Regulatory Compliance E-newsletter – December 2018


Feature of the Month

Are you prepared for the end of the year?

With the fourth quarter coming to a close, we want to remind you that regulatory filings are critical to the management of your firm and to avoiding non-compliant regulatory exposure. NRS can help you avoid missing critical filing deadlines by providing a partnership between you and a dedicated Consultant. By working with us, you will save time, mitigate risk and avoid overpayment if adviser or state registrations are no longer required for your firm. We offer two.

Annual Updating Amendment Package:

This package features IARD filing services, document revisions, reminders and regulatory alerts that may impact your business.

NRS will:

  • act as the firm’s annual updating amendment filing agent
  • conduct a consistency review among the firm’s Form ADV, Parts 1 and 2 and notify the firm of discrepancies. Corrections of routine discrepancies will be made by NRS and included with the firm’s AUA filing*
    *Routine corrections are included in the firm’s AUA if communicated timely to NRS by the adviser. Drafting or redrafting of Form ADV, Part 2 or Appendix 1 disclosures is charged separately.
  • provide a copy of the firm’s Renewal Statement and payment reminders via email
  • verify funding before the payment deadline and provide reminders to the adviser as appropriate
  • file additional notice filings, as necessary
  • provide a list of the firm’s representatives who are eligible for renewal for the firm’s review and confirmation
  • remind the firm of any supplemental state filing requirements, for example, financial statements
  • request and review the firm’s redacted list of clients by state of residence to confirm notice filing or state registration requirements
  • provide periodic Regulatory Alerts and Updates, as appropriate, over the course of the year

Partnership Program:

The NRS Partnership Program includes all the things you need in order to ensure that you maintain your year-end compliance needs and maintain a culture of compliance throughout the new year. This includes:

NRS Consulting Services encompassing:

  • Introductory call with your dedicated consultant.
  • Annual Updating Amendment service (Compliance Alliance Package)
  • During the course of the 12-month engagement, you will receive:
    • Compliance Program review focused on:
      • Policy and Procedures
      • Code of Ethics
      • Disclosures in Form ADV
      • Client Agreements
    • NRS consultant will schedule a conference call to review findings and provide a written summary.
  • In addition, you will receive ongoing telephone support from your dedicated consultant to ask questions as they arise. (6 hours per year)

Technology helps bring it all together. You will have a one-year subscription to NRS ComplianceGuardian™ software. ComplianceGuardian™ provides:

  • Policy and Procedure Management
  • Code of Ethics including attestation
  • Quarterly updates on changing policy requirements and industry guidance
  • Custom compliance calendar
  • Monthly compliance tasks and activities
  • Model documents library
  • Expert guides and checklists
  • Annual Review Management Tool
  • Attestation Management and Archiving

Training is an important part of a compliance program. You will have access to three live webinars of your choice during the course of the year. Many of the courses available will qualify for CE credits.


FIRE

What Is Causing the Increase in Cyber Attacks?

There are many factors contributing to the increase in firms’ exposure to cybersecurity threats. In an effort to increase efficiency and revenues, firms are becoming more dependent on devices, services, and applications that connect to the internet such as smartphones, email, social media, and cloud computing services. Through this dependence they become larger targets for cybercriminals looking to exploit technological vulnerabilities. Advances in technology, changes in how firms and their customers use technology, and changes in firms’ business models have all created new avenues of entry for cyber thieves and vulnerabilities in firms’ information technology systems. Online account access, firm web-based activities, and significant and increasing customer and employee use of mobile devices and laptops can all create opportunities for attackers to disrupt or gain access to firm or customer information.

Who Is Committing These Cyber Attacks?

While cybercriminals and their cyber tools are becoming more sophisticated every year, their personal profiles and motivations can be very different. FINRA describes a number of these “threat actors,” including:

  • Cybercriminals with the objective to steal money or information for commercial gain
  • Nation states that may acquire information to advance national objectives
  • Hacktivists whose objectives may be to disrupt or embarrass a political entity
  • Corporate insiders seeking personal gain

SEC Cybersecurity Risk Alert 2017

In 2015, the SEC began a Cybersecurity Exam Initiative to review the compliance practices associated with cybersecurity preparedness of 75 SEC registered firms. The exams focused on policies and procedures, including validation and testing, to ensure that they were implemented and followed. In particular, examiners focused on:

  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

Firm Improvements

In the 75 firms examined, the SEC noted overall improvements, including:

