Bridging the Weeks by Gary DeWaal: December 17, 2018 – January 4, 2019, and January 7, 2019 (Examination Priorities; AML Fines; Effective Cybersecurity Practices)
Prior to having most of its routine work suspended because of the US government partial shutdown, the Securities and Exchange Commission’s inspection unit published its 2019 examination priorities. These included reviewing the offer and sale of digital assets by registrants, cybersecurity, and anti-money laundering programs. Separately, the Financial Industry Regulatory Authority published a report of effective cybersecurity practices by members. As a result, the following matters are covered in this week’s edition of Bridging the Weeks:
- Offer and Sale of Digital Assets and Cybersecurity Among the Focus of SEC OCIE 2019 Examination Priorities (includes Compliance Weeds);
- Related Broker-Dealers Fined US $15 Million by the SEC, FINRA and FinCEN for Alleged AML Program Deficiencies; Unrelated BD Fined US $5.5 Million for Purportedly Selling IPOs to Industry Insiders (includes Compliance Weeds);
- FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks (includes Compliance Weeds); and more.
Offer and Sale of Digital Assets and Cybersecurity Among the Focus of SEC OCIE 2019 Examination Priorities: In its annual report of examination priorities issued in late December 2018, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations said that digital assets, cybersecurity and anti-money laundering programs would be among its top areas of focus during its 2019 reviews of registrants. Among other things, OCIE said it would “monitor” the trading, offer, sale and management of cryptoassets and, where digital assets were securities, review for regulatory compliance. OCIE indicated it would concentrate on the safety of client funds and assets; pricing of digital assets; and compliance and internal controls for firms actively engaged in cryptoasset markets.
OCIE noted that, in focusing on cybersecurity, it will key in on the “proper configuration of network storage devices,” information security governance, and policies and procedures concerning retail trading information security, among other matters. It will also especially review cybersecurity practices at investment advisers with multiple branch offices, as well as risk assessment, access rights and controls, vendor management, training, and incident response.
OCIE additionally said that, in 2019, it will prioritize matters important to retail investors in its examinations, such as disclosure of fees and expenses and the costs of investing, conflicts of interest, and senior investors and retirement accounts and products. It will also review compliance and risk at critical market infrastructures (i.e., clearing agencies, transfer agents and national securities exchanges) and focus on select areas and programs of the Financial Industry Regulatory Authority and the Municipal Securities Rulemaking Board.
In other legal developments regarding cryptoassets:
Congressmen Propose Law to Exclude Certain Cryptoassets from the Definition of a Security: Just prior to the expiration of the 115th Congress in 2018, Congressmen Darren Soto and Warren Davidson proposed legislation that would expressly define a digital token and make clear that securities laws would not ordinarily apply to digital assets issued on behalf of a project using a blockchain application once it becomes functional. Under the proposed legislation, a digital token would expressly be excluded from the definition of a security under applicable securities laws provided it did not represent a financial interest in a company, including an ownership or debt instrument or revenue share. To potentially become a law, the proposed legislation will have to be reintroduced during the current 116th term of Congress.
NY May Reconsider BitLicense: New York State adopted a law to establish a task force to consider how to effectively regulate cryptocurrencies. The task force will consist of nine persons appointed by New York’s governor, state senate and state assembly, and will be required to submit a report that, among other things, will evaluate laws and regulations of other states and foreign countries, and potentially make legislative and regulatory recommendations “to increase transparency and security, enhance consumer protection, and to address the long-term impact related to the use of cryptocurrency.” The report is due by December 15, 2020. New York was the first state to comprehensively regulate persons engaged in a virtual currency business when it adopted its so-called “BitLicense” framework in 2015. (Click here for further background regarding NY’s BitLicense requirements in the article “New York BitLicense Regulations Virtually Certain to Significantly Impact Transactions in Virtual Currencies” in a July 8, 2015 Advisory by Katten Muchin Rosenman, LLP.)
