Page 1: NOVEMBER / DECEMBER 2010 CURRENTS NSCP NSCP Currents November/December 2010 Every employee associated with a broker-dealer shares a common responsibility for the firm and all its employees

CURRENTS
A Publication of the NATIONAL SOCIETY OF COMPLIANCE PROFESSIONALS

NSCP NOVEMBER / DECEMBER 2010

© 2010 National Society of Compliance Professionals, Inc.

Inclusion of any advertisement in any NSCP publication is at the sole discretion of the NSCP Board of Directors, and in no way represents an endorsement of the advertiser or the advertised product by NSCP.

Inside

Risk Mgmt Controls Mkt Access

What’s on the SEC’s Radar?

SEC Whistleblower Proposal

Changes in UK Regulation

NSCP Files Amicus Brief With SEC in Theodore W. Urban Case

David C. Prince is General Counsel of Stephens Investment Management Group, LLC an investment advisor headquartered in Little Rock, Arkansas. He serves on the NSCP Board of Directors.

by David C. Prince

The National Society of Compliance Professionals (“NSCP”) has filed an Amicus Brief with the Securities and Exchange Commission in connection with the Commission’s Review of the Initial Decision of Chief Administrative Law Judge Brenda Murray In the Matter of Theodore W. Urban. See In the Matter of Theodore W. Urban, Adm. Proc. File No. 3-13655, Initial Decision (Sept. 8, 2010). The NSCP’s brief can be viewed at http://www.nscp.org/comments.html#urban.

The appeal of this case to the Commission presents a unique opportunity for the Commission to clarify the existing standards on the role of a supervisor at a broker-dealer and to bring clarity to the question of when a legal and compliance officer can cross the line to become the supervisor of a salesperson.

The initial decision, decided on September 8, 2010, ruled that Theodore W. Urban (“Urban”), formerly the in-house legal counsel of a regional brokerage firm, was the supervisor of a rogue broker but held that Urban had acted reasonably in discharging his supervisory responsibilities “in a cautious, objective, thorough and reasonable manner.” The initial decision dismissed the case brought by the Commission’s Division of Enforcement. The Division appealed the initial decision for review of the dismissal, and Urban cross-petitioned for review of Chief Judge Murray’s ruling that Urban was Glantz’ supervisor.

The Factual Background

Theodore Urban was General Counsel of Ferris, Baker Watts, Inc. (“FBW”) where he headed the Compliance, Human Resources, and Internal Audit departments. Urban had no authority to hire or fire employees outside of his three departments, but he served on the board of directors and his firm’s credit and risk committee as a full voting member. In the administrative proceeding initiated in October 2009, the SEC’s Division of Enforcement alleged that Urban became the supervisor of Stephen Glantz, a rogue broker, who subsequently admitted to securities fraud, manipulation, and unauthorized trading in customer accounts because:

• Urban became aware of and was involved in addressing the red flags raised by Glantz’s conduct; and
• Urban took inadequate action regarding red flags which came to his attention.

The Division of Enforcement had argued that once Urban became a supervisor of Glantz, he was obliged either to obtain Glantz’s dismissal or to resign himself, and—having done neither—merited a significant monetary penalty and a bar from association with any broker, dealer, or investment adviser in a supervisory capacity.

The Statutory Framework for Failure to Supervise Liability

Sections 15(b)(4)(E) and 15(b)(6)(A)(i) of the Securities Exchange Act of 1934 give the Commission broad authority to sanction a person associated with a broker or dealer where the person “has failed reasonably to supervise, with a view to preventing violations of the provisions of such statutes, rules and regulations, another person who commits such a violation, if such other person is subject to his supervision.” However, such a person will not be deemed to have failed to reasonably supervise if 1) there have been established procedures — and a system for applying such procedures — that would reasonably be expected to prevent and detect any such violation by another person, and 2) such person has reasonably discharged the duties and obligations incumbent upon him without reasonable cause to believe that the procedures in place were not followed. Thus, a failure to supervise inquiry seeks answers to two basic questions:

1. Was the person at issue the supervisor of someone who violated the federal securities laws?
2. Did the supervisor act reasonably under the circumstances?

The Initial Decision and Its Rationale

In her Initial Decision, Chief Administrative Law Judge Murray found that Urban:

• “did not have any of the traditional powers associated with a person supervising brokers” (initial decision at page 52);
• “did not direct FBW’s response to dealing with Mr. Glantz” (initial decision at page 52); and
• “was not responsible and had no authority for hiring, assessing performance, assigning activities, promoting, or terminating anyone, outside of the people in the departments he directly supervised” (initial decision at page 35).

Nevertheless, she concluded at page 52 of the initial decision that Urban was in fact Glantz’ supervisor because his “opinions on legal and compliance issues were viewed as authoritative and his recommendations were generally followed by people in FBW’s business units, but not by Retail Sales.” In reaching this conclusion, Chief Judge Murray also noted that Urban was a member of the Credit & Risk Committee, and he “dealt with Glantz on behalf of the committee.”

The Urban decision represents a significant extension of SEC precedent and a significant expansion of potential supervisory liability for legal and compliance personnel. By making supervisory status turn on whether a person’s opinions are viewed as authoritative and generally are respected within the organization, the standard announced in the Urban decision punishes the very type of Legal and Compliance personnel whose energy and independence the Commission should most wish to protect and foster.

In deciding this matter Chief Judge Murray relied extensively on the Commission’s decision In re Gutfreund,1 focusing primarily on whether Urban had the “requisite degree of responsibility, ability or authority to affect Mr. Glantz’s conduct.” While noting that the facts and circumstances of Urban’s situation “are very different from Gutfreund and its progeny” Chief Judge Murray relied on Gutfreund’s language to rule that once a legal or compliance officer – at least, one with sufficient gravitas within the relevant organization – becomes involved in formulating management’s response to a problem, that person becomes responsible for taking action.

Gutfreund was a settled administrative case brought against line management of Salomon Brothers Inc. that the Commission accompanied with a Section 21(a) Report which considered the supervisory liability of Donald Feuerstein, Salomon’s Chief Legal Officer. Feuerstein was told by senior management that the head of Salomon’s government trading desk had submitted a false bid in an auction of U.S. Treasury securities and urged senior management to report the actions to proper authorities.2 Neither those authorities nor Salomon’s Compliance Department were informed of the improper conduct for a number of months, during which time the illegal activities continued.3 In analyzing Feuerstein’s role in the matter, the Commissioners noted that “[e]mployees of brokerage firms who have legal or compliance responsibilities do not become ‘supervisors’ for purposes of Sections 15(b)(4)(E) and 15(b)(6) solely because they occupy those positions.”4 However, the Commission reasoned that because Feuerstein had the “requisite degree of responsibility, ability or authority to affect” the trader’s conduct and failed to take the necessary steps to remediate that conduct, he failed to supervise the trader adequately.5

Another key Commission pronouncement on whether a legal or compliance officer is subject to supervisory liability was In re Huff,6 in which the Commission dismissed failure to supervise charges brought against Arthur James Huff, a Senior Registered Options Principal at PaineWebber. Huff had been charged with failing to supervise a retail broker who violated the securities laws as well as a branch office manager who failed in his own supervisory duties over the broker.7 Though not addressing the question of whether Huff was a supervisor pursuant to Section 15(b)(4)(e), Chairman Breeden and Commissioner Roberts concluded that Huff had reasonably discharged his supervisory duties over the broker.8 Commissioners Lochner and Schapiro concurred in the dismissal but wrote separately to express their view that Huff could not be regarded to have failed to supervise the broker because, as a factual matter, the broker was not subject to Huff’s supervision. They concluded that, “the most probative factor that would indicate a person is responsible for the actions of another is whether that person has the power to control the other’s conduct. This view is supported by the common meaning of the term ‘supervision,’ when used in the employment relationship to which the statute refers and by the statutory language ‘subject to his supervision’ which also seems to emphasize control.”9 Focusing on whether Huff had the ability to hire or fire the violator and thus, had the ability to control the violator’s conduct, Commissioners Lochner and Schapiro concluded that Huff was not a supervisor.10

Conclusion

By abstracting the language, but not the facts, of Gutfreund, Chief Judge Murray over-read the Gutfreund decision and essentially changed the law.

The Gutfreund case certainly held that legal and compliance employees could be held liable for failure to reasonably supervise employees in appropriate circumstances, but the Commission never said that such personnel would be found to be supervisors each time a firm employee violates the securities laws.

Every employee associated with a broker-dealer shares a common responsibility for the firm and all its employees to achieve compliance with the securities laws, regulations and their firm’s supervisory procedures. Exactly when that common responsibility changes to elevate a particular individual to the status of the supervisor of another person should be a clear and well defined boundary. The appeal of the Urban case presents the Commission with a unique opportunity to clarify the existing standards in this area, and we are hopeful that clear and meaningful guidance will be forthcoming from the Commission on this issue.

NSCP’s amicus brief on the Urban case is here: http://nscp.org/media/Urban.pdf


1. 52 SEC 2849, 1992 WL 362753 (Dec. 3, 1992) and accompanying Section 21(a) Report regarding Donald Feuerstein (the “Feuerstein Report”).
2. 1992 WL 362753 at *5.
3. Id.
4. Id.
5. Id. at 15. Gutfreund also noted that the concurring opinion in Huff, which emphasized “control,” was consistent with Gutfreund’s statement of the standard. Id. at n. 24. Ten years later In re Kolar, another opinion written by two Commissioners, offered the view that the concurrence in Huff had “never been adopted by the Commission.” In re Kolar, Exchange Act Rel. No. 46127 at 5 & nn. 7-8 (June 26, 2002). However, Kolar – a line supervisor tasked with investigating wrongdoing, and not a compliance officer, was found to have had control in any event, leaving the Kolar Commissioners’ view on Huff as dictum.
6. 50 SEC 524, 1991 WL 296561 (Mar. 28, 1991) (concurring opinion of Commissioners Schapiro and Lochner).
7. 1991 WL 296561 at *1.
8. Id. at *5.
9. Id. at *7.
10. Id.

How you can become more involved with NSCP

Dear NSCP Member,

In preparation for the new regulatory challenges affecting NSCP’s members, we are looking for experienced and knowledgeable volunteers to work with us - and who better to ask for assistance than our loyal NSCP members!

