0SEC Settles Enforcement Proceeding over Broker-Dealer’s Failure to Comply with Reg. S P Requirements for Safeguarding Customer Information

The SEC settled an enforcement action against a firm registered as a broker-dealer and investment adviser for the firm’s failure to adopt policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the “Safeguards Rule”).   Since July 2001, the Safeguards Rule has required registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and are reasonably designed to insure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information.  In 2005, the SEC amended Regulation S-P to require that these policies and procedures be in writing.  (The SEC has since proposed amendments to Reg. S-P that create more specific standards under the Safeguards Rule, as discussed in a March 11, 2008 Goodwin Procter Client Alert.)  The SEC’s findings in this settled proceeding focus on the firm’s failure to maintain adequate written policies and procedures addressing the Safeguards Rule, and its failure to respond in a timely and appropriate manner to an internal audit that found weaknesses in the security of the Internet-based trading platform (the “Platform”) the firm’s registered representatives (“RRs”) used to enter customer trades.

Security Breaches in Web-based Trading Platform.   During the period July 2007 - February 2008, unauthorized persons accessed and traded, or attempted to trade, in customer accounts by gaining access to 13 RR accounts on the Platform.  Once logged on to the Platform, the unauthorized persons placed, or attempted to place, 209 unauthorized trades in 68 customer accounts, and may have had access to non-public information of at least 10,000 customers. Altogether, the unauthorized persons attempted to place over $700,000 in trades in securities of nineteen different companies.  The firm detected the unauthorized and inappropriate trade requests, most of which were blocked by the Platform. In some cases, however, unauthorized trades were executed through customer accounts.  The firm promptly reversed or eliminated the resulting customer positions and compensated the customers for the resulting trading losses, which totaled approximately $98,900. 

Inadequacy of Written Policies and Procedures.  The SEC found that the firm had failed to have a customer information policy for its employees and branch RRs describing its overall program that complied with the Safeguards Rule.  Although the firm had some documents addressing policies for safeguarding customer records and information, those documents did not constitute, either individually or in combination, a complete set of policies and procedures addressing administrative, technical, and physical safeguards reasonably designed to protect customer records and information at the firm’s branch offices.  Among other things, these documents included only limited and insufficient written materials (and, in some instances, only suggestions or recommendations, as opposed to mandates) regarding safeguarding customer information.  In addition, when Regulation S-P was amended in 2005 to require that policies and procedures for safeguarding of customer information be written, the firm failed to comply.

Internal Audit Report Identifies Deficiencies in Trading Platform Security. In mid-2006, the firm conducted an internal audit in mid-2006 that identified inadequate security controls to safeguard customer information at its branch offices.  The internal auditors identified the following weaknesses: (1) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (2) passwords were not set to expire after a certain period of time; (3) users could not change their own passwords; and (4) there was no automatic lockout feature related to unsuccessful login attempts.  In addition, over 300 of the firm’s information technology employees had access to a list of Platform passwords, and a number of former employees likely had access to such a list before leaving the firm.  The firms’ internal auditors further observed that the Platform’s automatic session timeout limit of eight hours was believed to be significantly longer than the timeout periods used by other financial services firms for similar applications.  The audit concluded that weaknesses in the Platform’s security would increase the likelihood that unauthorized persons could obtain confidential information and make unauthorized trades. 

Failure to Take Prompt, Appropriate Corrective Action .  A written report of the internal audit was finalized and provided to the firm’s Chief Information Officer in December 2006.  In early 2007, the report was shared with members of the firm’s senior management, and later in May 2007, the report was presented to the firm’s executive risk committee.  Among the specific risks identified for both senior management members and the executive risk committee were risks that (a) an intruder could hack into the Platform and cause financial loss to advisers and customers; and (b) an unauthorized individual could steal client information or execute unauthorized trades.  The firm’s executives were further warned that more than 90% of all security breaches involved loss of information in digital form.   The firm’s enterprise risk management organization cautioned that further review of access control issues for the Platform identified in the audit report could lead to a finding or opinion by its independent auditors that the firm had ineffective controls.   The firm’s internal audit department reported that password complexity controls and session inactivity controls for the Platform could be implemented at an estimated cost exceeding $500,000.   In June 2007, the firm created a separate committee to evaluate and implement security for the Platform. 

