Pastore attorneys successfully represented the former CEO of a broker dealer in a regulatory dispute with FINRA. When Pastore was retained, FINRA was seeking a multi-month suspension, thousands of dollars in fines, and was days away from serving a complaint. In the space of a few months, Pastore convinced FINRA to close the case without levying a dollar in fines or a single day of suspension.
In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.1 Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.1 Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.1
Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.2 As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.3 Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies4 – “maintains data usability in its protected form,” striking a balance between security and accessibility.5 Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.
But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”6 New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”6 Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.6 New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.
A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealousy safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.1 Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.1 Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.2 In fact, had Thompson been more careful to remain anonymous,3 the data breach could well have become catastrophic.
First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services that is now being enforced by the state’s new Cybersecurity Division, this problem may have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.5 Had Capital One encrypted or tokenized6 all of the data subject to the recent breach, it is possible that the effects of the cyberattack may have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.1 Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.3
Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.
Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.7 Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.
Perhaps as a signal of its commitment to fight cybercrime and stringently enforce its cybersecurity regulations, New York State recently established a “cybersecurity division”1 within the state’s Department of Financial Services (DFS). The creation of the division marks yet another step taken by New York State to guard against the dangers posed by cyberattacks, perhaps motivated by its status as the home of many prominent financial services firms. In addition, the presence of the division strongly suggests that the cybersecurity regulation2 issued by DFS in Spring 2017 [WB1] cannot be taken lightly by the state’s largest and most important financial services firms. Aside from the comprehensive nature of the regulation and the sizable power afforded to the new cybersecurity division, the novelty of New York’s recent innovations in cybersecurity regulation suggests their importance and staying power. In fact, as JDSupra notes, the creation of the new division more or less completed a years long process that has made “New York[…]the only state in the country that has a banking and insurance regulator exclusively designated to protect consumers and companies from the ever-increasing risk of cyber threats.”1
Some financial services firms, conscious of their vulnerability to cyberattacks, will doubtless welcome these additional steps. As a report from the Identity Theft Resource Center notes, financial services firms “are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.”3 Far from being mere annoyances, these cyberattacks are often extremely costly. In fact, according to a study from IBM and the Ponemon Institute, the cost to a financial services firm per record lost in a cyberattack was more than $100 greater than the cost to the average company.4 Moreover, cyberattacks can also cripple consumer confidence in financial services firms, causing them to lose business and endure even greater costs.5 In general, then, cyberattacks can damage both a financial services firm’s sensitive records and its public image, making them a grave threat to any such company’s bottom line.
It would be a mistake, however, to think about DFS regulation purely in terms of cost reduction. Regulation also entails costs – not least because compliance with the 2017 regulation can be investigated and punished by DFS’ new cybersecurity division. In fact, these new developments indicate that cybersecurity will not come cheaply, especially because the regulation imposes a bevy of new security requirements on top firms, costing them a not insignificant amount of time and money. From multi-factor authentication to training programs to the appointment of a “Chief Information Security Officer,” the now fully enforceable regulation will force financial services firms to foot the bill for a host of cybersecurity measures.6
- https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 3
- IBM and the Ponemon Institute, The Cost of a Data Breach (2017), summarized in https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 6
- https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 8
- https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf, pg. 5
Pastore & Dailey LLC has an extensive RegTech practice, and Jack Hewitt, a P&D Partner, is one of the country’s authorities in this area. In line with this, P&D is pleased to announce that Bloomberg BNA has just published Mr. Hewitt’s new treatise, Technology Regulation in the Federal Securities Markets.
The treatise is structured into three major segments – cybersecurity, the new market technologies and blockchain. The cybersecurity segment provides a comprehensive review of all applicable federal and state regulations and guidelines while the market technology segment addresses, among others, the Cloud, robo-advisers and smart contracts. The final segment, Blockchain, includes cryptocurrency, tokens and ICOs. Mr. Hewitt, whose expertise extends to virtually all major business sectors, regularly reviews client cybersecurity and technology procedures and would be pleased to discuss performing one for your firm.
