Timothy M. Simons, CFA, CIPM, CSCP
Focus 1 Associates LLC
December 26, 2017
Out With the Old, In With the New:
Happy Holidays to everyone.
There are a few things that have piqued my interest these last few weeks: (1) the SEC has five Commissioners for the first time in over two years; (2) FINRA has released a consolidated report of findings on recent exams (maybe the first time ever); and (3) the interesting case involving Forum Financial Management.
On December 22, the full Senate confirmed Republican Hester Peirce and Democrat Robert Jackson as Commissioners at the SEC. Peirce and Jackson support the SEC moving forward on the fiduciary rule in coordination with the Department of Labor (“DOL”), but agree that other priorities may need to be dealt with first, such as increasing the number of investment adviser examinations. Over the last few years, the SEC has increased the number of examinations each year, but in some years the investment adviser population has increased by almost as many advisers as the additional exams conducted.
On December 6, the Financial Industry Regulatory Authority (“FINRA”) released its “Report on FINRA Examination Findings.” Traditionally, FINRA examination findings were provided only to the firm being examined and no one else. “Some firms have requested that FINRA make generally available a summary of observations from the cycle examination program, so that they can further improve their compliance functions based on the experiences of other firms, and better anticipate and address potential areas of concern well before their own cycle examinations. This report focuses on selected observations from recent examinations that FINRA considers worth highlighting due to their potential impact on investors and markets or the frequency with which they occur.”
Although I don’t normally reflect on issues in the BD world, I think it would be a worthwhile effort for us to at least read through this report, only 14 pages long, which includes selected examination findings. The one section of the report that I suggest everyone read is on Cybersecurity.
“FINRA has seen a significant increase in firms’ attention to cybersecurity challenges over the past two years, including at the executive management level. Awareness about cybersecurity risk has increased substantially. Most firms we examined have established, or were establishing, risk management practices, although the quality of those practices varied substantially both within and across firms. In some cases, firms adopted and executed, on an ongoing basis, formal risk management practices that executive management approved and applied on a consistent, firmwide basis. And some of the firms we regulate are leaders in developing and adopting cutting-edge cybersecurity practices.”
Selected examination findings in cybersecurity included:
Access Management – Firms did not address basic access management issues such as terminating departing employees’ access to firm systems on a timely basis. Firms did not implement procedures to detect anomalies such as a privileged user assigning herself or himself extra access rights, performing unauthorized work during off-hours or logging in from different geographic locations concurrently.
Risk Assessments – Some firms did not have formal processes to conduct ongoing risk assessments of their data, systems and applications, and could not effectively identify their critical assets and the potential risks to those assets.
Vendor Management – Some firms did not have formal processes to review a prospective vendor’s cybersecurity preparedness or to ensure new vendors have appropriate protections in place.
Segregation of Duties – Some medium- and small-sized firms did not segregate the responsibilities for requesting, implementing, and approving cybersecurity rules and systems changes.
Data Loss Prevention – FINRA observed that while larger- and medium-sized firms had implemented data loss prevention tools, there were opportunities to strengthen those implementations, including broadening rules that prevent transmission of Social Security numbers to include additional sensitive data such as customer account numbers, and establishing thresholds to flag or block large file transfers to outside and untrusted recipients.
There are also a number of good references in the Endnotes.
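The Access Management finding above names specific anomalies a firm should be able to detect. The following Python sketch is an added example, not part of the FINRA report or the original newsletter; it checks a small audit log for self-assigned rights, off-hours privileged activity, concurrent logins from different locations, and access by a departed employee. The event format, account names, working hours and one-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not from the FINRA report):
# (timestamp, actor, action, detail). For "grant", detail is the account receiving
# rights; for "login", detail is the source location.
EVENTS = [
    ("2017-12-04T09:15:00", "asmith", "login", "Chicago"),
    ("2017-12-04T09:40:00", "asmith", "login", "Singapore"),
    ("2017-12-04T10:05:00", "admin1", "grant", "bjones"),
    ("2017-12-05T02:30:00", "admin1", "grant", "admin1"),
    ("2017-12-06T11:00:00", "cdoe", "login", "Chicago"),
]
PRIVILEGED = {"admin1"}                      # hypothetical privileged accounts
TERMINATED = {"cdoe": "2017-12-01T17:00:00"}  # hypothetical HR departure times


def find_anomalies(events, privileged, terminated,
                   work_hours=(7, 19), geo_window=timedelta(hours=1)):
    """Return sorted (rule, actor, timestamp) findings for four access rules."""
    findings = set()
    last_login = {}  # actor -> (time, location) of most recent login
    for ts, actor, action, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        # Departed employee whose access was not removed in time.
        left = terminated.get(actor)
        if left and when > datetime.fromisoformat(left):
            findings.add(("post_termination_access", actor, ts))
        # Privileged user assigning rights to his or her own account.
        if action == "grant" and actor == detail:
            findings.add(("self_granted_rights", actor, ts))
        # Privileged activity on a weekend or outside working hours.
        off_hours = when.weekday() >= 5 or not (
            work_hours[0] <= when.hour < work_hours[1])
        if actor in privileged and off_hours:
            findings.add(("privileged_off_hours", actor, ts))
        # Same account logging in from two locations within the window.
        if action == "login":
            prev = last_login.get(actor)
            if prev and prev[1] != detail and when - prev[0] <= geo_window:
                findings.add(("concurrent_geo_login", actor, ts))
            last_login[actor] = (when, detail)
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_anomalies(EVENTS, PRIVILEGED, TERMINATED):
        print(finding)
```

In practice the termination list would come from the HR system of record and the events from directory and VPN logs, so the check is only as timely as those feeds.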
Forum Financial Management
“You know, it starts out small,” ex-Forum Financial Management partner William P. Carlson Jr. allegedly told the company’s compliance officer after he was caught. “You think you are going to pay it back.”
Carlson began stealing from his 63-year-old client in November 2012 and continued doing so until December 2016, according to the SEC. Upon noticing that her account with the firm’s custodian had only $48 left in it, rather than the $884,000 shown on a faked statement from Forum, the client triggered the investigation, prosecutors said. Investigators said Carlson arranged for the checks to be sent at times he knew his client would be away. He used tracking information from the custodian to pick up the checks from her home before she could see them, FBI agents said. In all, Carlson forged the victim’s signature on 16 different checks ranging from $6,500 to $97,000 for a total of $437,000 over three years, according to regulators. Carlson then used the fake endorsements to deposit the checks into his own account, investigators said.
The SEC charged Carlson, 53, in a parallel civil action with cheating his client out of at least $911,000 through 41 secret withdrawals from her account. His Chicago-area RIA firm fired Carlson and alerted the agency after finding out about the theft, according to the firm.
Carlson confessed to the scheme in a phone conversation with Forum’s compliance officer on Feb. 6, according to the FBI. The company then transferred $1.1 million into the victim’s account to compensate her for the stolen funds and other expenses, prosecutors said. Carlson himself gave the compliance officer a check for $200,000 and said he was willing to sign a promissory note for the rest of the funds. A review by the company indicated that no other accounts were affected.
Carlson told FBI agents that he preyed on his client “in order to support his lifestyle, because he was short of money,” according to the complaint. In addition to making restitution, Carlson will be adjusting his lifestyle while serving 4.5 years in federal prison.
I am really glad Congress decided to put the teeth back in the SEC, with a full complement of leadership to start the New Year.
Although I have little to do with FINRA, I am really glad that they decided to give member firms some perspective on the results of their examinations.
I am also glad that we have the SEC and the FBI to help us keep our industry clean. I know they can be difficult to deal with at times, especially when they appear to not understand how the industry works, but I like it when the bad guys have to pay restitution and serve prison time.
Best wishes for the New Year.