Violations and Sanctions. The SEC found that the firm willfully violated the Safeguards Rule and in particular, that the firm’s failure to take immediate corrective action in response to the weaknesses identified in the internal audit by the time of the security breach in July 2007, constituted reckless disregard of its duties under the Safeguards Rule..  Under the terms of the settlement, which reflected the SEC’s consideration of the firm’s remedial efforts and cooperation, the firm is subject to a cease and desist order and censure, and will be required to pay a penalty of $275,000.  The firm also agreed to undertake the following remedial measures: (a) devising and implementing a policy and a set of procedures for training employees and RRs on safeguarding customer records and information; and (b) engaging an independent consultant to (i) review the firm’s written policies and procedures relating to the Safeguards Rule, and (ii) make recommendations designed to assure they comply with the Safeguards Rule.

0OFAC Issues Long-Anticipated Enforcement Guidelines

The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued its long-anticipated “Economic Sanctions Enforcement Guidelines” (the “Guidelines”).  The Guidelines supersede previously issued guidance regarding OFAC’s enforcement approach and, most importantly, set forth the factors that OFAC will consider in determining the appropriate enforcement response to apparent violations of OFAC’s various sanctions programs.  The Guidelines were eagerly anticipated, particularly in light of the sharply increased penalty authority granted to OFAC under the International Emergency Economic Powers Enhancement Act (“IEEPA Enforcement Act”) that was signed into law in October 2007.

OFAC administers the U.S. government’s economic sanctions programs against targeted foreign countries, organizations, and persons (such as terrorists and drug traffickers).  OFAC’s sanctions apply to all U.S. persons, entities organized under U.S. law and, in some limited circumstances, entities located abroad that are controlled by U.S. persons and entities.  OFAC sanctions programs implicate a wide range of financial and commercial transactions, and firms doing business on a cross-border basis need to ensure that they do not run afoul of OFAC’s sanctions programs.  Violations of OFAC sanctions are potentially punishable by significant civil and criminal penalties. 

The Guidelines clarify several aspects of OFAC’s enforcement approach and reflect several changes to prior enforcement guidance issued by OFAC:

  • First, rather than identifying “aggravating” and “mitigating” factors for OFAC penalties, the Guidelines set forth eleven “General Factors” that OFAC will consider in determining an appropriate enforcement response to an apparent violation and, if a civil monetary penalty is  warranted, in establishing the amount of that penalty.  The move away from “aggravating” and “mitigating” factors is intended to allow for a more “holistic consideration” of the facts and circumstances of a particular case.  Included among the General Factors are whether the conduct at issue involved a willful or reckless violation of the law, awareness of the conduct at issue, or harm to sanctions program objectives. 
  • Second, the Guidelines set forth seven types of enforcement actions that OFAC may take depending on the facts and circumstances of each case.  The Guidelines note that, in response to an apparent violation, OFAC may issue (a) a no-action letter, (b) a request for additional information, (c) a cautionary letter, (d) a finding of a violation, (d) a civil monetary penalty, (e) a criminal referral, or (f) other administrative actions (including license denial, suspension, or cease and desist order).
  • Third, in light of the enhanced maximum civil penalties established by the IEEPA Enhancement Act, the Guidelines distinguish between “egregious” and “non-egregious” civil monetary penalty cases.  Egregious cases are those representing the most serious sanctions violations, based on an analysis of all applicable General Factors, with substantial weight given to considerations of whether the violation involved willfulness or recklessness, awareness of the conduct giving rise to an apparent violation, harm to sanctions program objectives, and the individual characteristics of the subject person.  The Guidelines provide for significantly higher penalties for egregious cases. 
  • Fourth, where OFAC determines that a civil penalty is appropriate, the Guidelines set forth the manner for determining the penalty amount.  This process involves first determining a “base penalty amount,” based on two primary considerations:  first, whether the conduct giving rise to a violation is egregious or non-egregious; and second, whether the case involves a voluntary self-disclosure by the subject person.  OFAC stated that in keeping with its prior guidance on economic sanctions, the existence or lack of voluntary disclosure remains a major factor in establishing the penalty amount.  Accordingly, the base penalty amount will be reduced 50% or more in cases involving voluntary self-disclosure.  Once the base penalty amount is determined, it may be adjusted upward or downward based on the General Factors; the resulting amount is the proposed civil money penalty contained in a pre-penalty notice to the subject person.  The Guidelines contain a matrix that shows how penalty amounts are calculated.
  • Finally, the Guidelines also address the process for imposing penalties and settling allegations of violations.  If OFAC concludes that a violation has occurred and a civil monetary penalty is the appropriate response, it will issue a pre-penalty notice describing the alleged violation, identifying any relevant General Factors, and setting forth the proposed penalty.  Subject persons may respond to pre-penalty notices prior to the imposition of a final notice. 
Although the Guidelines became effective immediately, OFAC is seeking public comment.  The deadline for submitting comments is November 7, 2008.