Texas Clarifies Application of Money Transmission Requirements to Transactions Involving Virtual Currencies: The Texas Department of Banking clarified that not all transactions involving virtual currencies require licensing under the state’s laws pertaining to money transmission. According to the guidance, an exchange of cryptocurrency for fiat currency or of one cryptocurrency for another is not money transmission. This is because there is no receipt of sovereign currency by either party with a promise to make it available at a later time. This would appear to exclude dealing-type activities from licensing requirements. Likewise, the guidance indicated that transfers of virtual currencies by themselves are not money transmission, as the activity does not involve the receipt or exchange of fiat money or monetary value with a promise to make it available at a later time or different location. However, a cryptoasset exchange that receives fiat currency, holds it until a cryptocurrency transaction has been consummated and then sends the fiat currency to a third party would be required to obtain a money transmission license – not because of the virtual currency activity but because of the fiat currency activity. Issuance of a stablecoin backed by a fiat currency may require a money transmission license depending on the nature of the redemption rights for the sovereign currency (e.g., if the holder has a claim that can be converted into money or monetary value).
UK Issues Guidance on Taxation of Cryptoassets: The principal United Kingdom Tax Authority – Her Majesty’s Revenue & Customs – issued guidance on the tax treatment of cryptoassets for individuals. Generally, individuals holding cryptoassets as a personal investment hoping for an appreciation in value would be expected to pay capital gains tax when they liquidate their investment. Individuals who receive cryptoassets as a form of compensation from their employer will be liable to pay income tax and national insurance contributions. Cryptocurrencies awarded as part of mining activity or airdrops would be subject to different tax treatments depending on the circumstances of receipt.
Compliance Weeds: The beginning of every year provides a natural opportunity for registrants to review their written policies and procedures to ensure they still reflect actual practices. It is easy, over time, for policies and procedures to go stale. Unfortunately, if something goes wrong, it will not be helpful to have actual practices that are inconsistent with written policies, or written policies that are so generic they provide no real basis for actual practices. Ensuring that policies and procedures address hot-button issues identified by regulators in summaries of examination priorities – such as the OCIE’s 2019 examination priorities – is also advisable.
Related Broker-Dealers Fined US $15 Million by the SEC, FINRA and FinCEN for Alleged AML Program Deficiencies; Unrelated BD Fined US $5.5 Million for Purportedly Selling IPOs to Industry Insiders: UBS Financial Services Inc. and UBS Securities LLC (collectively, “UBS”), registered broker-dealers, agreed to pay a total of US $15 million in fines to the Securities and Exchange Commission, the Financial Industry Regulatory Authority and the Financial Crimes Enforcement Network of the US Department of Treasury to resolve allegations that they failed to establish and implement anti-money laundering programs reasonably designed to monitor high-risk transactions in customer accounts and report suspicious activities.
According to the regulators, from January 2004 through April 2017, some UBS customers maintained brokerage accounts that provided bank-like services, including authorization to move funds through wires, journals, check writing, ATM withdrawals, cash advances and ACH transfers. During this time period, however, UBS purportedly failed to detect and report suspicious activities in such accounts to FinCEN when they may have been used to move funds for shell companies involving countries UBS itself had identified as sensitive due to an increased risk of money laundering (e.g., Mexico, Venezuela and Panama), while engaging in little or no securities trading.
Moreover, UBS allegedly did not adequately monitor foreign currency-denominated wire transfers in commodities accounts and retail brokerage accounts because its surveillance system failed to capture “critical information” regarding such wires, such as sender and recipient information, as well as country of origin and destination. According to FinCEN, “[t]he weaknesses in monitoring meant that it was possible for an unknown third-party residing in a country known for money-laundering risk to transfer foreign currency into a customer’s commodities account, and for that customer to then transfer these funds to another party in a country known for money-laundering risk, without the Firm’s surveillance system reviewing these transactions.”
FinCEN also claimed that, during the relevant period, UBS failed to provide adequate resources to its chief AML compliance officer and failed to have sufficient staff to review suspicious activities.
In assessing their penalties, the SEC and FinCEN particularly noted UBS’s “significant” investment in AML staffing and technology to enhance its monitoring and reporting capability.
Unrelatedly, Merrill Lynch, Pierce, Fenner & Smith, Inc., also a registered broker-dealer, agreed to pay a fine of US $5.5 million to FINRA for allegedly selling shares offered in initial public offerings to industry insiders contrary to FINRA rules from 2010 through March 2018, as well as purportedly not responding reasonably when it learned by August 2013 that the firm had repeatedly sold IPO securities to family members of Merrill Lynch financial advisors. Under a FINRA rule, a member cannot sell IPO shares to “restricted persons,” defined to include associated persons or employees of broker-dealers and immediate family members associated with a selling member. To resolve FINRA's allegations, Merrill Lynch also agreed to disgorge profits of almost US $500,000 it earned in connection with its purportedly prohibited IPO sales. (Click here to access FINRA Rule 5130.)
