Compliance Building

Broker-Dealer and Investment Advisers Hit with Violation of Whistleblower Protections

In response to a Congressional mandate in Dodd-Frank, the Securities and Exchange Commission adopted Rule 21F-17 in August 2011, which provides:

(a) No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.

In prior enforcement actions, the SEC has aggressively pursued actions against firms who have tried to limit the ability of its customers or employees to report violations. Against CBRE, the SEC did not like its form of separation agreement that had a representation that the departing employee had not already filed a compliant. The SEC did not like that Monolith Resources tried to limit whistleblowers by allowing them to report, but not retain any financial rewards for reporting.

A recent case is the first I recall that is taken against a broker-dealer or investment adviser. The order found that Nationwide Planning Associates, Inc. and investment adviser NPA Asset Management, LLC, and state-registered investment adviser Blue Point Strategic Wealth Management, LLC, impeded brokerage customers and advisory clients from reporting securities law violations to the SEC.

The offending language:

“The Recipient represents that [she / he] shall forever keep completely confidential all of the above terms of this Agreement and shall direct all those in privity with them (including their attorneys, CPAs, etc.) to keep the same completely confidential. The Recipient further represent[s] that [she / he] will forever refrain from any discussion, narration, or disclosure of any transaction, circumstance, conversation, or any other aspect of the Recipient relationship with any and all of the Company, with any person or entity.” …

“The confidentiality and non-disclosure provision does not prohibit the Recipient from responding to any unsolicited inquiry (i.e., an inquiry not resulting from or attributable to any actions taken by Recipient or by any third party at Recipient’s direction) about the Agreement or its underlying facts and circumstances initiated by any state, federal or self-regulatory commission or authority that regulates the business or activities of registered investment advisers or their representatives.”

I believe its okay to have the confidentiality provision in the first paragraph, as long as you have a carve-out for reporting to regulators.

These firms tried to get cute by saying the confidentiality provision didn’t apply if the regulators initiated the inquiry. It would still prevent reporting to the regulators by the client.

That’s an impediment to reporting an a violation of Rule 21F-17.

Sources:

Explicit Anti-Money Laundering/Countering the Financing of Terrorism Rules Put in Place for Investment Advisers

Investments advisers had been excluded the definition of “financial institution” under the Bank Secrecy Act. At least until today. The Financial Crimes Enforcement Network at Treasury issued a final regulation today that changes that exclusion. Most registered investment advisers are now included in the definition and will have to comply with the strict requirements of the Bank Secrecy Act.

The compliance date is January 1, 2026.

“The final investment adviser rule will apply anti-money laundering/countering the financing of terrorism (AML/CFT) requirements—including AML/CFT compliance programs and suspicious activity reporting obligations—to certain investment advisers that are registered with the U.S. Securities and Exchange Commission (SEC), as well as those that report to the SEC as exempt reporting advisers. The rule will help address the uneven application of AML/CFT requirements across this industry.”

Registered investment advisers will need to get up to speed on filing Suspicious Activity Reports and the other requirements of the BSA.

Sources:

Another Terrible Pay-to-Play Case

Just in time for a governor to be selected to the presidential ticket, the Securities and Exchange Commission levied a big fine for violating the Pay-to-Play Rule for Investment Advisers.

Obra Capital Management was the sponsor and adviser to a closed-end, private fund. The Michigan Public Employees’ Retirement Fund made a $100 million commitment to the fund in 2017. The state had no right to withdraw from the Obra fund.

In 2019 Person1 made a $7150 campaign contribution to a Michigan government official. Person1 was not employed by Obra at this time. Presumably, the official was Governor Whitmer, although not specifically stated in the Order. The Governor meets the definition of an elected official who can indirectly influence investment decisions.

Six months later, in mid-2020, Obra hired Person1 to a position that would be considered a “covered associate” under the Pay-to-Play Rule. After being hired, Person1 sought return of the campaign contribution and was successful in getting it back.

That return of funds did not meet the requirements of the Rule.

Obra was censured and had to pay a $95,000 fine.

Seems like the SEC didn’t care that Michigan’s investment decision had already been made, or that the contribution was made well before employment, or that the contribution was made in accordance with state campaign restrictions, or that there was no evidence of deception, fraud or malfeasance.

Sources:

In the Matter of Obra Capital Management IA Rel 6662

Another Half-Billion in Fines for Texting

The Securities and Exchange Commission and the Commodity Futures Trading Commission levied another $475 million in fines against broker-dealers, investment advisers and commodities firms. Ameriprise, Edward D. Jones, LPL and Raymond James each paid a $50 million fine. Millions in fines because firm employees were texting with clients and business partners.

The order against P. Schoenfeld Asset Management LP provided some insight on the SEC’s approach toward investment advisers and fund managers. PSAM is registered as an investment adviser. It is not broker-dealer or dually registered as a BD-IA.

The SEC points out four areas of records that are required under the IA record-keeping requirements:

(a) any recommendation made or proposed to be made and any advice given or proposed to be given;
(b) any receipt, disbursement, or delivery of funds or securities;
(c) the placing or execution of any order to purchase or sell any security; or
(d) predecessor performance and the performance or rate of return of any or all managed accounts, portfolios, or securities recommendations.

