June 24, 2021

Volume XI, Number 175



SEC Chastised; Cybersecurity; Hacking; Supervision; Compliance Outsourcing; the Cloud - Bridging the Week: November 9 - 13 and 16, 2015 [VIDEO]

In a week punctuated by a horrific Friday-night tragedy in Paris, far less important news dominated regulatory and legal developments for financial services firms. A New York regulator appears poised to introduce cybersecurity regulations for many types of financial institutions, while criminal complaints were filed in New York and Atlanta against major hackers of financial services firms. Separately, a federal judge in New York severely criticized the Securities and Exchange Commission over its handling of a case that caused a foreign bank to fail. As a result, the following matters are covered in this week’s edition of Bridging the Week:

  • Court Chastises SEC for Causing Unwarranted Collapse of Foreign Bank (includes My View);

  • NYS Previews Likely New Cybersecurity Regulations for Financial Institutions While Urging Coordination by Other Regulators (includes Compliance Weeds and Totally Irrelevant (But Is It?));

  • Criminal Charges Filed for Massive Cyber Hack of Banks, Brokers and Other Companies;

  • ICE Futures US Sanctions FCM for Failing to Record and Maintain Oral Communications in Connection With Block Trades; Other Firms Fined for Wash Sales and Position Limits Violations;

  • Broker-Dealer Self-Detects Reg SHO System Problem, Suspends Broken System and Self-Reports but Still Sanctioned by FINRA (includes My View);

  • Outsourcing of Compliance Functions by IAs May Be Okay but Be Mindful Says OCIE;

  • FIA Operations Issues Guide to Help FCMs Better Process Exchange and Clearing Fees (includes My View); and more.

Court Chastises SEC for Causing Unwarranted Collapse of Foreign Bank:

A federal judge in New York severely criticized the Securities and Exchange Commission over its handling of a lawsuit against Caledonian Bank Ltd., Caledonian Securities Ltd. (together, “Caledonian”) and others that resulted in Caledonian’s bankruptcy and liquidation.

According to the judge – the Hon. William H. Pauley III – the SEC initially filed a complaint against Caledonian, a bank and broker-dealer in the Cayman Islands, on February 6, 2015, in which it alleged that the defendants sold large quantities of worthless stock as principals (not agents for customers) without filing required registration statements with the agency. (Click here for a copy of the SEC complaint.)

After the SEC advised the Court that it had identified “recent transfers of funds” by Caledonian and another defendant – Verdmont Capital, S.A. – from certain of their US accounts, the court granted the agency’s application to freeze defendants’ assets. However, as soon as the following day, noted the judge, counsel for Caledonian and Verdmont advised the SEC that each defendant had acted solely as a broker in the relevant transactions and not as a principal. This information was not shared with the court.

Unfortunately, a run on Caledonian began when news of the SEC’s allegations spread, “and panic ensued among depositors and investors,” said the judge. Within days, the Cayman Islands Monetary Authority placed both Caledonian entities into controllership and the bank began a process of voluntary liquidation.

It was not until May 2015, said the court, that the SEC advised it that Verdmont (and impliedly, Caledonian) had a far more limited role in the unlawful sales than previously described (Caledonian was no longer actively involved in the litigation by this time). Moreover, said the court, it turned out that other employees of the SEC – in other divisions and offices – had been aware that Verdmont had acted as a broker and not as a principal in the subject transactions at least five months prior to the filing of the SEC’s initial complaint. Unfortunately, the SEC attorneys involved in this action did not learn of this fact until the week of February 16, 2015, observed the judge.

Ultimately, the SEC filed an amended complaint that “blunted many of the harshest and categorical allegations in the original Complaint,” wrote the judge, “[b]ut here, the SEC’s failure to coordinate spawned more dire consequences than administrative inefficiency.” Caledonian was forced to liquidate.

The court criticized the SEC's investigation that prompted it to apply for the initial asset freeze order:

[t]he declarations submitted in connection with the SEC's motion to amend reveal an apparent failure to pose the appropriate inquiries to financial institutions before seeking crippling ex parte asset freezes. Prior to filing this action, the SEC asserted it had been "in frequent contact" with the legal departments of the U.S. financial institutions against whom it sought to enforce the asset freeze... However, it is not clear what questions the SEC asked to ascertain whether these assets belonged to the defendants – like Verdmont or Caledonian Bank – as opposed to their customers.