Please use the below link to view the Table of Contents and the chapters on Information Security Programs and ICOs of the new treatise.
Interest in cryptocurrency and its underlying technology has steadily rose over the past several years. The final week of 2017 alone saw the debut of over a dozen new cryptocurrencies within the market. Moreover, Bitcoin’s explosive increase in value in 2017 from $1,000 to almost $20,000 has made “Bitcoin” and “cryptocurrency” household terms. The accelerating rate of creation of new currencies and the fluctuation in value of various existing currencies have provided investors with substantial profit opportunities. Unsurprisingly, the financial services industry is making significant investments in the underlying block-chain technology. From individual programmers to large fintech firms, there is a race to secure the intellectual property rights for all aspects of block-chain and cryptocurrency technology.
The block-chain technology functions to increase security and decrease inefficiencies regarding cyber transactions. The software accomplishes this by securely hosting a transaction between two individuals without the requirement of a third party to transfer and record the exchange of funds (i.e. banks, credit card companies, etc.). The transactions are then publicly memorialized in a distributed ledger as a link in the chain’s archive. At its core, the block-chain model is a peer-to-peer system; because of this, the software has the potential to revolutionize the financial services industry by reducing the number of parties required to send and receive payments. This decentralized model is one of the characteristics that makes block-chain unique, and financial firms have recognized the tremendous value of the software.
As the value of the block-chain model became more apparent, the United States Patent and Trademark Office (“USPTO”) was flooded with new patent applications concerning block-chain and cryptocurrencies. At the end of 2017, Bank of America, Mastercard, Paypal and Capital One were leading the field in research and development, and represented the top four patent holding entities in the realm of block-chain and cryptocurrencies. The primary technological focus of these top four firms has been financial forecasting, digital data processing and transmission of secure digital data. In fact, Bank of America was recently issued its latest patent from the USPTO, which outlined a cryptocurrency exchange system that would seamlessly convert one digital currency to another. It may be no coincidence that the top four firms leading research and development on block-chain are those that stand to lose the most from the elimination of third-parties in cyber transactions. It is important, at this point in block-chain’s development, that such firms secure a position on the new playing field if cryptocurrency does displace traditional transaction models.
Internet Data Usage
The sprint to secure intellectual property rights does not, however, solely focus on the current block-chain technology; firms are also looking ahead on how to improve the software and how to benefit from future developments and applications. Several firms are focusing specifically on the distributed ledger aspect of block-chain in order to create a personal virtual identity for each of the software’s users. This concept has significant potential to allow individuals to begin to profit off of their personal data. Currently, websites such as Google, Amazon and Facebook track individual’s internet usage and gain considerable value from their personal data with little to no benefit to the user. The creation of an online avatar that hoards this data in a ledger, and makes it available only with the user’s permission, could bring significance to an individual’s internet browsing data. Users could begin to charge companies a fee to gain limited access to this information, even in miniscule amounts. Cryptocurrency effortlessly weaves itself into the system because currencies like Bitcoin are divisible to the hundredth of a millionth degree. This divisibility makes it possible for you to extract value from as little as 0.00000001 of a Bitcoin for a company to see that you have been looking at Volkswagens on Craigslist all afternoon.
This virtual identity system may not be too far off. In 2017, the state of Illinois launched a block-chain pilot for the digitization of personal data, such as birth certificates. The system has the potential to be the framework for the digital identities discussed above, and could further establish an extraordinarily convenient method of sharing verified personal documents. Although this system immediately raises the question of cybersecurity in the minds of most, block-chain technology is, in fact, vastly more secure than our current systems.
