Advisers Should Review Their Employment Agreements and Policies for Restrictions on Employee Reporting to SEC

SEC Rule 21F-17, spun out of Dodd-Frank, prohibits any person or entity under SEC jurisdiction from taking “any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.” In 2015-16, the SEC brought several enforcement actions against investment adviser firms whose employment agreements (e.g., offer letters, confidentiality agreements, and severance agreements) either required the employee to waive his or her whistleblower rights or more subtly impeded that ability, e.g., by stating that an employee must report a possible violation internally to compliance or management before reporting out to the SEC.

Since those actions, OCIE followed up with a risk alert stating that it will review advisers’ “compliance manuals, codes of ethics, employment agreements, and severance agreements to determine whether provisions in those documents pertaining to confidentiality of information and reporting of possible securities law violations may raise concerns under Rule 21F-17.” This means that no internal document is safe from review for what the SEC may deem restrictive reporting language. Accordingly, advisers should take a second look at all employment agreements as well as internal policies (e.g., Code of Ethics) containing confidentiality language. Those sections should clearly provide that an employee may directly report out to the SEC (without prior notice to the firm) if the employee believes that there is a possible securities law violation.

 

Investment Advisers Should Review Their Codes of Ethics For Conformity with SEC Fiduciary Interpretation

On June 5, 2019, the SEC approved a package of rule-making and interpretations designed to harmonize (or bring closer) the standards of conduct for brokers (BDs) and investment advisers (RIAs). The lion’s share of attention has been focused on the elimination, effective June 30, 2020, of the “suitability” standard governing retail brokerage accounts in favor of a version of the “best interests” standard. There has been less attention, however, paid to the SEC’s explicit guidance and parsing of RIAs’ fiduciary duties to clients, set forth in the SEC’s Fiduciary Interpretation. Because that interpretation went into effect on July 12, 2019, advisers who have not reviewed their internal and disclosure documents for conformity should do so immediately or risk OCIE deficiencies or worse.

SEC Rule 204A-1 requires every RIA to establish, maintain and enforce a written code of ethics that contains a minimum set of standards, including “[a] standard (or standards) of business conduct that the adviser requires of each supervised person, which standard must reflect the adviser’s fiduciary obligations and those of its supervised persons.” Under the SEC’s Fiduciary Interpretation (and case law), all RIAs have the following duties: (1) a duty of care, and (2) a duty of loyalty.

The Interpretation goes on to detail those duties. For example, the duty of care requires the adviser to: (1) provide advice that is in the best interest of the client, (2) seek best execution of a client’s transactions, and (3) provide advice and monitoring over the course of the relationship. To act in the client’s best interest, an adviser must have both: (a) a reasonable understanding of the client’s objectives, and (b) a reasonable belief that the advice it provides is in the best interest of the client based on the client’s objectives.

The above items are just a small part of the important interpretive guidance in the Fiduciary Interpretation. RIAs should review their existing codes of ethics and other documents, and, where appropriate, make changes to conform to the new guidance.

Here is a link to the June 5, 2019 SEC Release.

https://www.sec.gov/rules/interp/2019/ia-5248.pdf

 

New One-Page Fee Table Required For Massachusetts Investment Advisers

On June 14, 2019, the Massachusetts Securities Division upped the fee disclosure requirement for state-registered advisers (i.e., advisers with less than $100 million in assets under management). Starting January 1, 2020, state advisers will be required to provide a one-page fee table in addition to the usual narrative fee disclosures in Form ADV Part 2A. Advisers will be required to update and deliver the table consistent with existing updating and delivery requirements for Form ADV. Firms are also required to put a link to the table on their websites.

What does this mean?

Massachusetts-registered advisers will need to churn out a one-page fee table containing three sections: one for fees charged by the adviser, another for fees charged by third-party advisers, and a final one for additional costs and fees, such as mutual fund expenses. The first section breaks out AUM fees, hourly fees, subscription fees, fixed fees, commissions paid to the adviser, performance-based fees, and a space for “other” fees. The table requires inputting the amount (with tiers if applicable), frequency of charging, and a column to identify the services provided. There are identical columns for the third-party fees section, which addresses third-party money manager and robo fees. Finally, to the extent that other fees might apply, e.g., mark-ups, custodian fees, commissions not paid to the adviser, etc., the table requires a binary Y/N and, where applicable, that the adviser identify to which firm the money is paid.

Opportunity or Burden?

While the initial set up for the table and updates will entail additional work, it is likely that Massachusetts-registered investment advisers will have a leg up should the SEC and/or other states ultimately decide to impose their own fee “distillation” requirements. Given recent changes under Regulation BI, and consistent pressure across the industry to simplify disclosures around fees and other items, Massachusetts firms may well be ahead of the curve.

Here is a link to the Rule:

http://www.sec.state.ma.us/sct/sctfeetable/Adopting-Release.pdf

 

 

SEC Fines Firm For Cyber Lapses Leading to Disclosure Of Info For 5,600 Customers

The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle allegations related to its failures in cyber security policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. In addition to a $1 million penalty, the firm was required to hire an independent consultant for a 2-year term, who will generate reports for submission to the SEC.

Over 6 days in April 2016, individuals impersonating independent contractor representatives to Voya Financial Advisors, Inc. (VFA) called VFA’s technical support line and requested resets of 3 representatives’ passwords for web portal access. Notably, the fraudsters used phone numbers the parent company, Voya, had previously identified as associated with fraudulent activity. Nonetheless, support staff reset the passwords and provided temporary passwords over the phone.

When an actual contractor representative called support to inform them that he had received an email confirming a password change that he had not requested, VFA did not immediately terminate the intruders’ access to the system. As a result of that and other security failures, the intruders were able to access the personally identifiable information of at least 5,600 customers.

Although there were no known unauthorized transfers from customer accounts, the SEC found that VFA’s practices violated the Safeguards Rule, which requires every BD and RIA to have written policies and procedures that address technical and physical safeguards for the protection of customer records and information. The SEC concluded that VFA’s policies and systems relating to contractor password resets, terminating web sessions in its gateway system for contractors, and identifying higher risk representatives and customer accounts for additional security measures, were not reasonably designed.

For example, VFA’s 15-minute inactivity timeout, which applied to employee representatives accessing the web portal, was not applied to the web portal for contractor representatives. In addition, VFA’s policy requiring a user to answer security questions when logging on from a new device was easily circumvented by the intruders calling support to reset their security questions.
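The gaps described above (resets granted to callers on previously flagged numbers, temporary passwords given by phone, sessions left open after a disputed reset, and no inactivity timeout on the contractor portal) can be written as explicit checks. The sketch below is an added illustration, not code from the SEC order or from VFA; the record fields, watchlist, phone numbers and user names are constructed assumptions, and the security-question rule is one possible mitigation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # the 15-minute timeout, applied here to every portal
FRAUD_NUMBERS = {"+15550100"}         # constructed watchlist of numbers already tied to fraud

@dataclass
class ResetRequest:
    user: str
    caller_number: str
    delivery: str                     # "phone" or "out_of_band" (contact details on file)
    resets_security_questions: bool = False

@dataclass
class Session:
    user: str
    portal: str                       # "employee" or "contractor"
    last_activity: datetime

def review_reset(req, watchlist=FRAUD_NUMBERS):
    """Return reasons to refuse or escalate a help-desk reset (empty list = proceed)."""
    reasons = []
    if req.caller_number in watchlist:
        reasons.append("caller number on fraud watchlist")
    if req.delivery == "phone":
        reasons.append("temporary password must not be given over the phone")
    if req.resets_security_questions:  # assumed mitigation, not a rule quoted from the order
        reasons.append("security-question reset needs verification via contact on file")
    return reasons

def sessions_to_terminate(sessions, now, disputed_users):
    """Sessions idle past the timeout on any portal, or owned by a user who disputed a reset."""
    return [s for s in sessions
            if s.user in disputed_users or now - s.last_activity > IDLE_TIMEOUT]

# Constructed sample data
NOW = datetime(2016, 4, 11, 12, 0)
SESSIONS = [
    Session("rep_a", "contractor", NOW - timedelta(minutes=40)),  # idle contractor session
    Session("emp_b", "employee", NOW - timedelta(minutes=5)),     # active employee session
    Session("rep_c", "contractor", NOW - timedelta(minutes=2)),   # active, but reset disputed
]
if __name__ == "__main__":
    print(review_reset(ResetRequest("rep_a", "+15550100", "phone")))
    print([s.user for s in sessions_to_terminate(SESSIONS, NOW, {"rep_c"})])
```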

Bottom line: Firms are faced with cyber threats on multiple fronts every day. Many threats take the form of malware or other web or software-based attacks probing systems for weaknesses. The VFA incident, however, was relatively low tech. It involved natural persons impersonating remote independent contractor representatives over the phone. Accordingly, firms should consider assessing not only their software-based bulwarks against intrusion, but also the training and policies overseeing phone conversations and other human interactions.

Link: https://www.sec.gov/litigation/admin/2018/34-84288.pdf

Supreme Court Limits “Whistleblower” Status to People Who Report Out to SEC

The Supreme Court, by unanimous decision, has held that “whistleblower” status under the 2010 Dodd-Frank Act, with its cash award and enhanced anti-retaliation benefits, is limited to individuals who report violations to the SEC and does not include people who internally report at a company but fail to report to the SEC. The decision is likely to increase call volume on the SEC’s whistleblower hotline, as well as costs and headaches for legal and compliance personnel at regulated companies.

Although an individual who reports internally (and not to the SEC) may still get the anti-retaliation benefits afforded under the 2002 Sarbanes-Oxley Act, that individual would not be entitled to the enhanced anti-retaliation benefits (e.g., double back pay) or the potential cash payout (10-30 percent of any SEC monetary penalties) under Dodd-Frank. Accordingly, individuals with information that could lead to SEC charges are now more likely to report out to the agency than try to resolve things internally.

Consequently, compliance and legal personnel at Pubcos, RIAs, and BDs should consider reviewing their policies and procedures to ensure that they are striking the correct balance between motivating employees to report potential problems internally and not limiting an employee’s ability to report out. This is especially true given the SEC’s focus (through enforcement actions) on entities who limit such reporting by requiring employees to sign restrictive confidentiality agreements that may have the effect of “chilling” an employee’s desire to report out.

Here is a link to the Supreme Court’s decision:

https://www.supremecourt.gov/opinions/17pdf/16-1276_b0nd.pdf

 

EB-5 “Golden Ticket” Visa Fraud Article Published in The Champion Magazine

Will Haddad’s article, “EB-5 Visa Fraud, What You Need to Know,” was published in The Champion Magazine. The article reviews recent legislative, legal and other issues related to these highly desirable “fast track” visas. Such developments include a number of securities fraud cases brought by the SEC, as well as some federal criminal cases.

A copy of the article is reproduced here, with the written permission of the publisher, the National Association of Criminal Defense Lawyers.

EB-5 Visa Fraud Article

(c) 2017, National Association of Criminal Defense Lawyers.

Supreme Court Holds 5-Year Statute of Limitations Applies to SEC Disgorgement

On June 5, 2017, by unanimous decision, the U.S. Supreme Court determined that disgorgement – a remedy that generated $3 billion in 2015 – is a “penalty” thereby subjecting it to the 5-year statute of limitations that applies to any “action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise.” Kokesh v. SEC, No. 16-529, slip op. at 1 (June 5, 2017) (quoting 28 U.S.C. §2462). The Court’s decision relieved Kokesh of a $30 million disgorgement order entered in the lower court.

The SEC had argued that disgorgement is a different animal – it simply places the defendant in the same position as he or she would have been but for the offense. The Court strongly disagreed, noting the deterrent qualities of disgorgement, which are a hallmark of a penalty: “[s]anctions imposed for the purpose of deterring infractions of public laws are inherently punitive.” Id. at 8. The Court observed that the victims (if there are any) of a securities law violation need not participate in the enforcement action and may not even support it. In addition, money that is disgorged to the Treasury often stays there; i.e., there is no absolute requirement that the money that is recovered be distributed to the purportedly aggrieved investors.

Going forward, the SEC is faced with having to speed up its investigations and charging decisions. That can be a challenge, especially in complex cases where the Enforcement Division would prefer to thoroughly build out a case in advance.

Here is the decision:

https://www.supremecourt.gov/opinions/16pdf/16-529_i426.pdf