We are now in the process of revamping the Broker-Dealer, Investment Adviser, and Hedge Fund Committees to carry out this important work. These standing committees will be responsible for:

• Supporting the mission of NSCP
• Advising NSCP on “hot” topics
• Participating on ad hoc committees in the drafting of comment letters on various initiatives (www.nscp.org/comments.html)
• Assisting in the development of National and Regional Meeting topic selection and talking points
• Contributing to NSCP publications (www.nscp.org/publications.html)
• Providing expertise to compliance questions on the NSCP Compliance Forum (www.nscpforums.com)
• Helping NSCP foster stronger relationships with regulatory agencies and industry groups

If you are interested and have the time to participate in one of these standing committees, please download and complete the following form (www.nscp.org/BD-IA-HF-Committee-Interest-Form.doc). As space is limited, a Review Committee will initially be selecting only a few for appointment to the respective sub-committees. Those not selected will be offered the opportunity to participate on ad hoc committees involved in drafting comment letters, surveys, etc. Once participant selections have been determined, further information will be provided. As always, NSCP values your continued support and looks forward to working with you in the future.

Very truly yours,
Joan Hinchman
Executive Director, President and CEO
NSCP


SEC Adopts Rule Requiring Risk Management Controls for Market Access

by Kevin Campion, John Sakhleh and Katie Klaben

Kevin Campion and John Sakhleh are partners in Sidley Austin LLP’s Securities and Futures Regulatory Group. Katie Klaben is an associate in Sidley Austin LLP’s Securities and Futures Regulatory Group.

I. Introduction

On November 3, 2010, the SEC adopted the final version of Rule 15c3-5 (the “Rule”) under the Securities Exchange Act of 1934 (“Exchange Act”),1 which will impose a series of risk management controls and supervisory procedures on brokers and dealers that have access to trading securities directly on an exchange or an alternative trading system (“ATS”), that provide such access to customers via sponsored access2 or direct market access3 arrangements, or that operate an ATS and provide non-broker-dealers access to the ATS for trading securities. In general, the Rule requires broker-dealers with market access, or that allow a customer or any other person to trade on an exchange or ATS through use of its market participant identifier (“MPID”), to establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks (e.g., legal and operational risks) related to their market access business activity.4 The Rule also requires broker-dealers to maintain direct and exclusive control over these controls and procedures, subject to a narrow exception for allocation to customers that are registered broker-dealers, as well as preserve documentation and perform a regular review of their market access controls and procedures.5

In adopting the Rule, the SEC indicated that it was intended to address the increase in financial and regulatory risks due to the proliferation of automated, algorithmic, high-speed trading and the growth in customers, especially sophisticated institutions, placing orders under the MPID of their broker-dealer with little to no substantive intermediation by the broker-dealer via sponsored, direct market and naked access arrangements. According to the SEC, these market access arrangements, particularly naked access, in which the customer’s order is submitted to a trading center without the application of any pre-trade controls by the broker-dealer, can pose great risks to the market. These potential risks include, among other things, instances where capital or credit limits are exceeded, incorrect orders due to technological malfunctions or manual errors, noncompliance with SEC or exchange trading rules, and undetected misconduct. The Rule was adopted to address these risks by requiring orders to be filtered through pre-trade controls and procedures implemented by the broker-dealer with market access.

The Rule could have a substantial impact on both the broker-dealers that provide market access and the customers who utilize such arrangements. Broker-dealers that offer sponsored and direct market access arrangements will have to review and possibly revise these arrangements and their market access controls to ensure they comply with the Rule. Further, investors, particularly sophisticated institutional investors, should inquire whether their current market access arrangement will need to be modified and possibly consider alternatives.

The Rule becomes effective on January 14, 2011, and compliance is mandated by July 14, 2011. This article provides a summary of the Rule and the impact it could have on market participants that offer and use market access.

II. Rule 15c3-5 Definitions

“Market Access”

In order to understand and comply with the scope of the Rule, it is important to understand the meaning of the terms “market access” and “regulatory requirements.” The term “market access,” which is crucial to understand because it determines which broker-dealers are subject to the Rule, was deliberately defined broadly by the SEC. The term includes broker-dealers that are members of an exchange or subscribers to an ATS as well as broker-dealer operators of ATSs that provide access to trading in securities on the ATS by non-broker-dealer subscribers.6 Requiring the ATS operator to implement the Rule’s controls and procedures with respect to non-broker-dealer subscribers ensures that all orders entered on an ATS are subject to the Rule.7 The term “market access” also includes all securities traded on an exchange or ATS, such as equities, options, exchange-traded funds, debt securities, and security-based swaps if they begin being traded on a national securities exchange.8 Finally, while the term “market access” covers sponsored and direct market access by customers, it also includes more traditional agency brokerage activities and proprietary trading by broker-dealers. However, in the Final Release, the SEC specifically stated that it believes, in many cases, it is likely that the existing risk management controls and supervisory procedures related to proprietary trading and traditional agency brokerage arrangements currently employed by broker-dealers should substantially satisfy the requirements under the Rule.

“Regulatory Requirements”

The term “regulatory requirements,” which is important because the Rule mandates that broker-dealers design controls and procedures to ensure compliance with such requirements, encompasses all federal and self-regulatory organization (“SRO”) laws, rules, and regulations related to market access.9 The term “regulatory requirements” refers to existing regulatory requirements, including exchange rules related to special order types, trading halts, odd-lot orders, and non-member sponsored participant arrangements, SEC rules pursuant to Regulations SHO and NMS, and post-trade responsibilities to monitor manipulation and other illegal activity. Over time, as laws, rules, and regulations are modified or new ones are adopted, the SEC acknowledges that the specific content that falls within the definition of “regulatory requirements” will change.

III. Risk Management Controls and Supervisory Procedures

The central focus of the Rule is the obligation for broker-dealers with market access to establish, document, maintain, and preserve documentation of risk management controls and supervisory procedures reasonably designed to manage financial, regulatory, and other market access risks.10 The Rule provides a limited exception for broker-dealers that provide outbound routing services to an exchange or ATS for the sole purpose of accessing other trading centers with protected quotations on behalf of the exchange or ATS in order to comply with Rule 611 of Regulation NMS for NMS stocks or with a national market system plan for listed options.11 The Rule provides this limited exception because, according to the Final Release, the orders provided to routing brokers will have already been subject to the Rule’s risk management controls required of the broker-dealer of the MPID that placed the order.12 These routing brokers, however, will still be responsible for meeting the provision of the Rule that requires controls and procedures to prevent the entry of erroneous orders, by rejecting orders that exceed appropriate price or size parameters, on an order-by-order basis, or that indicate duplicative orders.

It is important to note that the SEC recognizes that the Rule does not impose a “one-size-fits-all” standard for compliance with the controls and procedures. To that end, the SEC stated that the standard for the controls and procedures is flexible, and each broker-dealer’s controls or procedures may vary based on the broker-dealer’s business and customer types.13 The baseline requirement is that the controls and procedures be “reasonably designed” to meet the goals set forth in the Rule.

Furthermore, broker-dealers may utilize pre-trade risk controls offered by exchanges and ATSs in the broker-dealers’ efforts to comply with the requirements of the Rule. For example, broker-dealers may utilize the market access tools provided by exchanges that allow members to apply filters to orders placed under the broker-dealer’s MPID. Further, broker-dealers may apply the order entry controls offered by ATSs that allow subscribers to establish limits and prevent orders outside of such limits. The broker-dealer remains ultimately responsible, however, for implementing the required risk controls under the Rule.

IV. Financial Risk Management Controls and Supervisory Procedures

Paragraph (c)(1) of the Rule describes the financial risk management controls and supervisory procedures imposed by the Rule on broker-dealers with market access. These financial risk management controls and supervisory procedures must be reasonably designed to systematically limit the broker-dealer’s financial exposure that could arise as a result of market access.14 The Rule specifically prescribes, among other things, two such limitations:

• The first limitation requires a broker-dealer to prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds in the aggregate for each customer and the broker-dealer, and where appropriate more finely-tuned by sector, security, or otherwise, by rejecting orders if such orders would exceed the applicable credit or capital thresholds.15
• The second limitation requires a broker-dealer to prevent the entry of erroneous orders, by rejecting orders that exceed appropriate price or size parameters, on an order-by-order basis or over a short period of time, or that indicate duplicative orders.16

Concerning the financial controls, broker-dealers:

• Must implement the controls on an automated, pre-trade basis before orders are routed to the exchange or ATS;
• May want to establish “early warning” systems to send out notifications as the applicable credit or capital threshold is being approached;
• May set smaller credit limits for each customer at each exchange or ATS that, when combined, total the established aggregate limit for that customer;17
• Should measure compliance with the appropriate credit and capital thresholds on the basis of orders entered rather than executions obtained;18 and
• Should reasonably design the controls related to price and size parameters to detect malfunctions and prevent erroneous orders that result from technological malfunctions and manual errors on an order-by-order basis or over a short period of time.

The Rule intentionally allows the broker-dealer to have flexibility in implementing these financial controls, in order to ensure the controls support the broker-dealer’s business. To that end, a broker-dealer should review its business and customer types to determine if more specific credit or capital limits are needed by sector, security, or otherwise. Broker-dealers should also consider the customer’s business, financial condition, trading patterns, and other relevant matters when establishing the credit and capital thresholds, should document the process, and should regularly review and update, as necessary, both limits. When deciding how to set parameters to prevent erroneous and duplicative orders, broker-dealers should consider the customer’s type, trading patterns, and order entry history. As an example of such a parameter, a broker-dealer could implement a systematic control that only allows orders to be entered if the order is reasonably related to the security’s price quote.

The financial risk management controls and supervisory procedures delineated in the Rule are not inclusive, but merely a minimum standard. Broker-dealers may consider implementing financial controls and procedures in addition to those prescribed in the Rule.

V. Regulatory Risk Management Controls and Supervisory Procedures

Paragraph (c)(2) of the Rule describes the regulatory risk management controls and supervisory procedures that broker-dealers with market access must implement. Specifically, the Rule stipulates that the regulatory controls and procedures must be reasonably designed to: (i) prevent the entry of orders unless there has been compliance with all regulatory requirements that must be satisfied on a pre-order entry basis; (ii) prevent the entry of orders for securities for a broker or dealer, customer, or other person if such person is restricted from trading those securities; (iii) restrict access to trading systems and technology that provide market access to persons and accounts pre-approved and authorized by the broker or dealer; and (iv) assure that appropriate surveillance personnel receive immediate post-trade execution reports that result from market access.19

The regulatory risk controls and procedures that are intended to prevent orders that do not comply with the regulatory requirements must be implemented automatically and before orders are entered. The SEC clarified, however, that only those regulatory requirements with which a broker-dealer can effectively comply before an order is entered on an exchange or ATS must be satisfied on a pre-trade basis.20 For example, the regulatory requirements that must be satisfied on an order-by-order pre-trade basis include the Regulation SHO marking and locate requirements, the Regulation NMS conditions that must be satisfied before marking an order as an “intermarket sweep order,” and exchange rules that govern special order types and trading halts. Further, if a customer, another person, or the broker-dealer is restricted from trading in certain securities, the broker-dealer must implement automatic, pre-trade controls to prevent the customer, person, or broker-dealer from entering an order for such securities. Other regulatory requirements, such as monitoring for fraud and manipulation, can be satisfied on a post-trade basis.