In 2017, Equifax saw one of the largest cyber security breaches in history. The current method of storing millions of individuals’ personal data is piling it together on the same system, which is then encrypted and secured. The issue, as illustrated by Equifax, is that once the security mechanisms are breached, the cyber burglar then has access to the entirety of the stored data. Block-chain, however, stores each individual’s data separately in its own encrypted and secured space. If a hacker wished to steal data from a block-chain, they would be required to decrypt each of the individual’s data separately; in the case of Equifax, the hacker(s) would have been required to bypass 140,000,000 encryptions. For this reason, cyber security firms are becoming increasingly involved in block-chain technology as well.
The cyber security and financial services industries are not the only industries honing in on the cryptocurrency craze. It is also worth mentioning the flood of new applications from the mobile software market. The rapid origination rate of mobile applications, no matter how redundant or superfluous they may seem, is compelling United States intellectual property filings. Cryptocurrency mobile applications can provide a wide range of services for their users: market information through applications such as zTrader, Bitcoin Checker and Bitcoin Price IQ; portfolio services through Cryptonator, CoinDex and Mycelium; and trading platforms through Coinbase, CEX.IO and CoinCap. More significantly, many of the most popular websites which provide mobile application support are beginning to accept cryptocurrency as a payment method. Notably, online retailer Overstock.com, online dating service OkCupid.com, electronics retailer Newegg.com, and travel booking agency Expedia.com are among the firms now accepting bitcoin as payment for their services. Cryptocurrency also has the potential to transform the mobile gaming industry.
A dimension of mobile applications which has received a lot of negative publicity over the past few years is predatory in-app purchases. Many mobile gaming applications, which are typically marketed to children and teenagers, are free to download and play, but incentivize frequent micro-transactions from the user. These aptly dubbed “freemium” games result in cases of young users racking up a bill in the range of several hundreds of dollars, to their parent’s surprise. In fact, many applications offer purchases of in-game currencies up to $99 per transaction. This model may change, for better or for worse, with the rise of cryptocurrency. As discussed above, the Bitcoin is divisible to the hundredth of a millionth degree. The mobile gaming industry could see a transition from incentivizing young players to make frequent large transactions, to mobile games charging a fraction of a Bitcoin per minute (or second) of game time. The application would likely request access to your Bitcoin wallet and simply deduct fragments of a Bitcoin for as long as the game remains active. Whether this will be a welcome change is to be determined.
Cryptocurrency and block-chain technology are causing us to rethink our current financial and cyber-social systems. The characteristics that make block-chain unique—the decentralized model, distributed ledger, individual security, sense of virtual identity—are quickly being applied in new and innovative ways. The result is a surge in new intellectual property from forward thinking firms as we move into what may be an important technological shift for many of our country’s industries.
 Coindesk, Bitcoin (USD) Price, Coindesk (last visited Jan. 2, 2018) https://www.coindesk.com/price/.
 Jay Sharma, How Bitcoin Became a Game Changer Overnight, IPWatchdog (Dec. 4, 2017), http://www.ipwatchdog.com/2017/12/04/bitcoin-game-changer-overnight/id=90519/.
 Nikhilesh De, Bank of America Wins Patent for Crypto Exchange System (Dec. 7, 2017, 3:00 UTC), https://www.coindesk.com/bank-of-america-outlines-cryptocurrency-exchange-system-in-patent-award/; the Bank of America patent granted by the USPTO is identified by United States Patent No. 9,936,790.
 Michael Mainelli, Blockchain Could Help Us Reclaim Control of Our Personal Data, Harvard Business Review (Oct. 5, 2017), https://hbr.org/2017/10/smart-ledgers-can-help-us-reclaim-control-of-our-personal-data.
 Michael del Castillo, Illinois Launches Blockchain Pilor to Digitize Birth Certificates, Coindesk (Aug. 31, 2017, 23:00 UTC), https://www.coindesk.com/illinois-launches-blockchain-pilot-digitize-birth-certificates/.
 See Mainelli, supra note 5.
 See Mainelli, supra note 5.
