Financial Services Alert - October 13, 2009

The SEC settled an enforcement action against a firm registered as both a broker-dealer and an investment adviser (the “Registrant”) for the Registrant’s failure to adopt written policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the “Safeguards Rule”).  The Safeguards Rule requires registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and that are reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information. 

Unauthorized Access.  In its order settling the enforcement proceeding, the SEC found that in or around November 2008 an unauthorized person accessed and traded, or attempted to trade, in customer accounts of the Registrant by using a computer virus to gain access to the login credentials of a registered representative (an “RR”) of the Registrant.  The credentials allowed access to the Registrant’s intranet (the “Intranet”), which provides access to a proprietary trading platform operated by the Registrant’s clearing broker (the “Trading Platform”).  Once logged on to the Intranet, the unauthorized person gained access to non‑public information for 368 customer accounts and used the Trading Platform to place, or attempt to place, eighteen unauthorized trades across eight customer accounts totaling over $523,000 in securities of one publicly traded company.  The clearing broker detected the unauthorized purchases within ten minutes and was able to block most of them; however, some unauthorized purchases were executed resulting in an aggregate loss of $8,000 that was absorbed by the Registrant. 

Registrant’s Practices.  The SEC noted that, at all relevant times, the Registrant recommended – but did not require – that its RRs maintain antivirus software on their personal computers, which the RRs used to access the Intranet and Trading Platform to trade for customer accounts.  The RRs are independent contractors and are responsible for providing their own computer hardware and software.  (The Registrant has approximately 1,600 RRs operating from approximately 1,069 branch offices.)  In the two months prior to the intrusions, the Registrant’s information technology help desk (the “Help Desk”) received several calls from the RR whose computer would suffer the unauthorized access in November 2008, indicating that the RR’s computer system had been compromised by a software virus.  During one such call in September 2008 the Help Desk noted that the RRs computer lacked anti-virus software and recommended that the RR install anti-virus software.  During a subsequent call which took place one day prior to the first known intrusion, the Help Desk noted that the RRs computer was infected with a “major virus” and recommended that the RR see his local computer technology person.  The Help Desk did not follow up with the RR in either case to determine whether the RR had taken appropriate action.  The SEC also found that the Registrant’s internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did the Registrant have procedures in place to follow up on potential computer security issues uncovered during branch audits or when RRs contacted the Help Desk for computer-related assistance.

Violations of the Safeguards Rule.  The SEC’s determination that the Registrant did not comply with the Safeguards Rule was based on findings that the Registrant: (1) failed to implement adequate procedures requiring RRs to maintain appropriate security measures on their personal computers where customer information was stored; (2) failed to maintain procedures requiring that RRs’ personal computers be monitored and/or audited to ensure that security measures were correctly implemented and maintained; and (3) failed to maintain procedures requiring proper follow up on potential security issues reported by RRs.  In making these findings, the SEC noted that although the Registrant’s written policies for customer records and information prior to the November 2008 intrusions addressed in certain respects the administrative, technical, and physical safeguards for the protection of its customer records and information, by (a) failing to require basic safeguards such as anti-virus software on all of the RRs’ computers conducting business using the Intranet and (b) failing to follow up, or have written procedures addressing the follow up, on security issues either uncovered in branch audits or reported to the Help Desk, the Registrant failed to adhere to the standards of reasonable design imposed by the Safeguards Rule.

Sanctions.  Under the terms of the settlement, which reflected the SEC’s consideration of the Registrant’s remedial efforts and cooperation, the Registrant is subject to a cease and desist order and censure, and is required to pay a penalty of $100,000.

The SEC issued for public comment its strategic plan (the “Plan”) for 2010-2015.  The Plan, which is required under the same 1993 legislation that requires the SEC to provide annual performance plans, identifies goals and performance measures for 70 initiatives relating to oversight, regulation, enforcement, international cooperation and internal SEC matters.  Comments must be submitted by November 16, 2009.