With respect to providing only pre-approved persons and accounts with market access, the SEC indicated that effective controls and procedures should include: (1) an effective process for vetting and approving persons at the broker-dealer or customer, as applicable, who will be permitted to use the trading systems or other technology; (2) maintaining such trading systems or technology in a physically secure manner; and (3) restricting access to such trading systems or technology through effective mechanisms that validate identity.21

The Rule requires that appropriate surveillance personnel receive immediate post-trade execution reports that result from market access. In this regard, broker-dealers are expected to, among other things, be able to identify the applicable customer associated with each execution report. Also, while appropriate surveillance personnel must receive the post-trade execution reports immediately, the Rule does not require all post-trade surveillances, such as those for manipulation and fraud, to occur immediately. Instead, these surveillances need only occur in a timely manner, as determined by the facts and circumstances.

VI. Broker-Dealer’s Direct and Exclusive Control

Broker-dealers, subject to a limited exception described in greater detail below, are required to retain direct and exclusive control over the financial and

Page 7: NOVEMBER / DECEMBER 2010 CURRENTS NSCP NSCP Currents November/December 2010 Every employee associated with a broker-dealer shares a common responsibility for the firm and all its employees

NSCP Currents November/December 20107regulatory risk management controls and supervisory procedures mandated by the Rule.22 In other words, in general, broker-dealers may not rely on customers or a third party to establish or maintain the risk controls and supervisory procedures required by the Rule or delegate the oversight of such controls. The one, narrow exception to the requirement of direct and exclusive control allows broker-dealers providing market access to reasonably allocate, subject to certain conditions, responsibilities related to the implementation of regulatory risk management controls and supervisory procedures to broker-dealer customers who, due to their position in the transaction and relationship with an ultimate customer, are able to more effectively implement the controls and procedures (e.g., a clearing firm allocating to an introducing broker).23 It is important to note, however, that even if certain responsibilities are allocated, the broker-dealer providing market access is not relieved from its obligations under the Rule. This allocation provision applies only to the regulatory controls and procedures. The allocation must be evidenced by written contract, which should include the scope of the arrangement and the specific responsibilities of each party. The allocation arrangement may only commence after a thorough due diligence review by the broker-dealer providing market access, in which the broker-dealer finds a reasonable basis for determining that the broker-dealer customer has both the capability and, based on its position in the transaction and its relationship with the ultimate customer, has better access to the ultimate customer and its trading information in order to implement more effectively the specific controls and procedures allocated. In addition, the broker-dealer providing market access may not simply rely on the customer broker-dealer’s attestation that the allocated controls or procedures are being

implemented in compliance with the Rule. The broker-dealer providing market access should establish, document and maintain a system to review, on a regular basis, the broker-dealer customer’s performance and the allocated functions’ effectiveness, and redress any issues identified or, if such issues cannot be redressed, terminate the allocation contract. The SEC provided the following non-exhaustive list of controls that the broker-dealer providing market access could allocate to a registered broker-dealer customer: • Control over the regulatory controls and procedures that require specific knowledge of the ultimate customer and its trading activity; • Responsibilities under suitability and similar “know your customer” rules; • The obligation to prevent the ultimate customer from trading securities that the customer is restricted from trading;• Surveillance responsibilities related to manipulation or fraud, including wash sales, marking the close, and insider trading; and • Compliance with the locate requirement of Regulation SHO, unless the broker-dealer providing market access contractually accepted the obligation to comply with the locate requirement.24

Further, the broker-dealer providing market access is expected to provide the customer broker-dealer with immediate post-trade execution reports it receives from exchanges and ATSs so that the broker-dealer customer can conduct fraud and manipulation surveillance over the ultimate customer’s accounts.

Additionally, there are certain conditions under which a broker-dealer may utilize, in limited instances, risk management tools or technology provided by a third party service provider that is independent of its market access customers and their affiliates. In implementing its controls, a broker-dealer may use technology or software developed by independent third parties and located at the independent third party’s facilities. If a broker-dealer utilizes third-party functionalities, the broker-dealer would be expected to directly monitor and exclusively modify the controls and to perform due diligence to ensure the controls comply with the applicable provisions of the Rule. However, an independent third party may make modifications to the controls pursuant to explicit instructions provided by the broker-dealer on a case-by-case basis, rather than pursuant to standing instructions. Further, a broker-dealer may enlist an independent third party to supplement the broker-dealer’s own monitoring of the operation of its controls or perform routine maintenance or technology upgrades on its risk management controls, but the broker-dealer should review any changes to such controls as part of its obligation to conduct appropriate due diligence.

The independent third party could be another broker-dealer, an exchange or ATS, a service bureau, or other entity that is not an affiliate, and is otherwise independent, of the market access customer.25 In determining the independence of the third party, the substance of the relationship is more important than the form. For example, merely because a third party is not technically an affiliate of a customer does not mean it is independent, if it has a material business or other relationship with the customer. Further, mere reliance on the third party’s representation of independence is inadequate; the broker-dealer must conduct a due diligence review of the independence of the third party.

VII. Regular Review of Risk Management Controls and Supervisory Procedures

Broker-dealers with market access are required to establish, document, and maintain a system for regularly reviewing the effectiveness of the risk management controls and supervisory procedures and for promptly addressing any issues.26 Among other things, the broker-dealer must perform, at least annually, a review of its market access business activity to assure the overall effectiveness of the financial and regulatory risk management controls mandated by the Rule, conducted in accordance with written procedures and documented appropriately.27 The written procedures and documentation of each review must be retained as part of the broker-dealer’s books and records in a manner consistent with Rules 17a-4(e)(7) and 17a-4(b) of the Exchange Act.28

Furthermore, the Chief Executive Officer, or equivalent officer, of the broker-dealer must annually certify that its risk management controls and supervisory procedures comply with the Rule and that such review was conducted by the broker-dealer.29 These certifications are required to be retained as part of the broker-dealer’s books and records in a manner consistent with Rule 17a-4(b) of the Exchange Act.30 Although the annual certification required by the Rule is a separate and distinct certification, the SEC stated that, in many cases, it would expect the annual certification requirement under the Rule to be executed concurrently with the broker-dealer’s annual review and certification of its supervisory systems mandated by FINRA Rule 3130.

VIII. Conclusion

The SEC has indicated its belief that the Rule is expected to benefit investors, broker-dealers, their counterparties, and the national market system as a whole by minimizing the risks related to market access arrangements by requiring financial and regulatory risk management controls to be implemented on a uniform, market-wide basis.

The adoption of the Rule, however, may impose burdens on many market participants. The Rule’s effective elimination of naked access arrangements, as well as the obligations imposed on all market access arrangements, will require broker-dealers that have sponsored access and direct market access arrangements with their customers to review and modify (and possibly eliminate) some of these arrangements and update related controls. Further, the Rule will impact the competitive landscape for sophisticated traders (e.g., high-frequency traders) who are not broker-dealers, who no longer can bypass the broker-dealer to place trade orders.

Despite these obstacles, it is imperative that broker-dealers with market access review and adjust their current risk management controls and supervisory procedures to conform to the new Rule before compliance is mandated on July 14, 2011. This would include, among other things, a clearing firm reviewing, and modifying as necessary, its arrangements with introducing firms, to cover situations where the clearing firm is seeking to rely on the allocation provisions outlined above.


1. See Risk Management Controls for Brokers or Dealers with Market Access, Exchange Act Release No. 34-63241, 75 Fed. Reg. 69791 (Nov. 3, 2010) [hereinafter Final Release]; see also Risk Management Controls for Brokers or Dealers with Market Access, Exchange Act Release No. 34-61379, 75 Fed. Reg. 4007 (Jan. 19, 2010) [hereinafter Proposing Release].

2. In general, sponsored access arrangements involve a broker-dealer permitting customers to place orders that bypass the broker-dealer’s trading system and are routed directly to the exchange or ATS. Generally, naked or unfiltered access is a type of sponsored access in which no pre-trade controls or filters are applied before such orders are submitted to an exchange or ATS. See Final Release, 75 Fed. Reg. at 69793.

3. Generally, direct market access arrangements involve a broker-dealer allowing customers to place orders, but the order flows through the broker-dealer’s trading system before the exchange or ATS receives the order. See Final Release, 75 Fed. Reg. at 69793.

4. See Rule 15c3-5(b), Final Release, 75 Fed. Reg. at 69825.

5. See Rule 15c3-5(d) – (e), Final Release, 75 Fed. Reg. at 69825 – 69826.

6. See Rule 15c3-5(a)(1), Final Release, 75 Fed. Reg. at 69825.

7. Broker-dealer operators of ATSs who provide non-broker-dealers access to their ATS were added to the definition of “market access” in response to comments received by the SEC regarding the Proposing Release.

8. The SEC noted that it will consider possible application of risk management controls and supervisory procedures to trading on security-based swap execution facilities and other venues that facilitate the trading of such products. See Final Release, 75 Fed. Reg. at 69795, n.20.

9. See Rule 15c3-5(a)(2), Final Release, 75 Fed. Reg. at 69825.

10. See Rule 15c3-5(b), Final Release, 75 Fed. Reg. at 69825.

11. See id.

12. It is important to note that this exception, which was added to the Rule in response to comments received by the SEC regarding the Proposing Release, only applies to the extent that the routing broker is providing services to an exchange or ATS in order to comply with Regulation NMS Rule 611 for NMS stocks or a national market system plan for listed options. Any routing services that go beyond this limited purpose will be required to comply with the entire scope of Rule 15c3-5.

13. For example, the controls and procedures of a broker-dealer with retail customers may differ from those of a broker-dealer with sophisticated, high-volume customers.