PSAM’s policy was that ’employees were “prohibited from conducting PSAM business using any other electronic communication services . . . or accounts not provided by PSAM”’. That is probably broader than the SEC record-keeping rule requires.

Even with its stricter policy, PSAM appears to have breached the record-keeping requirements. The Order refers to “pervasive off-channel communications.” The SEC examiners found records in these other platforms that were required to be retained. As an example, off-channel communications were sent to and from PSAM clients, counterparties, and other financial industry participants.

It sounds to me like SEC examiners looked at personal devices.

More Reading:

The One with Insufficient Compliance Resources

The Bank Secrecy Act requires broker-dealers to file suspicious activity reports. Under the SAR Rule (31 C.F.R. § 1023.320(a)(2)), every broker-dealer has to file a report for a transaction of at $5000 that

Involves funds derived from illegal activity or is intended or conducted in order to hide or disguise funds or assets derived from illegal activity
Is designed to evade any requirements under the Bank Secrecy Act
Has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage
Involves use of the broker-dealer to facilitate criminal activity

That’s all a bit vague. So FINRA has produced a list of more actionable items, most recently compiled in FINRA Regulatory Notice 19-18 (May 2019).

There are vendors who sell software that will monitor transactions and flag those that meet the criteria in the FINRA Notice.

OTS Link used one of those automatic surveillance systems. For the first six months of 2021 the system raised over 1800 alerts for transactions to be reviewed. For those 300 alerts a month, the compliance team at OTS Link only devoted 5 hours a month. No surprise, they failed to investigate any or file any SARs.

In the Order, the SEC says that if OTS Link had properly surveilled transactions it would have spotted:

(a) a large volume of thinly-traded, low-priced securities;
(b) a sudden spike in investor demand for, coupled with a rising or decreasing price in, thinly-traded, low-priced securities;
(c) suspicious manipulative, pre-arranged or wash trading activity;
(d) subscribers who were publicly known to be the subject of criminal, civil or regulatory actions for crime, corruption, or misuse of public funds.

In response to the SEC exam, OTS Link added two people to its AML compliance team and hired a third-party compliance consultant to review the program.

The SEC order mandates additional reporting and levied a $1.19 million fine. You either pay for compliance or you PAY for compliance failure.

Sources:

The One with the Model Portfolio on the Website

The Marketing Rule, Advisers Act Rule 206(4)-1, Section (e)(1) defines hypothetical performance as “performance results that were not actually achieved by any portfolio of the investment adviser and includes, but is not limited to:

Targeted or projected performance returns with respect to any portfolio or to the investment advisory services with regard to securities offered in the advertisement.
Performance derived from model portfolios;
Performance that is backtested by the application of a strategy to data from prior time periods when the strategy was not actually used during those time periods; and
Targeted or projected performance returns with respect to any portfolio or to the investment advisory services with regard to securities offered in the advertisement.”

It’s okay to use hypothetical performance in your marketing materials, IF (that’s a big if) the adviser adopts and implements policies and procedures reasonably designed to ensure that the performance is relevant to the likely financial situation and investment objectives of the intended audience of the advertisement. (See section (d)(6)(i) of the Marketing Rule)

In the release, the SEC states

We believe that advisers generally would not be able to include hypothetical performance in advertisements directed to a mass audience or intended for general circulation. In that case, because the advertisement would be available to mass audiences, an adviser generally could not form any expectations about their financial situation or investment objectives. (See page 220)

Earlier this spring the SEC brought enforcement actions against five firms for publishing hypothetical performance on their websites. The SEC just found another firm who published returns from model portfolios on its website. See IA Release 6646.

It’s become very clear that model portfolio returns do not belong on a firm’s website.

Sources:

The One With the Fake Gatekeepers

If you’re going to commit financial fraud, you need to figure out a way not only to deceive your “investors” but also the gatekeepers involved in the process. Your auditor is going to ask questions and not issue financial statements if there is fraud. Your prime broker and custodian are going to ask questions. Hedonova found a way around this.

Lie about them. Say you are using Northern Trust as your custodian. Say you are using Deloitte as your auditor. But don’t actually engage them. At least that’s what the SEC claims in its complaint.

The pitch for investors is interesting. Be a part of group ownership of alternative investments: art, startups, wine, music royalties, real estate, agriculture holdings, litigation finance, etc. A fund full of alternative assets. Hedonova claims to be a “mutual fund.”

This sounds rife with problems to me. Valuations are challenging and sourcing opportunities is hard. Finding and retaining personnel is hard. Each of these alternative classes require their own expertise.

The SEC began poking around and found most of its claims about its gatekeepers were not true and had not been engaged by Hedonova.

The SEC has uncovered millions of dollars sent to Hedonova. It has not been able to identify it purchased much, if any, assets. The firm principals are oversees and, according to the SEC, are not cooperating.

As for the Hedonova website, it’s a buffet of items to stare at under the lens of the Marketing Rule. I might use it for my compliance class in the fall.

