OCIE and FINRA Set Exam Priorities and FINRA Issues Cybersecurity Tips: Regulatory Update for February 2019

For Investment Advisers: SEC Actions

OCIE Announces 2019 Examination Priorities: The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 exam priorities on December 20, 2018.  OCIE’s priorities haven’t changed much from 2018, and include topics addressed in the 2018 Risk Alerts and the feedback received from OCIE’s outreach program.  OCIE’s six “themes” for 2019 are:

1. Protection of retail investors, including seniors and those saving for retirement;

2. Compliance and risk management for firms responsible for critical market infrastructure, such as clearing firms, securities exchanges, transfer agents, and compliance with Regulation SCI which requires written policies and procedures surrounding technology and systems infrastructure;

3. Oversight of FINRA & MSRB and their operations, regulatory programs and examination quality;

4. Scrutiny of broker-dealers, investment advisers, and trading platforms dealing with digital assets, including cryptocurrencies, coins, and tokens;

5. Cybersecurity issues, focusing on advisory firms with multiple branch offices and firms that have merged with other RIAs.  OCIE continues to stress the importance of risk assessments, access rights, vendor management, training, and data loss prevention.

6. Anti-Money Laundering Programs in broker-dealers, focusing on whether broker-dealers are filing Suspicious Activity Reports (SARs), independently testing their AML program and identifying suspicious and illegal activities.

As discussed in 2018 Risk Alerts, OCIE will continue to focus on disclosure of fees and expenses and conflicts of interest.  Unsurprisingly, the receipt of 12b-1 fees and mutual fund share class selection continue to be hot topics, along with arrangements with affiliated service providers.  A newer area of concern is securities-backed non-purpose loans and lines of credit.  OCIE will be reviewing the incentives received by advisers and broker-dealers for recommending these loans.  Financial exploitation of seniors is another area of concern, so firms should address this issue in their compliance programs.  Contributed by Heather Augustine, Senior Compliance Consultant

 Regulatory Review 2018: HCC put together a list of the top regulatory hot buttons from 2018 to help you focus your compliance efforts in 2019.

11 Key Takeaways for Updating your Compliance Program in 2019: HCC put together a review of the regulatory landscape in 2018, with a list of 11 recommendations for updating your compliance program.

Investment Advisers Compliance to Do List for 2019: For investment advisers, private and hedge fund managers:  a handy list of regulatory deadlines for 2019 for updating your compliance calendar.

Form ADV Update deadline: Procrastinators beware!  Investment advisers with a fiscal year end of December 31 have until Sunday, March 31, 2019, to file the Form ADV update.  IARD will be open on March 31, from 10am-6pm Eastern Time.  Consequently, the deadline for filing an annual updating amendment will NOT be extended to Monday, April 1, 2019.

For Broker-Dealers:  FINRA Actions 

FINRA Provides Additional Guidance to Enhance your Cybersecurity Program:  FINRA’s Report on Selected Cybersecurity Practices – 2018 is a follow-up to its initial Report on Cybersecurity Practices, published in 2015.  FINRA’s 2018 report highlights effective practices used by member firms to address emerging cybersecurity threats.  It focuses on member firms’ primary challenges and the most frequent examination findings.  These topics include branch office controls, social engineering by hackers, identification and mitigation of internal threats, penetration testing and managing mobile devices.  The Report’s Appendix is a great resource that provides a list of core cybersecurity controls for small firms.  As you review your cybersecurity program in 2019, consult FINRA’s Cybersecurity page for additional resources that will help you strengthen your program.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

Broker-Dealer Compliance to Do List for 2019: For broker-dealers, a list of regulatory deadlines for 2018.

Broker-Dealer 2018 Regulatory Year in Review: A summary of 2018 rule changes, enforcement actions and regulatory developments for broker-dealers for 2018.

Broker-Dealers! Be Sure to Whitelist noreply@finra.org:  FINRA announced, though Firm Gateway, that it will begin sending Information Request email notifications to firms using Amazon Simple Email Service (SES).  To ensure you continue to receive FINRA’s notices regarding Information Requests, FINRA suggests that you work with your IT department/provider to whitelist the email address, noreply@finra.org.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

2019 Annual Entitlement User Accounts Certification Process:  This year, the certification window will open on April 22nd and end on June 21st.  FINRA will send a notification to the firm’s Super Account Administrator (SAA) to complete the certification through WebCRD/IARD.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

FINRA 2019 Annual Risk Monitoring and Examination Priorities Letter FINRA:  On January 22, 2019, FINRA published its annual Examination Priorities Letter.  This year FINRA broadened the scope of its priorities letter to include specific areas of focus on risk monitoring.  As in prior years, the letter addresses specific examination topics but does not include many of the mainstay topics that have been repeatedly covered.  Stay tuned for our blog post on these priorities!  Contributed by Doug MacKinnon, Senior Compliance Consultant

For Hedge Fund Managers – NFA Member Firms  

NFA Members Need to Update Cybersecurity Programs: On January 7, 2019, the National Futures Association (“NFA”) amended its interpretative Notice 9070 on Information Systems Security Programs, (the “Cybersecurity Notice”).  The amendment states that NFA members are required to train their employees upon hiring and at least annually and identify the topics covered by the training program.   Members are also required to notify the NFA of cybersecurity incidents (1) resulting in a loss of capital, or a loss of customer or counterparty funds, and (2) if the NFA member is required to notify customers or counterparties under state or federal law.  The amendment also changed the approval requirements for a member’s Information System Security Program (ISSP).  The Cybersecurity Notice is effective on April 1, 2019. Contributed by Jaqueline Hummel, Partner and Managing Director

CPOs required to Implement Internal Controls:  The NFA issued Interpretive Notice “NFA Compliance Rule 2-9: CPO Internal Controls System” (the “Internal Controls Notice”) that requires Commodity Pool Operators (CPOs) to establish a system of internal controls designed to deter fraud, safeguard customer funds, and ensure the accuracy of financial reports.  The control system should also assure that the CPO complies with its regulatory requirements.  The Internal Controls Notice will be effective on April 1, 2019.  Contributed by Jaqueline Hummel, Partner and Managing Director MORE