20% and 6, respectively, (2) large numbers of transactions and high commissions, and (3) substantial losses.”  Unfortunately, there was no such scrutiny.

Finally, it is particularly instructive to note that the AWC takes the delegate to task for the activity letter (or happiness, or comfort letter, as some refer to it) that he sent to flagged customers.  Rather than telling them in clear terms that their accounts were potentially being churned, his letter “merely stated that the firm ‘trust[ed]’ customers were receiving ‘trade confirmations and monthly statements on a timely basis and are reviewing them for accuracy.’”  This comports with the advice that I have been giving for decades, that it is actually worse to send a BS activity letter than not to send anything.  If you are going to notify a customer that his or her account has exceeded one or more objective criteria consistent with excessive trading, you need actually to spell out the numbers.  While such a letter is, obviously, more likely to induce the recipient to conclude his account has been mishandled,[1] at least you will get some credit with the regulator (and, perhaps, an arbitration panel) when it comes to the supervisory aspect of the case.

Compounding his problem, Mr. Worden also failed to ensure that his delegate was actually conducting the review.  And, in a triumvirate of supervisory failures, “although Worden had access to the Monthly Reports and occasionally reviewed the reports [himself], he never acted on the dozens of accounts that routinely were flagged because he believed active trading was suitable for speculative customers.”  Indeed, to the contrary, Mr. Worden “rejected the CCO’s recommendation that at least four representatives be disciplined for unsuitable recommendations.”

As for sanctions, as ugly as these supervisory problems appear to have been, and despite the fact the AWC also includes violations of two other rules, one relating to a plan by Mr. Worden and the firm to interfere with 288 customers’ efforts to transfer their accounts from WCM to another BD, and another involving the firm’s failure to timely disclose customer arbitrations on Forms U-4 and U-5, they don’t appear to be too bad.  Sure, there’s the hefty restitution piece – to the tune of $1.2 million – that we have come to expect to see under Jessica Hopper’s reign as head of Enforcement – but Mr. Worden got slapped with a mere $15,000 fine, a measly three-week suspension in all capacities, and a three-month supervisory suspension.  The firm got a $350,000 fine.  Not cheap, but not horrible, under the circumstances.

What are the lessons we can glean from this New Year’s Eve settlement?

  • Make sure your WSPs are specific to your business.
  • Make sure the principals to whom you delegate supervisory responsibilities are properly qualified, by training and/or pertinent experience, to do the job.
  • After you delegate supervisory responsibilities, take steps – demonstrable, provable steps – to follow up and ensure that they are, in fact, doing what they are supposed to be doing.
  • Provide your delegates with the tools to do their job. Spring for the exception reports that your clearing firm offers.
  • Don’t play games with your customers. If you are going to go to the trouble of sending them a letter about their account activity, make it meaningful.
  • If you do something wrong, and it costs your clients money, pay it back to them. Do it before FINRA makes you.

[1] As proof of this point, the AWC recites that “WCM briefly implemented a more detailed active account letter that reflected, among other things, the amount of commissions paid by the customer and the number of transactions,” but “the firm ceased using this letter after one month because it caused customers to express concerns about their accounts.”  Ha!

Happy Holidays, everyone!  Since you’re all just sitting home with plenty of time on your hands, it is the perfect opportunity to enjoy this post from my colleague Denise Fesdjian, about the SEC’s new marketing rule for RIAs. – Alan

“The SEC score(s) one for the digital age.” These are the words of SEC Commissioner Heist, though, not my own. After a nearly year-long comment period, the SEC announced last week that it was replacing its former advertising and cash solicitation rules with a single, streamlined merged marketing rule. The former advertising rule has not been updated since 1961, back in the Mad Men era of advertising. Recognizing that social media and other digital communications play a significant role in current advertising practices, the SEC agreed that investment advisers can now use such methods as social media, third-party ratings, and testimonials for their marketing.