Compliance Weeds: Not only must traditional red flags of potential money laundering be reported as suspicious activities to FinCEN, but also certain cybersecurity breaches and potential breaches.
In October 2016, FinCEN issued an advisory stating that covered financial institutions must file a suspicious activity report following certain cyber-events. Mandatorily reportable incidents are those where a financial institution is targeted by a cyber-event and it knows or has reason to suspect that the event “was intended, in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions” that involves or aggregates, or could involve or aggregate, to US $5,000 or more in funds or other assets. It does not matter whether the transaction or series of transactions ended up actually occurring. (Click here for details regarding this FinCEN advisory in the article “FinCEN Issues Advisory Saying Cyber Attacks May Be Required to Be Reported Through SARs” in the October 30, 2016 edition of Bridging the Week.)
Recently, FINRA fined LPL Financial, LLC, a broker-dealer, US $2.75 million for not reporting as suspicious activities to FinCEN unsuccessful attempts by third parties to gain unauthorized access to customers’ email or brokerage accounts. According to FINRA, LPL mistakenly believed that only successful hacking incidents were subject to SAR reporting and advised its employees accordingly; however, this understanding was incorrect. As a result, FINRA concluded that LPL failed to investigate and file over 400 SARs with FinCEN from January 1, 2013, through May 31, 2016. (Click here for further details in the article “Broker-Dealer Fined US $2.75 Million by FINRA for Breakdowns in AML Program and Customer Complaint Reporting” in the November 4, 2018 edition of Bridging the Week.)
FINRA Publicizes Effective Practices at Members to Mitigate Cybersecurity Risks: The Financial Industry Regulatory Authority released a report on effective cybersecurity practices it observed at member firms related to branch office controls, phishing, insider threats, penetration testing, and mobile devices.
For branch offices, FINRA said that effective practices it has seen to minimize cybersecurity risks include establishing written supervisory procedures defining minimum cybersecurity controls for branches and formalizing their oversight; creating an inventory of branch-level data, as well as software and hardware assets; maintaining branch technical controls including identity and access management restrictions for salespersons and other staff to limit their access to only their own customers' data; and having a “robust” cybersecurity examination program.
For phishing, FINRA observed that some firms had express policies to address phishing; implemented email scanning and filtering to monitor and block phishing and spam; used staff specially trained to recognize phishing; and conducted regular simulated phishing email campaigns, among other effective techniques.
FINRA noted that insider threats are a particularly heinous risk “because an insider typically circumvents many firm controls and may cause material data breaches of sensitive customer and firm data.” To mitigate such risks, FINRA observed that some firms implemented measures to identify potentially abnormal user behavior within a firm’s network and imposed an identity and access management policy, as well as heightened technical controls for individuals with privileged access, to continuously align access rights to specific job functions.
FINRA said that, in issuing its “Report on Selected Cybersecurity Practices – 2018,” it was not creating any new legal requirement or changing any existing regulatory obligation.
Recently, the National Futures Association filed with the Commodity Futures Trading Commission proposed amendments to its 2016 guidance that requires all members to implement a written information systems security program to address unauthorized access or attacks on their information technology systems and how they will respond in such situations. The revised guidance is scheduled to go into effect early this year. (Click here for information on NFA’s amended ISSP requirement in the article “NFA Proposes Guidance Amendments to Enhance Cybersecurity” in the December 9, 2018 edition of Bridging the Week.)
Compliance Weeds: In 2015, the Securities and Exchange Commission issued a report on its own cybersecurity observations where it said that 88 percent of all broker-dealers and 74 percent of all investment advisers reported they had previously sustained cyber-attacks directly or through one or more of their vendors. Most attacks were the result of malware and fraudulent emails. According to the SEC, 54 percent of all broker-dealers and 43 percent of advisers specifically indicated they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25 percent of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”
Regrettably, it is likely not a matter of if a cyber breach may occur, but when and how severe. Financial services firms must continue their efforts to minimize the likelihood of cybersecurity breaches through periodic risk assessments, robust policies, procedures and governance, state-of-the-art technological defenses, ongoing monitoring, and employee training. Moreover, firms should develop, implement and periodically update response plans should a cyber breach occur. Unfortunately, it will.