0FRB Adopts Interim Final Rule Providing a Temporary Exemption to Banks from Limits of Section 23A of the FRA for Certain Loans to Affiliates

To address the impact of the recent economic downturn on the functioning of the U.S. tri-party repurchase agreement market (the “TPRA Market”), the FRB adopted an interim final rule (the “Rule”) to provide a temporary exemption (the “Exemption”), for certain types of transactions, to the limits in Section 23A of the Federal Reserve Act (“Section 23A”).  The Exemption facilitates the ability of an affiliate of a bank (such as a broker-dealer) (the “Affiliate”) to obtain financing, if needed, for securities or other assets that the Affiliate ordinarily would have financed through the TPRA Market.

The Exemption is subject to five conditions designed to protect the safety and soundness of the lending bank (the “Bank”):

  1. the Bank may only finance asset types that the Affiliate currently finances in the TPRA Market;
  2. the transaction must be marked-to-market daily and subject to daily margin requirements, and the Bank must be at least as over-collateralized as the Affiliate’s clearing bank was in its U.S. tri-party repurchase agreement transactions (“TPRA Transactions”) on September 12, 2008;
  3. the aggregate risk profile of the exempt transactions must be no greater than the aggregate risk profile of the Affiliate’s TPRA Transactions on September 12, 2008;
  4. the Bank’s top-tier holding company must guarantee the Affiliate’s obligation to the Bank (or provide other security to the Bank that is acceptable to the FRB); and
  5. the Bank may not use the Exemption if it has been advised by the FRB (after consulting with the Bank’s principal federal regulator) that the Bank may not use the Exemption.
The Rule is temporary and the Exemption expires on January 30, 2009.  Transactions using the Exemption remain subject to the market terms requirement of Section 23B of the Federal Reserve Act.  The Exemption became effective on September 14, 2008.  Comments on the Rule are due by October 31, 2008.

0Federal Banking Agencies Propose Rule Reducing Goodwill Deduction

The four federal banking agencies proposed to amend their capital rules to reduce the amount of goodwill that a bank must deduct from tier 1 capital in taxable transactions.  The proposal notes that currently in such transactions deferred tax assets are not permitted to be netted against goodwill and other intangible assets before goodwill is deducted from tier 1 capital.  As a result, the full or gross carrying amount of goodwill is deducted.

In response to industry request, however, the proposal would permit a bank to reduce the amount of goodwill it must deduct from tier 1 capital by the amount of any deferred tax liability associated with that goodwill.  This would permit a bank to reduce its regulatory capital deduction for goodwill to an amount equal to the maximum regulatory capital reduction that could result from the goodwill being completely impaired.  In other words, the amount of the tier 1 capital in such circumstances would be increased by the amount of the deferred tax liability recognized with respect to the goodwill.  The proposal also seeks industry comment as to whether the agencies should permit any additional intangible assets to be deducted from tier 1 capital net of associated deferred tax liabilities.  Comments on the proposal are due 30 days after its publication in the Federal Register.