At first, the expanded marketing rule sounds promising for investment advisers looking to take advantage of the Amazon age of online reviews and ratings. While some industry leaders applaud the long-awaited rule update, the SEC does not shy away from the fact that its new marketing rule is meant to serve the agency’s real raison d’être: investor protection. Indeed, the SEC makes it clear throughout the final rule that since marketing practices have a higher risk of being fraudulent, the rule’s real purpose is to ensure investor protection, rather than to “score one for the digital age.”

To further its regulatory goal within the new rule, the SEC imposes a set of seven “principles-based” prohibitions (which largely mirror the anti-fraud provisions of the Advisers Act) that apply to all advertisements under the rule. The SEC also sets out three types of regulated marketing practices under the rule: (1) testimonials and endorsements; (2) third-party ratings; and (3) performance advertising, which are all subject to stringent disclosures and other requirements.

To better understand the magnitude of the new marketing rule, I rely on what the SEC has to say about it: “we estimate that all investment advisers will disseminate at least one communication that meets the rule’s definition of ‘advertisement’ and therefore be subject to the requirements of the marketing rule.” The SEC’s near-guarantee that “100 percent of investment advisers” will communicate to an investor in a way that invokes the new marketing rule speaks volumes as to its breadth.

In addition to the rule’s broad application and onerous disclosure requirements, the SEC also updated related requirements under its Form ADV and books and records rules, adding a higher compliance burden on firms. For instance, the new recordkeeping requirement now applies to all advertisements (instead of only to those made to ten persons or more under the old rule).

The final rule also includes an oversight and compliance provision that requires an investment adviser to have a reasonable basis for complying with certain elements of the rule to “address the accuracy of disclosures made to investors.” Collectively, these oversight activities, recordkeeping obligations, and disclosure requirements come at a cost, and not just to investment advisers, but also to the very investors the SEC seeks to protect. As the SEC admits, “although the direct costs of advertisements would be borne by the investment adviser, it is possible that some portion of the costs of advertisements will be indirectly borne by investors. As a result, investments in advertisements may result in higher fees for investors.” And since the SEC expects that “100 percent” of investment advisers will engage in some activity regulated by the new rule, it is likely that nearly every investor will bear the costs of compliance with this rule.

The SEC provides an 18-month grace period for firms to adapt to these new changes once the rule goes into effect. It will be interesting to see how investment advisers will avail themselves of the new marketing rule considering the cumbersome restrictions imposed on them. While I was initially idealistic about the new marketing rule, it seems that the SEC’s attempt to modernize advertising practices falls short of the millennial style of digital advertising I was hoping for.

Not too long ago, I posted a blog complaining that FINRA’s Nominating Committee had basically abdicated its responsibility to identify suitable candidates for certain seats on FINRA’s Board.  Perhaps not surprisingly, I never heard – from anyone, but least of all FINRA itself – why the Nominating Committee had punted.  But, I put my head down and went on with my life, such as it is these days, content merely – as my law school professors would say – to have spotted the issue.

Until yesterday.  Yesterday I got my weekly email from FINRA announcing the results of elections to fill seats on certain Regional Committees, the Small Firm Advisory Committee (SFAC), and the National Adjudicatory Council (NAC).  The email had a link to the December 15 Election Notice, so, cleverly, I checked that out.

According to that Notice, in five of FINRA’s Districts, specifically, District 1 (San Francisco), District 3 (Denver), District 5 (New Orleans), District 6 (Dallas), and District 10 (New York) – there were still empty seats after the election.  Seats for which, according to the Notice, “appointees [were] being identified.”  Huh?  That is really odd.  Helpfully, there was a footnote in the Notice, and it explained that “[i]ndividuals are being identified for appointment to the Regional Committee seats for which no individuals self-nominated.”  In other words, no one wanted the job.