14. See Rule 15c3-5(c)(1), Final Release, 75 Fed. Reg. at 69825.

15. See Rule 15c3-5(c)(1)(i), Final Release, 75 Fed. Reg. at 69825.

16. See Rule 15c3-5(c)(1)(ii), Final Release, 75 Fed. Reg. at 69825.

17. However, such an arrangement would require that the broker-dealer, when assessing the customer’s credit exposure at one exchange or ATS, assume the customer has reached its credit threshold at all other exchanges and ATSs to which it provides access.

18. However, the SEC acknowledged that there are trading strategies in which the orders entered are consistently only rarely executed. For orders submitted pursuant to such strategies, the credit or capital limits may be discounted based on the probability of execution as predicted by a reasonable risk management model. However, broker-dealers utilizing discounting models should review on an on-going basis and modify, as necessary, the risk management models and credit and capital threshold calculations. See Final Release, 75 Fed. Reg. at 69801.

19. See Rule 15c3-5(c)(2)(i) – (iv), Final Release, 75 Fed. Reg. at 69826.

20. See Final Release, 75 Fed. Reg. at 69803.

21. See Final Release, 75 Fed. Reg. at 69804.

22. See Rule 15c3-5(d), Final Release, 75 Fed. Reg. at 69826.

23. See Rule 15c3-5(d)(1), Final Release, 75 Fed. Reg. at 69826. This exception was added in response to comments received by the SEC regarding the Proposing Release.

24. See Final Release, 75 Fed. Reg. at 69807.

25. In this context, the SEC defines the term “affiliate” to mean any person that, directly or indirectly, controls, is under common control with, or is controlled by, the customer. The SEC does not, however, define the term “independent” in the Final Release.

26. See Rule 15c3-5(e), Final Release, 75 Fed. Reg. at 69826.

27. See Rule 15c3-5(e)(1), Final Release, 75 Fed. Reg. at 69826.

28. See id. Rule 17a-4(e)(7) requires every broker or dealer subject to Rule 17a-3 to maintain and preserve in an easily accessible place each compliance, supervisory, and procedures manual, including any updates, modifications, and revisions to the manual, describing the policies and practices of the broker or dealer with respect to compliance with applicable laws and rules, and supervision of the activities of each natural person associated with the broker or dealer until three years after the termination of the use of the manual. Rule 17a-4(b) requires every broker or dealer subject to Rule 17a-3 to preserve for a period of not less than three years, the first two years in an easily accessible place, certain records of the broker or dealer.

29. See Rule 15c3-5(e)(2), Final Release, 75 Fed. Reg. at 69826.

30. See id.

ADV Part II Survey

Dear member,

First and foremost, if Form ADV requirements do not apply to your business, you need read no further! But if they do, then we kindly ask that you read on…

NSCP is conducting a 10-question survey regarding the Form ADV Part II. This survey is time sensitive; we believe the survey results will help in making decisions on how to complete the ADV brochure. We know this is a particularly busy time of year for all, but in order to deliver the results in a timely manner, we must ask everyone to submit their responses AS SOON AS POSSIBLE – the survey will close Friday, December 31, 2010.

We sincerely appreciate any and all responses, and we will disseminate the analyzed data on or around the first week in January. We here at NSCP wish you and yours the happiest and healthiest of holidays, and thank you in advance for your time and commitment to our efforts.

Link to survey: http://www.surveymethods.com/EndUser.aspx?E3D5ABB1E6A2BEB9E9A9B5


The SEC’s Whistleblower Proposal

by Glen Barrentine

Glen P. Barrentine is Special Counsel at Cadwalader, Wickersham & Taft LLP in New York.

The SEC recently issued a release setting forth a proposed rule and accompanying forms to implement the whistleblower provisions set forth in Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). See SEC Release No. 34-63237 (Nov. 3, 2010); 75 FR 70488 (Nov. 17, 2010) (the “Proposing Release”). Section 922 of Dodd-Frank added new Section 21F to the Securities Exchange Act of 1934 (the “Exchange Act”), which, among its provisions, directs the Commission to pay awards to whistleblowers under prescribed regulations. Section 21F is subject to a number of limitations and conditions, including that the whistleblower voluntarily provide the SEC with original information relating to a violation of the securities laws that leads to a successful Commission action. Importantly, no whistleblower award may be paid unless the Commission obtains monetary sanctions in excess of $1,000,000. Section 21F also includes an express prohibition on retaliation by employers against whistleblowers and provides a private cause of action to employees who believe they have been discharged or discriminated against in violation of Section 21F. Whistleblower Provisions are Currently in Effect. Significantly, the provisions of Section 21F relating to whistleblowers and anti-retaliation have an effective date of July 22, 2010 and are not dependent for their effectiveness upon the adoption by the Commission of final, implementing regulations. See Section 4 of Dodd-Frank (providing that except as otherwise specifically provided, the Act and its amendments are to take effect on the

day following their enactment). As a result, as noted on the Commission’s website, whistleblowers that provide information to the Commission on or after July 22, 2010 may be eligible to receive an award provided the “whistleblower complies with all such rules once effective.” www.sec.gov/spotlight/dodd-frank/whistleblower.shtml. The Proposing Release. The Proposing Release would add new Rule 21F under the Exchange Act, 17 CFR §240.21F-1 through §240.21F-16. As noted by the Proposing Release, proposed Rule 21F is meant to be “complete and self-contained” such that “all relevant provisions applicable to whistleblower claims” can be found in one place without the need to refer back to Section 21F. Proposing Release at 4; 75 FR 70488. The Proposing Release requests comments on a large number of specific questions. Comments are due by December 17, 2010. This article focuses on the following:• general limitations on the applicability of proposed Rule 21F; • the possible negative impact of the proposed rule on internal compliance programs;• the proposed rule’s exclusions of certain persons or information from whistleblower treatment; and• steps that broker-dealers and advisers should consider in response to Section 21F and the proposed rule.Limitations on the Applicability of Proposed Rule 21F. There are two significant, general limitations on the applicability of proposed Rule 21F. First, subsection 2(a) of proposed Rule 21F limits whistleblower status to persons that supply information relating to a potential violation under the “securities laws.” Accordingly, in order to qualify for a whistleblower award, a person must report information that relates to

a violation under one or more of the Securities Act of 1933, the Exchange Act, the Sarbanes-Oxley Act of 2002, the Trust Indenture Act of 1939, the Investment Company Act of 1940, the Investment Advisers Act of 1940 and the Securities Investor Protection Act of 1970. See Exchange Act Section 3(a)(47)(defining the term “securities laws”). The effect of this is two fold. One, it means that a whistleblower action may relate to any person to the extent such person is subject to one or more of the securities laws. While this may include regulated financial entities such as brokers, dealers, and registered or unregistered advisers, it may also include companies that file periodic reports with the SEC on account of having issued registered securities or securities that are traded on an Exchange. It will even apply to individuals who violate a federal securities law, including, for example, individuals who engage in insider trading. Two, it means that the applicability of the whistleblower provision is limited to the federal securities laws and does not apply to rules of a self-regulatory organization, such as the Financial Industry Regulatory Authority, Inc. (“FINRA”), or the laws of a foreign jurisdiction. The second general limitation on the applicability of proposed Rule 21F is that it conditions the grant of an award on the Commission having obtained monetary sanctions totaling more than $1,000,000. As a result, proposed Rule 21F should have little if any impact with respect to the minor violations that most broker-dealers typically experience. As to more significant matters that may be likely to meet the $1,000,000 threshold, arguably broker-dealers that are members of FINRA will be required to self-report these matters themselves under recently approved, but not yet effective, FINRA Rule

Page 13: NOVEMBER / DECEMBER 2010 CURRENTS NSCP NSCP Currents November/December 2010 Every employee associated with a broker-dealer shares a common responsibility for the firm and all its employees

NSCP Currents November/December 2010134530 .01 (requiring self-reporting whenever the member concludes or “reasonably should have concluded” that an associated person or the member itself has violated any “securities, insurance, commodities, financial or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization,” provided no reporting is required under this provision unless the conduct at issue “has widespread or potential widespread impact to the member, its customers or the markets” or the conduct “arises from a material failure of the member’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.”).Possible Negative Impact on Existing Compliance Programs. Recognizing the possibility that a potential monetary award could discourage the reporting of violations to a subject entity and, thereby, “reduce the effectiveness of . . . existing . . . internal processes for investigating and responding to potential” securities law violations, the Commission included within proposed Rule 21F a provision that is “intended not to discourage whistleblowers” from making their first report to the subject entity rather than the SEC. Proposing Release at 4; 75 FR 70488. This provision, which is found at subsection 4(b)(7) of the proposed rule, allows a whistleblower to treat the date of any report to a person with legal, compliance, audit, supervisory or governance responsibility for an entity as the date of reporting to the SEC, provided the individual, within 90 days, submits the same information to the Commission. While this provision is designed, in the words of the Proposing Release itself, “not to discourage” internal reporting, it is important to understand that, as proposed Rule 21F is currently structured, internal reporting is likely to be detrimental to a whistleblower. 
This follows from the fact that notifying an entity with respect to a potential violation provides the subject entity

an opportunity to fix the violation and to itself bring such matter to the Commission’s attention and otherwise cooperate with any Commission action resulting therefrom. As each of these actions may have the effect of reducing any monetary sanction that the Commission ultimately obtains, they may also have the effect of reducing or even eliminating any whistleblower award that might otherwise result. Specifically, notification may give the subject entity an opportunity to identify and fix the violation, which should serve to limit the scope of the problem and, therefore, should also help limit the size of any Commission sanction. Notification also gives the subject entity a chance to report the problem to the Commission, take remedial action, cooperate with the SEC’s own investigation and otherwise take the type of actions that the SEC has identified as likely to lead to “credit . . . in deciding whether and how to take enforcement action. . . .” The Seaboard Report, SEC Release No. 34-44969 (Oct. 23, 2001), available at http://www.sec.gov/litigation/investreport/34-44969.htm#framework; seealso, the SEC’s “Enforcement Cooperation Initiative” available at http://www.sec.gov./spotlight/enfcoopinitiative.shtml. As noted in the Proposing Release, the Commission considered, but rejected, an approach of “requiring potential whistleblowers to utilize in-house complaint and reporting procedures” out of concern that some firms may lack “compliance processes that are well-documented, thorough, and robust, and offer whistleblowers appropriate assurances of confidentiality. . . .” Id. at 34; 75 FR at 70496. The Proposing Release does, however, solicit comments on whether the Commission should “require whistleblowers to utilize employer-sponsored complaint and reporting procedures?” Id. at 36 and 37; 75 FR at 70496 (question 18). The Proposing Release also seeks comment on whether the Commission,

in determining the amount of an award to a whistleblower, should take into account whether the whistleblower reported the potential violation through effective internal whistleblower, legal or compliance procedures before reporting the violation to the Commission.” Id. at 52; 75 FR 70500 (question 27).Voluntarily. To be eligible for a whistleblower award, information must be “voluntarily” provided to the Commission. Proposed Rule 21F defines “voluntarily” in a manner that would exclude two groups of persons. The first consists of individuals that have “a clear duty to report violations of the type at issue.” Proposing Release at 14; 75 FR 70491. This would include employees of appropriate regulatory agencies among others. Seeid. The second group consists of persons whose submission to the Commission is made after their receipt of a “formal or informal request, inquiry, or demand from the Commission, Congress, any other federal, state or local authority, any self-regulatory organization, or the Public Company Accounting Oversight Board about a matter to which the information in the submission is relevant.” Id. at 11; 75 FR 70490. An employee will be deemed to fall within the foregoing exclusion, if the employee “possess the documentation or other information that is within the scope of” any request, inquiry or demand to the employee’s employer. Id. Significantly, the foregoing would not exclude information provided by employees who make a submission after receiving a request from a foreign agency or regulator. Seeid. at 15; 75 FR 70491 (soliciting comment at question 3). Similarly, employees who make a submission after learning about a matter through an internal investigation or other action taken by an entity to investigate or monitor for a possible violation also