 Mariam Nishanian, 8 surprising places where you can pay with bicoin, Business Insider (Oct. 11, 2017 6:00 PM), http://www.businessinsider.com/bitcoin-price-8-surprising-places-where-you-can-use-2017-10/#expediacom-1.
On April 18, 2018, the SEC proposed “Regulation Best Interest,” which is the latest in a long and disputed line of proposed attempts by various governmental bodies to homogenize the duties owed by brokers and investment advisers to their respective clients. Professionals in the financial services industry and others should take note that they have until approximately July 23, 2018i to file a public comment on the proposed SEC rule, and investors should take this opportunity to educate themselves on the current differences between “brokers” and “investment advisers,” including the different standard of care that each owe their clients.
For decades, customers of the financial services industry have been confused by (if not outright unaware of) the different “standards of care” that their “brokers” and “investment advisers” have owed them.
On the one hand, “[a]n investment adviser is a fiduciary whose duty is to serve the best interests of its clients, including an obligation not to subordinate clients’ interests to its own. Included in the fiduciary standard are the duties of loyalty and care.”ii Investment advisers typically charge for their services via an annual fee assessed as a percentage of the “assets under management” (the so-called “AUM”) that the investment adviser “manages” for the client. The primary regulator of an investment adviser is either the SEC (usually for relatively larger investment advisers – i.e., those managing more than $100 million AUM) or a state securities commission (usually for relatively smaller investment advisers – i.e., those managing less than $100 million AUM).
On the other hand, brokers “generally must become members of FINRA” and are merely required to “deal fairly with their customers.”iii FINRA Rule 2111 requires, in part, that a broker “must have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information obtained through the reasonable diligence of the [broker] to ascertain the customer’s investment profile” (the “suitability” standard).iv Rather than a percentage of AUM, brokers’ compensation is typically derived from commissions they charge on each of the trades they execute for their clients. FINRA, a non-governmental organization, is the primary regulator for almost all brokers in the U.S.
At first blush, a layman retail client could easily be excused for struggling to understand the difference between the requirements of an investment adviser to “serve the best interests of its clients” and those of a broker to “deal fairly with their clients.” This confusion is exacerbated when a broker is also registered as an investment adviser, thus clouding what “hat” the advisor is wearing when dealing with a client.
Tortured Regulatory History
Regulator concern about this confusion has existed for decades. In 2004, the SEC retained consultants to conduct focus group testing to ascertain, in part, how investors differentiate the roles, legal obligations, and compensation between investment advisers and broker-dealers. The results were striking:
In general, [the focus] groups did not understand that the roles and legal obligations of investment advisers and broker-dealers were different. In particular, they were confused by the different titles (e.g., financial planner, financial advisor, financial consultant, broker-dealer, and investment adviser), and did not understand terms such as “fiduciary.”v
In 2006, the SEC engaged RAND to conduct a large-scale survey on household investment behavior, including whether investors understood the duties and obligations owed by investment advisers and broker-dealers to each of their clients. First, it should be noted, “RAND concluded that it was difficult for it to identify the business practices of investment advisers and broker-dealers with any certainty.”vi Second, RAND surveyed 654 households (two-thirds of which were considered “experienced”) and conducted six focus groups, and reported that such participants –
…could not identify correctly the legal duties owed to investors with respect to the services and functions investment advisers and brokers performed. The primary view of investors was that the financial professional – regardless of whether the person was an investment adviser or a broker-dealer – was acting in the investor’s best interest.vii
In 2010, the Dodd-Frank Act mandated the SEC to conduct a study to evaluate, among other things, “Whether there are legal or regulatory gaps, shortcomings, or overlaps in legal or regulatory standards in the protection of retail customers relating to the standards of care for providing personalized investment advice about securities to retail customers that should be addressed by rule or statute,” and to consider ”whether retail customers understand or are confused by the differences in the standards of care that apply to broker-dealers and investment advisers.”viii A conclusion of that study was as follows:
[T]he Staff recommends the consideration of rulemakings that would apply expressly and uniformly to both broker-dealers and investment advisers, when providing personalized investment advice about securities to retail customers, a fiduciary standard no less stringent than currently applied to investment advisers under Advisers Act Sections 206(1) and (2).