The court urged the SEC to self-reflect on its prosecution of this case and apply lessons learned going forward:

[i]t is hard for this Court to believe that the SEC does not have systems in place to ensure that enforcement and regulatory staff are aware of investigations with common facts or the same individuals or entities … Given the high stakes in securities enforcement actions, and in the face of the workload the SEC describes as an “overwhelming burden,” a self-examination may be appropriate.

Judge Pauley’s commentary regarding Caledonian constituted the major portion of his 32-page ruling on a motion by Verdmont to summarily decide against the SEC in connection with its amended complaint. The court ruled such application was premature at this point.

My View: Sadly, this is not the first time over-zealous regulators have improperly caused the destruction of a company. After Arthur Andersen LLP – one of the top accounting firms of its time – was found guilty of obstruction of justice in 2002, following charges that it wrongfully destroyed documents in anticipation of an investigation by the Securities and Exchange Commission related to its dealings with Enron Corporation, the company gave up its licenses as certified public accountants and ceased conducting business. However, three years later, the US Supreme Court, in a unanimous verdict, overturned the firm's conviction (click here to access the Supreme Court decision). Unfortunately, the damage to Arthur Andersen was already too late to reverse, including the loss of jobs by 85,000 persons. As Judge Pauley pointed out in his decision in response to Verdmont Capital's motion, "the SEC's canon of ethics cautions: 'The power to investigate carries with it the power to defame and destroy'." These are important principles that all regulators must consider before they pursue extraordinary relief against any corporation or individual.


  • NYSDFS Previews Likely New Cybersecurity Regulations for Financial Institutions While Urging Coordination by Other Regulators: The New York State Department of Financial Services issued a memorandum addressed to 18 federal and state regulatory organizations previewing new regulations to increase “cyber security defenses” by financial services firms and encouraged the organizations to collaborate on instituting “strong cyber security standards for financial institutions.” The NYSDFS indicated that its regulations would require financial institutions to adopt cybersecurity policies and procedures that must address certain enumerated topics. These would include, among other topics, information security, data governance and classification, access controls, business continuity and disaster recovery, capacity and performance planning, physical security, customer data privacy and incident response, third-party service providers, and the security of all applications used by a company. Financial services firms would also be required to appoint a chief information security officer; have adequate personnel to manage a firm’s cybersecurity risks; provide mandatory training to cybersecurity personnel; conduct annual penetration tests and quarterly vulnerability assessments; and immediately notify the NYSDFS of any cybersecurity incidents. The NYSDFS previously included cybersecurity requirements in its regulations that established minimum standards for all financial intermediaries who engage in a virtual currency business activity from New York or to a NY resident.

Compliance Weeds: Even before the New York State Department of Financial Services adopts any measures, expectations of regulators of registrants in both the securities and futures industry have been increasing during the past year regarding what cybersecurity protections should be in place to protect customer records and information. At the beginning of 2015, the SEC said it would focus on cybersecurity compliance and controls among its 2015 examination priorities for broker-dealers and investment advisers. In September 2015, the SEC provided specific guidance on what it would look at in connection with these reviews. The SEC said it would focus on registrants’ governance and risk assessment related to cybersecurity; access rights and controls; data loss prevention; vendor management; training; and incident response. Also at the beginning of 2015, the Financial Industry Regulatory Authority published a report identifying findings from its 2014 targeted examination of firms related to their cybersecurity practices and recommended practices broker-dealers should implement to minimize the impact of cybersecurity threats. Moreover, the National Futures Association recently adopted an Interpretive Notice requiring members to implement and maintain formal, written information systems security programs by March 1, 2016. Practically, any cyber breach that compromises customer personal information could leave an SEC or CFTC registrant vulnerable to an enforcement action if it had not previously adopted a written policy and procedure reasonably designed to minimize the threat of a cyber-attack and followed such procedure – whether or not an express requirement currently exists. Registrants should therefore ensure they have implemented such a policy and are adhering to it. (For additional information)

Totally Irrelevant (But Is It?): For years I told my Derivatives Regulation students that if they only learned one thing for the semester, remember it is the Commodity Futures Trading Commission, not the Commodities Futures Trading Commission. Alas, the NYSDFS should have taken my course. They misspelled the name of the CFTC in their memorandum referencing Commodities not Commodity! How embarrassing.