(Continuedonpage14)

Page 14: NOVEMBER / DECEMBER 2010 CURRENTS NSCP NSCP Currents November/December 2010 Every employee associated with a broker-dealer shares a common responsibility for the firm and all its employees

NSCP Currents November/December 2010 14

would not be covered by the above exclusion – though, as discussed below, the information gained thereby might be excluded from the proposed definition of “original information” and, therefore, might not support a whistleblower award. See id. at note 11 (noting that information obtained as a result of questioning from a compliance review would nonetheless be considered to have been obtained “voluntarily”).

Original Information. Section 21F(a)(3) of the Exchange Act defines “original information” to mean “information that is derived from the whistleblower’s independent knowledge or analysis; is not already known to the Commission from any other source . . . ; and is not exclusively derived from an allegation made in a judicial or administrative hearing, in a governmental report, hearing, audit, or investigation, or from the news media, unless the whistleblower is a source of the information.” Proposed Rule 21F-4(b) excludes information gained under seven circumstances from the definition of “original information.” Information excluded from the definition of “original information” cannot be used to support a whistleblower award.

Legal and Audit Representation. The first three of these exclusions are designed to prohibit the use of information obtained by professionals, such as attorneys or independent accountants, in the performance of services for a client, as well as certain associated individuals and other persons retained to assist on such matters.

Compliance Related Matters. Significantly, the fourth and fifth exclusions relate to knowledge obtained from supervisory, compliance and related or similar functions. Specifically, the fourth exclusion applies to a person with “legal, compliance, audit, supervisory, or governance responsibilities for an entity” but only to the extent such person “receives information about potential violations, and the information was communicated to the person with the reasonable expectation that the person would take appropriate steps to cause the entity to respond to the violation.” Proposing Release at 23 and 24; 75 FR 70493. The fifth exclusion, which the Proposing Release characterizes as “closely related” to the fourth, applies to information obtained “from or through an entity’s legal, compliance, audit, or similar functions or processes for identifying, reporting, and addressing potential non-compliance with applicable law.” Id. at 23 and 24; 75 FR 70493 and 70494. Unlike the fourth exclusion, which is limited to persons who perform certain specific functions, the fifth exclusion applies broadly to any person who obtains information from or through the entity’s compliance function. As noted in the Proposing Release, while this includes persons directly responsible for compliance-related processes, it also includes persons who learn about a matter only because of a compliance function, e.g., being questioned by a compliance officer. Id.

It is important to note, however, that the fourth and fifth exclusions only apply if the entity in question self-reports the matter within a “reasonable time” and does not otherwise proceed in “bad faith.” Id. at 25; 75 FR 70493. Accordingly, the proposed rule allows even compliance and supervisory personnel to submit information to the SEC, even information that is obtained by them in the fulfillment of their compliance and supervisory responsibilities, but conditions the right of such persons to share in any whistleblower award upon the subject entity’s failure to self-report or the entity otherwise proceeding in bad faith.

Importantly, the fourth and fifth exclusions do not apply to information learned by an employee through his or her work-related functions except to the extent such functions are compliance-related or otherwise specifically covered by the two exclusions.

Other Exclusions. The remaining exclusions apply to persons who obtain information in violation of federal or state criminal law or from any person subject to any of the foregoing exclusions.

Further Considerations for Regulated Financial Entities. Because Section 21F is currently effective and in anticipation that the whistleblower provisions ultimately approved by the SEC are likely to follow, at least, the general outline of proposed Rule 21F, regulated financial entities, such as broker-dealers and advisers, should take steps to determine whether:

• They have a robust no retaliation policy in effect that is consistent with the scope of Section 21F. If not, a formal policy should be adopted and steps should be taken to ensure that employees are aware of their rights and obligations thereunder.
• Their existing processes require all reports of violations, including “tips,” to be documented and promptly investigated, the results of such investigation to be appropriately reviewed, and any determination as to whether responsive action is required, including self-reporting of any such matter to the SEC and/or FINRA, also to be appropriately documented.
• Their existing processes are sufficient to allow all compliance-related reviews to be clearly identified as such.


All Change in UK Regulation What We Have, What is Changing, and Why

by David Symes

David Symes is MD of Compliance Recruitment Solutions (offices in London and New York) and both VP of the London Chartered Accountants and Chairman of their Compliance Group.

I. INTRODUCTION

The origin of what the UK currently has and why it is changing is closely related to the politics of the UK. Hence this article aims to explain not only what we have in the UK, how it has been developed in the relatively short (compared to the US) time of 22 years, and what is now proposed, but also the political motivations behind the one major shift after 9 years in 1997 and why the current revisions now proposed to effectively reverse that shift are also mainly politically based. From this it should be clear why it is completely different in purpose to Dodd-Frank even if its effects may be as wide sweeping for the UK. Please note that EU-driven change is not properly considered here but may be covered in a future article, nor are the separate changes in the development of Anti Money Laundering.

II. BACKGROUND

a) First Regulatory Structure 1988-1997

Until 1988 the UK had nothing like the US, only Stock Exchange requirements (and related statutory and voluntary code requirements) for listing companies and areas of Corporate Finance, and these were reactively enforced - i.e. when problems arose, then investigations were carried out and possibly mild punishments issued, but there was no one to police whether the firm was following the rules or even had procedures in place (even insider dealing legislation wasn’t enacted until 1980). Then following a succession of scandals and frauds, the Tory (Conservative) government under Margaret Thatcher commissioned the Gower Report in 1981 which led to the Financial Services Act of 1986 (the same year London Securities trading was opened up in what was known as Big Bang and which led to a flood of global banks moving into London and buying up Merchant Banks and Stockbrokers). In summary, the Act extended the scope of regulation across all the front and back office functions of Broker-Dealers, Investment Advisors and Investment Banks and Managers, covering most traded products (and the Sales and Marketing of Life Assurance and Pension products) whilst requiring pro-active registration with an SRO (or similar) overseen by the Securities and Investments Board (SIB), otherwise carrying out such activities became a criminal offence. This structure was quasi-governmental but supervised directly by the Department of Trade and Industry (changed in 1991 to the Treasury, under the Chancellor of the Exchequer). This Act finally came into force in April 1988.

This meant that for the first time, outside of members of the London Stock Exchange (and now a lot more demanding for those firms), companies had to prove that they were fit and proper, both as to the integrity of Directors and Owners and the capitalisation and ongoing financial stability of the firm. They also had to designate a Compliance Officer with adequate resources and a Compliance Manual, submit regular returns confirming Compliance Monitoring had been carried out and any serious breaches reported, and submit to regular regulatory inspections. However, normal Banking activity stayed regulated by the Bank of England, itself theoretically independent from the Government though always working closely, and famed for its relaxed approach (if there may be an issue or problem, then that Bank’s Senior Management was called in for “a cup of tea and sandwiches” resulting in, at most, a verbal warning or strong recommendation).

There then followed a period of relative regulatory stability during which the five SROs under the SIB became three, the first major fines were handed out and a few firms closed. However, during this period there were two major banking failures, firstly the BCCI (a Middle Eastern bank famed for money laundering but not de-authorised by the Bank of England until it collapsed in 1991, two years before the first pro-active UK Anti Money Laundering legislation was fully introduced), then in 1994 the famous typically blue blooded Barings Bank, as a result of one rogue trader (Nick Leeson) trading in the Japanese markets from Singapore.

b) New Regulatory Structure 1997 and Why

In 1992 the Tory government was on its knees 18 months after Margaret Thatcher was ousted as Prime Minister and Labour were expected to easily win the election, having already announced that they would merge the SIB and the then four SROs and associated other bodies into one. However they lost the Election due to unbalanced socialist tax policies and had to wait another five years before “New Labour,” effectively jointly led by Tony Blair as Prime Minister and Gordon Brown as Chancellor, finally swept to victory with a landslide. Within the week, Gordon Brown delighted the Bank of England by giving them the right to set interest rates independently of Government control; however, a fortnight later he announced that not only was he rolling up the Tory created SRO and SIB structure into one body to be known as the Financial Services Authority, he would give this body the responsibility


for Banking Regulation too instead of the Bank of England, particularly due to the two Banking failures above which had occurred under the Tories, of course. Thus from now on the Banking Sector would be supervised by a tri-partite arrangement of the FSA supervising the individual Banks whilst the Treasury and Bank of England looked at the broader macro economic and markets viewpoint.

c) Regulatory Change 1998 to 2007

Despite Labour’s much trumpeted new regime, in practice the only change was moving the Bank of England supervisory staff into SIB/FSA buildings and reporting lines and similarly, but more gradually, the integration of the SROs’ staff and processes. Even this physical reorganisation didn’t really finish until 2000 whilst the new Act of Parliament to structure this, the Financial Services and Markets Act 2000, was repeatedly delayed with missed deadlines and didn’t finally come into effect until midnight on the last day of November 2001 (“N2”), more than 4.5 years after the political decision was announced.