Robo-Advisors Sanctioned by SEC for False Disclosures: For the first time since issuing guidance on robo-advisor best practices in 2017, the Securities and Exchange Commission sanctioned two registered investment advisors that offered robo-advisory services for false disclosures and misleading advertising.
Without admitting or denying the SEC’s charges, Wealthfront Advisers, LLC agreed to pay a penalty of US $250,000 and consented to a censure while Hedgeable, Inc. consented to a censure and a penalty of US $85,000. According to the SEC, from October 2012 through mid-May 2016, Wealthfront provided its robo-advisor clients with false statements regarding its tax-loss harvesting strategy by claiming that it would monitor client accounts for any transactions that might trigger a wash sale, an occurrence that has a negative effect on harvesting trading strategies. However, during this time, Wealthfront’s software did not monitor for such transactions, and wash sales occurred in roughly 31 percent of the firm’s tax-loss harvesting accounts. The SEC further alleged that Wealthfront violated applicable advertising and marketing regulations by using social media to promote testimonials that were made by persons who were incentivized by Wealthfront to make such statements without disclosing the financial interest of the authors.
Separately, the SEC alleged that Hedgeable, Inc. made false statements regarding its robo-advisor’s performance. According to the SEC, from 2016 until April 2017 Hedgeable created its own index to track and market the performance of its robo-advisor clients against two independent competitor robo-advisor platforms. However, said the SEC, Hedgeable’s index performance was misleading because the composite included only 4 percent of the firm’s robo-advisor clients for the relevant time period, and the index was improperly calculated because the performance of the two independent robo-advisors did not utilize their actual trading models but relied on estimates of their performance.
Both Wealthfront and Hedgeable are registered with the SEC as investment advisors.
(Click here for background on the SEC’s 2017 robo-advisor guidance in the article “SEC Division of Investment Management Issues Guidance Regarding Robo-Advisors” in the February 26, 2017, edition of Bridging the Week.)
CFTC Inspector General Criticizes Internal Stress Testing Methodologies Squabbles: In mid-December 2018, the Office of Inspector General of the Commodity Futures Trading Commission issued its semi-annual report to Congress for April 1 through September 30, 2018, in which it highlighted one report of investigation involving the development of stress testing capabilities within the Division of Clearing and Risk for cleared and uncleared swaps, whose public dissemination was apparently delayed for a significant time for redaction. The OIG report, which is now on the CFTC’s website in redacted form, details contentious infighting between DCR’s Chicago-based Risk Surveillance Branch and DCR’s Margin Model Group over stress testing methodologies that OIG claimed, “retarded the development of CFTC stress-testing capabilities, undermined efforts to improve the usability of uncleared swaps data, denied various employees access to certain IT resources, and overstated the independence and coverage of [the agency’s] existing stress-testing program.” Ultimately, claimed OIG, this infighting resulted in the “shut down and abandon[ment of] an impressive battery of full-evaluation tools created by the Margin Model Group” that the inspection team claimed was “motivated by little more than bureaucratic territoriality.” As part of its review, OIG engaged NERA Economic Consulting to help evaluate the different stress test models advocated by the Risk Surveillance Branch and Margin Model Group. OIG's review apparently was instigated by information initially provided by CFTC whistleblowers.
Additionally, OIG’s report to Congress referenced another investigation involving a “senior Government employee” where allegations of misconduct “were substantiated”; however, OIG indicated this investigation was currently confidential and provided no details in its report.
EC Sets Contingency Plan for No-Deal Brexit: The European Commission unilaterally implemented a “no-deal” contingency plan in the event that a Brexit withdrawal agreement is not signed by March 30, 2019. The contingency plan provided 14 measures in a limited number of sectors including financial services, transport, customs and the export of goods, and climate policy. To help ensure financial stability in the event of a “no-deal,” the EC adopted (1) a temporary and conditional equivalence decision for 12 months to ensure that there will be no immediate disruption in the central clearing of derivatives; (2) a temporary and conditional equivalence decision for 24 months to ensure that there will be no disruption in services provided by UK central securities depositories; and (3) two delegated regulations facilitating novation for 12 months of certain over-the-counter derivatives contracts with a counterparty established in the United Kingdom to replace that counterparty with a counterparty established in the European Union. The EC also cautioned UK and EU financial services firms to adopt policies and procedures to mitigate risks and ensure a stable transition for customers in case a “no-deal” occurs.
