Investment Management

Posted on Friday, November 17 2017 at 8:38 am by

SEC Announces Enforcement Results, Sets New Priorities

By Paul Foley, John I. Sanders, and Lauren Henderson

On November 15, 2017, the SEC announced the results of its enforcement actions for fiscal year 2017 and stated its enforcement priorities for fiscal year 2018.

During fiscal year 2017, the SEC brought 754 enforcement actions, returned $1.07 billion to harmed investors, and obtained judgments and orders totaling $3.789 billion in disgorgement and penalties.[i] Of the 754 enforcement actions, 446 were standalone cases.[ii] Investment advisory issues, securities offerings, and issuer reporting each accounted for 20% of the standalone cases, roughly in line with fiscal year 2016 results.[iii]

In the current fiscal year, the following five core principles will guide the SEC’s enforcement actions:[iv]

  • Focus on Main Street (i.e., unsophisticated) investors
  • Focus on individual accountability (as opposed to organizational accountability)
  • Keep pace with technological change
  • Impose sanctions that most effectively further enforcement goals
  • Assess the allocation of resources

Both the enforcement results for the recently completed fiscal year and the stated priorities for the current fiscal year reflect Chairman Clayton’s oft-articulated dedication to the SEC’s mandates: protect investors, maintain fair and efficient markets, and facilitate capital formation.

If you have any questions about the SEC enforcement actions or enforcement priorities, please feel free to contact us directly.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices. John I. Sanders and Lauren Henderson are associates based in the firm’s Winston-Salem office.

[i] SEC, SEC Enforcement Division Issues Report on Priorities and FY 2017 Results (Nov. 15, 2017), available at https://www.sec.gov/news/press-release/2017-210.

[ii] Id.

[iii] Id.

[iv] Id.

Posted on Wednesday, July 26 2017 at 8:58 am by

Six Ways to Improve Cybersecurity Policies and Procedures

By Paul Foley and John I. Sanders

The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1]  While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2]  This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity.  Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]

1. Passwords. The SEC has recommended that investors choose a strong password (i.e., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4]  Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.

2.  Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (e.g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5]  Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.

3.  Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6]  When an investor does use a public computer, the SEC recommends investors take the following precautions:  disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7]  Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.

4.  Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8]  Many financial institutions have a secure website already, but those that do not may want to consider implementing one.

5.  Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and to confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9]  In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances.  Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of the link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.

6.  Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10]  In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions.  Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (e.g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).

Please contact us if you have any questions about this article or the SEC’s cybersecurity guidance.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf;  SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.

[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of resources for both investors and securities industry professionals related to cybersecurity).

[3] SEC, Updated Investor Bulletin:  Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

Posted on Tuesday, January 17 2017 at 8:39 am by

SEC Announces 2017 Exam Priorities

By Paul Foley and John I. Sanders

Each year, the SEC’s Office of Compliance Inspections and Examinations (the “OCIE”) releases its priorities for the upcoming year.  For regulated entities such as investment companies and investment advisers, the release of the OCIE’s priorities is highly significant.  The reason, simply put, is that your regulator’s priorities must also be your own priorities.

Among the OCIE’s newly released examination priorities for 2017 are the following:[i]

  • Never-Before Examined Investment Advisers
  • Cybersecurity compliance procedures and controls
  • Robo-advisors’ marketing, recommendation formulation, and security procedures
  • ETF exemptive relief compliance, sales practices, and risk disclosures
  • Elder abuse detection and prevention practices
  • Money market funds’ compliance with the newly effective rules
  • FINRA oversight

We agree with the OCIE Director who stated earlier this week that the release of examination priorities is an important opportunity for regulated entities to evaluate their own compliance programs and make the necessary enhancements prior to examinations.[ii]  Therefore, we encourage you to read the full text of the SEC announcement, consider your compliance programs in the prioritized areas, and contact us with any questions you may have.

 

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s New York and Winston-Salem, North Carolina offices.  John Sanders is an associate based in the firm’s Winston-Salem office.

[i] SEC, SEC Announces 2017 Examination Priorities (Jan. 13, 2017), https://www.sec.gov/news/pressrelease/2017-7.html.

[ii] Id.