In 2013, the SEC issued a “request for information” on the subject of a potential “uniform fiduciary standard,”ix but never promulgated a rule after receiving more than 250 comment letters from “industry groups, individual market participants, and other interested persons[….]”x
Finally, on April 8, 2016, the U.S. Department of Labor adopted a new, expanded definition of “fiduciary” to include those who provide investment advice or recommendations for a fee or other compensation with respect to assets of an ERISA plan or IRA (in other words, certain “brokers”) (the “DOL Fiduciary Rule”). Many brokerage firms and others (such as insurance companies) made operational and licensing adjustments to prepare for the DOL Fiduciary Rule while various lawsuits were filed in attempts to invalidate the controversial rule. Most recently, the United States Court of Appeals for the Fifth Circuit vacated the DOL Fiduciary Rule on March 15, 2018.xi
“Suitability” Standard vs. “Fiduciary” Standard
The “suitability” standard of a broker is a far cry from the “fiduciary” standard of an investment adviser. As the SEC has stated, “Like many principal-agent relationships, the relationship between a broker-dealer and an investor has inherent conflicts of interest, which may provide an incentive to a broker-dealer to seek to maximize its compensation at the expense of the investor it is advising.”xii Put more bluntly, “there is no specific obligation under the Exchange Act that broker-dealers make recommendations that are in their customers’ best interest.”xiii
FINRA (including under its former name, NASD) has certainly striven to close that gap via its own interpretations and disciplinary proceedings, and has succeeded to a point. Specifically, a number of SEC administrative rulings have confirmed FINRA’s interpretation of FINRA’s suitability rule as requiring a broker-dealer to make recommendations that are “consistent with his customers’ best interests” or are not “clearly contrary to the best interest of the customer.”xiv However, the SEC has highlighted that these interpretations are “not explicit requirement[s] of FINRA’s suitability rule.”xv
This lower duty of care for brokers (as opposed to investment advisers, who have a fiduciary duty) has had and continues to have purportedly large and definitive financial consequences for retail investors:
Conflicted advice causes substantial harm to investors. Just looking at retirement savers, SaveOurRetirement.com estimates that investors lose between $57 million and $117 million every day due to conflicted investment advice, amounting to at least $21 billion annually.xvi
A 2015 report from the White House Council of Economic Advisers (CEA) estimated that –
[…]conflicts of interests cost middle-class families who receive conflicted advice huge amounts of their hard-earned savings. It finds conflicts likely lead, on average, to:
- 1 percentage point lower annual returns on retirement savings.
- $17 billion of losses every year for working and middle class families.