The Plan acknowledges the Treasury’s issuance of recommendations and proposed legislation regarding financial regulatory reform in the areas of custody by registered advisers, regulation of credit rating agencies, money market fund reform and short selling, among others (as discussed in prior Alerts).  The Plan discusses initiatives in a variety of areas, including the following:

Expanded Whistleblower Incentives.  The Plan proposes that the SEC seek legislation to compensate whistleblowers who provide productive tips on violations of the federal securities laws similar to the compensation provided currently for tips relating to insider trading.

Improved Disclosure.  The Plan proposes the SEC consider additional disclosure requirements relating to risk management, executive compensation, director nominations and board governance.  The SEC recently proposed rules that would expand compensation and corporate governance disclosures for operating companies and investment companies (as discussed in the July 14, 2009 Alert).

Proxy Voting and Shareholder-Company Communications.  The Plan proposes that the SEC review proxy voting and shareholder-company communications, including the role of proxy advisory firms in the proxy voting process.

Beneficial Ownership Reporting.  The Plan proposes that the SEC modernize its beneficial ownership reporting requirements to address, among other things, the use of equity swaps and derivatives.

Broker-Dealer and Adviser Regulation.  The Plan proposes that the SEC harmonize broker‑dealer and adviser registration to better protect investors.  Specific steps cited in the Plan include (i) strengthening broker-dealer and investment adviser oversight, particularly in the area of adviser custody, (ii) amending the registration forms for broker-dealers and advisers to elicit information that would be useful in selecting investment professionals and (iii) considering whether to require investment professionals who provide advice to their clients to provide additional disclosure regarding their business practices, conflicts of interest and backgrounds.

Mutual Fund Distribution Fees.  The Plan recommends that the SEC continue its reconsideration of Rule 12b-1 under the Investment Company Act of 1940, which governs a mutual fund’s payment of distribution expenses, and review the factors that a fund’s board considers in approving the payment of those expenses.

OTC Derivatives.  The Plan recommends that the SEC consider how to fill regulatory gaps in the oversight of OTC derivatives, and how to harmonize oversight of economically equivalent OTC derivative instruments with the CFTC.

Money Market Fund Regulation.  The Plan recommends that the SEC consider how money market funds can be better positioned to meet the demands of investors who redeem on a short‑term basis.  The SEC has already proposed changes to its money market fund regulations that reflect in part the Treasury’s recommendations in this area (as discussed in the July 7, 2009 Alert).

ETFs.  The Plan recommends that the SEC consider how to streamline the process for introducing exchange‑traded funds (“ETFs”) to eliminate the delays associated with the current requirement to seek exemptive relief in order to launch an ETF.  The SEC currently has pending a rule proposal that would allow an ETF that meets certain conditions to commence operations without seeking individual exemptive relief (as discussed in the April 1, 2008 Alert). 

NRSRO Oversight.  The Plan recommends that the SEC strengthen its oversight of credit rating agencies registered with it as nationally recognized statistical rating organizations (“NRSROs”) to increase the transparency of ratings methodologies and performance, and improve disclosure of conflicts of interest.  The SEC has recently engaged in additional rulemaking relating to its oversight of NRSROs (as discussed in the September 22, 2009 Alert).

Point of Sale Disclosures.  The Plan recommends that the SEC consider whether broker-dealers selling mutual funds, variable annuities and 529 products should provide point of sale and internet disclosure regarding key product features and matters relating to their compensation and conflicts of interest.  The SEC has outstanding a proposal from 2004 regarding point of sale disclosures by broker‑dealers (as discussed in the February 3, 2004 and March 8, 2005 Alerts).

The Organization for Economic Cooperation and Development (“OECD”) issued a handbook (the “Handbook”) that provides guidance designed to help tax examiners and tax auditors detect and deter money laundering.  The Handbook is entitled The Money Laundering Awareness Handbook for Tax Examiners and Their Auditors. 

The Handbook provides extensive guidance on factors that a tax examiner or tax auditor should consider to help him or her identify possible cases of money laundering.  The Handbook discusses these indicators of potential money laundering activity: (1) by individuals, (2) in connection with real estate transactions, (3) in connection with cash transactions, (4) in transactions related to international trade, (5) in connection with loans, and (6) by professional service providers.  The OECD stresses in the Handbook that international cooperation and exchanges of information among tax administrators is essential to fighting money laundering most effectively.