Hedonova also has used a bunch of fin-fluencers. I found a bunch of junky stories on blogs and social media platforms spewing out the virtues of Hedonova. (I’m not going to bother linking to them.)

Sources:

SEC Alleges Fraudulent Securities Offering of Alternative Assets
Securities and Exchange Commission v. Hedonova LLC and Hedonova Advisors LLC, Civil Action No. 2:24-cv-05293
Complaint against Hedonova
Hedonova Form ADV Filing

Supreme Court Limits SEC Internal Tribunals

“When the SEC seeks civil penalties against a defendant for securities fraud, the Seventh Amendment entitles the defendant to a jury trial.”
SEC v. Jarkesy

The case presented three issues:

(1) Whether statutory provisions that empower the Securities and Exchange Commission to initiate and adjudicate administrative enforcement proceedings seeking civil penalties violate the Seventh Amendment.
(2) Whether statutory provisions that authorize the SEC to choose to enforce the securities laws through an agency adjudication instead of filing a district court action violate the nondelegation doctrine.
(3) Whether Congress violated Article II by granting for-cause removal protection to administrative law judges in agencies whose heads enjoy for-cause removal protection.

The Supreme Court ruled on the first item and didn’t address the other two. Fights for another day.

Dodd-Frank granted the Securities and Exchange Commission broader rights to use its internal administrative law tribunals for non-registered parties. [Section 929P(a)]. Of course with the addition of private fund managers by Dodd-Frank, the world of non-registered parties got smaller.

Mr. Jarkesy and his Patriot28 fund were investigated by the SEC for inflating the fund values and lying about its service providers prior to Dodd-Frank. It decided to charge them using the in-house tribunal by using its new authority under Dodd-Frank. Mr. Jarksey lost the decision in 2014 and has been fighting ever since.

The Supreme Court decision looks at the Public Rights Exception to Article III jurisdiction. This exception allows some matters to go through administrative law proceedings and don’t require Article III proceedings. The Supreme Court essentially determines that civil penalties are designed to punish and deter and not compensate. Therefore, a case seeking civil penalties can’t go through the in-house tribunal.

Sources:

SEC v. Jarkesy 2023
In conservative win, Supreme Court limits use of SEC in-house tribunals by Justin Jouvenal and Ann E. Marimow in The Washington Post
Writ of Certiorari in SEC v. Jarkesy

Quishing Attacks

This is a new term to me.

Quishing:

a business email compromise (BEC) attack that uses QR codes in embedded PDF documents to redirect victims to phishing URLs.

There is a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which apparently has a user-friendly interface to enable the orchestration of phishing attacks. Good to know there are services making it easy to launch cyber attacks.

This new approach uses QR codes embedded in PDF documents to direct victims to the bad URL. I think we are all getting better at spotting bad links and avoiding them. QR codes input the URL without you getting a good look at it. At interesting vulnerability. Plus you are likely using a mobile device to scan the QR code and redirect to the website. Most mobile devices are personal don’t have the robust enterprise protections of the office device.

This new Quishing Attack takes you to a face Microsoft 365 login page and has some hacks to get around two-factor authentication.

The Quishing attacks were first targeted at financial institutions. This must have included broker-dealers because FINRA published an alert.

Sources:

The One With Performance an Acre Apart from Reality

Reviewing the actions filed against other fund managers by the Securities and Exchange Commission helps me see what the SEC thinks are bad actions. When I started reading the case against Twenty Acre Capital I was hoping to gain some insight into the Marketing Rule.

Twenty Acre is a registered investment adviser and advises a private fund. Twenty Acre presented performance returns, as one does, in the marketing materials for the fund. The Marketing Rule applies. [Advisers Act Rule 206(4)-1 Release No. IA-5653 (Dec. 22, 2020) (effective May 4, 2021)]

The Marketing Rule prohibits and adviser from publishing an advertisement that would

“(1) Include any untrue statement of a material fact, or omit to state a material fact necessary in order to make the statement made, in the light of the circumstances under which it was made, not misleading; … or Include or exclude performance results, or present performance time periods, in a manner that is not fair and balanced.”
See Advisers Act Rule 206(4)-1(a)

Twenty Acre published “performance returns that were experienced by a single limited partner that had invested in the Fund at inception and was eligible for all Fund investments.” That sounded like this might be an insightful look at performance advertising. This one investor’s performance differed from the Fund’s overall performance because some IPO investments the Fund had made were credited to the investor’s capital account in greater proportion than other investors’ capital accounts. The investors that didn’t get the IPO investments were restricted by FINRA Rules 5130 and 5131.

Twenty Acre didn’t note that the performance presented was just for the one investor and not the fund as a whole. Of course, that seems like a mistake. But an enforcement action seemed like a lot for failing to footnote.

Then I read the difference and spit coffee all over my computer screen. The one investor achieved a 44.8% net performance in 2021. [Fantastic return!] Comparatively, the fund as a whole achieved a -5.7% return. [That is not fantastic.]

Okay, so that was more than not including a footnote. That’s a $100,000 fine.

Sources:

Order against Twenty Acre Capital