SEC”S NEWLY-PROPOSED “REGULATION BEST INTEREST”
Despite the controversy over the DOL Fiduciary Rule and its recent, apparent defeat, the SEC has been working under the guidance of Chairman Jay Clayton since 2017 to finally rectify the confusion among investors as to the different standards of care applicable to brokers versus investment advisers.xvii
The latest development in that regard has been the proposal by the SEC of “Regulation Best Interest” (“Reg. BI”) on April 18, 2018.xviii The proposed rule is significant in its proposed breadth. Subparagraph (a)(1) of the proposed rule would provide as follows:
A broker, dealer, or a natural person who is an associated person of a broker or dealer, when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer, shall act in the best interest of the retail customer at the time the recommendation is made, without placing the financial or other interest of the broker, dealer, or natural person who is an associated person of a broker or dealer making the recommendation ahead of the interest of the retail customer.xix
This is a sea change in the duty of care owed by brokers to their retail clients, as it would effectively enhance a broker’s duty of care to approximate that of an investment adviser’s (at least in regard to retail clients).xx
To satisfy the “best interest” obligation in subparagraph (a)(1), subparagraph (a)(2) of Reg. BI would impose four component requirements: a Disclosure Obligation, a Care Obligation, and two Conflict of Interest Obligations.xxi
For the “Disclosure Obligation,” subparagraph (a)(2)(i) of Reg. BI would require the broker to –
reasonably disclose to the retail customer, in writing, the material facts relating to the scope and terms of the relationship with the retail customer, including all material conflicts of interest that are associated with the recommendation.xxii
For the “Care Obligation,” subparagraph (a)(2)(ii) of Reg. BI would require the broker to “exercise reasonable diligence, care, skill, and prudence to” do the following:
(A) Understand the potential risks and rewards associated with the recommendation, and have a reasonable basis to believe that the recommendation could be in the best interest of at least some retail customers;
(B) Have a reasonable basis to believe that the recommendation is in the best interest of a particular retail customer based on that retail customer’s investment profile and the potential risks and rewards associated with the recommendation; and
(C) Have a reasonable basis to believe that a series of recommended transactions, even if in the retail customer’s best interest when viewed in isolation, is not excessive and is in the retail customer’s best interest when taken together in light of the retail customer’s investment profile.xxiii
Finally, for the two “Conflict of Interest Obligations,” subparagraph (a)(2)(iii) of Reg. BI would require the following:
(A) The broker or dealer establishes, maintains, and enforces written policies and procedures reasonably designed to identify and at a minimum disclose, or eliminate, all material conflicts of interest that are associated with such recommendations.
(B) The broker or dealer establishes, maintains, and enforces written policies and procedures reasonably designed to identify and disclose and mitigate, or eliminate, material conflicts of interest arising from financial incentives associated with such recommendations.xxiv
Furthermore, Reg. BI would expand the SEC’s records requirement rules (i.e., Rules 17a-3 and 17a-4) to provide that “[f]or each retail customer to whom a recommendation of any securities transaction or investment strategy involving securities is or will be provided,” a broker obtain and maintain for six years “[a] record of all information collected from and provided to the retail customer pursuant to [Reg. BI].”xxv
The SEC’s proposed “Regulation Best Interest” is a significant proposal that could have far-reaching impact across the securities brokerage and other segments of the financial services industries. Whether this latest regulatory effort to establish a more consistent standard of care for brokers and investment advisers will succeed is unknown, but the proposed rule is certainly an aggressive step in that regard.
All those interested will have until approximately July 23, 2018 to file a public comment on the proposed rule. Meanwhile, investors should take this opportunity to educate themselves on the current differences between “brokers” and “investment advisers,” including the different standard of care that each owe their clients.
i The specific date will be established once the proposed rule is published in the Federal Register.
ii Staff of the U.S. Securities and Exchange Commission, Study on Investment Advisers and Broker-Dealers As Required by Section 913 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Jan. 2011) (“Study”), at iii, available at www.sec.gov/news/studies/2011/913studyfinal.pdf.
iii Study at iv.
iv FINRA Rule 2111(a), available at http://finra.complinet.com/en/display/display.html?rbid=2403&record_id=15663&element_id=9859&highlight=2111#r15663, as of April 23, 2018.
v Study at 96.
vi Study at 97.
vii Study at 98.
viii Study at i.
ix See Request for Data and Other Information: Duties of Brokers, Dealers and Investment Advisers, Exchange Act Release No. 69013 (Mar. 1, 2013), available at http://www.sec.gov/rules/other/2013/34-69013.pdf.
x Regulation Best Interest, Exchange Act Release No. 34-83062 (April 18, 2018) (“Reg. BI Proposal”), at 20, available at https://www.sec.gov/rules/proposed/2018/34-83062.pdf.
xi Reg. BI Proposal at 27.