  • Criminal Charges Filed for Massive Cyber Hack of Banks, Brokers and Other Companies: Federal prosecutors filed criminal charges against Joshua Aaron, Ziv Orenstein and Gery Shalon in New York, and Mr. Aaron, Mr. Shalon and an unnamed individual in Atlanta for “orchestrat[ing] massive computer hacking crimes against US financial institutions, financial services corporations and financial publishers, including the largest theft of customer data from a US financial institution in history” – involving 80 million customers – from 2012 to mid-2015. According to an indictment filed against these individuals in a federal court in New York, defendants also endeavored to artificially manipulate the price of certain stocks that they sought to market to customers whose personal information they stole. Additionally, Mr. Shalon is alleged to have coordinated computer network attacks against companies outside the financial sector to benefit others of his unlawful businesses, including internet casinos and a US-based exchange that traded Bitcoin – Coin.mx. In connection with the criminal action filed in Atlanta, the defendants were charged with hacking into the computers of E*Trade Financial Securities Corporation and Scottrade Financial Services, Inc., as well as other financial institutions and companies. According to the indictment filed in Atlanta, more than 10 million customers of E*Trade and Scottrade were “compromised” by these attacks. In August 2015, civil charges were filed by the Securities and Exchange Commission against 32 defendants in connection with the hacking of the computer servers of three major newswire companies as part of an alleged elaborate illicit stock-trading scheme. Nine of these persons were also subject to criminal indictments filed in Brooklyn, New York, and Newark, New Jersey, by the US Department of Justice. (Click here for further details)

  • ICE Futures US Sanctions FCM for Failing to Record and Maintain Oral Communications in Connection With Block Trades; Other Firms Fined for Wash Sales and Position Limits Violations: BGC Financial, L.P. agreed to pay a fine of US $42,500 to resolve charges brought by a business conduct committee of ICE Futures U.S. that, on “multiple instances” in connection with block trades, it allegedly failed to record and maintain oral communications leading to the transactions’ execution; to report the correct execution time, and to adequately supervise brokers’ block trade activities. According to an IFUS rule (click here to access the relevant rule, Rule 6.07(b)), all members, non-member futures commission merchants and introducing brokers must “record and maintain” all oral and written communications leading to the execution of an exchange futures or options contract and related cash commodity “whether communication by telephone, voicemail … mobile device or other digital or electronic media.” Separately, three firms were charged with possibly engaging in wash sales in connection with transactions alleged to have been undertaken for the purpose of moving positions between different accounts of the same entity. In one action, involving Inertia Power VI, LLC, the firm agreed to a settlement of US $70,000 for engaging in such alleged transactions on “several occasions.” In another action, Christopher Mumm agreed to pay US $12,500 to resolve a charge that he possibly engaged in two wash trades to correct an error and move positions from one account of his employer to another. In the last action, Sean Matthews agreed to pay a fine of US $5,000 for allegedly engaging in one transaction to move positions between two accounts of his employer. 
Finally, Freepoint Commodities LLC also agreed to pay a fine of US $7,500 for allegedly holding a position “inadvertently” in the spot month of New York Mercantile Exchange natural gas futures while holding a position in excess of the spot month speculative position limit in the Henry LD1 Fixed Price futures contract during the February 2015 contract expiration. Holding a position in the corresponding NYMEX contract is prohibited by IFUS when a firm is subject to a conditional limit in excess of spot month limits on the Henry Hub Fixed Price Future.

  • Broker-Dealer Self-Detects Reg SHO System Problem, Suspends Broken System and Self-Reports but Still Sanctioned by FINRA: JP Morgan Securities LLC agreed to pay a fine of US $350,000 to the Financial Industry Regulatory Authority as a result of multiple violations of Securities and Exchange Commission Regulation SHO, principally between October 19, 2011, and January 27, 2012, caused by alleged “systems issues.” According to FINRA, the firm’s problem derived from a coding error in a change to the firm’s automatic market tool it used to assist traders in making two-sided markets in securities. The coding error, said FINRA, caused the firm to execute over 21,200 short sales during the relevant time period without a “locate.” (Under Reg SHO, a broker-dealer accepting a short sale of an equity security from a customer (or engaging in a short sale in its own proprietary account) must first borrow the security, enter into a bona fide arrangement to borrow the security, or have reasonable grounds to believe the security can be borrowed before the delivery date, thus satisfying its so-called “locate requirement.”) After the problem was detected, JP Morgan “immediately” suspended use of the automated tool and a few months afterwards self-reported the problem to FINRA, acknowledged the regulator. FINRA said that US $250,000 of JP Morgan’s fine was attributable to “supervisory violations,” namely the failure of the firm’s supervisory procedures to “provide for a statement of supervisory step(s) to be taken by the person(s) responsible for supervision with respect to [the relevant provision of Reg SHO].” FINRA claimed the firm’s sanctions “significantly take into consideration the firm’s self-reporting … and the remedial measures taken by the firm … ”