Other changes then came into effect, notably the introduction of regulation to the mortgage and general insurance sector (both surprisingly omitted from the scope of the 1986 Act, especially mortgages), initially through semi voluntary codes from 1999 and eventually full FSA regulation from October 2004 and January 2005 respectively. [General Insurance had been regulated above retail level through a combination of Lloyd’s of London regulation if relevant and Government Departments, albeit in the latter’s case reactively, not proactively.] Then the introduction of the EU MiFID directive in 2007 led to a mass change in the detail of the rulebooks as well as commercial opportunities in the securities trading sector – however, a detailed analysis of this is outside the scope of this article.

Finally, rules were drafted to actually regulate Retail Banking properly under the FSA instead of a Banking Code, although they didn’t come into force until late 2009 alongside the EU enforced Payment Services Directive (again, outside this article’s scope).

III. SEVERE PROBLEMS 2007 – 2009

a) Northern Rock September 2007

Northern Rock was a relatively recently (1997) demutualised smaller Bank that had specialised in providing savings accounts and mortgages locally in the North East of England but had gradually expanded beyond its comfort zone in localities and business model as well as deviating from its standard sources of finance by borrowing in the money markets until such sources started drying up at the beginning of the Credit Crunch in summer 2007. The authorities, supposedly acting together under the Tripartite Arrangement above, failed to act decisively even as queues of panic stricken savers were repeatedly shown, until, after what was the first run on a UK bank in 150 years, the Government finally guaranteed all deposits and effectively took it over.

Subsequent reports and investigation showed two underlying causes. Firstly, the ineffective FSA supervision/examination of what was considered a smaller low risk operation meant visits were not regularly made, and when they were, no proper examination took place whilst what was reviewed was not even documented and the ongoing business model was not challenged. Secondly, when the problems did come to light, none of the three bodies involved in the Tripartite Arrangement was willing to act first or decisively until too late and the damage was done, not only to the individual Bank, but to public (and institutional) confidence in the whole system. In fact, the only body to call anyone to account was the Treasury Select Committee (similar to Congressional Committees or Senate Hearings) who after interviewing the heads of all three tripartite bodies involved belatedly saw the resignation of one senior regulator (the FSA CEO during the period having conveniently left by plan shortly afterwards) then more dramatically interviewed the Chairman and CEO of Northern Rock, interrogating them in particular on their approach (or lack of) to Risk Management, following which they both finally resigned.

b) Lehman September 2008

After a year of increasing bad news, the impact of the failure of Lehman in the UK followed by hysterical headlines over the next few weeks about the impending collapse of the whole financial system destroyed what little faith the public and even financial and regulatory professionals had in the system. The then near collapse of RBS, one of the UK’s big four banks, combined with the government arranged shotgun marriage of another big four bank with the fifth largest, resulting in one big four bank becoming Government majority owned and the other as good as, meant that action was needed.

c) FSA Response – Tactical

The tactical response by the FSA to both of the above was limited; it stopped rubber stamping the appointment of Senior Management and Compliance Officers, instead reviewing the appointments fully, telling firms in some cases to withdraw the applicant as either not fit or proper in integrity or potentially not competent to perform the required function. Those still considered are now regularly called for interview and may well be required to withdraw and return once better prepared. Additionally, many aspects of non compliance found during routine examinations that previously would have been self certifiable report points now result in compulsory investigations by competent third parties (s166 reports) back to the FSA, at considerable cost and business disruption (as well as increased chance of full enforcement action). Finally, for those firms put through


full enforcement, the fines (until now frequently less than $1m, the publicity itself being deemed sufficiently punitive) suddenly became a lot larger.

d) FSA Response – Strategic

The Chairman of the FSA, Lord Turner, took personal responsibility for the main Report to emerge from the crisis, addressing amongst other issues the concept that Retail Banks were being brought to collapse by their hard to control and overpaid Investment Banking divisions. Thus Turner examined (and eventually brought in) the first restrictions on bonuses, whilst formally raising the possibility of the enforced separation of Investment Banking. Turner also examined whether the UK should adopt the “twin peaks” model of Regulation - i.e. separate Conduct of Business Rules from Prudential requirements (e.g. mainly the Capital Adequacy and Financial Stability) before concluding probably not.

IV. CHANGES PROPOSED 2009 TO DATE

a) Build Up

In Summer 2009, the Tory leader David Cameron and future Chancellor George Osborne went to the Bloomberg HQ in the City of London to announce that were they to be elected, they would undo the regulatory regime brought in by the then Chancellor and now finally Prime Minister Gordon Brown, which in their view had failed badly. This would involve not only returning the responsibility for Prudential Regulation to the Bank of England (Brown’s major reform of 1997) but also breaking up the FSA “he’d created” and setting up a new Consumer Protection Agency, conveniently forgetting that, Banking aside, the rest of the FSA was a rearrangement of a Tory creation initially. This was greeted as political grandstanding for cheap points directly off the now Labour Prime Minister that probably wouldn’t be followed through. In fact at a parliamentary debate in November 2009 the future Minister who had been given responsibility for Financial Regulation took considerable criticism from both Labour and Liberal Democrat representatives that this was merely “rearranging the deck chairs on the Titanic” (also including giving responsibility for the Insurance sector, an area where London was still a world leader, to the Bank of England too despite lack of any previous experience or ongoing synergy). However it also had the actual real time effect of damaging the morale (whilst the sector was still trying to recover) of the already besieged FSA staff, whilst the lack of comment on the future regulation of Securities Trading and Investment Management added uncertainty to the future direction of these key areas during a period of needed recovery.

b) Government Change

To little surprise, after 13 years, Labour did lose the May 2010 election (albeit with the Tories needing the support of the Liberal Democrats to form a Government). However, despite the easy opportunity to back down from their radical restructuring plans (given the Liberal Democrats had been against it), the new Government soon announced they were still planning to break up the FSA.

c) The New Regime

Thus the current proposals for implementation in 2012 are as follows:

i) The Bank of England, as well as their ongoing responsibility for macro supervision of the banking sector, will have responsibility for the oversight and safety (micro supervision) of banks and insurers.
ii) A new Consumer Protection and Markets Authority will have responsibility for Investor Protection, Market Supervision and Regulation and the Business Conduct of Banks and Financial Services firms generally.

Then only in late November the Government confirmed that the CPMA would not only have listing responsibility, but also that Criminal Enforcement (currently held by the FSA) would stay with the CPMA (rather than be added in with a new super combined anti crime agency being set up by merging other agencies, as had been proposed).

d) Still Uncertain

i) A Commission has been set up to examine whether Retail and Investment Banking should be formally split but given a year to report back, by which time more of the dust should have settled and there will be less media or political pressure to make tough decisions.
ii) Bonuses are still a moving target, with the rules changing as this is written and subject to EU codification.

V. CONCLUSION

After one major reorganisation only nine years after the UK first brought in its first ever full Regulatory Regime which took nearly 5 years to implement, after less than 10 years of stability this whole structure will change again with resultant uncertainty in the whole sector (especially among the Regulatory staff who will probably be mainly retained at junior and middle management levels but given new titles, bosses and possibly offices) and of course banks and insurers who will suddenly have to cope with two sets of regulators, some completely new, and no idea what to expect from them except, no doubt, overlapping demands for information. These may be potentially good times for Compliance Officers, however, who are paid to successfully oversee the change, as well as Compliance Consultants employed to implement a new raft of detailed rulebooks.


What’s on the SEC’s Radar?

by Jose Santiago

Jose Santiago is Senior Consultant at SEC3 Compliance Consultants.

Part one of two parts.

In her first public address as Chairman of the SEC, Mary Schapiro (“Schapiro”) noted that the market crisis put the SEC under a microscope. She admitted that “the crisis has exposed weaknesses and gaps in the regulatory system and areas where the SEC particularly must re-commit its resources and talents in order to restore investor confidence.” Ms. Schapiro offered that the challenges for the SEC “will take determination, hard work, toughness, and above all, an unrelenting will to stand up for investors.”1

In 2008, Lori Richards, the former Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), spoke of the SEC’s top 10 focus areas. In contrast, the current director of OCIE, Carlo di Florio, said, in an interview with Dow Jones Newswires, “It’s never going to be quite clear that you can game the system by focusing on three issues that you know are hot topics.” Those two quotes provide some insight into the difference that two years can make. John Walsh, OCIE’s Chief Counsel, summed up the change between 2008 and 2010 quite succinctly when he said, “To put it bluntly, the world of compliance in 2008 is dead….I can assure you, the examination program is changing and will continue to change.”2

After an economic crisis and several highly-publicized frauds which the SEC was criticized for not uncovering, the SEC is trying to change its examination practices while keeping its cards close to its vest. Given the lack of detail communicated by the SEC regarding focus areas, below we present updates regarding some past areas of focus and glean current areas of SEC concern based on SEC staff comments and on recently-adopted legislation that impacts registrants with the SEC. Rather than discussing theory, we present steps for practical implementation and testing by investment advisers and their chief compliance officers (“CCO”).

The areas presented below should be considered in an investment adviser’s risk assessment as part of its compliance program. Firms should be using the areas presented below and the SEC’s publicly-available and evolving request lists to conduct comprehensive mock examinations. A mock examination will give firms a feel for what will be requested and also give firms an idea regarding how long it will take to produce the documentation and information. If firms are unable to produce everything within a reasonable time, it is better to know this in advance, before the SEC is the party making the request.

1. SEC Examination Practices

The SEC has shared that the staff is pursuing more focused examinations, targeted on areas of high risk, and based on tips, complaints and referrals. The days of the SEC trying to examine firms on a regular schedule every few years seem to be gone. The SEC has had a system named TCR (tips, complaints and referrals) for several years, but according to OCIE Associate Director Gene Gohlke, it will be used to select candidates for examinations. The SEC has stated it will increase the number of cause examinations conducted by its staff. Tips, complaints and referrals may come from a variety of sources including clients, investors, and employees. Resulting targeted exams will likely be a surprise to affected firms as they will probably not receive any prior notice. Exams planned without prior notice to the registrant are not a new phenomenon, but this approach is now apparently being revived in a more aggressive manner.

According to Gohlke, “We simply show up, because if there are allegations of wrongdoing we don’t want to give firms a good deal of lead time to clean up.” The staff of the SEC does not, as a matter of practice, disclose whether an examination is routine or for cause, and advisers will not be told whether an examination is the result of a tip, complaint or referral.