xii Reg. BI Proposal at 7.
xiii Reg. BI Proposal at 8.
xiv Reg. BI Proposal at 14, fn. 15.
xv Reg. BI Proposal at 8, fn. 6.
xvi Reg. BI Proposal at 20, fn. 28, quoting Letter from Marnie C. Lambert, President, Public Investors Arbitration Bar Association (Aug. 11, 2017) (“PIABA Letter”).
xvii Chairman Jay Clayton, Public Comments from Retail Investors and Other Interested Parties on Standards of Conduct for Investment Advisers and Broker-Dealers, Public Statement, June 1, 2017, available at https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
xviii See Reg. BI Proposal.
xix Reg. BI Proposal, at 404.
xx In a related SEC proposal regarding investment advisers that was also dated April 18, 2018, the SEC stated that “[a]n investment adviser’s fiduciary duty is similar to, but not the same as, the proposed obligations of broker-dealers under Regulation Best Interest,” and that “we are not proposing a uniform standard of conduct for broker-dealers and investment advisers in light of their different relationship types and models for providing advice[….]” See Proposed Commission Interpretation Regarding Standard of Conduct for Investment Advisers; Request for Comment on Enhancing Investment Adviser Regulation, Investment Advisers Act Release No. IA-4889 (April 18, 2018), available at https://www.sec.gov/rules/proposed/2018/ia-4889.pdf.
xxi Reg. BI Proposal, at 404.
xxii Reg. BI, subparagraph (B), Reg. BI Proposal, at 404.
xxiii Reg. BI Proposal, at 404-405.
Subparagraph (b)(2) of Reg. BI would define “retail customer’s investment profile” as including, but not be limited to, “the retail customer’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the retail customer may disclose to the broker, dealer, or a natural person who is an associated person of a broker or dealer in connection with a recommendation.” Reg. BI Proposal, at 406.
xxiv Reg. BI Proposal, at 405.
xxv Reg. BI Proposal, at 406-407
A Pastore & Dailey client recently prevailed in a FINRA Arbitration against a broker dealer firm regarding compliance failures and unsuitable investments solicited by the broker. The arbitration took place in Houston, Texas. Pastore & Dailey was co-counsel with a well known former general counsel of a large securities firm. Our client asserted claims arising from oil and gas master limited partnerships for breach of fiduciary duty, negligence, failure to supervise, unsuitability, misrepresentation, violation of the Florida Securities and Investor Protection Act, Fla. Stat. § 517.301, and breach of contract. Our client was ultimately awarded both damages and attorneys fees.
Last week, on January 8, 2018, the Securities and Exchange Commission (“SEC”) suspended trading of UBI Blockchain Internet, Ltd. (“UBI”) stock until January 22, 2018. UBI, formerly JA Energy, is a Hong Kong-based technology firm focusing on the Blockchain technology underlying cryptocurrency. Coincidently, one of the focuses of this over-the-counter traded company is on the application of the distributed ledger technology to trace food and drug products from the producer to the consumer. According to UBI’s legal counsel, the motivation behind this innovation is to prevent counterfeit products.
The erratic behavior of UBI shares caught the eyes of the SEC in early December as the company’s stock sky-rocketed in price. On December 1, 2017, shares of UBI were trading at $6.12, and just eighteen days later, the value had swiftly rose to $83.00 per share, and even selling as high as $115.00 per share. The subsequent decline in value was just as precipitous. Within a week of its peak, the value of UBI stock had fallen to $29.00 per share and further down to $22.00 per share before the close of the 2017 year. The freeze on trading allows the SEC an opportunity to investigate the causes of the sudden and drastic changes in the firm’s stock activity.