My View: Implicit in the odd wording used by FINRA to describe JP Morgan’s supervisory violation is that the firm had a procedure to oversee compliance with Reg SHO. It appears, however, the procedure may not have itemized the specific steps to be taken by supervisors in carrying out their supervision. Retrospectively, many procedure manuals are not likely to provide for every step necessary to preclude a potential violation. First, drafters of procedures manuals are likely not sufficiently clairvoyant to consider all potential breakdowns. And second, a procedures manual that is too comprehensive and detailed will likely be unread. Indeed, FINRA seems to recognize this as it explicitly requires members solely to have written compliance policies and written supervisory procedures reasonably designed to achieve compliance with applicable FINRA rules (click here to access FINRA Rule 3130) – not perfectly designed! Too often regulators charge failure to supervise as an adjunct to other charged substantive violations. However, not every problem is a result of improper supervision. Sometimes mistakes just happen because humans are flawed.

  • Outsourcing of Compliance Functions by IAs May Be Okay but Be Mindful Says OCIE: The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations raised numerous concerns regarding outsourced compliance activities by investment advisers and funds – in particular the Chief Compliance Officer function — following a review of such practices. In general, OCIE found “generally effective” outsourcing where there was “regular, often in-person communications between the CCOs and the registrants; strong relationships established between the CCOs and the registrants; sufficient registrant support of the CCOs; sufficient CCO access to registrants’ documents and information; and CCO knowledge about the regulatory requirements and registrants’ business.” OCIE implied there was less effective outsourcing where third-party CCOs infrequently interacted personally with registrants and relied on impersonal means of communication (e.g., electronic communications and pre-defined checklists); were not able to access documents independently but relied on registrants to select documents for their review; and serviced multiple registrants when they did not have adequate resources. OCIE also found that there was a “general lack of documentation” supporting testing by outsourced CCOs of registrants’ mandatory annual reviews, including testing for compliance with firm policy and procedures. As part of its review of outsourcing of compliance activities, OCIE reminded investment advisers “[a] CCO, either as a direct employee of a registrant or as a contractor, must be empowered with sufficient knowledge and authority to be effective.”

  • FIA Operations Issues Guide to Help FCMs Better Process Exchange and Clearing Fees: The Futures Industry Association’s Operations Division issued a new publication to assist futures commission merchants that are clearing members of exchanges to better administer the processing of exchange and clearing transaction fees. Simultaneously, FIA launched a website (click here to access) for FIA members to obtain updates to its new publication. Among other things, the publication recommends that all clearing members draft written procedures addressing exchange and clearing transaction fee management that include, at a minimum, descriptions of how the firm undertakes reconciliations of exchange and clearing transaction fees charged to customers and how it handles potential discrepancies. In making its recommendations, FIA made clear that its descriptions of potential components of procedures “are not designed to set an industry standard. Rather each firm’s written procedures should be consistent with the firm’s business model and fee management processes and requirements.” FIA also recommends that managers responsible for overseeing a clearing member’s exchange and clearing transaction fee process “have the appropriate level of experience or training to fulfill their supervisory obligations.”