In addition, the Notice reported that while someone appeared to have won election for the Midwest Region seat on the SFAC, in fact, that was not the case; indeed, there was no election.  According to a footnote, “[n]ormally, the SFAC Midwest seat is an elected position; however, since no candidates came forward to run for election for this seat, FINRA filled this vacancy by appointment.”

Finally, in two of the so-called elections – for the two Large Firm NAC Member seats and the one Small Firm NAC member seat – while (yay) there were actual nominees for those seats, the races “were uncontested,” so FINRA didn’t bother actually to mail ballots to anyone and simply appointed the nominees.

I don’t know about you, but I find all of this extremely concerning.  Not just for FINRA, but for the industry, and its future.  What does it mean when no one is interested enough to bother to serve on a FINRA committee?  It was NEVER like this back in the day.  There was always a surplus of qualified candidates eager to serve on the committees; indeed, it was often a challenge for the nominating committee to winnow down the candidates to a manageable number.  Not anymore, apparently.

I think the obvious and easy answer to my question is simply that no one wants to waste their time doing something that is pointless.  Or thankless.  Or will do nothing other than cause you frustration and aggravation.  FINRA is, of course, a self-regulatory organization, meaning that, by statute, it exists at the pleasure of the industry members whom it regulates.  But, no one really believes that anymore.  No one believes that FINRA is truly interested in serving its member firms.  To the contrary, the commonly held view is that FINRA doesn’t much care for its members, particularly small firms (who still comprise a majority of FINRA’s membership).  And it demonstrates this in the often heavy-handed manner in which it runs its Enforcement program.  Or by passing onerous and complex rules that are difficult and expensive to comply with, especially by small firms.  Or by listening more closely to the concerns of lawyers whose job it is to sue broker-dealers than to BDs themselves.

What this means, in short, is that industry members know that their voices are not being heard by FINRA management, so what’s the point?   And that’s a terrible shame.  I have encouraged many people over the years to volunteer to serve on FINRA committees, particularly a national committee like the NAC.  And the reason I do so is that I believe that change needs to come from within FINRA, from the industry people who sit on committees, and can provide real-world perspectives to the non-industry people on those same committees.  If industry people have concluded that it doesn’t really matter what they think, or what they say, because FINRA is simply going to do what FINRA is going to do, then the future is bleak indeed.

There is a little corner of the FINRA world that most people never have the need or desire to visit, and that’s the not-so-quaint village of statutory disqualification.  SD, for short.  I have written about this sad place many times, mostly about those poor souls who manage to end up here through confusion, or, too often, reliance on bad legal advice, and who discover – too late – that it is impossible to leave.  Like the Roach Motel, where “roaches check in, but they can’t check out.”  Or Gilead, for you Handmaid’s Tale fans.  Or, in the spirit of the Season, the Island of Misfit Toys.  Safely navigating away from SD can be a procedural nightmare, as the rules are complex and hardly intuitive.

But all trips to SD start with the same event: a determination by FINRA staff that you are, in fact, statutorily disqualified.  It comes in a letter addressed to your BD.  It recites, basically, that because you are SD’d, the BD has a few weeks within which to choose one of three options, none of which is particularly attractive:

  • Fire you
  • File a Form BDW (because a BD is not permitted to associate with an individual who’s SD’d; to do so renders the firm SD’d, too, thus necessitating the withdrawl from FINRA membership)
  • File an MC-400 (to seek permission to remain a FINRA member firm notwithstanding the fact that you are SD’d)

If your firm agrees to file the MC-400, there is long, complicated, expensive process that ensues.  FINRA staff have the authority to approve, but not reject, an MC-400 application.  So, in a best case scenario, some months after the MC-400 is filed you learn that it’s been accepted, and you can avoid being fired.  If, on the other hand, FINRA staff is disinclined to approve the application, they will notify the BD, providing it the opportunity to withdraw the application.  Most firms opt for this.  If it is not withdrawn, then the process culminates in an evidentiary hearing before a two-person hearing panel representing the NAC’s SD Subcommittee.