In addition to TCR spearheaded exams, firms with higher risk characteristics will likely be the subject of increased scrutiny and more frequent examinations. Thus, firms with complex affiliations, custody of client securities, private fund clients, investments in alternative sectors, and/or solicitation arrangements will likely be considered high risk candidates. Lower-risk firms will, however, certainly not be free of SEC scrutiny. They will still be subject to routine examinations, albeit more traditional in nature with advance notice often ranging from two to four weeks. SEC examinations where the SEC finds a strong compliance culture and controls will likely reduce the frequency of future examinations for such lower-risk firms. SEC staff will likely continue to randomly pick newly-registered firms to undergo modified examinations or visits in order for the SEC to assess risk and culture of a firm and ascertain whether a more in-depth examination is warranted.

More interesting and novel to the SEC, the staff is now sending targeted request letters to firms, a practice which somewhat resembles the traditional “sweep” exams. Like a traditional sweep exam, the SEC picks targeted firms with some underlying similarity. The SEC gathers information and works from their offices to determine which firms may justify deeper review. Unlike traditional sweep exams meant to gather intelligence and assist the


SEC in understanding certain business activities more fully, the SEC’s approach during “targeted exams” is risk-based with the goal of covering more ground in less time. These targeted exams are intended to assess risk and identify future examination candidates based on the responses received.3

In order to respond to the challenges, changes and complexities of financial services regulation in this changed world, the SEC is planning to acquire new staff with skill sets that are suited to the types of registrants the SEC will have under its purview. As was succinctly put by SEC Commissioner Luis Aguilar, the “number of examiners needs to grow.” Expect more coordination among SEC units4 while at the same time expect the effective collapse of OCIE with its examiners placed in various divisions of the SEC based on registrant type, e.g., investment advisers and broker-dealers, a likely result of the recently-enacted financial reform discussed in greater detail below.

What Should Firms be Doing?

• Attend conferences, seminars, roundtables and other forums to familiarize the staff of a firm with new regulations, examination techniques, and trends.
• Review recent publicly-available SEC request lists and maintain a current inventory of responses for those items that can be prepared prior to an SEC examination.
• Perform regular testing of policies, procedures and practices.
• Update policies and procedures to reflect actual practices of the firm.
• Conduct mock examinations either internally or by engaging a third party.
• Identify conflicts of interest and manage them.
• Disclose conflicts of interest to clients and potential clients, including through Form ADV. Form ADV Part II disclosure requirements must now be filed with the SEC and provided in a narrative disclosure document. Firms should use this narrative format to disclose conflicts and management of conflicts in a clear, concise manner.5

What Are SEC Examiners Reviewing?

• Reviewing tips, complaints and referrals to target advisers for examination.
• Reviewing Form ADV for disclosures that would suggest high-risk registrants.
• Reviewing conflicts of interest and risks and their management once onsite to determine length of examination and need for a more in-depth and lengthy examination or additional examination(s).
• Reviewing policies and procedures, and testing in relation to those policies, in order to ascertain compliance culture and risk posed by a firm with respect to its program designed to adhere to applicable regulations.

2. Financial Reform

As a result of the recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Act”), many investment advisers have to rethink aspects of their businesses and practices in light of the provisions of the Act. Some advisers may no longer be subject to SEC registration while others may have to register. Generally, advisers with greater than $100 million in assets under management will be required to register with the SEC, unless their only clients are private funds, while those under that amount will register with the state(s) unless the firm qualifies for certain exceptions. Advisers to private funds will now be required to register if the adviser has greater than $150 million under management. Advisers to private funds should also be aware that the primary residence of an investor in a private fund no longer counts, effective immediately, as part of the net worth of an investor for purposes of determining eligibility to invest in such funds.

Among the exceptions are that the Act would require certain foreign advisers with no place of business in the United States to be registered with the SEC if the adviser holds itself out to the public in the United States as an investment adviser, has 15 or more clients and private fund investors in the United States or has $25 million or more of assets under management from clients or investors in the United States regardless of the number of its clients/investors. Therefore, more foreign-domiciled advisers may be required to register given that this exemption is so limited.

The Act also provides for an exemption for advisers to venture capital funds, a term that the Act requires the SEC to define. Venture capital funds will be subject to recordkeeping and reporting obligations under the Advisers Act even if not required to be registered. In the past, the SEC has distinguished between hedge, private equity and venture capital funds. However, it is not yet clear how the SEC will define the term “venture capital fund.”

What Should Firms be Doing?

• Reviewing assets under management to determine eligibility for registration with the SEC.
• Reviewing whether exemptions apply to advisers, especially foreign-domiciled advisers, with respect to SEC registration.
• Reviewing policies and procedures regarding registration to ascertain whether they should be revised to reflect new requirements.
• Immediately review the status of eligibility of investors in private funds to exclude the primary residences of investors.

What Will SEC Examiners Be Reviewing?

• The amount of assets under management and types of clients and investors to ascertain eligibility for SEC registration.
• Whether accredited investor status has been reviewed to exclude primary residences from net worth.
• Foreign affiliates of advisers to determine whether they should be registered with the SEC.


• Whether policies and procedures and disclosure/registration documents, such as Form ADV and offering memoranda, are updated to reflect new requirements and status.

3. Safeguarding Clients’ and Funds’ Assets

The SEC has long been concerned with safeguarding client assets from conversion or improper use. Given that misappropriation of client funds played a prominent role in some recent high profile securities frauds, the SEC has taken additional steps designed to ensure that clients’ assets are safeguarded and not misused.

In December 2009, the SEC amended Rule 206(4)-2 (“Custody Rule”) of the Investment Advisers Act of 1940 (“Advisers Act”) which imposes requirements on investment advisers that have custody or possession of client assets. Generally, an investment adviser must maintain client funds and securities at a qualified custodian. This recent rule amendment is significant in that it imposes surprise independent verifications and internal control reports with respect to advisers that have custody of client funds or securities, respectively, held outside of a qualified custodian and for which an affiliate is the qualified custodian. It also provided exceptions for certain privately-offered securities and private funds with respect to which an adviser has custody.

The SEC is interested in whether advisers have effective policies and procedures for safeguarding their clients’ assets from theft, loss, and misuse. The SEC is also concerned with the analysis an adviser undertakes with respect to whether it has custody, under the new and complex requirements of the revised Custody Rule, and with an adviser’s implementation of applicable requirements. If an investment adviser only has custody because it deducts fees directly from client custodial accounts, it does not have to engage an accounting firm to conduct surprise verifications and prepare internal control reports.

What Should Firms be Doing?

Advisers should establish procedures for dealing with the following issues arising under the Custody Rule:
• An adviser should have procedures in place to assess its arrangements and determine whether it has custody under the Custody Rule.
• If an adviser desires to limit its form of custody to certain circumstances, i.e., the deduction of advisory fees from custodial accounts, it should establish procedures to avoid having custody otherwise.
• When opening an account for a new client, an adviser should check whether the client’s custodian is a “qualified custodian.”
• An adviser should establish procedures to inform clients if it opens a new custodial account on a client’s behalf and that account statements are sent to clients by custodians. It is extremely important that the account statements are not routed through the adviser prior to delivery to the client. This helps ensure that advisory personnel do not have an opportunity to alter or falsify custodial statements.
• Given that the revisions to the Custody Rule were also accompanied by changes to Part I of Form ADV related to custody, an adviser should review its Form ADV to determine whether any amendments are necessary.
• An adviser should review its advisory contracts and third-party agreements to determine whether custody arrangements are appropriately disclosed.
• If an adviser has custody through any means other than the ability to deduct fees from custodial accounts, it must ensure that it engages an accountant as required by the Custody Rule to conduct the applicable verification and/or prepare the appropriate internal control report by the deadlines imposed by the rule.
• If an adviser manages private funds, and has custody via its relationship to such funds or its affiliates, it can avail itself of the annual audit exception in the Custody Rule.
• If an adviser has custody of other privately-offered securities, it can also avail itself of the applicable exception in the Custody Rule.

An adviser may also wish to establish policies and procedures with regard to safeguarding clients’ assets.
• The adviser should limit the personnel who are authorized to trade client accounts. The adviser could use passwords for electronic trading software and systems or provide custodians with a list of personnel authorized to provide instructions. Further, a compliance officer or designated individual should periodically review account trading patterns to monitor for signs of unauthorized trading.
• The adviser should also have a system of reconciling custodial statements to its internal records and to resolve any differences.
• An adviser’s policies and procedures could also provide for protecting client assets by requiring advisory personnel to maintain confidentiality when handling client account information.

What Are SEC Examiners Reviewing?

Examiners will focus on the following issues:
• Whether the adviser has custody of clients’ funds and securities;
• Whether the client is billed directly by the adviser;
• Whether the adviser uses a qualified custodian to take custody of client assets;
• Whether fees are deducted directly from the client’s account by a qualified custodian;
• Whether the client agreement authorizes automatic withdrawal of advisory fees from the client’s account;
• Whether the client receives a statement at least quarterly that shows the deduction of advisory fees;
• Whether the adviser has a policy and procedure in place to prevent inadvertently taking custody of
securities or checks;
• Whether, if applicable, the adviser has engaged an accounting firm to conduct surprise verifications and prepare internal control reports;
• Whether private funds managed by an adviser have undergone an annual audit and that the resulting financial statements have been disseminated to fund investors; and,
• Whether books and records related for advisers with custody are maintained.

In light of the Bernie Madoff Ponzi scheme and other frauds involving misappropriation of assets, the SEC is focusing on making sure managers actually have the assets that are being disclosed on clients’ statements by contacting custodians and clients to ascertain the accuracy of adviser records regarding assets managed and held by a firm.

4. Information Protection

The SEC expects investment advisers to adopt an “information security program” which would require the adoption of written policies and procedures to address administrative, technical, and physical safeguards and protection of customer records. The SEC’s goal is to ensure the security and confidentiality of personal information, protect against any anticipated threats or hazards to the security or integrity of personal information, and protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience.

In addition to SEC expectations and requirements, states have adopted or are considering adopting their own information protection regulations that may, in effect, extend beyond state boundaries. State law may be stricter than SEC rules regarding what constitutes non-public information and reporting responsibilities. Massachusetts, for example, adopted strict standards for the protection of personal information with respect to its residents that affected investment advisers both inside and outside the Massachusetts border. These standards appear to apply to businesses that have Massachusetts residents as clients or investors. Accordingly, investment advisers have revised their policies and practices to conform to these standards which require, among other things, encryption of certain electronic communications.

What Should Firms be Doing?