My View: Last year, Merrill Lynch, Pierce, Fenner & Smith Incorporated agreed to pay a fine of US $1.2 million to resolve charges brought by the Commodity Futures Trading Commission that, from at least January 1, 2010, through April 2013, the firm failed to employ “an adequate supervisory system” related to the processing of exchange and clearinghouse fees charged to the firm’s customers. This large fine was assessed despite Merrill apparently self-detecting its reconciliation issues and endeavoring to correct them through use of two outside consulting firms. Moreover, the CFTC acknowledged that Merrill’s unreconciled exchange and clearing fees amounted to less than $452,000 over the relevant period, compared to $318 million of total fees paid to relevant exchanges and clearinghouses (i.e., less than a .15 percent unreconciled rate). The FIA’s new publication provides sound guidance regarding steps clearing members should consider to help enhance their relevant policies and procedures and better ensure their customers are assessed correct exchange and clearing fees. However, no adopted measures are likely to ensure flawless compliance. 

And more briefly:

  • ESMA Chair Says Some Delays in MiFID II/MiFIR Roll-Out May Be Necessary: Steven Maijoor, Chair of the European Securities and Markets Authority, told the Economic and Monetary Affairs Committee of the European Parliament that it is likely that at least some delays are necessary to the roll-out of the Markets in Financial Instruments Directive II and the Markets in Financial Instruments Regulation now scheduled for January 2017. He said such delays may be necessary because final texts for some of the important requirements may not be finalized “well into 2016,” and “[t]he building of some complex IT systems can only really take off when the final details are firmly set … and some of the most complex IT systems would need at least a year to be built.”

  • Block Trade FAQs Updated by ICE Futures U.S. and ICE Futures Europe: Both ICE Futures Europe and ICE Futures U.S. updated their guidance related to block trades. In connection with ICEFE, the revised guidance addresses new Eris Interest Rates futures contracts which are scheduled to commence trading on November 16, 2015, while the IFUS revised guidance addresses requirements related to the new World Cotton futures contracts.

  • NFA Augments CFTC’s FAQs Regarding CPO Form PQR and CTA Form PR: The National Futures Association published guidance in the form of frequently asked questions related to commodity pool operators Form PQR and commodity trading advisors Form PR. The Commodity Futures Trading Commission published its own guidance last week. CPOs are required to file Form PQR each quarter to provide NFA information about their operations and the operations of pools they operate. CTAs are required to file Form PR each quarter to provide NFA information about themselves, their trading programs, the pool assets they direct and their principal carrying broker relationships, among other information.

  • FCA Proposes Guidance on Outsourcing to the Cloud: The Financial Conduct Authority has issued guidance for regulated firms to consider when outsourcing to cloud service providers. Among other things, firms must consider how the FCA will have “effective access” to data stored on the cloud. The FCA also urged firms to consider international developments that are likely to have an impact on using cloud services, including – for European-based entities – reform of the European Union Data Protection legislation. However, the FCA raises no fundamental objections to cloud usage by regulated firms. Indeed, FCA acknowledged that “[t]he use of outsourcing to the cloud and other third party IT services can have a positive impact on competition in financial services.” Comments will be accepted through February 12, 2016.

  • CFTC Extends Swap Data Reporting Relief to Certain Non-US Swap Dealers and MSPs: The Commodity Futures Trading Commission extended until potentially December 1, 2016, previously granted relief to certain non-US swap dealers and major swap dealers from swap data reporting requirements in connection with swaps with certain other non-US persons. The relief applies to non-US SDs and MSPs in Australia, Canada, the European Union, Japan and Switzerland, where the ultimate parent entity is not one of certain enumerated types of US financial institutions.

  • ESMA Updates Final Rules on Data Reporting: The European Securities and Markets Authority published an update of its final rules – known as technical standards – dealing with data reporting requirements related to derivatives trades. The new rules, among other things, incorporate many elements in previously issued questions and answers to clarify data fields (including descriptions and/or formats) and introduce new fields and values in response to regulatory requirements or market practice.

  • Banks Sign Relaunched ISDA Stay Protocol to Help Regulators Liquidate a Failed Bank: Twenty-one major global banks have already signed a relaunched stay protocol developed by the International Swap Dealers Association and other leading industry organizations in coordination with the Financial Stability Board. The purpose of the protocol is to help ensure the orderly resolution of a troubled bank by having firms voluntarily agree to abide by foreign resolution regimes in connection with cross-border transactions. A prior protocol was signed by 18 major banks in November 2014. The relaunched protocol increases the types of covered financial contracts.

©2021 Katten Muchin Rosenman LLP

National Law Review, Volume V, Number 320



About this Author

Gary DeWaal, Securities Attorney, Katten Law Firm, New York
Special Counsel