Once that first letter is received, there is nothing to stop the SD train from rumbling down the tracks to its eventual (but yet undetermined) destination.  This is true even in those circumstances where there is some question whether or not FINRA is correct that there has been an SD trigger.  Indeed, sometimes it is not so clear.  Take one case I had, as an example.  The SD statute states that any felony conviction results in an SD.  But, what happens if a convicted felon manages, under state law, to have the conviction expunged?  The fact is, in some states, the result is that the conviction goes away completely, as if it never happened in the first place.  In other states, however, it only goes away partially.  This can result in a debate over whether or not someone who obtains an expungement of their criminal record is truly SD’d.

The problem is, as the rule is presently structured, apart from attempting to engage in a dialogue with the people that run the SD program at FINRA (who, by the way, are really nice and normal and seem truly to care about getting the right result), there is no formal, official mechanism to immediately challenge the determination that you are SD’d.  Rather, the only way to go about doing that is to go through the full-blown MC-400 process and try to convince the hearing panel that FINRA staff erred.  That is expensive and time-consuming, and incredibly inefficient.

Well, wonder of wonders, it seems that FINRA management has recognized this.  I was excited to learn that at its December Board meeting, FINRA approved a “Proposal to Establish a Process to Appeal Staff Statutory Disqualification Determinations.”  Specifically,

[t]he Board approved the filing with the SEC proposed amendments to the FINRA Rule 9000 Series to establish a process to appeal statutory disqualification determinations made by FINRA staff.  The new process would provide individuals with the ability to challenge a FINRA decision that the person is subject to a statutory disqualification, without needing the support of a firm to do so.

There are two important things to observe here.

First, as noted, it is encouraging to see that FINRA has acknowledged that there is a hole in its current process, a hole that forces individuals who want to contest the threshold determination that they are SD’d to go through the entire MC-400 process.  This is the very sort of hole in the Rule 8210 process I have been complaining about for years, i.e., that in order to challenge the validity of an 8210 request for documents and information, one must become a respondent in an Enforcement complaint, and take the matter to a hearing (with the knowledge that an adverse outcome results in a permanent bar).  I am pleased anytime FINRA tries to make improvements to its administrative scheme that same time and money.

Second, note the last sentence: under the proposal, if you are SD’d, you can file the application yourself.  That saves you from the always-awkward, mostly unsuccessful conversation with management of the BD in which you try to convince them to file the MC-400 on your behalf (because, under the current rule, if the BD declines to file the MC-400, you are out of luck).  As I said earlier, a BD only has three options when you’re SD’d, and only one of them – firing you – is free and easy.  By ceding some control over the situation to the SD’d (or apparently SD’d) individual, the proposal helps reduce the pressure on the BD to take that easy way out.

I like to think that I am evenhanded in my critiques of FINRA, that is, while I am quick to point out problems and errors, when FINRA manages to get something right, I am perfectly willing to give it the credit it deserves.  That is the case here.  I get that for most people, and I mean the overwhelming majority of people registered with FINRA firms, this proposal will have zero impact on their lives.  But for the few unlucky people who, as I said, find themselves trapped in SD through mistake or inadvertence, the new mechanism could be a Godsend.  I only hope that FINRA considers doing something similar with Rule 8210.

We have frequently blogged here about the degree of attention that regulators pay to Chief Compliance Officers, and whether it is proper that they sometimes are named individually in Enforcement actions.  And we are hardly the only ones who see this issue.  The New York City Bar back in February – I know, that seems like a lifetime ago, as it was before COVID-19 really impacted us all – published a Report On Chief Compliance Officer Liability In The Financial Sector that explored the subject in great detail.  It concluded that “Compliance officers can function as effective gatekeepers only if they are given the information and tools necessary to carefully police the boundary between culpable and permissible conduct—and do so without bearing a disproportionate risk of liability for others’ misconduct.”

