The LGBT Bar: 2017 Lavender Law Conference Finance Law Institute: Enforcement Panel CLE Course Materials Presented by Jane Jarcho, Marc Fagel, Carlos Vasquez and Jonathan Shapiro August 4, 2017


Page 1: Finance Law Institute: Enforcement Panel

The LGBT Bar: 2017 Lavender Law Conference

Finance Law Institute: Enforcement Panel

CLE Course Materials. Presented by Jane Jarcho, Marc Fagel, Carlos Vasquez and Jonathan Shapiro

August 4, 2017

“Examination Priorities for 2017,” SEC Office of Compliance Inspections and Examinations (Page 4)

“Cybersecurity: Ransomware Alert,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (May 17, 2017) (Page 9)

“The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Feb. 7, 2017) (Page 11)

“Multi-Branch Adviser Initiative,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Dec. 12, 2016) (Page 16)

“Examining Whistleblower Rule Compliance,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Oct. 24, 2016) (Page 20)

“Examinations of Supervision Practices at Registered Investment Advisers,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Sept. 12, 2016) (Page 23)

“OCIE’s 2016 Share Class Initiative,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (July 13, 2016) (Page 26)

“Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Nov. 9, 2015) (Page 29)

“OCIE’s 2015 Cybersecurity Examination Initiative,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Sept. 15, 2015) (Page 36)

“Broker-Dealer Controls Regarding Retail Sales of Structured Securities Products,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Aug. 24, 2015) (Page 44)

“Cybersecurity Examination Sweep Summary,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (Feb. 3, 2015) (Page 51)

“OCIE Cybersecurity Initiative,” SEC Office of Compliance Inspections and Examinations, National Exam Program Risk Alert (April 15, 2014) (Page 58)

Panelist Profiles (Page 67)

EXAMINATION PRIORITIES FOR 2017

I. INTRODUCTION

This document identifies selected 2017 examination priorities of the Office of Compliance Inspections and Examinations (“OCIE,” “we,” or “our”) of the Securities and Exchange Commission (“SEC” or “Commission”). In general, the priorities reflect certain practices, products, and services that OCIE perceives to present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.1

OCIE serves as the “eyes and ears” of the SEC. We conduct examinations of regulated entities to promote compliance, prevent fraud, identify risk, and inform policy.2 We selected our 2017 examination priorities in consultation with the Commissioners, senior staff from the SEC’s regional offices, the SEC’s policy-making divisions, the enforcement division, the SEC’s Investor Advocate, and our fellow regulators.

Our 2017 priorities are organized around three thematic areas:

1. Examining matters of importance to retail investors;

2. Focusing on risks specific to elderly and retiring investors; and

3. Assessing market-wide risks.

With the objectives of being data-driven and risk-based, we have incorporated data analytics into the vast majority of our examination initiatives to identify industry practices and/or registrants that appear to have elevated risk profiles.

II. PROTECTING RETAIL INVESTORS

Retail investors face an evolving set of choices when determining how to invest their money. At the same time, the financial services industry continues to offer an ever widening array of information, advice, products, and services for retail investors in response to their financial needs. We are pursuing a variety of examination initiatives to assess potential risks to retail investors that arise in the increasingly complex investment landscape.

1 This document was prepared by SEC staff, and the views expressed herein are those of OCIE. The Commission has expressed no view on this document’s contents. It is not legal advice; it is not intended to, does not, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.

2 The population of registered entities that OCIE oversees consists of more than 4,000 broker-dealers (including approximately 162,000 branch offices and 640,000 registered representatives), more than 12,000 investment advisers (with nearly $67 trillion in assets under management), approximately 850 fund complexes (representing close to 11,000 mutual funds and exchange-traded funds), more than 400 transfer agents and over 650 municipal advisors. In addition, OCIE has oversight responsibility for 20 national securities exchanges, the Financial Industry Regulatory Authority (FINRA), the Municipal Securities Rulemaking Board (MSRB), the Securities Investor Protection Corporation (SIPC), eight clearing agencies, and the Public Company Accounting Oversight Board (PCAOB). The Dodd-Frank Wall Street Reform and Consumer Protection Act increased OCIE’s responsibilities to include security-based swap dealers, security-based swap data repositories, major security-based swap participants, and securities-based swap execution facilities. Additionally, the Jumpstart Our Business Act expanded OCIE’s responsibilities to include oversight of crowdfunding portals.

Electronic Investment Advice. Investors are increasingly able to obtain investment advice through automated or digital platforms. We will examine registered investment advisers and broker-dealers that offer such services, including “robo-advisers” that primarily interact with clients online and firms that utilize automation as a component of their services while also offering clients access to financial professionals. Examinations will likely focus on registrants’ compliance programs, marketing, formulation of investment recommendations, data protection, and disclosures relating to conflicts of interest. We will also review firms’ compliance practices for overseeing algorithms that generate recommendations.

Wrap Fee Programs. We will expand our focus on registered investment advisers and broker-dealers associated with wrap fee programs, which charge investors a single bundled fee for advisory and brokerage services. We will likely review whether investment advisers are acting in a manner consistent with their fiduciary duty and whether they are meeting their contractual obligations to clients. Areas of interest may include wrap account suitability, effectiveness of disclosures, conflicts of interest, and brokerage practices, including best execution and trading away.

Exchange-Traded Funds (“ETFs”). We will continue to examine ETFs, reviewing for compliance with applicable exemptive relief granted under the Securities Exchange Act of 1934 and the Investment Company Act of 1940 and with other regulatory requirements, as well as review ETFs’ unit creation and redemption processes. We will also focus on sales practices and disclosures involving ETFs and the suitability of broker-dealers’ recommendations to purchase ETFs with niche strategies.

Never-Before Examined Investment Advisers. We are expanding our Never-Before Examined Adviser initiative3 to include focused, risk-based examinations of newly registered advisers as well as of selected advisers that have been registered for a longer period but have never been examined by OCIE.

Recidivist Representatives and their Employers. We will continue to use our analytic capabilities to identify individuals with a track record of misconduct and examine the investment advisers that employ them.4 For example, we will assess the compliance oversight and controls of investment advisers that have employed such individuals, including those who have been subject to a regulatory action or barred from associating with a broker-dealer.

Multi-Branch Advisers. We will continue to focus on registered investment advisers that provide advisory services from multiple locations.5 The use of a branch office model can pose unique risks and challenges to advisers, particularly in the design and implementation of a compliance program and the oversight of advisory services provided at branch offices.

3 See OCIE’s Letter to Never-Before Examined Investment Advisers, February 20, 2014, http://www.sec.gov/about/offices/ocie/nbe-final-letter-022014.pdf.

4 See OCIE Risk Alert, “Examinations of Supervision Practices at Registered Investment Advisers,” Sept. 12, 2016, https://www.sec.gov/ocie/announcement/ocie-2016-risk-alert-supervision-registered-investment-advisers.pdf.

5 See OCIE Risk Alert, “Multi-Branch Adviser Initiative,” Dec. 12, 2016, https://www.sec.gov/ocie/announcement/risk-alert-multi-branch-adviser-initiative.pdf.

Share Class Selection. We will continue reviewing conflicts of interest and other factors that may affect registrants’ recommendations to invest, or remain invested, in particular share classes of mutual funds.6 For example, we will identify and assess conflicts that certain investment advisory personnel may have, such as those who also are registered representatives of a broker-dealer, which may influence recommendations in favor of share classes that have higher loads or distribution fees. We will also assess the formulation of investment recommendations and the management of client portfolios.

III. FOCUSING ON SENIOR INVESTORS AND RETIREMENT INVESTMENTS

As the U.S. population ages and investors become more dependent than ever on their own investments for retirement income, we are devoting increased attention to issues affecting senior investors and those investing for retirement.

ReTIRE. We will continue our multi-year ReTIRE initiative, focusing on investment advisers and broker-dealers along with the services they offer to investors with retirement accounts.7 This year, these examinations will likely focus on, among other things, registrants’ recommendations and sales of variable insurance products as well as the sales and management of target date funds. We will also assess controls surrounding cross-transactions, particularly with respect to fixed income securities.

Public Pension Advisers. Pension plans of states, municipalities, and other government entities hold a large amount of U.S. investors’ retirement assets. We will examine investment advisers to these entities to assess how they are managing conflicts of interest and fulfilling their fiduciary duty. We will also review other risks specific to these advisers, including pay-to-play and undisclosed gifts and entertainment practices.

Senior Investors. Today’s Americans are more reliant on returns from their investment portfolios to fund their retirement compared to previous generations. We will evaluate how firms manage their interactions with senior investors, including their ability to identify financial exploitation of seniors. Examinations will likely focus on registrants’ supervisory programs and controls relating to products and services directed at senior investors.

IV. ASSESSING MARKET-WIDE RISKS

As part of the SEC’s mission to maintain fair, orderly, and efficient markets, we will examine for structural risks and trends that may involve multiple firms or entire industries. In 2017, we will focus on the following initiatives:

Money Market Funds. In 2014, the SEC adopted amendments to rules governing money market funds to make structural and operational reforms to address redemption risks in money market funds, while preserving the benefits of the funds for remaining investors.8 We will examine money market funds for compliance with these rule amendments, which became effective in October 2016. Examinations will likely include assessments of the boards’ oversight of the funds’ compliance with these new amendments as well as review of compliance policies and procedures relating to stress testing and funds’ periodic reporting of information to the Commission.

6 See OCIE Risk Alert, “OCIE’s 2016 Share Class Initiative,” July 13, 2016, https://www.sec.gov/ocie/announcement/ocie-risk-alert-2016-share-class-initiative.pdf.

7 See OCIE Risk Alert, “Retirement-Targeted Industry Reviews and Examinations Initiative,” June 22, 2015, http://www.sec.gov/about/offices/ocie/retirement-targeted-industry-reviews-and-examinations-initiative.pdf.

Payment for Order Flow. We will examine select broker-dealers, such as market-makers and those that serve primarily retail customers, to assess how they are complying with their duty of best execution when routing customer orders for execution.

Clearing Agencies. We will continue to conduct annual examinations of clearing agencies designated systemically important and for which the Commission is the supervisory agency pursuant to the requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Areas for review will be determined through a risk-based approach in collaboration with the Division of Trading and Markets and other regulators, as applicable. Once compliance is required, the staff will examine for compliance with the Commission’s Standards for Covered Clearing Agencies.9

FINRA. We will enhance our oversight of FINRA, consistent with our aim to protect investors and the integrity of our markets. In addition to continuing to conduct inspections of FINRA’s operations and regulatory programs, we will focus resources on assessing the quality of FINRA’s examinations of individual broker-dealers.

Regulation Systems Compliance and Integrity (“SCI”). We will continue to examine SCI entities to evaluate whether they have established, maintained, and enforced written policies and procedures reasonably designed to ensure their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capacity and promote maintenance of fair and orderly markets, and that they operate in a manner compliant with the Exchange Act.10 OCIE will also review, among other things, controls relating to how systems record the time of transactions or events, how they synchronize with other systems, as well as collection, analysis, and dissemination of market data. Examinations will also assess entities’ enterprise risk management, including whether these programs cover appropriate business units, subsidiaries, and related interconnected infrastructure.

Cybersecurity. In 2017, we will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.

National Securities Exchanges. We will continue to conduct risk-based inspections of the national securities exchanges. These inspections will focus on selected operational and regulatory programs.

Anti-Money Laundering (“AML”). Money laundering and terrorist financing continue to be risk areas that are considered in our examination program. We will continue to examine broker-dealers to assess whether AML programs are tailored to the specific risks that a firm faces, including whether broker-dealers consider and adapt their programs, as appropriate, to current money laundering and terrorist financing risks. We will also review how broker-dealers are monitoring for suspicious activity at the firm, in light of the risks presented, and the effectiveness of independent testing. We will also continue to assess broker-dealers’ compliance with suspicious activity report (“SAR”) requirements and the timeliness and completeness of SARs filed.

8 See Money Market Fund Reform; Amendments to Form PF, Release No. 33-9616 (July 23, 2014), https://www.sec.gov/rules/final/2014/33-9616.pdf.

9 See Standards for Covered Clearing Agencies, Release No. 34-78961 (adopted Sept. 28, 2016), https://www.sec.gov/rules/final/2016/34-78961.pdf (compliance date April 11, 2017).

10 See Regulation Systems Compliance and Integrity, Release No. 34-37639 (November 19, 2014), http://www.sec.gov/rules/final/2014/34-73639.pdf.

V. OTHER INITIATIVES

In addition to examinations related to the themes described above, we expect to allocate examination resources to other priorities, including:

Municipal Advisors. We will continue to conduct examinations of municipal advisors to evaluate their compliance with SEC and Municipal Securities Rulemaking Board rules. This initiative will continue to include industry outreach and education.11

Transfer Agents. In addition to our examinations of transfer agents’ timely turnaround of items and transfers, recordkeeping and record retention, and safeguarding of funds and securities, we will examine transfer agents that service microcap issuers, focusing on detecting issuers that may be engaging in unregistered, non-exempt offerings of securities.

Private Fund Advisers. We will continue to examine private fund advisers, focusing on conflicts of interest and disclosure of conflicts as well as actions that appear to benefit the adviser at the expense of investors.

VI. CONCLUSION

This description of OCIE priorities is not exhaustive. While we expect to allocate significant resources throughout 2017 to the examination issues described herein, our staff will also conduct examinations focused on risks, issues, and policy matters that arise from market developments, new information learned from examinations or other sources, including tips, complaints, and referrals, and coordination with other regulators, as well as regulatory developments.

OCIE welcomes comments and suggestions regarding how we can better fulfill our mission to promote compliance, prevent fraud, monitor risk, and inform SEC policy. If you suspect or observe activity that may violate the federal securities laws or otherwise operates to harm investors, please notify SEC Staff at http://www.sec.gov/complaint/info_tipscomplaint.shtml.

11 See OCIE’s Industry Letter for the Municipal Advisor Examination Initiative, August 19, 2014, https://www.sec.gov/about/offices/ocie/muni-advisor-letter-081914.pdf.

By the Office of Compliance Inspections and Examinations (“OCIE”)1

Volume VI, Issue 4 May 17, 2017

CYBERSECURITY: RANSOMWARE ALERT

Starting on May 12, 2017, a widespread ransomware attack, known as WannaCry, WCry, or Wanna Decryptor, rapidly affected numerous organizations across over one hundred countries.2 Initial reports indicate that the hacker or hacking group behind the attack is gaining access to enterprise servers either through Microsoft Remote Desktop Protocol (RDP)3 compromise or the exploitation of a critical Windows Server Message Block version 1 vulnerability.4 Some networks have also been affected through phishing emails and malicious websites. To protect against the WannaCry ransomware, broker-dealers and investment management firms are encouraged to (1) review the alert published by the United States Department of Homeland Security’s Computer Emergency Readiness Team — U.S. Cert Alert TA17-132A — and (2) evaluate whether applicable Microsoft patches for Windows XP, Windows 8, and Windows Server 2003 operating systems are properly and timely installed.
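As an added illustration (not part of the SEC Risk Alert and not SEC or Microsoft tooling), the following PowerShell check reports, for one Windows host, the exposure points the alert names: whether the SMBv1 server protocol is still enabled, whether a caller-supplied list of Microsoft update KB identifiers is installed, and whether inbound RDP is permitted. The `KB0000000` value is a placeholder to be replaced with the identifiers from the applicable Microsoft bulletin, and `Get-SmbServerConfiguration` exists only on Windows 8 / Server 2012 and later, so on the older systems the alert names the SMBv1 status is reported as unknown rather than guessed.

```powershell
# Added example, not from the SEC Risk Alert: a read-only exposure check for
# the vectors the alert names (SMBv1, unapplied Windows updates, RDP).
# Run in an elevated PowerShell session on the host being assessed.
function Get-WannaCryExposureReport {
    param(
        # Placeholder KB list; replace with the identifiers published by Microsoft.
        [string[]]$RequiredKBs = @('KB0000000')
    )

    $report = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [System.Environment]::OSVersion.VersionString
    }

    # SMBv1 server status. The cmdlet is absent on Windows XP / Server 2003,
    # so report 'Unknown' there instead of assuming the protocol is off.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $report['SMB1ServerEnabled'] = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $report['SMB1ServerEnabled'] = 'Unknown'
    }

    # Installed updates (Win32_QuickFixEngineering) compared against the required list.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $report['MissingKBs'] = @($RequiredKBs | Where-Object { $installed -notcontains $_ })

    # Inbound Remote Desktop: fDenyTSConnections = 0 means connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -ne $ts) {
        $report['RDPEnabled'] = ($ts.fDenyTSConnections -eq 0)
    } else {
        $report['RDPEnabled'] = 'Unknown'
    }

    # The host needs attention if SMBv1 is confirmed on or any required update is missing.
    $report['NeedsAttention'] = ($report['SMB1ServerEnabled'] -eq $true) -or
                                ($report['MissingKBs'].Count -gt 0)

    [pscustomobject]$report
}

# Produce the report for this host; pipe to Export-Csv to aggregate across a fleet.
Get-WannaCryExposureReport | Format-List
```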

OCIE’s National Examination Program staff (the “staff”) recently examined 75 SEC registered broker-dealers (“broker-dealers”), investment advisers (“advisers”), and investment companies (“funds”) (collectively, “firms”) to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness (the “Initiative”).5 The staff observed a wide range of information security practices, procedures, and controls across registrants that may be tailored to the firms’ operations, lines of business, risk profile, and size. The staff observed firm practices during this Initiative that the staff believes may be particularly relevant to smaller registrants in relation to the WannaCry ransomware incident, including:

Cyber-risk Assessment: Five percent of broker-dealers and 26 percent of advisers and funds (collectively, “investment management firms”) examined did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.

Penetration Tests: Five percent of broker-dealers and 57 percent of the investment management firms examined did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.

System Maintenance: All broker-dealers and 96 percent of investment management firms examined have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities. However, ten percent of the broker-dealers and four percent of investment management firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The Division of Investment Management and OCIE have provided guidance and information that firms may wish to consider when addressing cybersecurity risks and response capabilities.6 Similarly, for its member firms, the Financial Industry Regulatory Authority (FINRA) has created a webpage with links to cybersecurity-related resources, including a cybersecurity checklist for small firms and a report on cybersecurity practices that highlights effective practices for strengthening cybersecurity programs.7 The staff recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. The staff also notes that appropriate planning to address cybersecurity issues, including developing a rapid response capability, is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.

This Risk Alert highlights the importance of conducting penetration tests and vulnerability scans on critical systems and implementing system upgrades on a timely basis.

This Risk Alert is intended to highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness. In addition, this Risk Alert describes factors that firms may consider to (1) assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and (2) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Factors other than those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised herein. The adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”). The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by the SEC staff and is not legal advice.

2 The WannaCry ransomware infects computers with a malicious software that encrypts computer users’ files and demands payment of ransom to restore access to the locked files.

3 RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server. RDP is designed to support different types of network topologies and multiple LAN protocols.

4 See, U.S. Department of Homeland Security/ U.S. Computer Emergency Readiness Team (US-CERT), Alert (TA17-132A), Indicators Associated with WannaCry Ransomware (May 12, 2017, last revised May 15, 2017) (“U.S. Cert Alert TA-132A”).

5 See, OCIE Examination Priorities for 2015 (Jan. 13, 2015) and National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015).

6 See, Division of Investment Management, IM Guidance Update: Cybersecurity Guidance (April 2015); OCIE, National Exam Program Risk Alert, OCIE’s 2014 Cybersecurity Initiative (April 15, 2014), National Exam Program Risk Alert, Cybersecurity Examination Sweep Summary (Feb. 3, 2015), and National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015).

7 See FINRA, Topic Page: Cybersecurity (last visited May 16, 2017).

By the Office of Compliance Inspections and Examinations1

Volume VI, Issue 3 February 7, 2017

The Five Most Frequent Compliance Topics Identified in OCIE Examinations of Investment Advisers

In this Alert:

Topic: The five most frequent compliance topics identified in deficiency letters sent to SEC-registered investment advisers.

Key Takeaways: Advisers should review their compliance programs and practices in light of the topics noted in this Risk Alert.

I. Introduction

The Office of Compliance Inspections and Examinations (“OCIE”) is providing a list of the five compliance topics most frequently identified in deficiency letters that were sent to SEC-registered investment advisers (“advisers”).2 Within each of these topics, a few examples of typical deficiencies are discussed to highlight the risks and issues that examiners commonly identified. The five compliance topics addressed in this Risk Alert are deficiencies or weaknesses involving: (1) Rule 206(4)-7 (the “Compliance Rule”) under the Investment Advisers Act of 1940 (the “Advisers Act”); (2) required regulatory filings; (3) Rule 206(4)-2 under the Advisers Act (the “Custody Rule”); (4) Rule 204A-1 under the Advisers Act (the “Code of Ethics Rule”); and (5) Rule 204-2 under the Advisers Act (the “Books and Records Rule”).3 This information is intended to assist advisers during their compliance reviews.

II. Five Most Frequent Compliance Topics

Compliance Rule

The Compliance Rule makes it unlawful for an adviser to provide investment advice to clients unless the adviser: (1) adopts and implements written policies and procedures reasonably designed to prevent violation, by the adviser and its supervised persons, of the Advisers Act and the rules that the Commission has adopted under the Advisers Act; (2) reviews, no less frequently than annually, the adequacy of its policies and procedures and the effectiveness of their implementation; and (3) designates a chief compliance officer responsible for administering the compliance policies and procedures that the adviser adopts.4

1 The views expressed herein are those of the staff of OCIE. The Securities and Exchange Commission (the “SEC” or the “Commission”) has expressed no view on the contents of this Risk Alert. This document was prepared by SEC staff and is not legal advice.

2 This Risk Alert reflects issues addressed in deficiency letters from over 1,000 investment adviser examinations that were completed during the past two years. Generalizations in this Risk Alert refer to observations within this sample of examinations.

3 This Risk Alert does not discuss other types of deficiencies or weaknesses that are cited less frequently in examinations but may result in significant harm to investors.

Below are typical examples of deficiencies or weaknesses in connection with the Compliance Rule identified by the staff:5

● Compliance manuals are not reasonably tailored to the adviser’s business practices. The staff noted that certain compliance programs did not take into account important individualized business practices such as the adviser’s particular investment strategies, types of clients, trading practices, valuation procedures and advisory fees. Moreover, examiners continue to observe that some advisers use “off-the-shelf” compliance manuals that have not been tailored to the adviser’s individual business practices.

● Annual reviews are not performed or did not address the adequacy of the adviser’s policies and procedures. The staff observed that certain advisers did not conduct annual reviews of their compliance policies and procedures, as required by the Compliance Rule. In addition, the staff identified advisers that conducted annual reviews that did not address the adequacy of the advisers’ policies and procedures and the effectiveness of their implementation. Staff also observed that advisers did not address or correct problems identified in their annual reviews.

● Adviser does not follow compliance policies and procedures. The staff observed that certain advisers appeared to not be following their compliance policies and procedures, as required by the Compliance Rule. Examples include advisers that do not perform certain internal reviews of their practices required by their compliance manual and advisers that do not adhere to certain practices relating to marketing, expenses or employee behavior required by their compliance manual.

● Compliance manuals are not current. The staff noted that certain compliance manuals contained information or policies that are no longer current, such as investment strategies that were no longer pursued or personnel no longer associated with the adviser and stale information about the firm.

Regulatory Filings

Advisers are obligated to accurately complete and timely file certain regulatory filings with the Commission. Among other filing requirements, Rule 204-1 under the Advisers Act requires advisers to amend their Form ADV at least annually, within 90 days of the end of their fiscal year and more frequently, if required by the instructions to Form ADV. Rule 204(b)-1 under the Advisers Act requires advisers to one or more private funds with private fund assets of at least $150 million to complete and file a report on Form PF. In addition, Rule 503 under Regulation D of the Securities Act of 1933 generally requires issuers to file Form Ds. Advisers typically file Form Ds on behalf of their private fund clients. Generally, Form D is required to be filed no later than 15 calendar days after the first sale of securities in the offering of a private fund.

Below are typical examples of deficiencies or weaknesses with respect to adviser regulatory filing obligations identified by the staff:

4 Advisers Act Rule 206(4)-7. See Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Rel. No. IA-2204 (Dec. 17, 2003).

5 The examples in this Risk Alert are illustrative only and do not reflect all types of deficiencies or weaknesses.

Page 13: Finance Law Institute: Enforcement Panel

3

● Inaccurate disclosures. The staff observed that certain advisers made inaccurate disclosures on

Form ADV Part 1A or in Form ADV Part 2A brochures, such as inaccurately reporting custody

information, regulatory assets under management, disciplinary history, types of clients and

conflicts.

● Untimely amendments to Form ADVs. The staff observed that certain advisers did not promptly

amend their Form ADVs when certain information became inaccurate or timely file their annual

updating amendments.

● Incorrect and untimely Form PF filings. The staff observed that certain advisers with an

obligation to file Form PF did not complete the form accurately or completely.

● Incorrect and untimely Form D filings. The staff observed that certain advisers did not accurately

complete and timely file Form Ds on behalf of their private fund clients.

Custody Rule

Advisers with custody of client cash or securities must comply with the Custody Rule.6 An adviser has custody if it or its related person holds, directly or indirectly, client funds or securities or has any authority to obtain possession of them.7 For example, an adviser that serves as the general partner, managing member or other comparable position of a pooled investment vehicle (“PIV”) generally has custody of client assets because the position typically gives legal ownership or access to client funds and securities.8 An adviser also has custody if it has an arrangement under which it is authorized or permitted to withdraw client funds or securities.9 The Custody Rule prescribes a number of requirements designed to enhance the safety of client assets by protecting them from unlawful activities or financial problems of the adviser.10

Below are typical examples of deficiencies or weaknesses with respect to the Custody Rule identified by the staff:

● Advisers did not recognize that they may have custody due to online access to client accounts. An adviser’s online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts. The staff observed that certain advisers may not have properly identified custody as a result of them having access to online accounts using clients’ personal usernames and passwords.

● Advisers with custody obtained surprise examinations that do not meet the requirements of the Custody Rule. The staff observed that certain advisers did not provide independent public accountants performing surprise examinations with a complete list of accounts over which the adviser has custody or otherwise provide information to accountants to permit the accountants to timely file accurate Form ADV-Es. In addition, staff observed indications suggesting that surprise examinations may not have been conducted on a “surprise” basis (e.g., exams were conducted at the same time each year).

● Advisers did not recognize that they may have custody as a result of certain authority over client accounts. The staff observed that certain advisers did not appear to recognize that they may have custody over client accounts as a result of having (or related persons having) powers of attorney authorizing them to withdraw client cash and securities. Other examples of custody that appeared unrecognized include when advisers or their related persons served as trustees of clients’ trusts or general partners of client PIVs.

6 Advisers Act Rule 206(4)-2. See Custody of Funds or Securities by Investment Advisers, Advisers Act Rel. No. 2968 (Dec. 30, 2009).

7 Advisers Act Rule 206(4)-2(d)(2).

8 Advisers Act Rule 206(4)-2(d)(2)(iii).

9 Advisers Act Rule 206(4)-2(d)(2)(ii).

10 Advisers Act Rule 206(4)-2. For more information regarding Custody Rule issues that have been observed during OCIE examinations in the past, please see Significant Deficiencies Involving Custody and Safety of Client Assets, OCIE Risk Alert (March 4, 2013).

Code of Ethics Rule

The Code of Ethics Rule requires an adviser to adopt and maintain a code of ethics.11 The Code of Ethics Rule sets forth a number of requirements, including that each adviser’s code of ethics must: (1) establish a standard of business conduct that the adviser requires of all its supervised persons; (2) require an adviser’s “access persons” to periodically report their personal securities transactions and holdings to the adviser’s chief compliance officer or other designated persons; and (3) require that access persons obtain the adviser’s pre-approval before investing in an initial public offering or private placement. In addition, an adviser must provide each supervised person with a copy of the code of ethics and any amendments, and require its supervised persons to provide the adviser with a written acknowledgement of their receipt. An adviser also must describe its code of ethics in its Form ADV Part 2A brochure and indicate that the code of ethics is available to any client or prospective client upon request.12

Below are typical examples of deficiencies or weaknesses with respect to the Code of Ethics Rule identified by the staff:

● Access persons not identified. The staff observed that certain advisers did not identify all of their access persons (e.g., certain employees, partners or directors) for purposes of reviewing personal securities transactions.

● Codes of ethics missing required information. The staff observed that certain advisers’ codes of ethics did not specify review of the holdings and transactions reports, or did not identify the specific submission timeframes, as required by the Code of Ethics Rule.

● Untimely submission of transactions and holdings. The staff observed that certain access persons submitted transactions and holdings less frequently than required by the Code of Ethics Rule.

● No description of code of ethics in Form ADVs. The staff observed that certain advisers did not describe their codes of ethics in Part 2A of their Form ADVs and did not indicate that their codes of ethics are available to any client or prospective client upon request.

11 Advisers Act Rule 204A-1. See Investment Adviser Code of Ethics, Advisers Act Rel. No. IA-2256 (July 2, 2004).

12 See Item 11A of Form ADV, Part 2A.


Books and Records Rule

The Books and Records Rule requires advisers to make and keep certain books and records relating to their investment advisory business, including typical accounting and other business records as required by the Commission.13

Below are typical examples of deficiencies or weaknesses with respect to the Books and Records Rule identified by the staff:

● Did not maintain all required records. The staff observed that certain advisers may not have maintained all the books and records required by the Books and Records Rule, such as trade records, advisory agreements and general ledgers.

● Books and records are inaccurate or not updated. The staff observed that certain advisers had errors and omissions in their books and records, such as inaccurate fee schedules and client records or stale client lists.

● Inconsistent recordkeeping. The staff observed that certain advisers maintained contradictory information in separate sets of records.

III. Conclusion

The examinations within the scope of this review resulted in a range of actions. Advisers took remedial measures such as enhancing written compliance procedures, policies or processes, changing business practices or devoting more resources or attention to the area of compliance. In addition, where appropriate, the staff referred examinations to the Division of Enforcement for further action.

In sharing the information in this Risk Alert, OCIE hopes to encourage advisers to reflect upon their own practices, policies and procedures in these areas and to promote improvements in investment adviser compliance programs.

13 Advisers Act Rule 204-2.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes risks that firms may consider to (i) assess their supervisory, compliance, and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. Other risks besides those described in this Risk Alert may be appropriate to consider, and some may not be applicable to a particular firm’s business. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations1

VOLUME VI, ISSUE 2 DECEMBER 12, 2016

MULTI-BRANCH ADVISER INITIATIVE

I. Introduction

The Office of Compliance Inspections and Examinations’ (“OCIE”) 2016 Examination Priorities include examining the supervisory practices of SEC-registered investment advisers over advisory personnel in branch offices.2 OCIE is issuing this Risk Alert to provide additional information concerning its Multi-Branch Adviser Initiative.

II. Background

OCIE examines SEC-registered investment advisers to, among other things, determine whether they are in compliance with the federal securities laws, particularly the Advisers Act. In recent years, OCIE staff (the “staff”) has observed an apparent increase in the use of investment advisers employing a business model with numerous branch offices and operations geographically dispersed from the adviser’s principal or main office. The use of a branch office model can pose unique risks and challenges to advisers, particularly in the design and implementation of a compliance program and the supervision of people and processes in branch offices. Accordingly, OCIE is launching the Multi-Branch Adviser Initiative to examine investment advisers operating out of multiple branch offices to determine whether they are in compliance with the federal securities laws in light of the additional and unique risks that arise as a result of operating in this manner.

1 The views expressed herein are those of the staff of the Office of Compliance Inspections and Examinations, in coordination with other Securities & Exchange Commission (“SEC” or “Commission”) staff, including staff of the Division of Investment Management. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 See OCIE, “Examination Priorities for 2016” (January 11, 2016). For purposes of this initiative, when using the term “branch” office the staff is generally referring to a place of business other than the adviser’s principal office and place of business at which the investment adviser regularly provides advisory services, solicits, meets with, or otherwise communicates to clients. Cf. Rule 222-1 under the Investment Advisers Act of 1940 (“Advisers Act”).

In this Alert:

Topic: Initiative to Examine Registered Investment Advisers Operating from Multiple Locations

Key Takeaways: Staff intends to focus on registered investment advisers that provide advisory services from multiple locations. The examinations will focus on evaluating the design and effectiveness of advisers’ compliance programs with respect to their oversight of advisory services provided at remote locations.


III. Examinations

Multi-Branch Adviser Initiative examinations will focus on advisers’ compliance programs and the oversight of investment advisory services provided at branch offices. Additional focus areas may be chosen for review based on the activities or operations of a particular investment adviser.

• Compliance Programs. The Advisers Act “Compliance Rule” requires registered advisers to adopt and implement written policies and procedures reasonably designed to prevent and detect violations of the Advisers Act and rules by the investment adviser and their supervised persons.3 The staff will evaluate the design and effectiveness of an adviser’s compliance program with respect to its oversight of advisory services provided at its branch offices. In particular, through interviews and the review of advisory records, the staff will assess, among other things, the:

o Implementation of policies and procedures in the main and branch offices;

o Supervision structure, including an assessment of how such supervision is tailored to the unique risks in particular branches;

o Role and empowerment of compliance personnel charged with overseeing branch offices, including their level of access to documents and relevant information; and

o Accuracy of information on the adviser’s filings regarding branch offices, including Form ADV, as compared to actual practices.

In addition, the staff may focus attention, based on the particular business activities of an examined adviser, on assessing compliance and testing controls in one or more of the following risk areas:

o Fees and Expenses. The adviser’s calculation of fees and other expenses, including the effectiveness of controls over the billing and invoicing processes and communications with clients.4

o Advertising. Controls over advertisements, such as the adviser’s process for reviewing and approving advertisements, particularly those created or disseminated by its branch offices.5

o Code of Ethics. The implementation of the adviser’s code of ethics, including oversight and monitoring of personal securities transactions and whether advisers have properly identified access persons at branch offices.6

3 Rule 206(4)-7 under the Advisers Act.

4 Advisers Act §§ 206(4) and 207; see also Rule 206(4)-7; In the Matter of WFG Advisors, L.P., Inv. Adv. Act Rel. No. 4441 (June 28, 2016).

5 Advisers Act § 206(4); Rule 206(4)-1. In addition, Sections 206(1) and (2) of the Advisers Act make it unlawful for any investment adviser using the mails or interstate commerce, directly or indirectly, “to employ any device, scheme or artifice to defraud any client or prospective client” or to “engage in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.”


o Custody. Compliance with the Custody Rule, including controls related to the identification of accounts over which the adviser maintains custody and the involvement of branch office personnel in making such determinations.7

• Investment Recommendations. As a fiduciary, an investment adviser has an obligation to act in the best interests of its advisory clients and to identify and disclose any material conflict of interest.8 The staff will review the process by which investment advice, including the formulation of investment recommendations and the management of client portfolios, is provided to advisory clients from supervised persons located in branch offices. The staff will focus on policies and procedures and supervisory controls designed to address specific risks presented in a branch office model regarding the provision of advisory services to clients, such as the identification of potential conflicts of interest and the level of autonomy supervised persons have in providing advice.9 In addition, the staff may focus attention, based on the particular business activities of an examined adviser, on assessing compliance and testing controls in certain of the following risk areas:

o Oversight. Supervision and review of investment recommendations made to clients within specific branch offices and across branch offices, including processes and controls regarding investment authority, suitability of the investment advice, and any due diligence that the adviser has told clients is undertaken with respect to investments.

o Conflicts of Interest. Identification, management, and disclosure of conflicts of interest that arise through branch office activities and personnel, including conflicts arising from various compensation arrangements and supervised persons’ outside business activities.

o Allocation of Investment Opportunities. Allocation of investment opportunities among client accounts, including how branch offices’ trading activity is monitored and what disclosures are made to clients regarding trade allocation.

In addition to these primary focus areas, examiners may select additional areas for review based on other risks identified during the course of the examination.

6 Rule 204A-1 under the Advisers Act requires investment advisers to have codes of ethics setting forth, among other things, a business standard of conduct. The rule also requires advisers to have provisions in their codes of ethics requiring their supervised persons to comply with applicable Federal securities laws, as defined by the rule.

7 SEC-registered investment advisers that have custody of their clients’ funds or securities must safeguard those funds as required by the SEC’s Investment Adviser Custody Rule (Rule 206(4)-2). The Investment Adviser Custody Rule is designed to provide additional safeguards for investors against the possibility of theft or misappropriation by investment advisers who are registered with the SEC.

8 See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180 (1963).

9 See In the Matter of Michael A. Callaway, File. No. 3-13356 (Jan. 30, 2009).


IV. Conclusion

In sharing the focus areas for the Multi-Branch Adviser Initiative, OCIE hopes to encourage advisers to reflect upon their own practices, policies, and procedures in these areas and to promote improvements in investment adviser compliance programs.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes risks that firms may consider to (i) assess their supervisory, compliance, and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. Other risks besides those described in this Risk Alert may be appropriate to consider, and some may not be applicable to a particular firm’s business. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations1

VOLUME VI, ISSUE 1 OCTOBER 24, 2016

EXAMINING WHISTLEBLOWER RULE COMPLIANCE

Staff in the Office of Compliance Inspections and Examinations (the “Staff”) is examining registrants’ compliance with key whistleblower provisions arising out of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”). The Commission has brought several enforcement actions recently charging violations of Rule 21F-17 of the Commission’s whistleblower regulations.2 The Staff is examining registered investment advisers and registered broker-dealers, reviewing, among other things, compliance manuals, codes of ethics, employment agreements, and severance agreements to determine whether provisions in those documents pertaining to confidentiality of information and reporting of possible securities law violations may raise concerns under Rule 21F-17. This review is included in examinations as staff deem appropriate.

I. BACKGROUND

The Dodd-Frank Act amended the Securities Exchange Act of 1934 (“Exchange Act”) by adding Section 21F, entitled “Securities Whistleblower Incentives and Protection.” To implement Section 21F, among other things, the Commission adopted Rule 21F-173 under the Exchange Act, which provides that “no person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.” Rule 21F-17 became effective on August 12, 2011.

Recent Enforcement actions have identified certain provisions of confidentiality or other agreements required by employers as contributing to violations of Rule 21F-17 because they contained language that, by itself or under the circumstances in which the agreements were used, impeded employees and former employees from communicating with the Commission concerning possible securities law violations.4 This potential chilling effect can be especially pronounced when such documents (e.g., severance agreements) provide that an employee may forfeit all benefits if he or she violates any terms of the agreement.

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”), including staff of the Division of Investment Management and the Division of Enforcement. The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by the SEC staff and is not legal advice.

2 See, e.g., In the Matter of KBR, Inc., Release No. 34-74619 (April 1, 2015), https://www.sec.gov/litigation/admin/2015/34-74619.pdf; In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al., Release No. 78141 (June 23, 2016), https://www.sec.gov/litigation/admin/2016/34-78141.pdf; In the Matter of Health Net, Inc., Release No. 78590 (Aug. 16, 2016), https://www.sec.gov/litigation/admin/2016/34-78590.pdf; In the Matter of BlueLinx Holdings Inc., Release No. 78528 (Aug. 10, 2016), https://www.sec.gov/litigation/admin/2016/34-78528.pdf; In the Matter of Anheuser-Busch, Release No. 78957 (Sept. 28, 2016), https://www.sec.gov/litigation/admin/2016/34-78957.pdf.

3 “Implementation of the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934,” Release No. 34-64545, http://www.sec.gov/rules/final/2011/34-64545.pdf.

In this Alert:

Topic: Examinations of investment advisers’ and broker-dealers’ compliance with Whistleblower Rules.

Key Takeaways: OCIE is including in certain examinations a review of registrants’ compliance with rules impacting whistleblowers and potential whistleblowers that arose out of the Dodd-Frank Act.

Remedial actions taken in recent Enforcement actions have included:

• revising documents on a going-forward basis to make it clear that nothing contained in those documents prohibits employees or former employees from voluntarily communicating with the Commission or other authorities regarding possible violations of law or from recovering a Commission whistleblower award;5

• providing general notice to employees, or notice to employees who signed restrictive agreements, of their right to contact the Commission or other authorities;6 and

• contacting former employees who signed severance agreements to inform them that the company does not prohibit them from communicating with the Commission or seeking a whistleblower award.7

II. EXAMINATIONS

In examinations where the Staff includes a review of registrants’ compliance with Rule 21F-17, the Staff is analyzing a variety of documents, including:

• Compliance Manuals;

• Codes of Ethics;

• Employment Agreements; and

• Severance Agreements.

In this review, the Staff assesses whether these documents contain provisions similar to those in agreements that the Commission has found to violate Rule 21F-17, including provisions that: (a) purport to limit the types of information that an employee may convey to the Commission or other authorities;8 and (b) require departing employees to waive their rights to any individual monetary recovery in connection with reporting information to the government.9

4 See In the Matter of Health Net, Inc. (respondent’s severance agreements included language requiring the signatory to waive his or her right to any monetary recovery pursuant to Section 21F of the Exchange Act); In the Matter of BlueLinx Holdings Inc. (respondent’s severance agreements included language requiring the signatory to waive his or her right to any monetary recovery related to any government investigation); In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al. (language found in Respondent’s form severance agreement limited the types of disclosures that the employees could make to the Commission or government authorities); In the Matter of KBR, Inc. (before interviewing employees in internal investigations into possible securities law violations, Respondent required witnesses to sign a confidentiality statement agreeing that they would not discuss the subject matter of the interview without prior approval of the Law Department); In the Matter of Anheuser-Busch (respondent’s separation agreement contained language that impeded an employee of respondent’s wholly owned subsidiary from communicating directly with Commission staff).

5 See, e.g., In the Matter of BlueLinx Holdings Inc.; In the Matter of KBR, Inc.; see also In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al.

6 See, e.g., In the Matter of KBR, Inc.; see also In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al.

7 See, e.g., In the Matter of Health Net, Inc.; In the Matter of BlueLinx Holdings Inc.

8 See, e.g., In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al.

9 See, e.g., In the Matter of Health Net, Inc.; In the Matter of BlueLinx Holdings Inc.


The Staff also assesses whether these documents contain other provisions that may contribute to violations of Rule 21F-17 in circumstances where their use impedes employees or former employees from communicating with the Commission, such as provisions that:

(a) require an employee to represent that he or she has not assisted in any investigation involving the registrant;

(b) prohibit any and all disclosures of confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations;

(c) require an employee to notify and/or obtain consent from the registrant prior to disclosing confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations; or

(d) purport to permit disclosures of confidential information only as required by law, without any exception for voluntary communications with the Commission concerning possible securities laws violations.10

When examining registrants’ compliance with Rule 21F-17, the Staff is citing deficiencies and making referrals to the Division of Enforcement where appropriate.

III. Conclusion

Registrants are encouraged to consider the issues identified in this Risk Alert to evaluate whether their compliance manuals, codes of ethics, employment agreements, severance agreements, and other documents contain language that may be inconsistent with Rule 21F-17.

The Staff welcomes comments and suggestions about how the Commission’s examination program can better fulfill its mission to promote compliance, prevent fraud, monitor risk, and inform Commission policy. If you suspect or observe activity that may violate the federal securities laws or otherwise operates to harm investors, please notify us at http://www.sec.gov/complaint/info_tipscomplaint.shtml.

10 See, e.g., In the Matter of KBR, Inc.; see also In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes risks that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. Other risks besides those described in this Risk Alert may be appropriate to consider, and some may not be applicable to a particular firm’s business. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations1

Volume V, Issue 3 September 12, 2016

Examinations of Supervision Practices At Registered Investment Advisers

I. Introduction

The Office of Compliance Inspections and Examinations’ (“OCIE”) 2016 Examination Priorities include examining compliance oversight and controls of registered investment advisers that have employed or employ individuals with a history of disciplinary events, including individuals that have been disciplined or barred from a broker-dealer.2 Such individuals may present an increased risk of future misconduct,3 and thus can present harm to clients. OCIE is undertaking an initiative to examine the supervision practices and compliance programs of registered investment advisers that employ individuals with a history of disciplinary events in the financial services sector (the “Supervision Initiative”). These examinations will assess such advisers’ business and compliance practices, particularly those practices related to the firms’ supervision of higher-risk individuals.4 OCIE is issuing this Risk Alert to provide additional information concerning the Supervision Initiative.

1 The views expressed herein are those of the staff of the Office of Compliance Inspections and Examinations, in coordination with other Securities and Exchange Commission (“SEC” or “Commission”) staff, including staff of the Division of Investment Management (“IM”). The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 See OCIE, Examination Priorities for 2016 (January 11, 2016) (“OCIE 2016 Priorities”).

3 See, e.g., Mark Egan, Gregor Matvos, and Amit Seru, “The Market for Financial Adviser Misconduct,” National Bureau of Economic Research Working Paper No. 22050 (Feb. 26, 2016). While this study focuses on FINRA-registered broker-dealer representatives (“financial advisors”), the study’s principal conclusions regarding recidivist misconduct are relevant to investment advisory supervised persons. The study concludes that financial advisors with disciplinary histories are five times more likely to engage in misconduct than the average “financial advisor.” The study also states that while approximately half of the offenders lose their job after the misconduct, 44 percent of the offenders are reemployed in the financial services industry within one year.

4 As referenced in this OCIE Risk Alert, advisory “employees” or “supervised persons” include principals and officers of the adviser, and other individuals performing services on behalf of the adviser (other than clerical), regardless of whether these individuals are independent contractors or employees of the adviser. Also, see Section 202(a)(25) of the Investment Advisers Act of 1940 (“Advisers Act”), which defines “supervised person.”

Topic: Review of Compliance and Supervision Practices at Registered Investment Advisers.

Key Takeaways: OCIE staff intends to conduct examinations of registered investment advisers that employ or contract with supervised persons that have a history of disciplinary events. These examinations will focus on evaluating the effectiveness of advisers’ compliance programs, supervisory oversight practices, and disclosures to clients and prospective clients, particularly relating to the potential risk associated with financial arrangements initiated by supervised persons with a disciplinary history.


II. Background

Advisers that employ or hire supervised persons with disciplinary events should be mindful of their supervisory obligations and may want to consider heightened supervision of such individuals. This includes disciplinary events that occurred during the individual’s employment with the adviser and prior employment.

OCIE’s Supervision Initiative will focus on registered advisers’ compliance programs and particularly on the supervision of supervised persons that may pose increased risks to advisory clients. Examinations will assess whether registered advisers have implemented policies and procedures specific to the risks presented by employees with disciplinary history, focusing on the compliance cultures and tone at the top of the examined advisers.

III. Examinations

OCIE (the “staff”) is using OCIE’s analytical capabilities to evaluate information from a variety of sources to identify registered advisers for examinations under this initiative. These sources include SEC databases and filings as well as external sources. Examples of factors that the staff is using to identify exam candidates include: disciplinary information that is reported on an adviser’s Form ADV;5 information about other legal actions (e.g., private civil actions) not required to be reported on Form ADV, but which are nonetheless relevant to the advisory services offered to clients; and information from SEC enforcement actions, which barred or suspended individuals from certain financial industries.

The Supervision Initiative examinations will focus on the following key risk areas:

• Compliance Program. Rule 206(4)-7 under the Advisers Act requires each adviser to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. Examiners will review the registered adviser’s practices surrounding its hiring processes, ongoing reporting obligations, employee oversight practices, and complaint handling processes. An important component of the examinations is to evaluate whether the advisers foster robust compliance cultures and tone at the top. The tone at the top is critical to setting the ethical environment of the organization and preventing misconduct.

• Disclosures. As a fiduciary, an investment adviser has a duty to make full and fair disclosure of all material facts.6 Advisers Act Section 207 provides that, in any registration application or report filed with the Commission under Section 203 or 204, it is unlawful for any person willfully to make any untrue statement of a material fact or willfully to omit to state a material fact which is required to be stated therein. This standard applies to statements made in an adviser’s Form ADV Part 1 and brochure. An adviser must update its brochure at least annually (and more frequently, if required by the instructions to Form ADV) and notify clients of any material changes.7 Examiners will likely review registered advisers’ practices regarding their disclosures of regulatory, disciplinary, or other actions with a focus on assessing the accuracy, adequacy, and effectiveness of such disclosures.

5 See Form ADV (Item 11 of Part 1A; Item 9 of Part 2A, and Item 3 of Part 2B). The form requires advisers to disclose certain disciplinary events of the firm (and its advisory affiliates including the adviser’s supervised persons) occurring within the past 10 years, which are presumptively material.

6 See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180 (1963). See also General Instructions to Part 2A of Form ADV.

7 See Section 204 of the Advisers Act and Rules 204-1(a) and 204-3, thereunder. See also Form ADV, Part 2A, Instruction 4; In the Matter of Everhart Financial Group, Inc. et al, Advisers Act Release No. 4314 (Jan. 14, 2016).


• Conflicts of Interest. As a fiduciary, an investment adviser has a duty to make full and fair disclosure of all material facts, including all material conflicts of interest that could affect the advisory relationship.8 Examiners will assess the conflicts of interest that a registered adviser or supervised person may have. Particular attention will be given to conflicts that may exist with respect to financial arrangements (e.g., unique products, services, or discounts) initiated by supervised persons with disciplinary events.

• Marketing. Advisers frequently use marketing materials to solicit new clients or retain existing clients. Rule 206(4)-1 under the Advisers Act prohibits an adviser from including certain representations in its advertisements or marketing materials. Examiners will review a registered adviser’s advertisements, including pitch-books, website postings, and public statements, to identify any conflicts of interest or risks associated with supervised persons with a history of disciplinary events.

IV. Conclusion

In sharing the focus areas for the Supervision Initiative, OCIE hopes to encourage advisers to reflect upon their own risks, practices, policies, and procedures in these areas and to consider making improvements in their advisory compliance programs where necessary.

8 See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180 (1963). See also, General Instructions to Part 2A of Form ADV.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes risks that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. Other risks besides those described in this Risk Alert may be appropriate to consider, and some may not be applicable to a particular firm’s business. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations1

Volume V, Issue 2 July 13, 2016

OCIE’s 2016 Share Class Initiative

In this Alert:

Topic: Share Class Examination Initiative

Key Takeaways: OCIE staff intends to focus on certain registered advisers and their associated persons that may be receiving undisclosed compensation or other financial incentives. Such examinations will likely focus on the following topics applicable to the adviser’s share class recommendation practices: fiduciary duty and best execution; disclosure; and compliance policies and procedures.

I. Introduction

The Office of Compliance Inspections and Examinations’ (“OCIE”) 2016 Examination Priorities include examining matters of importance to retail investors.2 OCIE’s retail investor protection focus includes examining advisory activities under various initiatives for, among other things, conflicts of interest, recommendations made to clients, fees charged, and disclosure practices.3 Consistent with these priorities, OCIE is undertaking an initiative to address the risk that registered advisers may be making certain conflicted investment recommendations to their clients. Specifically, OCIE is seeking to identify conflicts of interest tied to advisers’ compensation or financial incentives for recommending mutual fund and 529 Plan share classes that have substantial loads or distribution fees (“Share Class Initiative”). Examples of conflicts of interest related to share class recommendations include situations where the adviser is also a broker-dealer or affiliated with a broker-dealer that receives fees from sales of certain share classes, and situations where the adviser recommends that clients purchase more expensive share classes of funds for which an affiliate of the adviser receives more fees. OCIE is issuing this Risk Alert to provide additional information concerning the Share Class Initiative.

II. Background

The Commission has stated that an investment adviser has failed to uphold its fiduciary duty when it causes a client to purchase a more expensive share class of a fund when a less expensive class of that fund is available.4 As a fiduciary, an adviser has an obligation to act in its client’s best interest and to disclose material conflicts of interest such as the receipt of compensation for selecting or recommending mutual fund share classes. Additionally, the Commission has highlighted the need for advisers making mutual fund share class selections to adopt and implement written policies and procedures that are reasonably designed to prevent violations of the Advisers Act including those that govern their selection process.5

1 The views expressed herein are those of the staff of the Office of Compliance Inspections and Examinations, in coordination with other Securities and Exchange Commission (“SEC” or “Commission”) staff, including staff of the Division of Investment Management (“IM”). The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 See OCIE, Examination Priorities for 2016 (January 11, 2016) (“OCIE 2016 Priorities”).

3 OCIE 2016 Priorities.

4 See Investment Advisers Act of 1940 (“Advisers Act”) Release No. 3686, Manarin Investment Counsel, Ltd. (October 2, 2013). FINRA also has taken action for failures by broker-dealers to apply eligible sales charge waivers to mutual fund transactions made by charitable institutions and retirement plans. See FINRA News Release FINRA Fines Merrill Lynch $8 Million; over $89 Million Repaid to Retirement Accounts and Charities Overcharged for Mutual Funds (June 16, 2014); FINRA Orders Wells Fargo, Raymond James, and LPL Financial to Pay More Than $30 Million in Restitution to Retirement Accounts and Charities Overcharged for Mutual Funds (July 6, 2015); and FINRA Orders an Additional Five Firms to Pay $18 Million in Restitution to Charities and Retirement Accounts Overcharged for Mutual Funds (October 27, 2015). FINRA further addresses this issue in its 2016 Regulatory and Examination Priorities Letter, which reiterates the concern FINRA expressed in its 2015 letter about failures to provide appropriate sales charge waivers and discounts.

III. Examinations

The staff will focus on the adviser’s practices related to share class recommendations and compliance oversight of the process. The staff will conduct focused, risk-based examinations of high-risk areas, including:

• Fiduciary Duty and Best Execution. An investment adviser has a fiduciary duty under Section 206 of the Advisers Act that obligates it to act in the client’s best interest, and to seek best execution for client transactions (i.e., “to seek the most favorable terms reasonably available under the circumstances”).6 Examiners will likely review advisers’ investment practices to determine whether they are acting in their clients’ best interest and seeking best execution when recommending or selecting mutual fund and 529 Plan investments to clients. Examiners will review advisers’ books and records to identify share classes held and purchased in clients’ accounts and any compensation received by the adviser or any of its associated persons related to such investments.

• Disclosures. As a fiduciary, an investment adviser has a duty to make full and fair disclosure of all material facts, including all material conflicts of interest that could affect the advisory relationship.7 Registered investment advisers must provide narrative disclosure in their ADV Part 2 brochure to their clients and prospective clients regarding whether the adviser or its supervised persons accepts compensation for the sale of securities or other investment products, including asset-based sales charges or service fees from the sale of mutual funds.8 Registered investment advisers must also explain the conflict of interest such compensation creates and how the adviser addresses the conflict, including the adviser’s procedures for disclosing the conflict to its clients.9 An adviser must update its brochure at least annually (and more frequently, if required by the instructions to Form ADV) and notify clients of any material changes.10 Examiners will likely review an adviser’s practices surrounding its selection of mutual fund and 529 Plan investments in its clients’ accounts with a focus on assessing the accuracy, adequacy, and effectiveness of the adviser’s disclosures regarding compensation for the sale of shares and the conflicts of interest created.

• Compliance Program. Advisers must adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and the rules thereunder.11 Examiners will likely review the adviser’s practices surrounding its selection of mutual fund and 529 Plan share class investments in clients’ accounts and assess the adequacy and effectiveness of the adviser’s corresponding written policies and procedures.

While these are the primary focus areas for the Share Class Initiative, examiners may select additional topics based on other risks identified during the course of the examination.

5 See Advisers Act Release No. 4351, In re Royal Alliance Associates, Inc., SagePoint Financial, Inc. and FSC Securities Corporation et al (March 14, 2016).

6 See Advisers Act Release No. 2713, In re Fidelity Management Research Company and FMR Co., Inc. (March 5, 2008). See also, Advisers Act Release No. 3057, In the Matter of James C. Dawson, A. (July 23, 2010) (adviser barred from associating with any other adviser after the Commission found that he had engaged in “cherry-picking,” allocating a disproportionate percentage of profitable trades to his own account, rather than those of his clients).

7 See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180 (1963). See also, General Instructions to Part 2A of Form ADV.

8 See Part 2A of Form ADV, Item 5.E.

9 Id.

10 See Section 204 of the Advisers Act and Rules 204-1(a) and 204-3, thereunder. See also Form ADV, Part 2A, Instruction 4; Advisers Act Release No. 4314, In re Everhart Financial Group, Inc. et al (January 14, 2016).

11 Rule 206(4)-7 under the Advisers Act.


IV. Conclusion

In sharing the primary focus areas for the Share Class Initiative, OCIE encourages advisers to reflect upon their own practices, policies, and procedures in these areas and to make improvements in their advisory compliance programs where necessary.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations (“OCIE”)1

Volume V, Issue 1 November 9, 2015

Examinations of Advisers and Funds That Outsource Their Chief Compliance Officers

OCIE staff (the “staff”) have noted a growing trend in the investment management industry: outsourcing compliance activities to third parties, such as consultants or law firms.2 Some investment advisers and funds have outsourced all compliance activities to unaffiliated third parties, including the role of their chief compliance officers (“CCOs”).3 Outsourced CCOs may perform key compliance responsibilities, such as updating firm policies and procedures, preparing regulatory filings, and conducting annual compliance reviews. The staff conducted nearly 20 examinations as part of an Outsourced CCO Initiative that focused on SEC-registered investment advisers and investment companies (collectively, “registrants”) that outsource their CCOs to unaffiliated third parties (“outsourced CCOs”). The purpose of this Risk Alert is to share the staff’s observations from these examinations and raise awareness of the compliance issues observed by the staff.

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”), including staff of the Division of Investment Management and the Division of Enforcement. The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by SEC staff and is not legal advice.

2 See Charles Schwab & Corp., Independent Advisors’ Revenue and Assets Rebound for Record Year, Says 2011 Charles Schwab RIA Benchmarking Study (July 5, 2011). The study recorded that 38% of firms are outsourcing some aspect of their compliance function, which was up over ten percent from 27% the previous year. This survey covered 820 RIAs with more than $300 billion in combined assets, with the median study participant having ended 2010 with $212 million in assets under management. In a Charles Schwab Market Knowledge Tools synopsis regarding the 2012 Benchmarking Study, Charles Schwab stated that “[i]ncreased reliance on outside experts for compliance has been a strong trend…not only reducing expense but potentially lowering the risks of overlooking or misinterpreting evolving requirements.” (See, Charles Schwab & Corp., “Moving Forward in Uncertain Times: Insights From the 2012 RIA Benchmarking Study from Charles Schwab.”) By contrast, see Investment Adviser Association (“IAA”), Summary Report for the 2013 Investment Management Compliance Testing Survey (June 11, 2013). The survey reported that 99% of the firms surveyed did not outsource the role of the CCO. More than 92% of the participants in the 2013 IAA survey managed in excess of $500 million in assets, and the average firm managed between $1 billion and $20 billion.

3 Articles have been written and speeches delivered on the trend of outsourcing the role of the CCO. See, e.g., Rachel Louise Ensign, “Companies Are Outsourcing the Chief Compliance Officer Job,” WALL STREET JOURNAL (July 17, 2014); Nick Georgis, “The Outsourcing Boom: Compliance,” THINK ADVISOR (December 27, 2011); and Bettiny Eckerle, “Trend to Watch for 2012: Outsourcing Investment Adviser Compliance,” Eckerle Law (January 11, 2012).

In this Alert:

Topic: Staff observations regarding examinations of investment advisers and investment companies that outsource their chief compliance officer (“CCO”).

Key Takeaways: Advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in this Risk Alert to determine whether these practices comport with their responsibilities as set forth in the Compliance Rules. Advisers with outsourced CCOs retain the responsibility for adopting and implementing an effective compliance program.


I. The Compliance Rules

Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Advisers Act”) and Rule 38a-1 under the Investment Company Act of 1940 (“Investment Company Act”), often referred to as the “Compliance Rules,”4 require registrants to:

• Adopt and implement written policies and procedures that are reasonably designed to prevent violations by the adviser and its supervised persons of the Advisers Act and its rules and violations by the fund of the federal securities laws and the rules under those laws, respectively;5

• Designate an individual as CCO to be responsible for administering the policies and procedures;6 and

• Review the policies and procedures at least annually for their adequacy and the effectiveness of their implementation.7 Fund CCOs must also prepare a written report for the fund’s board of directors.8

The Commission has provided guidance regarding the quality, experience, and empowerment of the CCOs to advisers. For example, the Commission has stated that an adviser’s CCO should be “competent and knowledgeable regarding the Advisers Act and . . . empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the firm [and] have a position of sufficient seniority and authority within the organization to compel others to adhere to the compliance policies and procedures.”9 Similarly, the Commission stated that a fund’s CCO should be “competent and knowledgeable regarding the federal securities laws and should be empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the fund.”10 Moreover, the Commission highlighted that fund and adviser CCOs “should have sufficient seniority and authority to compel others to adhere to the compliance policies and procedures.”11

4 See also SEC, Compliance Programs of Investment Companies and Investment Advisers, Release Nos. IA-2204 and IC-26299 (December 17, 2003) (“Adopting Release”). In the Adopting Release, the Commission stated that it is of critical importance that registrants have “strong systems of controls in place to prevent violations of the federal securities laws and to protect the interests of shareholders and clients.”

5 Rule 206(4)-7(a) under the Advisers Act and Rule 38a-1(a)(1) under the Investment Company Act. The Compliance Rule under the Advisers Act applies to advisers and their “supervised persons.” The term “supervised persons” is defined as “any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or other person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.” Section 202(a)(25) of the Advisers Act.

As noted in the Adopting Release, in designing its policies and procedures, each registrant should identify conflicts, and other compliance factors that create a risk exposure for the firm and clients in light of the firm’s particular operations and design policies and procedures to address these risks. An adviser should also consider its fiduciary obligations.

6 Rule 206(4)-7(c) under the Advisers Act (requiring that the CCO be a supervised person) and Rule 38a-1(a)(4) under the Investment Company Act.

7 Rule 206(4)-7(b) under the Advisers Act and Rule 38a-1(a)(3) under the Investment Company Act.

8 Rule 38a-1(a)(4)(iii) under the Investment Company Act.

9 Adopting Release, Section II.C.1.

10 Adopting Release, Section II.C.2.

11 Adopting Release, Sections II.C.1 and II.C.2.


II. Staff Examinations

CCOs are integral participants in OCIE’s examinations of registrants. For example, each examination typically includes interviews with the CCO and other senior officers. During these interviews, the staff assesses the registrants’ tone at the top and culture of compliance.12 These assessments are important factors in the staff’s review of the effectiveness of the registrants’ compliance programs in which a CCO plays an important role. As part of the Outsourced CCO Initiative, the staff evaluated the effectiveness of registrants’ compliance programs and outsourced CCOs by considering, among other things, whether:

• The CCO was administering a compliance environment that addressed and supported the goals of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable (i.e., compliance risks were appropriately identified, mitigated, and managed);

• The compliance program was reasonably designed to prevent, detect, and address violations of the Advisers Act, Investment Company Act, and other federal securities laws, as applicable;

• The compliance program supported open communication between service providers and those with compliance oversight responsibilities;

• The compliance program appeared to be proactive rather than reactive;

• The CCO appeared to have sufficient authority to influence adherence with the registrant’s compliance policies and procedures, as adopted, and was allocated sufficient resources to perform his or her responsibilities; and

• Compliance appeared to be an important part of the registrant’s culture.

III. Staff Observations

During these examinations, the staff observed instances where the outsourced CCO was generally effective in administering the registrant’s compliance program, as well as fulfilling his/her other responsibilities as CCO. The staff observations regarding effective outsourced CCOs generally involved: regular, often in-person, communication between the CCOs and the registrants; strong relationships established between the CCOs and the registrants; sufficient registrant support of the CCOs; sufficient CCO access to registrants’ documents and information; and CCO knowledge about the regulatory requirements and the registrants’ business. More specifically, the staff observed the following:

• Communications: Outsourced CCOs who frequently and personally interacted with advisory and fund employees (in contrast with impersonal interaction, such as electronic communication or pre-defined checklists) appeared to have a better understanding of the registrants’ businesses, operations, and risks. As a result, at these registrants the staff noted fewer inconsistencies between the compliance policies and procedures and the registrants’ actual business practices. The staff also noted that these CCOs were typically able to effectuate compliance changes that they deemed to be necessary.

12 The staff’s assessment of the registrant’s tone at the top and culture, however, is not based solely on interviews with the CCO and other senior officers, but can be informed by other factors.

• Resources: More significant compliance-related issues were identified at registrants with an outsourced CCO that served as the CCO for numerous unaffiliated firms and that did not appear to have sufficient resources to perform compliance duties, especially given the disparate and dispersed nature of the registrants that the CCO serviced.

• Empowerment: Annual reviews performed by outsourced CCOs, who were able to independently obtain the records they deemed necessary for conducting such reviews, more accurately reflected the registrants’ actual practices than annual reviews conducted by CCOs, who relied wholly on the firm to select the records subject to their review. In some instances, the registrants’ employees had discretion to determine which documents were provided to the outsourced CCOs. In these cases, the registrants’ ability to selectively provide records to the outsourced CCO may have affected the accuracy of these registrants’ annual reviews.

The staff’s observations with respect to the strength and effectiveness of the registrants’ compliance programs are described in further detail below.

A. Meaningful Risk Assessments

The staff observed that an effective compliance program generally relies upon, among other things, the correct identification of a registrant’s risks in light of its business, operations, conflicts, and other compliance factors. The compliance policies and procedures should then be designed to address those risks. The staff observed that certain outsourced CCOs could not articulate the business or compliance risks of the registrant or, to the extent the risks were identified, whether the registrant had adopted written policies and procedures to mitigate or address those risks. In some instances, the risks described to the staff by the registrant’s principals were different than the risks described by the outsourced CCO. In these instances, the staff identified several areas where the registrant did not appear to have policies, procedures, and/or disclosures in place necessary to address certain risks.

• Standardized checklists: The staff notes that some outsourced CCOs used standardized checklists to gather pertinent information regarding the registrants. While the use of questionnaires or standardized checklists may be a helpful guide to identify conflicts and assess risks at registrants, the staff observed the following:

o Some standardized risk checklists utilized by outsourced CCOs were generic and did not appear to fully capture the business models, practices, strategies, and compliance risks that were applicable to the registrant.

o Some of the responses to the standardized questionnaires completed by the registrants included incorrect or inconsistent information about the firms’ business practices. The outsourced CCOs did not appear sufficiently knowledgeable about the registrant to identify or follow up with the registrant to resolve such discrepancies.13

• Policies, procedures, and disclosures: Several registrants did not appear to have the policies, procedures, or disclosures in place necessary to address all of the conflicts of interest identified by the staff. These issues were identified in critical areas that affect the registrants’ clients, such as compensation practices, portfolio valuation, brokerage and execution, and personal securities transactions by access persons.

B. Compliance Policies and Procedures

Although the Compliance Rules14 do not expressly require compliance policies and procedures to contain specific elements, the Commission stated in the Adopting Release that it expects an adviser’s policies and procedures, at a minimum, to address ten core areas to the extent that they are relevant to the adviser’s business.15 The staff observed certain instances where the registrants did not appear to have adopted, implemented, and/or adhered to policies and procedures that were reasonably designed to prevent the violation of applicable regulations or that were relevant in light of the registrant’s business and operations, such as the following:

• Compliance policies and procedures were not followed: The staff observed instances in which compliance policies and procedures were not followed or the registrants’ actual practices were not consistent with the description in the registrants’ compliance manuals. These practices were observed in areas that are required to be reviewed by regulations (e.g., reviews required for the payment of cash for solicitation activities and personal securities transactions) and in areas that registrants included in their policies and procedures, but that are not expressly required to be reviewed by regulations (e.g., quarterly review of employees’ e-mails).16 In many instances, the outsourced CCOs were designated as the individuals responsible for conducting the reviews.

13 Similarly, in a recent enforcement action, the Commission’s Division of Enforcement alleged that the conduct of an adviser’s outsourced CCO contributed to the firm making false filings with the Commission because the outsourced CCO “did not personally review [the adviser’s] records” to validate the information. Instead, he relied “exclusively on information provided to him by [advisory personnel].” See In re Aegis Capital LLC, Advisers Act Rel. No 4054 (March 30, 2015).

14 See Section I herein for definition of Compliance Rules.

15 Adopting Release. The ten core areas are: portfolio management processes; accuracy of disclosures made to investors, clients, and regulators; proprietary trading; safeguarding of client assets from conversion or inappropriate use by advisory personnel; accurate creation and retention of required records; safeguards for the privacy protection of client records and information; trading practices; marketing advisory services; processes to value client holdings and assess fees based on those valuations; and business continuity plans.

16 Rule 206(4)-3(a)(2)(iii)(C) under the Advisers Act requires an adviser that pays a cash fee to a solicitor for solicitation activities to make a “bona fide effort to ascertain whether the solicitor has complied with the agreement, and has a reasonable basis for believing that the solicitor has so complied.” Rule 204A-1(a)(3) under the Advisers Act requires an adviser registrant to establish, maintain and enforce a written code of ethics that includes “[p]rovisions that require all of [registrant’s] access persons to report, and [registrant] to review, their personal securities transactions and holdings periodically.” Also, Investment Company Act Rule 17j-1(c)(2)(ii)(A) generally requires a fund and its adviser, among others, to, no less frequently than annually, furnish to the fund's board of directors a written report that describes, among other things, any issues arising under the fund’s code of ethics or procedures since the last report to the board of directors, including, but not limited to, information about material violations of the code or procedures and sanctions imposed in response to the material violations. The staff has observed that the CCO typically participates in the preparation of such reports.


• Compliance policies and procedures were not tailored to registrants’ businesses or practices: Several of the compliance manuals that the staff reviewed were created using outsourced CCO-provided templates. However, some of these templates were not tailored to registrants’ businesses and practices and, thus, the compliance manuals that had been adopted contained policies and procedures that were not appropriate or applicable to the registrants’ businesses or practices.17 Examples include:

o Critical areas were not identified, and thus certain compliance policies and procedures were not adopted, such as reviewing third-party managers hired to manage client money, or safeguarding client information.

o Policies were adopted, but were not applicable to the advisers’ businesses and operations, such as: monitoring of account performance composites when in practice the adviser did not monitor composites because it did not advertise performance; collecting management fees quarterly in advance when in practice clients were billed monthly in arrears; and referencing departed employees as responsible parties in performing compliance reviews or monitoring.

o Critical control procedures were not performed, or not performed as described, including: oversight of private fund fee and expense allocations; reviews of solicitation activities for compliance with the Advisers Act; trade allocation reviews for fairness of side-by-side management of client accounts with proprietary accounts; oversight of performance advertising and marketing; personal trading reviews of all access persons; and controls over trade reconciliations.

C. Annual Review of the Compliance Programs

For the registrants examined, the outsourced CCOs were typically responsible for conducting and documenting registrants’ annual reviews, which included testing for compliance with existing policies and procedures. The staff, however, observed a general lack of documentation evidencing the testing.18 In addition, the staff notes that certain outsourced CCOs infrequently visited registrants’ offices and conducted only limited reviews of documents or training on compliance-related matters while on-site. Such CCOs had limited visibility and prominence within the registrants’ organization, which appeared to result in the CCOs also having limited authority within the organization to, among other things, improve adherence to the registrants’ compliance policies and procedures. Limited authority also appeared to affect the outsourced CCOs’ ability to implement important changes in disclosure regarding key areas of client interest, such as advisory fees.

17 In the Adopting Release, the Commission noted that investment advisers are too varied in their operations for the rule to impose a “single set of universally applicable required elements” and that instead “[e]ach adviser should adopt policies and procedures that take into consideration the nature of that firm’s operations.” In describing how advisers should actually design their policies and procedures, the Commission suggested that each firm “should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design policies and procedures that address those risks.”

18 The staff notes that, while registrants must review their policies and procedures at least annually for their adequacy and the effectiveness of their implementation, there are no specific requirements under the Compliance Rules regarding documentation. The staff notes, however, that there is a parallel recordkeeping requirement under Rule 204-2(a)(17)(ii) under the Advisers Act, which requires advisers to retain “any records” documenting the annual review conducted pursuant to the Compliance Rule.


IV. Conclusion

During these examinations, the staff observed certain compliance weaknesses associated with registrants that outsourced their CCOs, as described in this Risk Alert. Advisers and funds with outsourced CCOs should review their business practices in light of the risks noted in this Risk Alert to determine whether these practices comport with their responsibilities as set forth in the Compliance Rules. The staff anticipates that, by sharing these examination observations, it will assist registrants in assessing whether their compliance programs have weaknesses, particularly with respect to identifying applicable risks and ensuring that the firm’s compliance program encompasses all relevant business activities. A CCO, either as a direct employee of a registrant or as a contractor or consultant, must be empowered with sufficient knowledge and authority to be effective. Each registrant is ultimately responsible for adopting and implementing an effective compliance program and is accountable for its own deficiencies. Registrants, particularly those that use outsourced CCOs, may want to consider the issues identified in this Risk Alert to evaluate whether their business and compliance risks have been appropriately identified, whether their policies and procedures are appropriately tailored in light of their business and associated risks, and whether their CCO is sufficiently empowered within the organization to effectively perform his/her responsibilities. The staff observed fewer compliance-related issues at the registrants examined that had developed appropriate controls in each of the areas identified in this Risk Alert. The staff welcomes comments and suggestions about how the Commission’s examination program can better fulfill its mission to promote compliance, prevent fraud, monitor risk, and inform SEC policy.
If you suspect or observe activity that may violate the federal securities laws or otherwise operates to harm investors, please notify us at http://www.sec.gov/complaint/info_tipscomplaint.shtml.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations (“OCIE”)1

Volume IV, Issue 8 September 15, 2015

OCIE’s 2015 Cybersecurity Examination Initiative

I. Introduction

In March 2014, the SEC sponsored a Cybersecurity Roundtable where SEC Commissioners and staff, along with industry representatives, underscored the importance of cybersecurity to the integrity of the market system and customer data protection.2 In April 2014, OCIE published a Risk Alert announcing a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.3 In February 2015, OCIE published summary observations of the findings from these examinations, which discussed some of the legal, regulatory, and compliance issues associated with cybersecurity.4 Given the continued importance of cybersecurity and the positive response from broker-dealers and advisers on OCIE’s efforts, OCIE announced a focus on cybersecurity compliance and controls as part of its 2015 Examination Priorities.5 OCIE is issuing this Risk Alert to provide additional information on the areas of focus for OCIE’s second round of cybersecurity examinations, which will involve more testing to assess implementation of firm procedures and controls.

II. Examinations

In light of recent cybersecurity breaches and continuing cybersecurity threats against financial services firms, the Cybersecurity Examination Initiative is designed to build on OCIE’s previous examinations in this area and further assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer customer and investment adviser client (hereinafter referred to as “customer”) information.6 In addition, public reports have identified cybersecurity breaches related to weaknesses in basic controls.7 As a result, examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls. In order to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness, this Initiative will focus on the following areas:

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”), including the Division of Trading and Markets and the Division of Investment Management. The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by the SEC staff and is not legal advice.

2 SEC, Cybersecurity Roundtable (March 26, 2014).

3 OCIE, NEP Risk Alert, OCIE Cybersecurity Initiative (April 15, 2014).

4 OCIE, NEP Risk Alert, Cybersecurity Examination Sweep Summary (February 3, 2015).

5 OCIE, Examination Priorities for 2015 (January 13, 2015).

In this Alert:

Topic: Cybersecurity Examination Initiative

Key Takeaways: OCIE staff will continue its focus on cybersecurity by conducting examinations of registered broker-dealers and investment advisers. The examinations will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. To assist firms in assessing their cybersecurity preparedness, OCIE has included a sample document request in the Appendix to this Risk Alert.

• Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

• Access Rights and Controls: Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.

• Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.

• Vendor Management: Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

• Training: Without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

6 Among other requirements, Regulation S-P requires financial institutions, including broker-dealers, investment companies, and investment advisers, registered with the Commission to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer information and records.

7 See, e.g., Financial Industry Regulatory Authority, Report on Cybersecurity Practices, page 38 (February 2015).

• Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

While these are the primary focus areas for the Cybersecurity Examination Initiative, examiners may select additional areas based on risks identified during the course of the examinations. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks, OCIE is including, as the Appendix to this Risk Alert, a sample request for information and documents to be used in this Initiative.

III. Conclusion

In sharing the key focus areas for the Cybersecurity Examination Initiative and the attached document request, the NEP hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


APPENDIX

This document1 provides a sample list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) may review in conducting examinations of registered entities regarding cybersecurity matters. Some of the questions track information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity,”2 released on February 12, 2014 by the National Institute of Standards and Technology. OCIE has published this document as a resource for registered entities. This document should not be considered all inclusive of the information that OCIE may review or the validation and testing we may perform of firm policies and procedures. Accordingly, OCIE will alter its requests for information it reviews, as well as whether it asks for production of information in advance of an examination or reviews certain information on site, as it considers the specific circumstances presented by each firm’s business model, systems, and information technology environment.

Governance and Risk Assessment

• Firm policies and procedures related to the following:

o Protection of broker-dealer customer and/or investment adviser client (hereinafter “customer”) records and information, including those designed to secure customer documents and information, protect against anticipated threats to customer information, and protect against unauthorized access to customer accounts or information; and

o Patch management practices, including those regarding the prompt installation of critical patches and the documentation evidencing such actions.

• Board minutes and briefing materials, if applicable, regarding: cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors.

• Information regarding the firm’s Chief Information Security Officer (“CISO”) or equivalent position, and other employees responsible for cybersecurity matters.

• Information regarding the firm’s organizational structure, particularly information regarding the positions and departments responsible for cybersecurity-related matters and where they fit within the firm’s organization or hierarchy.

1 The statements and views expressed herein are those of the staff of OCIE. This guidance is not a rule, regulation, or statement of the Commission. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014).


• Information regarding the firm’s periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business and compliance consequences, if applicable, and any related findings and responsive remediation efforts taken.

• Information regarding the firm’s policies related to penetration testing, whether conducted by or on behalf of the firm, and any related findings and responsive remediation efforts taken.

• Information regarding the firm’s vulnerability scans and any related findings and responsive remediation efforts taken.

Access Rights and Controls

• Firm policies and procedures regarding access by unauthorized persons to firm network resources and devices and user access restrictions (e.g., access control policy, acceptable use policy, administrative management of systems, and corporate information security policy), including those addressing the following:

o Establishing employee access rights, including the employee’s role or group membership;

o Updating or terminating access rights based on personnel or system changes; and

o Any management approval required for changes to access rights or controls.

• Information demonstrating the implementation of firm policies and procedures related to employee access rights and controls, such as the following:

o Documentation evidencing the tracking of employee access rights, changes to those access rights, and any manager approvals for those changes;

o Information related to former employees’ last date of employment and the date their access to the firm’s systems was terminated; and

o Information related to current employees who have been reassigned by the firm to a new group or function, including their date of reassignment and the date their access to the firm’s systems was modified.

• Information related to the systems or applications for which the firm uses multi-factor authentication for employee and customer access as well as documentation evidencing implementation of any related policies and procedures and information on systems or applications for which the firm does not use multi-factor authentication.

• Firm policies and procedures related to log-in attempts, log-in failures, lockouts, and unlocks or resets for perimeter-facing systems and information regarding the process the firm uses to enforce these policies and procedures and to review perimeter-facing systems for failed log-in attempts, deactivation of access, dormant user accounts, and unauthorized log-in attempts.

• Information related to instances in which system users, including employees, customers, and vendors, received entitlements or access to firm data, systems, or reports in contravention of the firm’s policies or practices or without required authorization as well as information related to any remediation efforts undertaken in response.

• Firm policies and procedures regarding system notifications to users, including employees and customers, of appropriate usage obligations when logging into the firm’s system (e.g., log-on banners, warning messages, or acceptable use notifications) and sample documentation evidencing implementation of these policies and procedures.

• Firm policies and procedures regarding devices used to access the firm’s system externally (i.e., firm-issued and personal devices), including those addressing the encryption of such devices and the firm’s ability to remotely monitor, track, and deactivate remote devices.

• Information related to customer complaints received by the firm related to customer access, including a description of the resolution of the complaints and any remediation efforts undertaken in response.

• Firm policies and procedures related to verification of the authenticity of customer requests to transfer funds.

• Information related to any reviews of employee access rights and restrictions with respect to job-specific resources within the network and any related documentation.

• Information related to any internal audit conducted by the firm that covered access rights and controls.
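The items above ask a firm to evidence several access-rights controls: that leavers’ accounts were disabled on their last day, that reassigned employees’ entitlements were adjusted, that dormant accounts are reviewed, and that perimeter systems actually lock out repeated failed log-ins. The following is an added example of the kind of reconciliation an internal reviewer can run to produce that evidence; it is not code from the Risk Alert or from OCIE. The HR/IAM records, the log format, the user names, and the thresholds (one-day grace period, 90-day dormancy window, five failures in fifteen minutes) are all constructed assumptions for illustration.

```python
"""Access-rights review over constructed HR/IAM records and a perimeter auth log.

Checks (each mirrors an item in the OCIE sample request list):
  - orphaned accounts: leavers whose access outlived their last day
  - post-termination log-ins: successful log-ins after a leaver's last day
  - stale reassignments: moved employees whose entitlements were never adjusted
  - dormant accounts: current employees with no successful log-in in 90 days
  - missing lockouts: bursts of failed log-ins not followed by a LOCKOUT event
All data and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

GRACE = timedelta(days=1)  # assumed: access must change within one day of the HR event


@dataclass
class HrRecord:
    user: str
    last_day: Optional[date] = None           # set when the employee left
    access_terminated: Optional[date] = None  # when IAM actually disabled the account
    reassigned_on: Optional[date] = None      # moved to a new group or function
    access_modified: Optional[date] = None    # when entitlements were adjusted


# Constructed HR/IAM data (hypothetical users, not from the Risk Alert).
HR_RECORDS = [
    HrRecord("alice"),                                                                  # current, unchanged
    HrRecord("bob", last_day=date(2015, 8, 14), access_terminated=date(2015, 8, 14)),   # clean leaver
    HrRecord("carol", last_day=date(2015, 8, 21)),                                      # left, never disabled
    HrRecord("dave", last_day=date(2015, 7, 31), access_terminated=date(2015, 8, 20)),  # disabled late
    HrRecord("erin", reassigned_on=date(2015, 8, 3), access_modified=date(2015, 8, 4)),  # moved, updated
    HrRecord("frank", reassigned_on=date(2015, 8, 3)),                                  # moved, not updated
    HrRecord("grace"),                                                                  # current but dormant
    HrRecord("hank"),                                                                   # current, brute-forced
]

# Constructed perimeter (VPN gateway style) auth log; one event per line, unordered.
AUTH_LOG = """\
2015-09-14T08:01:02 user=alice result=OK src=vpn
2015-09-14T08:05:00 user=carol result=OK src=vpn
2015-09-13T17:45:00 user=erin result=OK src=vpn
2015-09-14T09:00:00 user=hank result=FAIL src=vpn
2015-09-14T09:00:30 user=hank result=FAIL src=vpn
2015-09-14T09:01:00 user=hank result=FAIL src=vpn
2015-09-14T09:01:30 user=hank result=FAIL src=vpn
2015-09-14T09:02:00 user=hank result=FAIL src=vpn
2015-09-14T09:02:01 user=hank result=FAIL src=vpn
2015-09-01T08:00:00 user=hank result=OK src=vpn
2015-09-14T10:00:00 user=erin result=FAIL src=vpn
2015-09-14T10:00:10 user=erin result=FAIL src=vpn
2015-09-14T10:00:20 user=erin result=FAIL src=vpn
2015-09-14T10:00:30 user=erin result=FAIL src=vpn
2015-09-14T10:00:40 user=erin result=FAIL src=vpn
2015-09-14T10:00:41 user=erin result=LOCKOUT src=vpn
2015-09-14T10:30:00 user=frank result=OK src=vpn
2015-06-01T07:00:00 user=grace result=OK src=vpn
"""


def parse_auth_log(text):
    """Return (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(part.split("=", 1) for part in kv)
        events.append((datetime.fromisoformat(ts), fields["user"], fields["result"]))
    return sorted(events)


def orphaned_accounts(records, as_of):
    """Leavers whose access was never disabled, or disabled more than GRACE after last day."""
    findings = []
    for r in records:
        if r.last_day is None:
            continue
        if r.access_terminated is None:
            findings.append((r.user, f"still active {(as_of - r.last_day).days} days after last day"))
        elif r.access_terminated > r.last_day + GRACE:
            findings.append((r.user, f"disabled {(r.access_terminated - r.last_day).days} days late"))
    return findings


def post_termination_logins(records, events):
    """Successful log-ins dated after a leaver's last day: direct evidence the control failed."""
    leavers = {r.user: r.last_day for r in records if r.last_day is not None}
    hits = defaultdict(list)
    for ts, user, result in events:
        if result == "OK" and user in leavers and ts.date() > leavers[user]:
            hits[user].append(ts)
    return dict(hits)


def stale_reassignments(records, as_of):
    """Reassigned employees whose entitlements were not adjusted within GRACE of the move."""
    findings = []
    for r in records:
        if r.reassigned_on is None:
            continue
        if r.access_modified is None:
            findings.append((r.user, f"entitlements unchanged {(as_of - r.reassigned_on).days} days after reassignment"))
        elif r.access_modified > r.reassigned_on + GRACE:
            findings.append((r.user, f"entitlements adjusted {(r.access_modified - r.reassigned_on).days} days late"))
    return findings


def dormant_accounts(records, events, as_of, days=90):
    """Current employees with no successful log-in inside the look-back window."""
    last_ok = {}
    for ts, user, result in events:
        if result == "OK":
            last_ok[user] = ts  # events are sorted, so the last write is the newest
    findings = []
    for r in records:
        if r.last_day is not None:
            continue
        seen = last_ok.get(r.user)
        if seen is None:
            findings.append((r.user, "never logged in"))
        elif (as_of - seen.date()).days > days:
            findings.append((r.user, f"last log-in {(as_of - seen.date()).days} days ago"))
    return findings


def missing_lockouts(events, threshold=5, window=timedelta(minutes=15)):
    """Users with >= threshold FAILs inside `window` and no LOCKOUT recorded shortly after."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = []
    for user, evs in by_user.items():
        fails = [ts for ts, _, res in evs if res == "FAIL"]
        lockouts = [ts for ts, _, res in evs if res == "LOCKOUT"]
        for i in range(len(fails) - threshold + 1):
            start, end = fails[i], fails[i + threshold - 1]
            if end - start <= window:
                if not any(start <= lt <= end + window for lt in lockouts):
                    findings.append((user, f"{len(fails)} failures in window, no lockout recorded"))
                break
    return findings


def run_review(as_of=date(2015, 9, 15)):
    events = parse_auth_log(AUTH_LOG)
    return {
        "orphaned": orphaned_accounts(HR_RECORDS, as_of),
        "post_termination_logins": post_termination_logins(HR_RECORDS, events),
        "stale_reassignments": stale_reassignments(HR_RECORDS, as_of),
        "dormant": dormant_accounts(HR_RECORDS, events, as_of),
        "missing_lockouts": missing_lockouts(events),
    }


if __name__ == "__main__":
    for check, findings in run_review().items():
        print(check)
        items = findings.items() if isinstance(findings, dict) else findings
        for item in items:
            print("   ", item)
```

Each finding is dated relative to the HR event rather than merely flagged, because the documentation the request list asks for is the gap between the last day of employment (or the reassignment date) and the date access actually changed. The lockout check keys on a LOCKOUT event appearing within the window after the fifth failure, so a policy that is written down but not enforced on a given perimeter system shows up as a finding rather than being assumed from the policy text.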

Data Loss Prevention

• Firm policies and procedures related to enterprise data loss prevention and information related to the following:

o Data mapping, with particular emphasis on understanding information ownership and how the firm documents or evidences personally identifiable information (“PII”); and

o The systems, utilities, and tools used to prevent, detect, and monitor data loss as it relates to PII and access to customer accounts, including a description of the functions and source of these resources.

• Firm policies related to data classification, including: information regarding the types of data classification; the risk level (e.g., low, medium, or high) associated with each data classification; the factors considered when classifying data; and how the factors and risks are considered when the firm makes data classification determinations.

• Firm policies and procedures related to monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm through various distribution channels (e.g., email, physical media, hard copy, or web-based file transfer programs) and any documentation evidencing this monitoring.

Vendor Management

• Firm policies and procedures related to third-party vendors, such as those addressing the following:

o Due diligence with regard to vendor selection;

o Contracts, agreements, and the related approval process;

o Supervision, monitoring, tracking, and access control; and

o Any risk assessments, risk management, and performance measurements and reports required of vendors.

• Information regarding third-party vendors with access to the firm’s network or data, including the services provided and contractual terms related to accessing firm networks or data.

• Information regarding third-party vendors that facilitate the mitigation of cybersecurity risks by means related to access controls, data loss prevention, and management of PII, including a description of the services each vendor provides to the firm and contractual terms included in vendor contracts involving cybersecurity-related services.

• Information regarding written contingency plans the firm has with its vendors concerning, for instance, conflicts of interest, bankruptcy, or other issues that might put the vendor out of business or in financial difficulty.

• Sample documents or notices required of third-party vendors, such as those required prior to any significant changes to the third-party vendors’ systems, components, or services that could potentially have security impacts to the firm and the firm’s data containing PII.

Training

• Information with respect to training provided by the firm to its employees regarding information security and risks, including the training method (e.g., in person, computer-based learning, or email alerts); dates, topics, and groups of participating employees; and any written guidance or materials provided.


• Information regarding training provided by the firm to third-party vendors or business partners related to information security.

Incident Response

• Firm policies and procedures or the firm’s business continuity of operations plan that address mitigation of the effects of a cybersecurity incident and/or recovery from such an incident, including policies regarding cybersecurity incident response and responsibility for losses associated with attacks or intrusions impacting clients.

• Information regarding the firm’s process for conducting tests or exercises of its incident response plan, including the frequency of, and reports from, such testing and any responsive remediation efforts taken, if applicable.

• Information regarding system-generated alerts related to data loss of sensitive information or confidential customer records and information, including any related findings and any responsive remediation efforts taken.

• Information regarding incidents of unauthorized internal or external distributions of PII, including the date of the incidents, discovery process, escalation, and any responsive remediation efforts taken.

• Information regarding successful unauthorized internal or external incidents related to access, including the date of the incidents, discovery process, escalation, and any responsive remediation efforts taken.

• Information regarding the amount of actual customer losses associated with cyber incidents, as well as information on the following:

o The amount of customer losses reimbursed by the firm;

o Whether the firm had cybersecurity insurance coverage, including the types of incidents the insurance covered;

o Whether any insurance claims related to cyber events were filed; and

o The amount of cyber-related losses recovered pursuant to the firm’s cybersecurity insurance coverage.


By the Office of Compliance Inspections and Examinations (“OCIE”)1

Volume IV, Issue 7 August 24, 2015

BROKER-DEALER CONTROLS REGARDING RETAIL SALES OF STRUCTURED SECURITIES PRODUCTS

I. Introduction

OCIE’s National Examination Program staff (the “Staff”) examined ten branch offices of registered broker-dealers (the “broker-dealers” or “firms”) that distribute structured securities products (“SSPs”) issued by their parents or affiliates or issued by unaffiliated third parties.2 Using data analytics, the Staff assessed these firms’ compliance with suitability and supervision requirements in the Securities Exchange Act of 1934 (“Exchange Act”) and evaluated whether the firms effectively supervised and monitored activities and risks associated with sales of SSPs to retail investors. The Staff’s analysis of the implementation of controls across the branch offices of each firm revealed discrepancies in the practices within each firm and discrepancies in the effectiveness of the controls. Firms should note that the effectiveness of such controls depends on their implementation as well as their design.

SSPs are securities, often issued as corporate obligations of an affiliate of the underwriting broker-dealer. They derive their value from, and provide exposure to, a variety of underlying asset classes such as a single security, baskets of securities, indices, options, commodities, and/or foreign currencies. SSPs, which may or may not be listed on an exchange, typically have some form of embedded derivatives and may supply, among other things, principal protection, interest payments, or leveraged exposure to the referenced assets. This Risk Alert focuses on structured notes in particular.3

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”), including the Division of Trading and Markets. The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by the SEC staff and is not legal advice.

2 The examinations described in this Risk Alert did not cover exchange-traded products.

3 Structured notes are structured products that are comprised of a debt obligation and at least one embedded derivative.

This Risk Alert summarizes deficiencies that OCIE staff observed in the controls that certain broker-dealers put in place to comply with obligations related to sales of structured securities products (“SSPs”) to retail investors, including 1) controls related to determining suitability of SSP recommendations and 2) written supervisory procedures related to reviews of representatives’ suitability determinations with regard to SSPs.


During these examinations, the Staff analyzed, in aggregate, over 26,600 sales of SSPs, totaling over $1.25 billion in principal transactions.4 By reviewing the account documentation of customers engaged in these transactions, including data on risk tolerance and investment objective, age, and any approval for options trading, the Staff was able to identify, on an aggregate basis, the predominant types of customers that had purchased SSPs at each firm and branch office. The Staff also reviewed resales of SSPs in these accounts in order to gauge the frequency and price at which SSPs were resold prior to maturity. Finally, the Staff analyzed the frequency with which each firm’s transactions exceeded internal policies and procedures governing suitability of recommendations to brokerage customers as well as supervisors’ documentation approving overrides of internal suitability guidelines with respect to suitability of recommendations. Among other things, the examinations revealed several significant deficiencies in the areas of suitability and supervision with respect to all of the examined firms’ sales of SSPs to retail investors. Specifically, all of the examined firms:

• Failed to maintain and/or enforce adequate controls relating to determining the suitability of SSP recommendations; and

• Failed to conduct both compliance and supervisory reviews of registered representatives’ (“representatives”) determinations of customer suitability in the SSPs, as required by their internal controls.

II. Overview of Broker-Dealer Obligations Regarding Sales of SSPs

A. SSPs

SSPs have been increasingly marketed to retail investors, who have been interested in generating income in the low-yield interest-rate environment that has persisted since the financial crisis. Additionally, SSPs may offer attractive attributes such as partial or full “principal protection” or exposure to a particular asset class. SSPs often provide for payments determined by reference to other assets or indices and may be more complex than a simple debt instrument with a stated interest rate.5

B. Suitability and Supervision Requirements

A central aspect of a broker-dealer’s duty of fair dealing is the suitability obligation, which generally requires a broker-dealer to make recommendations that are consistent with the best interests of its customer.6 The concept of suitability has been interpreted as an obligation under the antifraud provisions of the federal securities laws7 and also appears in specific SRO rules.8 As part of its suitability obligations for complex products, FINRA encourages firms to require that a registered representative has a reasonable basis to believe that “the customer has such knowledge and experience in financial matters that he may reasonably be expected to be capable of evaluating the risks of the recommended transaction, and is financially able to bear the risks of the recommended position.”9 The FINRA rules also require broker-dealers to supervise their associated persons, and the Exchange Act permits the Commission to sanction broker-dealers who fail reasonably to supervise, with a view to preventing violations of the federal securities laws by a person subject to their supervision.10 In addition, FINRA has released guidance to help assess the adequacy of controls with respect to SSPs and complex products that members should include in their supervisory and compliance procedures, such as provisions relating to a reasonable basis suitability determination; customer-specific suitability analysis; and training for registered representatives regarding the characteristics, risks, and rewards of SSPs.11

4 The review period for these examinations included the period of January 1, 2011 to December 31, 2012, unless indicated otherwise herein.

5 For additional information on structured products and trends indicating increased sales to retail investors, see OCIE’s “Staff Summary Report on Issues Identified in Examinations of Certain Structured Securities Products Sold to Retail Investors” (July 27, 2011).

6 See, e.g., In the Matter of the Application of Raghavan Sathianathan, Exchange Act Release No. 54722 at 21 (Nov. 8, 2006) (“NASD Conduct Rule 2310 requires that, in recommending a transaction to a customer, a registered representative ‘shall have reasonable grounds for believing that the recommendation is suitable for such customer upon the basis of the facts, if any, disclosed by such customer as to his other security holdings and as to his financial situation and needs.’ As we have frequently stated, a broker’s recommendations must be consistent with his customers’ best interests.”) (citations omitted). See also In the Matter of the Application of Dane S. Faber, Exchange Act Release No. 49216 at 23-24 (Feb. 10, 2004) (“Before recommending a transaction, NASD Conduct Rule 2310 requires that a registered representative have reasonable grounds for believing, on the basis of information furnished by the customer, and after reasonable inquiry concerning the customer’s investment objectives, financial situation, and needs, that the recommended transaction is not unsuitable for the customer. A broker’s recommendations must be consistent with his customer’s best interests, and he or she must abstain from making recommendations that are inconsistent with the customer’s financial situation.”); In the Matters of Powell & McGowan, Inc., Exchange Act Release No. 7302 (Apr. 24, 1964) (a broker has “an obligation not to recommend a course of action clearly contrary to the best interests of the customer”); see also FINRA Regulatory Notice 12-25 (“Additional Guidance on FINRA’s New Suitability Rule”).

7 See Hanly v. SEC, 415 F.2d 589, 596 (2d Cir. 1969). See also SEC Division of Trading and Markets, “Guide to Broker-Dealer Registration” (April 2008).

8 FINRA members’ general suitability obligations are set out in FINRA Rule 2111 (“Suitability”) and the accompanying Supplementary Materials. See also FINRA Regulatory Notice 11-25 (“New Implementation Date for and Additional Guidance on the Consolidated FINRA Rules Governing Know-Your-Customer and Suitability Obligations”), FINRA Regulatory Notice 12-25 (“Additional Guidance on FINRA’s New Suitability Rule”), and FINRA Regulatory Notice 12-55 (“Guidance on FINRA’s Suitability Rule”). From January 1, 2011 until July 8, 2012 during the review period, FINRA suitability obligations were set out in NASD Rule 2310 (“Recommendations to Customers (Suitability)”) and NASD Interpretive Materials, specifically IM 2310-1 (“Possible Application of SEC Rules 15g-1 through 15g-9”), IM 2310-2 (“Fair Dealing with Customers”), and IM 2310-3 (“Suitability Obligations to Institutional Customers”), as applicable. Broker-dealers have additional specific suitability guidance with respect to certain types of products or transactions. See, e.g., NASD Notice to Members 05-59 (“NASD Provides Guidance Concerning the Sale of Structured Products”) and FINRA Regulatory Notice 12-03 (“Heightened Supervision of Complex Products”).

9 FINRA Regulatory Notice 12-03 (“Heightened Supervision of Complex Products”) (citing Rule 2360(b)(19)(B)).

10 See Exchange Act Section 15(b)(4)(E), NASD Rule 3010 (“Supervision”), and NASD Rule 3012 (“Supervisory Control System”). On December 1, 2014, FINRA’s new consolidated rules governing supervision went into effect. The new Rules 3110 (“Supervision”), 3120 (“Supervisory Control System”), 3150 (“Holding of Customer Mail”), and 3170 (“Tape Recording of Registered Persons by Certain Firms”) replace NASD Rules 3010 (“Supervision”), 3012 (“Supervisory Control System”), 3110(i) (“Holding of Customer Mail”), and 3010(b)(2) (often referred to as the “Taping Rule”) and other corresponding NYSE rule provisions. See FINRA Regulatory Notice 14-10 (“SEC Approves New Supervision Rules”).

III. Examination Observations

A. Controls over Suitability Determinations

The Staff cited all of the examined firms for deficiencies in failing to maintain and enforce policies and procedures relating to determining the suitability of recommendations of SSPs. All of the examined firms had policies and procedures governing suitability, processes for product development and approval, and training of representatives. Leaving aside the question of the adequacy of the written policies and procedures, the Staff found instances in which such controls were inadequately or inconsistently implemented. The Staff began its analysis by using data analytics to conduct a review of all SSP sales at the examined firms during the review period. This analysis identified, on an aggregate basis, the predominant types of customers that had purchased SSPs at each firm and branch office, and it allowed the Staff to further scrutinize branch offices and representatives that had made high numbers of sales that merited further review. For example, the Staff’s review of all SSP trading at four branch offices of one firm12 revealed that the firm sold more SSPs to customers in its most conservative investment objective (“Income”) than it did to customers in its most aggressive investment objective (“Speculation”): approximately $96 million versus $11 million. While such observations did not necessarily indicate that there were unsuitable transactions, the Staff used this high-level information to identify and request further information from those branches and representatives that had conducted the highest numbers of such sales.

11 See FINRA Regulatory Notice 12-03 (“Heightened Supervision of Complex Products”) and NASD Notice to Members 05-59 (“NASD Provides Guidance Concerning the Sale of Structured Products”), supra note 8.

12 The Staff observed that the SSPs most frequently sold were higher yield, short-term SSPs with maturities ranging from three months to two years. These SSPs provided investors with an opportunity to receive contingent periodic payments of stated amounts of principal or interest if certain criteria were met. Upon maturity, investors would receive either cash in the original amount of the investment or a predetermined number of shares in an underlying company. Depending on market conditions, investors may receive no contingent periodic payments of principal or interest and may not recover the principal amount of their investment at maturity (e.g., receiving shares of an underlying company with a value below that of their original investment). In addition, neither the issuer nor distributor was obligated to repurchase these securities. Further, these SSPs generally were not listed on an exchange. As a result, these SSPs were often illiquid securities.


In this deeper review, the Staff reviewed e-mails indicating that representatives within one branch in particular were aggressively recommending SSPs to customers while appearing to mischaracterize the underlying attributes of the products in light of the goals of the investors, particularly to non-English speaking investors. The Staff’s analysis also revealed that at two of the examined firms there was significant SSP activity in the accounts of elderly customers and in the accounts of customers for whom the firm did not have any age information. Data from one of these firms revealed that the firm often did not collect, and therefore representatives could not consider, information about customers’ age when making suitability determinations. While the absence of certain customer specific factors, such as age, does not necessarily render a transaction unsuitable, together with other factors, such lack of consideration may warrant further inquiry.13 The Staff discovered such additional factors when it also reviewed further documentation at these firms and reviewed e-mails. The documentation and emails indicated that representatives at one firm had retroactively changed customers’ investment objectives in their account documentation, without the customers’ approval, in order to justify concentrated positions of SSPs in the portfolios.

[Figure: SSP Activity by Investment Objective – Four Examined Branch Offices of Firm A. Income 17%; Aggressive Income 4%; Cap Appreciation 76%; Speculation 2%; Blank 1%.]

For each firm, the Staff also reviewed the volume and prices of repurchases of SSPs, often by broker-dealers affiliated with the issuer. While observations related to such reviews did not necessarily indicate that there were unsuitable transactions based on either the original recommendation for the customer to purchase or the subsequent recommendation for the customer to sell, the Staff used this high-level information to identify and request further information from those branch offices and representatives that had conducted liquidation transactions at well below face value (i.e., initial issuance price) of the SSPs. The Staff’s review of trade blotters indicated that various account types – including, but not limited to, trusts, individuals, and at least one employee benefits plan – had a large number of SSP purchases during the two-year review period (from January 2011 through December 2012), and many of these SSPs were thereafter liquidated at well below face value of the SSP. Focusing on reverse convertible notes, the Staff found that the branch offices examined liquidated almost 25% of the purchases that representatives had sold to their customers. Over 35% of these liquidations were at prices below 80% of face value of the note, as shown in the table below.

13 See FINRA Regulatory Notice 12-25 at Q.17 (providing that the suitability rule “would not prohibit a broker-dealer from making a recommendation in the absence of certain customer-specific factors as long as the firm has enough information about the customer to have a reasonable basis to believe the recommendation is suitable. The significance of specific types of customer information will depend on the facts and circumstances of the particular case.”).

RCN Liquidation Prices14      # of Liquidations
Less Than 70                  27
Between 70 and 80             45
Between 80 and 100            57
Greater than 100              72
Total Sales                   201
% of Sales Below 80           35.8%

B. Supervision of Suitability Controls

The examinations revealed that all of the examined firms failed to enforce their written supervisory procedures relating to reviews of representatives’ determinations of suitability with regard to SSPs. Additionally, the implementation of the firms’ review procedures varied across branches of the same firm. For example, one firm’s written supervisory procedures stated that all SSP holdings should not exceed a certain percentage of the client’s stated liquid net worth. The Staff’s analysis, however, uncovered that, at one branch, more than 1,800 of the over 3,000 SSP transactions (approximately 60%) exceeded the firm’s concentration guidelines. In almost 10% of these transactions, the SSPs exceeded twice the total liquid net worth guideline (with some as high as 100% of liquid net worth). This rate was significantly higher than the firm’s other branch offices, where less than 15% of SSP transactions exceeded the concentration guidelines. Moreover, this firm had a system in place to alert representatives and supervisors of breaches of concentration guidelines. This system required, in part, a review and documentation of reasons for an override of the firm’s guidelines. At this particular branch, all of these transactions had been approved by the branch manager or complex risk officer with little or no documented explanation to support their approvals. For example, the branch manager and complex risk officer would use generic language that the transactions were approved by the branch, but the language was not specific to either the investor or the transaction and did not explain the basis for the override, contrary to the firm’s internal guidelines and observed practices at other branches. In contrast, branch managers and complex risk officers in the firm’s other branches who had approved overrides to transactions that breached the concentration guidelines typically documented lengthy and specific descriptions of their reviews and the reasons for the overrides.

14 For this table of liquidation prices, the face value of the note was 100.
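The branch-level exception review described in Section III (concentration breaches per branch, overrides approved with generic rather than investor- and transaction-specific notes, accounts with no liquid net worth on file) and the liquidation-price bucketing in the table above can be reduced to a short script run over a trade blotter. The following is an added example, not code from OCIE or from any examined firm; the 10% concentration limit, the boilerplate phrases treated as “generic”, the band edges for the price buckets, and every blotter row are constructed assumptions, since the alert does not disclose the firms’ actual thresholds or data.

```python
"""Branch-level SSP exception review over a constructed trade blotter.

Added example; not code from OCIE or from any examined firm. Every number,
pattern and blotter row below is a constructed assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical written supervisory guideline: SSP holdings may not exceed
# 10% of the customer's stated liquid net worth (the alert does not state
# the examined firm's actual percentage).
CONCENTRATION_LIMIT = 0.10

# Override notes that say nothing about the investor or the transaction.
# Hypothetical boilerplate patterns; a firm would tune these to its own forms.
GENERIC_OVERRIDE = re.compile(
    r"^(approved( by( the)? branch)?|ok(ay)?|reviewed( and approved)?)[.!]?$",
    re.IGNORECASE,
)


@dataclass
class Purchase:
    branch: str
    account: str
    liquid_net_worth: Optional[float]  # None = never collected in account documentation
    ssp_holdings_after: float          # SSP holdings in the account after this purchase
    override_note: Optional[str]       # supervisor's documented reason for the override, if any


def concentration_exceptions(purchases: List[Purchase]) -> Dict[str, Dict[str, int]]:
    """Count, per branch: purchases, purchases that cannot be evaluated because
    liquid net worth is missing, breaches of the guideline, breaches beyond twice
    the guideline, and breaches approved with a missing or generic note."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"purchases": 0, "missing_lnw": 0, "breaches": 0,
                 "double_limit": 0, "poorly_documented": 0}
    )
    for p in purchases:
        s = stats[p.branch]
        s["purchases"] += 1
        if not p.liquid_net_worth or p.liquid_net_worth <= 0:
            # Missing customer data is itself a finding: the representative
            # could not have considered it in the suitability determination.
            s["missing_lnw"] += 1
            continue
        ratio = p.ssp_holdings_after / p.liquid_net_worth
        if ratio > CONCENTRATION_LIMIT:
            s["breaches"] += 1
            if ratio > 2 * CONCENTRATION_LIMIT:
                s["double_limit"] += 1
            note = (p.override_note or "").strip()
            if not note or GENERIC_OVERRIDE.match(note):
                s["poorly_documented"] += 1
    return dict(stats)


def breach_rate(branch_stats: Dict[str, int]) -> float:
    """Breaches as a percentage of the purchases that could be evaluated."""
    evaluable = branch_stats["purchases"] - branch_stats["missing_lnw"]
    return round(100.0 * branch_stats["breaches"] / evaluable, 1) if evaluable else 0.0


def liquidation_buckets(prices: List[float]):
    """Bucket resale prices of a note quoted against a face value of 100 into
    the bands of the alert's table. Band edges are an assumption: the alert
    does not say where a price of exactly 70 or 80 falls."""
    buckets = {"<70": 0, "70-80": 0, "80-100": 0, ">100": 0}
    for px in prices:
        if px < 70:
            buckets["<70"] += 1
        elif px < 80:
            buckets["70-80"] += 1
        elif px <= 100:
            buckets["80-100"] += 1
        else:
            buckets[">100"] += 1
    total = len(prices)
    below_80 = buckets["<70"] + buckets["70-80"]
    pct_below_80 = round(100.0 * below_80 / total, 1) if total else 0.0
    return buckets, total, pct_below_80


# Constructed blotter: branch X approves breaches with boilerplate, branch Y
# documents them; one branch X account has no liquid net worth on file.
SAMPLE_PURCHASES = [
    Purchase("X", "A1", 500_000, 150_000, "Approved by branch"),
    Purchase("X", "A2", 200_000, 30_000, "ok"),
    Purchase("X", "A3", 1_000_000, 50_000, None),
    Purchase("X", "A4", None, 40_000, None),
    Purchase("Y", "B1", 400_000, 60_000,
             "Client is a retired engineer with 25 years of options experience "
             "seeking income; 15% of LNW discussed with client on 2012-03-01."),
    Purchase("Y", "B2", 800_000, 40_000, None),
    Purchase("Y", "B3", 300_000, 30_000, None),
]

# Constructed resale prices for reverse convertible notes (face value 100).
SAMPLE_RCN_PRICES = [65, 69.5, 72, 79, 80, 95, 100, 101, 110, 55]

if __name__ == "__main__":
    for branch, s in sorted(concentration_exceptions(SAMPLE_PURCHASES).items()):
        print(f"branch {branch}: {s}  breach rate {breach_rate(s)}%")
    print(liquidation_buckets(SAMPLE_RCN_PRICES))
```

Run against the constructed rows, branch X shows two of three evaluable purchases breaching the limit, one of them at more than twice the limit, both waved through with boilerplate, plus one account with no liquid net worth on file; branch Y shows one breach with a specific, dated justification. That is the cross-branch contrast the alert describes, and it is the shape of output a compliance review would escalate for e-mail and account-documentation review rather than treat as a conclusion in itself.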


IV. Conclusion

In these examinations, the Staff observed not only indications that the examined firms’ suitability controls may be weak, but also significant weaknesses in supervision and implementation of internal suitability and supervisory procedures across branches of the same firm. This Risk Alert is intended to raise awareness of these types of weaknesses in order for registrants to consider them in their own compliance programs. The Staff welcomes comments and suggestions about how the Commission’s examination program can better fulfill its mission to promote compliance, prevent fraud, monitor risk, and inform SEC policy. If you suspect or observe activity that may violate the federal securities laws or otherwise operates to harm investors, please notify us at http://www.sec.gov/complaint/info_tipscomplaint.shtml.

This Risk Alert is intended to highlight for firms risks and issues that the Staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


By the Office of Compliance Inspections and Examinations (“OCIE”)1

Volume IV, Issue 4 February 3, 2015

CYBERSECURITY EXAMINATION SWEEP SUMMARY

This Risk Alert provides summary observations from OCIE’s examinations of registered broker-dealers and investment advisers, conducted under the Cybersecurity Examination Initiative, announced April 15, 2014.

I. Introduction

OCIE’s National Examination Program staff (the “Staff”) recently examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity (the “Cybersecurity Examination Initiative” or the “Initiative”).2 The examined firms were selected to provide perspectives from a cross-section of the financial services industry and to assess various firms’ vulnerability to cyber-attacks. Appendices A and B include breakdowns of the types of broker-dealers and advisers examined.

In the examinations, the staff collected and analyzed information from the selected firms relating to their practices for: identifying risks related to cybersecurity; establishing cybersecurity governance, including policies, procedures, and oversight processes; protecting firm networks and information; identifying and addressing risks associated with remote access to client information and funds transfer requests; identifying and addressing risks associated with vendors and other third parties; and detecting unauthorized activity. In addition to reviewing documents, the staff held interviews with key personnel at each firm regarding its: business and operations; detection and impact of cyber-attacks; preparedness for cyber-attacks; training and policies relevant to cybersecurity; and protocol for reporting cyber breaches.3

The staff’s document reviews and questions were designed to discern basic distinctions among the level of preparedness of the examined firms. The staff conducted limited testing of the accuracy of the responses and the extent to which firms’ policies and procedures were implemented. The examinations did not include reviews of technical sufficiency of the firms’ programs.

This Risk Alert provides summary observations from the examinations conducted under the Cybersecurity Examination Initiative.

1 The views expressed herein are those of the staff of OCIE, in coordination with other staff of the Securities and Exchange Commission (“SEC” or “Commission”), including the Division of Trading and Markets and the Division of Investment Management. The Commission has expressed no view on the contents of this Risk Alert. This document was prepared by the SEC staff and is not legal advice.

2 See OCIE, “OCIE Cybersecurity Initiative” (April 15, 2014), available at: http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.

3 The Initiative’s review period for broker-dealers covered calendar year 2013; adviser examinations, which began a few months after the broker-dealer examinations, reviewed firm practices in 2013 through April 2014.

II. Summary Examination Observations

• The vast majority of examined broker-dealers (93%) and advisers (83%) have adopted written information security policies. Most of the broker-dealers (89%) and the majority of the advisers (57%) conduct periodic audits to determine compliance with these information security policies and procedures.

  o Written business continuity plans often address the impact of cyber-attacks or intrusions. Such written policies and procedures, for both the broker-dealers (82%) and the advisers (51%), discuss mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident.

  o Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents. The policies and procedures of only a small number of the broker-dealers (30%) and the advisers (13%) contain such provisions, and even fewer of the broker-dealers (15%) and the advisers (9%) offered security guarantees to protect their clients against cyber-related losses.

  o Many firms are utilizing external standards and other resources to model their information security architecture and processes. Most of the broker-dealers (88%) and many of the advisers (53%) reference published cybersecurity risk management standards, such as those published by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Federal Financial Institutions Examination Council (“FFIEC”).

• The vast majority of examined firms conduct periodic risk assessments, on a firm-wide basis, to identify cybersecurity threats, vulnerabilities, and potential business consequences. These broker-dealers (93%) and advisers (79%) reported considering such risk assessments in establishing their cybersecurity policies and procedures.

  o Fewer firms apply these requirements to their vendors. A majority of the broker-dealers (84%) and approximately a third of the advisers (32%) require cybersecurity risk assessments of vendors with access to their firms’ networks.

• Most of the examined firms reported that they have been the subject of a cyber-related incident. A majority of the broker-dealers (88%) and the advisers (74%) stated that they have experienced cyber-attacks directly or through one or more of their vendors. The majority of the cyber-related incidents are related to malware and fraudulent emails.

  o Over half of the broker-dealers (54%) and just under half of the advisers (43%) reported receiving fraudulent emails seeking to transfer client funds. Over a quarter of those broker-dealers (26%) reported losses related to fraudulent emails of more than $5,000; however, no single loss exceeded $75,000. One adviser reported a loss in excess of $75,000 related to a fraudulent email, for which the client was made whole.

  o One-quarter (25%) of the broker-dealers that had losses related to fraudulent emails noted that these losses were the result of employees not following the firms’ identity authentication procedures. The one adviser that reported a loss also noted that its employees had deviated from its identity authentication procedures.

  o Almost two-thirds of the broker-dealers (65%) that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network (FinCEN) by filing a Suspicious Activity Report (SAR),4 but only a small number of those firms reported the fraudulent emails to law enforcement or other regulatory agencies (7%). With the exception of the investment adviser loss in excess of $75,000 related to a fraudulent email noted above, advisers generally did not report incidents to a regulator or law enforcement.

  o While firms identified misconduct by employees and other authorized users of the firms’ networks as a significant concern, only a small proportion of the broker-dealers (11%) and the advisers (4%) reported incidents in which an employee or other authorized user engaged in misconduct resulting in the misappropriation of funds, securities, sensitive client, or firm information, or in damage to the firms’ networks.

• Many examined firms identify best practices through information-sharing networks. Almost half of the broker-dealers (47%) were members of industry groups, associations, or organizations (both formal and informal) that exist for the purpose of sharing information regarding cybersecurity attacks and identifying effective controls to mitigate harm. Many of the broker-dealers identified the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) as adding significant value in this effort. While a few of the advisers also identified FS-ISAC as a resource, advisers more frequently relied on discussions with industry peers, attendance at conferences, and independent research to identify cybersecurity practices relevant to their business and learn about latest guidance from regulators, government agencies, and industry groups.

4 See 31 C.F.R. § 1023.320(a)(2). Broker-dealers are obligated to report a transaction involving funds or other assets of at least $5,000 that is conducted or attempted by, at, or through the firm if the firm knows, suspects, or has reason to suspect, in part, that the transaction involves use of the broker-dealer to facilitate criminal activity. The scope of these particular exams did not include a review of the broker-dealers’ compliance with this rule.

• The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources. Such practices were reportedly performed for the following devices, systems, and resources at the broker-dealers and advisers, respectively: physical devices and systems (96% and 92%); software platforms and applications (91% and 92%); network resources, connections, and data flows (97% and 81%); connections to firm networks from external sources (91% and 74%); hardware, data, and software (93% and 60%); and logging capabilities and practices (95% and 68%).

• The examined firms’ cybersecurity risk policies relating to vendors and business partners revealed varying findings. Most of the broker-dealers incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners (72%). In contrast, few of the advisers incorporate such requirements (24%). Similarly, a slim majority of the broker-dealers maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks (51%), whereas a much smaller number of the advisers have such policies (13%).

• Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.

• Many examined firms provide their clients with suggestions for protecting their sensitive information. Of the broker-dealers with retail customers that offer online access (65%), all firms (or their clearing firms or third-party vendors) provide their customers with some form of information about reducing cybersecurity risks in conducting transactions with the firm. Similarly, of the advisers that primarily advise retail clients and permit those clients to access their account information on-line (26%), the majority (75%) provide those clients with information about certain steps that can be taken to reduce cybersecurity risks when conducting business with the firm. The information may be directly addressed to clients on the advisers’ website or in periodic email or postal distributions (e.g., newsletters or bulletins).

• The designation of a Chief Information Security Officer (“CISO”) varied by the examined firms’ business model. Approximately two-thirds of the broker-dealers (68%) examined have an individual explicitly assigned as the firm’s CISO. In contrast, less than a third of the advisers (30%) have designated a CISO; rather, the advisers often direct their Chief Technology Officer to take on the responsibilities typically performed by a CISO or they have assigned another senior officer (e.g., the Chief Compliance Officer, Chief Executive Officer, or Chief Operating Officer) to liaise with a third-party consultant who is responsible for cybersecurity oversight.

• Use of cybersecurity insurance revealed varying findings among the examined firms. Over half of the broker-dealers maintain insurance for cybersecurity incidents (58%). In contrast, a small number of the advisers (21%) maintain insurance that covers losses and expenses attributable to cybersecurity incidents. Out of the broker-dealers and advisers, only one broker-dealer and one adviser reported that they had filed claims.

III. Conclusion

The staff is still reviewing the information to discern correlations between the examined firms’

preparedness and controls and their size, complexity, or other characteristics. As noted in

OCIE’s 2015 priorities, OCIE will continue to focus on cybersecurity using risk-based

examinations.5

The Staff welcomes comments and suggestions about how the Commission’s examination

program can better fulfill its mission to promote compliance, prevent fraud, monitor risk, and

inform SEC policy. If you suspect or observe activity that may violate the federal securities laws

or otherwise operates to harm investors, please notify us at

http://www.sec.gov/complaint/info_tipscomplaint.shtml.

This Risk Alert is intended to highlight for firms risks and issues that the Staff has identified in the course of examinations of broker-dealers’ and investment advisers’ controls regarding cybersecurity and preparedness. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Factors other than those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.

5 OCIE, “Examination Priorities for 2015” (Jan. 13, 2015), available at: http://www.sec.gov/news/pressrelease/2015-3.html.


Appendix A – Breakdown of Examined Broker-Dealers6

6 Figures in this Appendix are rounded approximations.

[Pie chart: By Number of Registered Representatives (RR). Categories: 0-50 RR; 51-200 RR; 201-500 RR; 501-2000 RR; 2001-5000 RR; 5000+ RR. Slice values as extracted, not matched to categories: 12.3%, 22.8%, 12.3%, 28%, 12.3%, 12.3%.]

[Pie chart: By Category/Peer Group. Categories: Clearing; Foreign-Affiliated; Institutional; Insurance Co.-Affiliated; Online Services; Proprietary or Direct Market Access; Retail Brokerage; Small Diversified; US Bank-Affiliated. Slice values as extracted, not matched to categories: 10%, 7%, 7%, 9%, 5%, 9%, 37%, 2%, 14%.]


Appendix B – Breakdown of Examined Investment Advisers7

7 Figures in this Appendix are rounded approximations.

[Pie chart: By Assets Under Management (AUM). Categories: Less than $400 Million AUM; $401-900 Million AUM; $900 Million+ AUM. Slice values as extracted, not matched to categories: 36.7%, 26.5%, 36.7%.]

[Pie chart: By Client Concentration. Categories: Diversified/Institutional; Pension; Private Funds; Retail/Individual; Registered Investment Companies. Slice values as extracted, not matched to categories: 12.2%, 4.1%, 14.3%, 67.3%, 2.0%.]

[Pie chart: By Custody. Categories: Have Custody; Do Not Have Custody. Slice values as extracted, not matched to categories: 67%, 33%.]


By the Office of Compliance Inspections and Examinations1

Volume IV, Issue 2 April 15, 2014

OCIE CYBERSECURITY INITIATIVE

I. Introduction

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) previously announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness.2 OCIE is issuing this Risk Alert to provide additional information concerning its initiative to assess cybersecurity preparedness in the securities industry.

II. Background

On March 26, 2014, the SEC sponsored a Cybersecurity Roundtable. In opening the Roundtable, Chair Mary Jo White underscored the importance of this area to the integrity of our market system and customer data protection. Chair White also emphasized the “compelling need for stronger partnerships between the government and private sector” to address cyber threats.3 Commissioner Aguilar, who recommended holding a Cybersecurity Roundtable, emphasized the importance for the Commission to gather information and “consider what additional steps the Commission should take to address cyber-threats.”4

1 The statements and views expressed herein are those of the staff of OCIE. This guidance is not a rule, regulation, or statement of the Commission. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 Examination Priorities for 2014, available at: http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf.

3 Chair Mary Jo White, “Opening Statement at SEC Roundtable on Cybersecurity” (March 26, 2014), available at: http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468.

4 Commissioner Luis A. Aguilar, “The Commission’s Role in Addressing the Growing Cyber-Threat,” Statement at SEC Roundtable on Cybersecurity (March 26, 2014), available at: http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541287184.

Topic: Cybersecurity Examinations

Key Takeaways: OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity. In order to empower compliance professionals with questions and tools they can use to assess their respective firms’ cybersecurity preparedness, OCIE has included a sample cybersecurity document request in the Appendix to this Risk Alert.


III. Examinations

OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. As part of this initiative, OCIE will conduct examinations of more than 50 registered broker-dealers and registered investment advisers focused on the following: the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.

As part of OCIE’s efforts to promote compliance and to share with the industry where it sees risk, OCIE is including, as the Appendix to this Risk Alert, a sample request for information and documents used in this initiative.

IV. Conclusion

These examinations will help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats. The sample document request (see Appendix) is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness, regardless of whether they are included in OCIE’s examinations.

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.


APPENDIX

UNITED STATES SECURITIES AND EXCHANGE COMMISSION

OFFICE OF COMPLIANCE INSPECTIONS AND EXAMINATIONS 100 F STREET, NE

WASHINGTON, DC 20549

April 15, 2014

This document1 provides a sample list of requests for information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) may use in conducting examinations of registered entities regarding cybersecurity matters. Some of the questions track information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity,”2 released on February 12, 2014 by the National Institute of Standards and Technology. OCIE has published this document as a resource for registered entities. This document should not be considered all inclusive of the information that OCIE may request. Accordingly, OCIE will alter its requests for information as it considers the specific circumstances presented by each firm’s particular systems or information technology environment.

Identification of Risks/Cybersecurity Governance

1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice; and, if not conducted firmwide, the areas that are included within the practice. Please also provide a copy of any relevant policies and procedures.

• Physical devices and systems within the Firm are inventoried.

• Software platforms and applications within the Firm are inventoried.

• Maps of network resources, connections, and data flows (including locations where customer data is housed) are created or updated.

• Connections to the Firm’s network from external sources are catalogued.

• Resources (hardware, data, and software) are prioritized for protection based on their sensitivity and business value.

• Logging capabilities and practices are assessed for adequacy, appropriate retention, and secure maintenance.

1 The statements and views expressed herein are those of the staff of OCIE. This guidance is not a rule, regulation, or statement of the Commission. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.

2 National Institute of Standards and Technology, “Framework for Improving Critical Infrastructure Cybersecurity,” (Feb. 12, 2014), available at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.


2. Please provide a copy of the Firm’s written information security policy.

3. Please indicate whether the Firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. If such assessments are conducted:

a. Who (business group/title) conducts them, and in what month and year was the most recent assessment completed?

b. Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.

4. Please indicate whether the Firm conducts periodic risk assessments to identify physical security threats and vulnerabilities that may bear on cybersecurity. If such assessments are conducted:

a. Who (business group/title) conducts them, and in what month and year was the most recent assessment completed?

b. Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.

5. If cybersecurity roles and responsibilities for the Firm’s workforce and managers have been explicitly assigned and communicated, please provide written documentation of these roles and responsibilities. If no written documentation exists, please provide a brief description.

6. Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists.

7. Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the Firm?

8. Does the Firm maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents? If so, please briefly describe the nature of the coverage and indicate whether the Firm has filed any claims, as well as the nature of the resolution of those claims.

Protection of Firm Networks and Information

9. Please identify any published cybersecurity risk management process standards, such as those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), the Firm has used to model its information security architecture and processes.


10. Please indicate which of the following practices and controls regarding the protection of its networks and information are utilized by the Firm, and provide any relevant policies and procedures for each item.

• The Firm provides written guidance and periodic training to employees concerning information security risks and responsibilities. If the Firm provides such guidance and/or training, please provide a copy of any related written materials (e.g., presentations) and identify the dates, topics, and which groups of employees participated in each training event conducted since January 1, 2013.

• The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. If so, please describe the controls, unless fully described within policies and procedures.

• The Firm restricts users to those network resources necessary for their business functions. If so, please describe those controls, unless fully described within policies and procedures.

• The Firm maintains an environment for testing and development of software and applications that is separate from its business environment.

• The Firm maintains a baseline configuration of hardware and software, and users are prevented from altering that environment without authorization and an assessment of security implications.

• The Firm has a process to manage IT assets through removal, transfers, and disposition.

• The Firm has a process for ensuring regular system maintenance, including timely installation of software patches that address security vulnerabilities.

• The Firm’s information security policy and training address removable and mobile media.

• The Firm maintains controls to secure removable and portable media against malware and data leakage. If so, please briefly describe these controls.

• The Firm maintains protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses. If so, please describe the internet functions protected and who provides this protection.

• The Firm maintains a written data destruction policy.

• The Firm maintains a written cybersecurity incident response policy. If so, please provide a copy of the policy and indicate the year in which it was most recently updated. Please also indicate whether the Firm conducts tests or exercises to assess its incident response policy, and if so, when and by whom the last such test or assessment was conducted.

• The Firm periodically tests the functionality of its backup system. If so, please provide the month and year in which the backup system was most recently tested.


11. Please indicate whether the Firm makes use of encryption. If so, what categories of data, communications, and devices are encrypted and under what circumstances?

12. Please indicate whether the Firm conducts periodic audits of compliance with its information security policies. If so, in what month and year was the most recent such audit completed, and by whom was it conducted?

Risks Associated With Remote Customer Access and Funds Transfer Requests

13. Please indicate whether the Firm provides customers with on-line account access. If so, please provide the following information:

a. The name of any third party or parties that manage the service.

b. The functionality for customers on the platform (e.g., balance inquiries, address and contact information changes, beneficiary changes, transfers among the customer’s accounts, withdrawals or other external transfers of funds).

c. How customers are authenticated for on-line account access and transactions.

d. Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access.

e. A description of any security measures used to protect customer PINs stored on the sites.

f. Any information given to customers about reducing cybersecurity risks in conducting transactions/business with the Firm.

14. Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process.

15. Please provide a copy of any Firm policies for addressing responsibility for losses associated with attacks or intrusions impacting customers.

a. Does the Firm offer its customers a security guarantee to protect them against hacking of their accounts? If so, please provide a copy of the guarantee if one exists and a brief description.

Risks Associated With Vendors and Other Third Parties

16. If the Firm conducts or requires cybersecurity risk assessments of vendors and business partners with access to the Firm’s networks, customer data, or other sensitive information, or due to the cybersecurity risk of the outsourced function, please describe who conducts this assessment, when it is required, and how it is conducted. If a questionnaire is used, please provide a copy. If assessments by independent entities are required, please describe any standards established for such assessments.


17. If the Firm regularly incorporates requirements relating to cybersecurity risk into its contracts with vendors and business partners, please describe these requirements and the circumstances in which they are incorporated. Please provide a sample copy.

18. Please provide a copy of policies and procedures and any training materials related to information security procedures and responsibilities for trainings conducted since January 2013 for vendors and business partners authorized to access its network.

19. If the Firm assesses the segregation of sensitive network resources from resources accessible to third parties, who (business group/title) performs this assessment? Please also provide a copy of any relevant policies and procedures.

20. If vendors, business partners, or other third parties may conduct remote maintenance of the Firm’s networks and devices, describe any approval process, logging process, or controls to prevent unauthorized access, and provide a copy of any relevant policies and procedures.

Detection of Unauthorized Activity

21. For each of the following practices employed by the Firm to assist in detecting unauthorized activity on its networks and devices, please briefly explain how and by whom (title, department and job function) the practice is carried out.

• Identifying and assigning specific responsibilities, by job function, for detecting and reporting suspected unauthorized activity.

• Maintaining baseline information about expected events on the Firm’s network.

• Aggregating and correlating event data from multiple sources.

• Establishing written incident alert thresholds.

• Monitoring the Firm’s network environment to detect potential cybersecurity events.

• Monitoring the Firm’s physical environment to detect potential cybersecurity events.

• Using software to detect malicious code on Firm networks and mobile devices.

• Monitoring the activity of third party service providers with access to the Firm’s networks.

• Monitoring for the presence of unauthorized users, devices, connections, and software on the Firm’s networks.

• Evaluating remotely-initiated requests for transfers of customer assets to identify anomalous and potentially fraudulent requests.


• Using data loss prevention software.

• Conducting penetration tests and vulnerability scans. If so, please identify the month and year of the most recent penetration test and recent vulnerability scan, whether they were conducted by Firm employees or third parties, and describe any findings from the most recent risk test and/or assessment that were deemed to be potentially moderate or high risk but have not yet been addressed.

• Testing the reliability of event detection processes. If so, please identify the month and year of the most recent test.

• Using the analysis of events to improve the Firm’s defensive measures and policies.
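As an added example (not part of the Risk Alert or any SEC material), the practices in item 21 rendered as a small detection pipeline: events from two constructed log sources are aggregated and correlated, compared with a per-user baseline of expected behaviour, and run through written alert thresholds, including the evaluation of remotely-initiated transfer requests. The log format, user names, threshold values and baseline values are all assumptions made for the example.

```python
"""Added sketch of the item 21 practices; all logs, names and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events from two sources: VPN authentication and the
# remote funds-transfer request log. The key=value format is an assumption.
VPN_LOG = [
    "2017-07-03T08:02:11 src=vpn user=alice country=US result=success",
    "2017-07-03T08:05:40 src=vpn user=bob country=US result=success",
    "2017-07-03T09:10:02 src=vpn user=carol country=RO result=failure",
    "2017-07-03T09:10:09 src=vpn user=carol country=RO result=failure",
    "2017-07-03T09:10:15 src=vpn user=carol country=RO result=failure",
    "2017-07-03T09:10:21 src=vpn user=carol country=RO result=failure",
    "2017-07-03T09:10:27 src=vpn user=carol country=RO result=failure",
    "2017-07-03T09:10:33 src=vpn user=carol country=RO result=success",
]
TRANSFER_LOG = [
    "2017-07-03T08:30:00 src=xfer user=alice amount=2500 dest=known",
    "2017-07-03T08:40:00 src=xfer user=bob amount=30000 dest=new",
    "2017-07-03T09:15:00 src=xfer user=carol amount=9000 dest=new",
]

# "Baseline information about expected events": usual login countries and
# the largest transfer each user normally makes (constructed values).
BASELINE = {
    "alice": {"countries": {"US"}, "typical_max_amount": 5000},
    "bob": {"countries": {"US"}, "typical_max_amount": 5000},
    "carol": {"countries": {"US"}, "typical_max_amount": 5000},
}

# "Written incident alert thresholds" (assumed values for the example).
FAILED_LOGIN_THRESHOLD = 5                 # failures per user inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
AMOUNT_MULTIPLIER = 3                      # > 3x the user's typical maximum
LOGIN_CORRELATION_WINDOW = timedelta(minutes=30)

@dataclass
class Alert:
    rule: str
    user: str
    detail: str

def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def aggregate(*logs):
    """Merge events from several sources into one time-ordered stream."""
    return sorted((parse_event(line) for log in logs for line in log), key=lambda e: e["ts"])

def detect(events, baseline):
    """Apply the written thresholds to the merged stream; returns alerts in time order."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    last_login = {}                # user -> most recent successful VPN login
    for ev in events:
        user = ev["user"]
        expected = baseline[user]
        if ev["src"] == "vpn":
            if ev["result"] == "failure":
                window = failures[user]
                window.append(ev["ts"])
                while ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                    window.pop(0)           # drop failures outside the sliding window
                if len(window) == FAILED_LOGIN_THRESHOLD:   # alert once, when crossed
                    alerts.append(Alert("failed_login_threshold", user,
                                        f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
            else:
                last_login[user] = ev
                if ev["country"] not in expected["countries"]:
                    alerts.append(Alert("login_from_unexpected_country", user, ev["country"]))
        elif ev["src"] == "xfer":
            # Correlate the transfer request with the user's latest login (multi-source).
            amount = float(ev["amount"])
            reasons = []
            if amount > AMOUNT_MULTIPLIER * expected["typical_max_amount"]:
                reasons.append(f"amount {amount:.0f} exceeds {AMOUNT_MULTIPLIER}x baseline")
            login = last_login.get(user)
            if (login and ev["ts"] - login["ts"] <= LOGIN_CORRELATION_WINDOW
                    and login["country"] not in expected["countries"] and ev["dest"] == "new"):
                reasons.append(f"new payee shortly after login from {login['country']}")
            if reasons:
                alerts.append(Alert("anomalous_transfer", user, "; ".join(reasons)))
    return alerts

def run():
    """Run the pipeline over the constructed sample logs."""
    return detect(aggregate(VPN_LOG, TRANSFER_LOG), BASELINE)
```

The thresholds and correlation window stand in for the Firm's written values; in a real deployment they would be tuned against the Firm's own baseline and revisited as item 21's last bullet suggests.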

Other

22. Did the Firm update its written supervisory procedures to reflect the Identity Theft Red Flags Rules, which became effective in 2013 (17 CFR § 248—Subpart C—Regulation S-ID)?

a. If not, why?

23. How does the Firm identify relevant best practices regarding cybersecurity for its business model?

24. Since January 1, 2013, has your Firm experienced any of the following types of events? If so, please provide a brief summary for each category listed below, identifying the number of such incidents (approximations are acceptable when precise numbers are not readily available) and describing their significance and any effects on the Firm, its customers, and its vendors or affiliates. If the response to any one item includes more than 10 incidents, the respondent may note the number of incidents and describe incidents that resulted in losses of more than $5,000, the unauthorized access to customer information, or the unavailability of a Firm service for more than 10 minutes. The record or description should, at a minimum, include: the extent to which losses were incurred, customer information accessed, and Firm services impacted; the date of the incident; the date the incident was discovered and the remediation for such incident.

• Malware was detected on one or more Firm devices. Please identify or describe the malware.

• Access to a Firm web site or network resource was blocked or impaired by a denial of service attack. Please identify the service affected, and the nature and length of the impairment.

• The availability of a critical Firm web or network resource was impaired by a software or hardware malfunction. Please identify the service affected, the nature and length of the impairment, and the cause.

• The Firm’s network was breached by an unauthorized user. Please describe the nature, duration, and consequences of the breach, how the Firm learned of it, and how it was remediated.


• The compromise of a customer’s or vendor’s computer used to remotely access the Firm’s network resulted in fraudulent activity, such as efforts to fraudulently transfer funds from a customer account or the submission of fraudulent payment requests purportedly on behalf of a vendor.

• The Firm received fraudulent emails, purportedly from customers, seeking to direct transfers of customer funds or securities.

• The Firm was the subject of an extortion attempt by an individual or group threatening to impair access to or damage the Firm’s data, devices, network, or web services.

• An employee or other authorized user of the Firm’s network engaged in misconduct resulting in the misappropriation of funds, securities, sensitive customer or Firm information, or damage to the Firm’s network or data.

25. Since January 1, 2013, if not otherwise reported above, did the Firm, either directly or as a result of an incident involving a vendor, experience the theft, loss, unauthorized exposure, or unauthorized use of or access to customer information? Please respond affirmatively even if such an incident resulted from an accident or negligence, rather than deliberate wrongdoing. If so, please provide a brief summary of each incident or a record describing each incident.

26. For each event identified in response to Questions 24 and 25 above, please indicate whether it was reported to the following:

• Law enforcement (please identify the entity)

• FinCEN (through the filing of a Suspicious Activity Report)

• FINRA

• A state or federal regulatory agency (please identify the agency and explain the manner of reporting)

• An industry or public-private organization facilitating the exchange of information about cybersecurity incidents and risks

27. What does the Firm presently consider to be its three most serious cybersecurity risks, and why?

28. Please feel free to provide any other information you believe would be helpful to the Securities and Exchange Commission in evaluating the cybersecurity posture of the Firm or the securities industry.


The LGBT Bar 2017 Lavender Law Conference – Finance Law Institute

Enforcement Panel Speaker Profiles

Marc Fagel

Marc is a Partner in Gibson, Dunn & Crutcher’s San Francisco office. He is Co-Chair of the Firm’s Securities Enforcement Practice Group and a member of the White Collar Defense Practice Group. Mr. Fagel’s practice focuses on the representation of public companies and their officers and directors, as well as financial institutions, investment advisers, hedge funds, private equity firms, broker-dealers, accounting firms and others in investigations and examinations conducted by the Securities and Exchange Commission, as well as by the Department of Justice, FINRA, and other regulatory bodies. Mr. Fagel also conducts internal investigations and represents clients in related civil actions.

Prior to joining the Firm, Mr. Fagel spent over 15 years with the SEC's San Francisco Regional Office, most recently serving as Regional Director from 2008 to 2013. In his role as Regional Director, he was responsible for administering the SEC's enforcement and examination programs for Northern California, Washington, Oregon, Alaska, Montana and Idaho, managing a staff of more than 100 lawyers, accountants, and other professionals. Before his appointment as Regional Director, Mr. Fagel served as Associate Regional Director in charge of enforcement.

While at the SEC, Mr. Fagel conducted, supervised and oversaw hundreds of investigations in nearly every major subject area of the SEC's enforcement program, including public company disclosure and reporting; the Foreign Corrupt Practices Act (FCPA); insider trading; and investigations of major financial institutions, investment advisors, hedge funds and broker-dealers. He was at the forefront of the SEC's initiative on stock option backdating and oversaw some of the largest securities fraud cases filed in the Pacific Northwest.

Before joining the SEC, Mr. Fagel spent six years as an associate at a large national law firm, where he specialized in representing technology companies and their officers and directors in securities fraud class action litigation. Mr. Fagel received his undergraduate degree from Princeton University and graduated in 1991 with Honors from the University of Chicago Law School, Order of the Coif.

Mr. Fagel currently serves on the Board of Directors of Jewish Family and Children's Services of San Francisco and the Law Center to Prevent Gun Violence, as well as the Board of Advisors of the SEC Historical Society.

Jane Jarcho

Jane was named as the Deputy Director of the Securities and Exchange Commission’s Office of Compliance Inspection and Examinations (OCIE). In her role, she oversees approximately 1025 lawyers, accountants, and examiners. Previously, beginning in March 2013, she served as the National Associate Director of OCIE’s Investment Adviser/Investment Company (IA/IC) examination program, a role she continues to hold. Under Ms. Jarcho’s leadership, the IA/IC program has shown significant increases in year-over-year examinations and targeted areas such as cybersecurity, never before examined investment advisers and investment companies, alternative mutual funds, fixed income funds, and retirement accounts.

Before being named National Director of the IA/IC examination program, Ms. Jarcho was an Associate Director of the IA/IC examination program in the SEC’s Chicago regional office. She began her SEC career in 1990 in the Division of Enforcement and held several positions, including Branch Chief, Senior Trial Counsel, and Assistant Regional Director, before joining OCIE in 2008. Ms. Jarcho has a bachelor’s degree from Middlebury College and a law degree from the University of Wisconsin Law School.

Jonathan Shapiro

Jonathan’s practice at Baker Botts is focused on the defense of business and securities litigation and government enforcement actions. He has litigated class actions, challenges to corporate transactions and governance, and other matters regarding allegations of fraud and breach of fiduciary duty, including jury and bench trials.

Jonathan’s clients include public and financial services companies, officers and directors, and investment bankers. He also serves as counsel to those subject to enforcement actions by the Securities and Exchange Commission, the Department of Justice, FINRA, and other government agencies and self-regulatory organizations, defending them and conducting internal investigations.

Carlos Vasquez

Carlos is Senior Counsel, Division of Enforcement, in the San Francisco Regional Office of the U.S. Securities and Exchange Commission. Carlos is responsible for the review and investigation of complaints directed to the San Francisco office. Carlos is also a member of the Division of Enforcement’s JOBS Act Task Force and one of the principal organizers of the SEC’s Silicon Valley Initiative program with the Stanford Rock Center for Corporate Governance. Before his current position, Carlos worked as a staff attorney and investigated a wide range of matters related to accounting fraud, stock option backdating, Ponzi schemes, the Foreign Corrupt Practices Act and other violations of the federal securities laws. Prior to joining the SEC, Carlos worked in private practice representing issuers, directors and officers in securities class actions and SEC investigations. Carlos received his Juris Doctor from Harvard Law School in 1994 and his Bachelor of Arts from the University of Texas at Austin in 1991.