The SEC is tasked with closely monitoring the trading activity of publicly traded companies. Spikes in value and in the volume of trades within the market, like those seen here with UBI, raise red flags for the SEC to act upon. Pursuant to Section 12(k) of the Securities Exchange Act of 1934, the SEC may temporarily suspend the trading in particular securities pending an investigation. In the case of UBI, the commission cited two distinct justifications for its suspension: concerns with (1) the accuracy of assertions dating back to September 2017 regarding the company’s business operations; and (2) the unusual and unexplained market activity in the company’s Class A common stock since November 2017. It remains to be seen whether the cause of the fluctuation was caused by SEC violations or by a frenzy as the market responded to UBI’s pharmaceutical application of the Blockchain technology.
 U.S. Securities and Exchange Commission, Securities Exchange Act od 1934: Release No. 82452, https://www.sec.gov/litigation/suspensions/2018/34-82452.pdf (last visited January 14, 2018, 3:05 PM).
 Matt Robinson, Crypto Stock That Surged 900% in 2017 is Hit With SEC Halt, Bloomberg (Jan. 8, 2018, 10:39 AM), https://www.bloomberg.com/news/articles/2018-01-08/crypto-stock-that-surged-900-percent-in-2017-gets-sec-suspension.
 Cory Johnson, How One Mysterious Startup is Riding the Bitcoin Wave, Bloomberg (Dec. 27, 2017, 12:17 PM), https://www.bloomberg.com/news/articles/2017-12-27/bedwetting-to-blockchain-how-one-startup-rode-the-bitcoin-craze.
 UBI Blockchain Internet Ltd., Marketwatch, https://www.marketwatch.com/investing/stock/ubia/charts (last visited January 14, 2018, 3:07 PM).
 See supra note 1.
 See supra note 1.
- Do you have an effective Vendor Management Policy?
- Do you have an effective Vendor Due Diligence Questionnaire?
- How frequently do you receive vendor compliance audits?
- Do you have an internal Cyber Management Structure?
- Do you have a CISO? Who does s/he report to?
All financial institutions rely on third-party service providers. This introduces cybersecurity risks through connected systems and insider threats. Regulators are placing heightened scrutiny on third-party risk management. As the FDIC says, “a bank can outsource a task, but it cannot outsource the responsibility.”
On Thursday, December 12, 2017, P&D Partner John “Jack” Hewitt will co-host a webinar on cybersecurity. Join our panel of highly-experienced financial and security experts to explore:
Cyber risks created by third parties
What regulators expect from community banks
How to confront cyber risks within your vendor risk management strategy
The webinar, entitled “Third-Party Cyber Risk: From Compliance to Enterprise Risk Management” will focus on cyber risks connected with financial institutions’ reliance on third-party service providers and the relevant regulatory requirements.
This webinar will address the increasing cyber risks involved in the use of third party vendors by banks. It will assess some of the most recent vendor breaches including the Scottrade Bank’s breach. This will include a detailed review of Vendor Management Policies that provide guidance to ensure the security of a firm’s network when being used by its Vendors. It will address all the applicable risk elements including compliance risk, strategic risk, operational risk and others.
Discussions will include due diligence in vendor selection including the development of an effective DDQ, the review of vendor’s cybersecurity program, their use of sub-contractors and insurance coverage. The discussion will review the analysis of all outsourced processes, procedures, and practices relevant to bank’s business to be monitored on a regular basis. This will encompasses all system resources that are owned, operated, maintained, and controlled by vendors and all other system resources, both internally and externally, that interact with these systems.
The panel will review vendor contract provisions that address: internal vendor controls, vendor audits, receipt of copies of all Vendor compliance audits, confidentiality and security procedures, encryption of PII, regulatory compliance, cyber-insurance coverage, business continuity planning, subcontracting, encryption, incident reporting, non-disclosure agreements, data storage, document retention and delivery, breach notification responsibilities, vendor employee access limitations, vendor obligations upon contract termination and an exit strategy.
Included in this will be a discussion of the NYS DFS Cybersecurity Regulation, the DFS Third-Party Service Provider Requirement.
For additional information and to register click here.