Interestingly, that Report noted at the time that there was some reason for hope, citing remarks made by Peter Driscoll, the Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), at a spring 2019 conference.  There, he announced that OCIE was embarking on a “pilot initiative to hold regional roundtables with CCOs in select locations” designed “to encourage productive dialogue with the compliance community and ‘search for ways to strengthen the role of the CCO, improve the culture of compliance, and deliver on the shared goal of investor protection.’”

Well, last week, Mr. Driscoll again offered remarks relating to CCOs that, once again, reveal not only that he feels their pain, but provide some solid guidance as to what the CCO job should look like and how CCOs should be treated by firm management.  And while he was discussing CCOs of RIAs, not BDs, I think both should pay heed to his words, as they apply equally to both.

He started with this summary observation:  A CCO “should be empowered with full responsibility and authority to develop, implement, and enforce appropriate policies and procedures for the firm.  And a CCO should have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”  He then went on, very helpfully, to illustrate what that general description means by detailing what the SEC does NOT like to see during an exam:

  • CCOs who are hired merely so the firm can “check the box,” but who are not supported or empowered by management;
  • CCOs who hold one or more roles in a firm and are, as a result, inattentive to their compliance responsibilities;
  • CCOs who are “too low in the organization to make meaningful change and have a substantive impact, such as a mid-level officer or placed under the CFO function”;
  • CCOs who “are expected to create policies and procedures, but are not given the resources to hire personnel or engage vendors to provide systems to implement those policies and procedures”;
  • When “a CCO is replaced because they challenge questionable activities or behavior”;
  • When “a CCO is trotted out for an examination or sits silently in the corner in compliance discussions, overshadowed by firm senior officers”;
  • When “a firm puts responsibility on the CCO for a failure of an employee or an officer to follow a firm policy or procedure.”

Then, he listed what the SEC LIKES to see in a CCO:

  • CCOs who “are routinely included in business planning and strategy discussions and brought into decision-making early-on, not for appearances, but for their meaningful input”;
  • CCOs with “access [to] and interaction with senior management, prominence in the firm, and when they are valued by senior management;”
  • Senior management who evidence “demonstrable actions, not just words, supporting the CCO and compliance.”

He concluded his remarks with some very powerful statements on what makes not just a good CCO, but a good firm, a firm that is truly interested in achieving – and demonstrating to its regulators – effective compliance.  If I was a CCO, I would print these things out and hand deliver them to firm management, and if all I got in return was a hearty laugh, I’d find somewhere else to work:

  • The CCO is not there to fill out irrelevant paperwork or serve as a scapegoat for the firm’s failings.
  • A firm’s compliance department should be fully integrated into the business of the adviser for it to be effective.
  • Compliance regarding conflicts of interest, disclosures to clients, calculation of fees and protection of client assets should not be done from the sidelines. The CCO needs a meaningful seat at the table.
  • Although the responsibilities and challenges are significant, the critical function of compliance should not all fall on the shoulders of CCOs.
  • Without the support of management, no CCO, no matter how diligent and capable, can be effective.
  • An effective CCO should have confidence that they can stand up for compliance and be supported.
  • Compensation and job security for CCOs should be commensurate with their significant responsibilities.
  • CCOs should not be made to feel that they are one “no” away from termination.
  • CCOs should not be made the target of every problem. The cause or blame for a compliance issue or failure typically does not sit only with the CCO and may not sit at all with the CCO.  In fact, we appreciate that often the CCO is the one responsible for identifying the problem and for fixing it.

So, let’s hear it for CCOs, as well as firms who rightfully value their CCOs.  Let’s not just look at them merely as a line – and a big one, at that – on the expense side of the ledger.  Let’s no longer brand them the “anti-sales department.”  And let’s agree that Ari Spyros on Billions is not a realistic portrayal.