  • Use of periodic risk assessments, penetration tests, and vulnerability scans of critical systems to identify cybersecurity threats, vulnerabilities, and business procedures for regular system maintenance, including software patching, to address security updates
  • Implementation of written policies and procedures, including response plans and defined roles and responsibilities, for addressing cybersecurity incidents
  • Vendor risk assessments conducted at the outset of an engagement with a vendor and often updated periodically throughout the business relationship

Weaknesses Observed

Although the SEC complimented firms’ overall progress in the area of cybersecurity compliance, examiners noticed several areas where the majority of firms had not implemented satisfactory practices. Among these were:

  • Inadequate policies and procedures. Policies and procedures were not sufficient because they provided employees with only general guidance, or they did not articulate procedures for implementing the policies.
  • Firms did not appear to adhere to or enforce policies and procedures, or the policies and procedures did not reflect the firms’ actual practices. Examples included:
    • The required annual client protection reviews were conducted less frequently.
    • Ongoing reviews were too infrequent to determine if security protocols were appropriate.
    • Cybersecurity awareness training was required, but some employees did not take part.
    • Outdated operating systems were being used that were no longer supported by security patches.

Best Practices

At the conclusion of the sweep, the SEC recommended actions that represent what it believes are “best practices” for firms in the area of cybersecurity:

  • Maintenance of an inventory of data, information, and vendors
  • Detailed cybersecurity-related instructions regarding various aspects of cybersecurity including monitoring, auditing, and testing, as well as incident reporting
  • Maintenance of schedules and processes for cybersecurity testing
  • Establish and enforce controls to access data and systems such as “acceptable use” policies, mobile device usage, third-party vendor logs, and termination of access for former employees
  • Mandatory information security training for employees
  • Approval of cybersecurity policies and procedures by senior management

The SEC is encouraging firms to use this new information to continue to re-evaluate their cybersecurity practices and ensure that they are protecting both clients and the firm.

Was this excerpt everything that you thought it would be? Are there other cybersecurity issues that FIRE could report on or investigate for you? FIRE wants to hear all feedback regarding this excerpt. Click here to let us know your thoughts.


Education

Compliance Certification Program for Investment Advisers

As a compliance professional, you are on call as a trusted guard, helping to protect the firm and its employees and investors. You are faced with the challenges of today’s compliance environment and now, you could be in a position to elevate your knowledge and career.

In 2019, make the commitment to become a certified compliance professional and gain industry-wide recognition for your knowledge and skills by earning the Investment Adviser Certified Compliance Professional (IACCP®) designation.

Developed by NRS and co-sponsored with the Investment Adviser Association (IAA), the IACCP program helps to differentiate you from the rest, with demanding standards and a curriculum that covers all angles of investment adviser compliance, all taught and facilitated by expert instructors from the compliance, legal, regulatory, industry and academic sectors.

Key features and benefits of the Investment Adviser Certified Compliance Professional Program include:

  • Industry-wide recognition of an enhanced knowledge and skill level and increased credibility for you and your firm
  • Flexibility for completing coursework – take courses online and/or onsite at in-person events
  • Portability of CE Credits – with NRS’s array of Continuing Education partners, IACCP program coursework can be used to maintain CE for your other certifications, increasing the value of what you learn

Begin 2019 as a Compliance Frontrunner. Courses start January 10, 2019. Find out more by going here.


Technology

Simplify Your Annual Review Process

Believe it or not, 2018 is almost over — and now is the perfect time to make sure your firm’s Policies and Procedures are up-to-date and to start working on your Annual Review. The new integrated compliance task list in NRS ComplianceGuardian™ for investment advisers provides a simple way to assign tasks and to track their completion.

Start with a customized policies and procedures manual that is automatically linked to a compliance task list that you can assign to individuals or groups within the firm. View this in a checklist or calendar format and set up email reminders with one click. The manual content is written and updated by NRS consultants to ensure that your firm meets current regulatory requirements. NRS’s Smart Update technology protects your custom content by not allowing it to be overwritten unless you so choose, and with the new Microsoft Word editor your changes are continually tracked.

Use the integrated Annual Review Tool for investment advisers to assist in the annual review process. Document the review, create workflows for taking corrective actions and automatically generate the annual review report. For broker-dealers, use the model documents and in particular the ‘Annual CEO Certification Language’ document as a guide for completing the annual review.

Learn more about the one tool that manages the annual review process by registering for a demo today.