Company and Trader Agent Sanctioned by CBOT for Disruptive Trading: The Chicago Board of Trade brought and settled disciplinary actions against Ajax Trading, LLC and one of its trader agents for allegedly engaging in disruptive trading activities from September through November 2016. According to CBOT, during this time, the trader purportedly used user-defined spreads to enter orders on both sides of the market in order to be over-allocated futures at a price better than the prevailing outright market or to be under-allocated futures at a price worse than the prevailing outright market. To resolve his CBOT charges, the trader agreed to pay a fine of US $20,000 and to serve a 15-business-day suspension of access to all CME Group exchanges. (Click here to access CME Group Rule 575.D.) Ajax Trading was also charged with violating just and equitable principles of trade and related violations, but solely on a strict liability basis for the actions of its agent. (Click here to access CME Group Rule 433 – Strict Liability for the Acts of Agents.) Ajax Trading settled its CME Group disciplinary actions by agreeing to disgorge trading profits of approximately US $86,100.
UK Bank and NY Branch Fined US $15 Million by NY DFS for Endeavoring to Identify Whistleblowers: The New York Department of Financial Services fined Barclays Bank PLC and its New York branch US $15 million for the 2016 efforts of Barclays’s CEO James Staley to discover the identity of two whistleblowers who wrote separate letters questioning the hiring and fitness of a top-level executive and whether Mr. Staley’s role in the hiring process was conflicted. NY DFS found that executives and board members did not follow the bank’s whistleblower policies and procedures when they failed to forward these letters to the bank’s Investigations and Whistleblower Team and instead circulated the letters among themselves, including to Mr. Staley. In fining Barclays, NY DFS recognized Barclays’s cooperation during its investigation. In May 2018, the UK Prudential Regulation Authority and the Financial Conduct Authority fined Mr. Staley GB £642,430 (at the time, approximately US $870,000) related to this matter, while Barclays Group announced that, in light of this incident, it had determined to claw back GB £500,000 (at the time, approximately US $677,000) from Mr. Staley’s 2016 compensation. (Click here for additional information regarding this matter and Mr. Staley’s prior sanctions in the article “UK Bank Head Sanctioned Over US $1.5 Million Equivalent by Regulators and Employer for Potentially Undercutting Firm’s Whistleblower Process” in the May 13, 2018, edition of Bridging the Week.)
Cherry-Picking Winning Trades as Part of Post-Trade Allocation Scheme Costs Commodity Trading Firm and Principal US $315,000 in CFTC Fine: The Commodity Futures Trading Commission fined Jonathan Hansen and his company Newport Private Capital, LLC US $350,000 and permanently banned them from trading CFTC-overseen commodity interests and from registering with the Commission for engaging in a prohibited post-execution allocation “cherry-picking” scheme and failing to keep required records.
The CFTC order alleged that between September 2013 and January 2014, after the National Futures Association previously issued an order prohibiting respondents from withdrawing money from any trading accounts they controlled without NFA’s approval, Mr. Hansen caused an account to be opened in his spouse’s name. Afterward, Mr. Hansen entered bunched orders on behalf of his customers without specifying at the time which customer accounts were associated with the trades contrary to an applicable rule (click here to access CFTC regulation, Rule 1.35(b)(5)). Subsequently, if the bunched orders were profitable, Mr. Hansen would allocate those orders to the account owned by his wife (and not to customers) and eventually transfer these profits to a joint bank account in his and his wife’s name. In 2014, Mr. Hansen and Newport agreed to withdraw their NFA membership and never reapply to resolve an NFA complaint regarding this matter (click here for details).
Brokers dealing with Mr. Hansen and Newport have also been subject to enforcement and disciplinary actions related to this matter. (For further background, click here to access the article “Introducing Broker and Principal Sanctioned by CFTC for Not Overseeing Unlawful Post-Trade Allocations of CTA Client” in the September 23, 2018 edition of Bridging the Week; here for the article “CFTC and NFA Sanction FCM for Handling of Post-Trade Allocations by Trading Manager” in the August 5, 2018, edition of Bridging the Week; and here to review the article “Former FCM Fined by CFTC and NFA for Processing CPO Client’s Unlawful Post-Trade Allocations Despite Red Flags” in the June 3, 2018 edition of Bridging the Week.)
For further information:
Congressmen Propose Law to Exclude Certain Cryptoassets from the Definition of a Security: http://www.scribd.com/document/396096529/Token-Taxonomy-Act-of-2018