Category Archives: Uncategorized

New One-Page Fee Table Required For Massachusetts Investment Advisers

On June 14, 2019, the Massachusetts Securities Division upped the fee disclosure requirement for state-registered advisers (i.e., advisers with less than $100 million in assets under management). Starting January 1, 2020, state advisers will be required to provide a one-page, fee table in addition to the usual narrative fee disclosures in Form ADV Part 2A. Advisers will be required to update and deliver the table consistent with existing updating and delivery requirements for Form ADV. Firms are also required to put a link to the table on their websites.

What does this mean?

Massachusetts registered advisers will need to churn out a one-page fee table containing three sections: one for fees charged by the adviser, another for fees charged by third party advisers, and a final one for additional/costs and fees, such as mutual fund expenses. The first section breaks out AUM fees, hourly fees, subscription fees, fixed fees, commissions paid to the adviser, performance based fees, and a space for “other” fees. The table requires inputting the amount (with tiers if applicable), frequency of charging, and a column to identify the services provided. There are identical columns for the third party fees section, which addresses third-party money manager and robo fees. Finally, to the extent that other fees might apply, e.g., mark-ups, custodian fees, commissions not paid to the adviser, etc., the table requires a binary Y/N and, where applicable, that the adviser identify to which firm the money is paid.

Opportunity or Burden?

While the initial set up for the table and updates will entail additional work, it is likely that Massachusetts-registered investment advisers will have a leg up should the SEC and/or other states ultimately decide to impose their own fee “distillation” requirements. Given recent changes under Regulation BI, and consistent pressure across the industry to simplify disclosures around fees and other items, Massachusetts firms may well be ahead of the curve.

Here is a link to the Rule:



SEC Fines Firm For Cyber Lapses Leading to Disclosure Of Info For 5,600 Customers

The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle allegations related to its failures in cyber security policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. In addition to a $1 million penalty, the firm was required to hire an independent consultant for a 2 year term, who will generate reports for submission to the SEC.

Over 6 days in April 2016, individuals impersonating independent contractor representatives to Voya Financial Advisors, Inc. (VFA) called VFA’s technical support line and requested resets of 3 representatives’ passwords for web portal access. Notably, the fraudsters used phone numbers the parent company, Voya, had previously identified as associated with fraudulent activity. Nonetheless, support staff reset the passwords and provided temporary passwords over the phone.

When an actual contractor representative called support to inform them that he had received an email confirming a password change that he had not requested, VFA did not immediately terminate the intruders’ access to the system. As a result of that any other security failures, the intruders were able to access to the personally identifiable information of at least 5,600 customers.

Although there were no known unauthorized transfers from customer accounts, the SEC found that VFA’s practices violated the Safeguards Rule, which requires every BD and RIA to have written policies and procedures that address technical and physical safeguards for the protection of customer records and information. The SEC concluded that VFA’s policies and systems relating to contractor password resets, terminating web sessions in its gateway system for contractors, and identifying higher risk representatives and customer accounts for additional security measures, were not reasonably designed.

For example, VFA’s 15-minute inactivity timeouts, which applied to employee representatives accessing the web portal, was not applied to the web portal for contractor representatives. In addition, VFA’s policy requiring a user to answer security questions when logging on from a new device was easily circumvented by the intruders calling support to reset their security questions.

Bottom line: Firms are faced with cyber threats on multiple fronts every day. Many threats take the form of malware or other web or software-based attacks probing systems for weaknesses. The VFA incident, however, was relatively low tech. It involved natural persons impersonating remote independent contractor representatives over the phone. Accordingly, firms should consider assessing not only their software-based bulwarks against intrusion, but also the training and policies overseeing phone conversations and other human interactions.