0Comptroller Dugan Discusses OCC’s Expectations with Respect to Fair Lending Compliance

Comptroller of the Currency, John C. Dugan, made a presentation at the 2008 OCC Fair Lending Conference in New Orleans concerning banks’ fair lending requirements.  Comptroller Dugan stressed that the US is undergoing a period of unusual turmoil in the financial markets.  In addition to and in part because of this disruption in the financial markets, the mix of products offered to consumers and the way business is conducted are undergoing drastic changes.  Comptroller Dugan warned that despite the challenges and the distractions that are currently presented to bankers regulators expect banks to continue to focus on still important priorities, such as fair access to credit.

The crux of Comptroller Dugan’s speech was the importance of statistical analysis and modeling in the regulation of fair lending policies by the OCC.  Particularly, in the case of large institutions, he said, such statistical analysis will play a greater, more crucial role in the OCC’s regulation in the years ahead.  The Comptroller touched upon the massive number of loan applications handled by the largest institutions, and noted that in order to be efficient both bankers and regulators need to use automated tools to examine fair lending procedures.

Comptroller Dugan stated that because of the very high number of loans that are originated, the OCC cannot review each loan application one by one, but rather needs to use a more systematic and efficient methodology, such as statistical analysis.  Comptroller Dugan noted that the empirical analysis that is being implemented by the OCC needs to be more than a simple comparison of denial rates and average spreads across groups.  He stated that accurate assessments require the application of more sophisticated methods of statistical analysis; including regression analysis.  Comptroller Duggan said that all variables that are valid and which reflect legitimate, non-discriminatory underwriting polices should be included in the OCC’s statistical approach, but he also noted that the picking of factors is still an art and not an exact science.  He stressed that there needs to be prudent judgment in the modeling and the analysis, as well as valid interpretations of the results.  The statistical analyses that are employed by the OCC vary from bank to bank based on the size of the lender, its complexity and its business profile.  He noted that in the case of smaller banks, simpler techniques are used and in some cases modeling is not used at all.  The OCC is considering a potential change to the fair lending screening process used for the largest national banks.  In the coming year, the OCC will use a pilot program, with large banks, that will test, among other things, loan-to value ratios, credit scores, and debt service ratios. 

In concluding, Comptroller Dugan stated that “there is an aspect of [fair lending] that goes beyond doing analysis and following the rules.  Institutions that are top performers in the area of fair lending do so because fair treatment of customers is a fundamental to how they do business.”  While the OCC will begin to implement more statistical analysis into their supervisions of fair lending, it is clear that the focus remains on ensuring that all consumers have fair access to credit.

0Goodwin Procter’s ERISA and Executive Compensation Group Issues Reminder on December 31, 2008 Deadline for Section 409A Compliance

As a reminder, all compensation arrangements that may be subject to Section 409A of the Internal Revenue Code (e.g., employment agreements, change in control agreements, deferred compensation plans, SERPs, discounted stock options, deferred or restricted stock units, bonus arrangements) must be amended by December 31, 2008 to be in compliance with Section 409A, or, in certain circumstances, amended to avoid being subject to Section 409A.  Employment agreements, in particular, should be reviewed for Section 409A compliance, regardless of whether the employer is public or private. Goodwin Procter’s ERISA and Executive Compensation practice group has extensive experience in addressing these issues.

0GAO Issues Report on Investment in Hedge Funds and Private Equity Funds by Pension Plans

The GAO issued a report examining trends in defined benefit pension plans investing in hedge funds and private equity funds.  The report’s examination of pension plans’ hedge fund investing discusses increased investing in hedge funds by plans, their goals in investing in hedge funds, their experience with and future intentions regarding hedge fund investing, challenges posed by hedge fund investing (e.g., transparency and liquidity) and how pension plans have addressed these challenges.  As for private equity funds, the report reviews challenges and risks faced by pension plans in making private equity investments (including the variation in performance of private equity funds and the difficulty of accessing top performing funds), the relatively long investment term of private equity funds, and the difficulties of interim valuation.  The report recommends that the Department of Labor provide guidance on investing in  hedge funds and private equity funds that is specifically designed for pension plans.

Contacts