Given the SEC’s expectations and the onset of applicable state regulations, many financial institutions may find a need to add sophisticated and/or costly measures to control the risk of personal information being accessed by hackers or other unauthorized persons. Firms should identify in writing their security risks, standardize their policies throughout all communications (employee manuals, Form ADV, etc.) and consider keeping some documents, such as executed contracts, longer than the SEC’s books and records rule requires. Some other tips include making sure laptops that contain sensitive client information require passwords, that employees’ thumb drives with confidential data are encrypted and that the firm notify the client and the SEC if such information is lost.

Further, advisers should be aware that not all records destruction vendors are the same in the way they shred records. Advisers should ensure that their vendor uses cross-cut shredders. At least one company sells services that promise to re-assemble shredded documents, and a cross-cut technique would make this extremely difficult.

A financial institution could send e-mails or post warnings on their internet site to alert customers of known e-mail and internet-related fraudulent schemes and to caution them against responding. Additionally, financial institutions could offer customers assistance when fraud is detected in connection with customer accounts. A centralized reporting system should be considered to monitor all privacy
breaches to detect and track patterns of potential fraudulent activity. Firms should also maintain a centralized file of all relevant documents pertaining to privacy breaches and keep a copy in the files for those customers who are impacted.

Firms should also ensure that they are complying with applicable state requirements. They can avail themselves of information disseminated through investment adviser compliance roundtables, conferences and publications where the Massachusetts standards have been a topic of much interest and discussion. Firms can also consult with their attorneys and compliance consultants regarding applicable state regulations and their application to policies and practices.

What Are SEC Examiners Reviewing?

During on-site examinations, examiners look at whether advisers and their employees guard their clients’ privacy or act carelessly with regard to client confidentiality. Examiners look for various red flags including, but not limited to, the following:
• Employees have access to all files, not just the ones for which they have certain responsibilities;
• The firm does not restrict access to private information to employees with a need to know;
• Employees do not log off their computers when they leave their desk and change their passwords infrequently;
• Files on desks and file drawers are left open where anyone may see or access them;
• File cabinets and offices with private information are left unlocked; and/or,
• Employees have conversations about client private information in open areas.

Examiners also verify that formal policy requirements are being satisfied, such as:
• Whether clients were provided a copy of the adviser’s privacy policy at the time the account was opened;
• Whether the adviser shares client
information;
• Whether clients may opt out of any sharing of information arrangements;
• Whether the policy is thorough and accurate;
• Whether there is evidence of the delivery of an annual privacy notice to clients; and,
• Whether a record is maintained to document delivery of initial and annual privacy notices.

5. Conflicts of Interest, Insider Trading and Code of Ethics

The purpose of the Code of Ethics (“COE”) rule and personal securities transactions reporting requirements is to ensure that an adviser complies with its fiduciary duty to keep clients’ security holdings and financial circumstances confidential. Each adviser must maintain and enforce procedures to prevent the misuse of material nonpublic information about the adviser’s securities recommendations, client securities holdings, and transactions. An adviser’s COE must also require the review of such reports in order to identify improper trades or patterns of trading by employees with access to such information.

The COE should provide that, as a fiduciary, the adviser has an affirmative duty of care, loyalty, honesty, and good faith to act in the best interests of its clients. Compliance with this duty can be achieved by trying to avoid conflicts of interest and by fully disclosing all material facts concerning any conflict that arises with respect to any client. In addition, advisers may wish to impose a higher standard by providing that individuals subject to the COE must try to avoid situations that have even the appearance of conflict or impropriety. Conflicts of interest can take many forms – access to inside information, gift incentives which may compromise sound judgment, ability and/or willingness to make questionable or unethical decisions and more.

What Should Firms be Doing?

Conflicts of interest may arise where the adviser or its personnel have reason to favor the interests of one client over another, i.e., larger over smaller accounts, accounts compensated by performance-based fees over accounts with standard advisory fees, accounts in which employees have material personal interest. An adviser’s COE should specifically prohibit inappropriate preference of one client over another client that would constitute a breach of fiduciary duty. Advisers may also wish to consider including the following additional types of conflicts of interest provisions in their COE:
• Advisers should prohibit investment personnel from recommending or considering any securities transaction for a client without having disclosed any material beneficial ownership, business or personal relationship, or other material interest in the issuer or its affiliates. If a designated reviewer deems the disclosed interest to present a material conflict, the investment personnel may not participate in any decision-making process regarding the securities of that issuer. Advisers should consider having a policy by which employees have an affirmative obligation to disclose possible conflicts.
• Even if already addressed in other policies and procedures, an adviser should include in the COE a provision requiring supervised persons to act in the best interests of the adviser’s clients regarding execution and other costs paid by clients for brokerage services. The COE should remind supervised persons to strictly adhere to the adviser’s policies and procedures regarding brokerage, including allocation, best execution, soft dollars, and directed brokerage.
• Advisers should include a provision in the COE requiring supervised persons to disclose any personal investments or other interests in third-party service providers with respect to which the person negotiates or makes decisions on behalf of the adviser.
• Advisers should include a provision stating that supervised persons are not permitted to intentionally sell to or
purchase from a client any security or other property.

Included in an adviser’s COE and any separate insider trading policies and procedures should be a discussion of potential insider trading penalties, including civil injunctions, permanent bars from employment in the securities industry, civil penalties up to three times the profits made or losses avoided, criminal fines, and jail sentences. Advisers should also emphasize that all employees, officers, and directors are subject to insider trading policies and procedures and that it is not just applicable to those who come in contact with material nonpublic information on a regular basis.

Advisers should tailor their insider trading policies and procedures to the circumstances of their firm, employees, and clients. For example, advisers with clients that are publicly-traded companies or clients who are insiders at public companies may need additional cautionary language in their COE. Advisers should consider information provided not only by insiders, but also by paid consultants and other third parties. An adviser’s policies and procedures should emphasize that the SEC considers the term “material nonpublic information” to apply not only to issuers, but also to the adviser’s client securities holdings and transactions.

As part of, or in addition to, insider trading policies and procedures, an adviser should include a provision in their COE that governs the timing of the firm’s disclosure of fund or model portfolio holdings to clients, consultants, or prospective clients upon request. The provision should be designed to ensure that certain clients are not given enhanced transparency allowing them to receive portfolio information earlier than other clients. An adviser should also require consultants and other third-party service
providers to abide by confidentiality agreements and stipulate that trading on the information provided is prohibited.

Depending on the size and nature of the adviser, an internal wall provision should prohibit access persons from disclosing nonpublic information concerning clients or securities transactions to non-access employees. If the adviser has any affiliates, it should include a provision prohibiting supervised persons from sharing information with employees of the affiliated entities, except for legitimate business purposes. The COE should also prohibit employees with access to nonpublic information from using knowledge about pending or currently considered securities transactions for clients to profit personally, directly or indirectly, by purchasing or selling such securities.

Advisers are required to review personal securities transactions and holdings reports periodically. An adviser should designate an individual or position that is responsible for reviewing and monitoring personal securities transactions and trading patterns of access persons. Advisers should consider the following tests when reviewing an employee’s personal securities transactions.
• Compare pre-clearances against quarterly reports or confirmations received from brokers.
• Compare holdings reports against quarterly reports.
• Check the timeliness of access persons’ reporting.
• Check for compliance with any other internal policies and procedures, i.e., blackout periods.
• Review transactions to ascertain whether access persons bought securities on the firm’s restricted list.
• Sample completeness of required records.
• Review list of access persons to make sure that it is being updated as necessary.

While conducting its annual review of the compliance program, an adviser should do the following:
• Assess the frequency of personal trades of adviser employees.
• Assess the comparative performance of access persons’ accounts with clients’ accounts.
• Compare trades of access persons with those of clients.
• Analyze whether clients received terms as favorable as the access person when both are trading in the same securities.
• Investigate any substantial disparities between the percentage of trades that are profitable for access person in their own account compared to the percentage that are profitable for clients.
• Evaluate over time whether the timing or pattern of access persons’ trading raises any red flags, e.g., market timing.
• Conduct the above tests for proprietary accounts as well.

When reviewing client accounts against proprietary and access person accounts for performance disparities, calculate one and three year average annual total returns and compare and further analyze any wide discrepancies. When reviewing the number of profitable trades in each proprietary and access person’s account over the previous 12 months, calculate the average number of such trades for these accounts and compare to those in clients’ accounts to determine if there are significant discrepancies.

Finally, advisers should train and educate supervised persons regarding the COE. The training should occur annually and require employees to attend all training sessions and read applicable materials.

What Are SEC Examiners Reviewing?

Examiners review whether an adviser has identified the source and type of non-public information to which employees may be privy, and whether the firm has crafted adequate procedures to maintain the
confidentiality of that information. Adequate policies and procedures will also attempt to identify false rumors. Gene Gohlke, the Associate Director of OCIE, has suggested certain forensic tests. He has recommended taking a sample of the most profitable trades over a period of time and checking for any news or potential rumors that were circulating about the securities at the same time.

In addition to conducting tests similar to the above with regard to personal securities transactions, the SEC will check to see if an adviser:
• Provided a copy of the COE to all employees, including supervised persons, and received acknowledgment of receipt from them;
• Identified all access persons including part-time employees, interns and independent contractors and obtained their initial holdings reports;
• Received quarterly transaction reports from all access persons;
• Stressed the importance of complying with the COE;
• Retained the appropriate books and records; and
• Reviewed electronic mail and instant messages for evidence of trading on, or misuse of, inside information.

Examiners will always scrutinize an adviser’s Form ADV to make certain it makes full disclosure of potential conflicts of interest, such as soft dollar arrangements and best execution. If there is not full disclosure in the adviser’s Form ADV, the SEC examiners’ concern could increase and the review could be expanded.


END OF PART ONE


NSCP CURRENTS is published by the National Society of Compliance Professionals, Inc.
22 Kent Road, Cornwall Bridge, CT 06754
(860) 672-0843 / [email protected]

NSCP Board of Directors
Katherine Addleman, Lee D. Augsburger, Torstein M. Braaten, A. Brad Busscher, Kerry E. Cunninghman, David A. DeMuro, Patricia E. Flynn, Bari Havlik, Deborah A. Lamb, David H. Lui, Martha J. Matthews, Lynn M. McGrade, Selwyn J. Notelovitz, Diane P. Novak, David W. Porteous, Charles V. Senatore, David M. Sobel, Craig R. Watanabe, Judy B. Werner, Pamela K. Ziermann

Joan Hinchman, Executive Director, President and CEO

Editor & Layout: Frederick D. Vorck, Jr.
Editor: Joan Hinchman
