This week’s episode of Oyster Stew is Part 3 in a series discussing the SEC and FINRA 2020 Exam Priorities Letters. Oyster Consulting CEO Buddy Doyle, Director Evan Rosser and Consultant Joe Turner talk about Technology and Cybersecurity, Business Continuity Plans, Cash Management and Bank Sweeps.
Buddy Doyle: 0:29
Hi everybody. This is Buddy Doyle. I’m Chief Executive Officer of Oyster Consulting and welcome to this latest version of Oyster Stew, our podcast that we use to talk about the financial services industry. I’m fortunate enough today to be joined by Evan Rosser and Joe Turner, both of whom are former regulators, have worked in the broker dealer and investment advisor business for quite a while, and have transitioned to consulting as they go through their careers, and h ave been with Oyster Consulting for some time. So thank you Evan. Thank you Joe, for joining us. What we’re talking about today is the examination priorities, the SEC and FINRA. If you’re wondering what’s on their mind, it’s fortunate that they tell you every year. Joe, would you walk us through a little bit of what FINRA had to say about technology governance and c ybersecurity?
Joe Turner: 1:26
Sure, Buddy. First of all, I guess we all e xperience this daily. You turn on the news or you go to your favorite news source and there’s some article on cybersecurity, whether it’s in our own industry or some other industry, whether it’s dealing with personal information, whether it’s dealing with personal security or some form of ransomware. There’s always something in the news th at b rings this to our forefront. There’s also right behind that probably some advertisers saying that we’ve got some form of software to help you or we’ve got some a service that we can provide you to help prevent that. Now, certainly FINRA is going to be coming in and looking at your processes to make sure that you have policies and procedures that address how people are to handle personal identifiable information for their customers as well as how they’re go ing t o h andle certain system issues within the organization itself. We have the same type of issues here at Oyster as you have at your firms. We have client information. We’ve got to be very careful about that information. We’re always looking at new and better ways to protect that information. We just finished a few weeks ago our all associates training on cybersecurity, and we’re always testing for any possible issues that might cause us problems down the road with our own internal security. Those a re the types of things that F INRA is going to be looking at in your firm, and you need to be a step ahead of them on that. They’re g oing t o want to look at changes that have occurred in your business and have you adapted your internal security processes for any of those changes. If you’ve done technology changes, have you changed your policies and procedures or adapted those policies or procedures to properly address the changes that you’ve gone through? Have you tested those processes to make sure that those adjustments you’ve made are right? We’ve all gone through business continuity planning. That business continuity planning needs to be tested on a regular basis. You need to figure out how it’s going to impact your clients. If you have to go down that road and you have to adapt whatever BCP event you’re dealing with for your client base and have the minimal amount of impact on your clients. FINRA is going to be looking to see that you have a documented plan for when you make any changes to your systems . You know, you can’t just throw a switch and introduce a new system. You’ve got to go through some testing and planning. I’ve been through enough that I know that rarely does one go completely without some small glitch. The more testing you do, the better you’re prepared, the less chance there’s going to be that you’re going to have problems, which could result in an impact not only to your firm directly, but to your clients as well. So testing and and documenting your updates in advance is a clear item of concern to FINRA. And lastly, capacity. You know, are you planning for capacity? Do you have the integrity in your systems to deal with increased volume? Whether it’s from, say, a merger and acquisition, or just growth over the period of time. Be sure you’re regularly addressing the issues with that could impact your systems as you go through growth. Buddy, I know you’ve had an awful lot of experience in the cybersecurity area. Did you have anything you wanted to add?
Buddy Doyle: 5:47
Yes. I think one of the things that comes to my mind about cybersecurity that our clients hear from , and everyone should know, cybersecurity is not a technology problem. It is a people problem for the most part. The majority of breaches occur, some because of technology glitches, but many because people made a bad decision on what to do and responded to a cyber threat through social engineering or something along those lines. It’s actually fortuitous – today, we sent out an email that was a spoof email to everyone in our firm to see who would click on it, so that we could further our education with our employees. And we sent that out and very quickly, our HR person and our communication person sent out an email to the whole firm saying, don’t touch that email. And it wasn’t part of the plan to have them do that. So all that work that went into this scheme of saying how’s our training really doing when it comes to telling people don’t click on a link unless you’re expecting that. We made it from Oyster, we made it from the IT g roup about doing a software upgrade, and we have methods of how we communicate software upgrades, and it wasn’t this. And so, the t est really got foiled by a couple of thoughtful internal people who kept the rest of the firm from having a fair test. But these are things that I think you w ant t o do, to Joe’s point, on business continuity planning. It’s k ind o f similar. If you want to get to Carnegie hall, practice, practice, practice. If you want to have a good business continuity plan, you’ve g ot t o practice, practice, practice, and you’ve got to keep up with the fact that FINRA, just a couple of weeks ago, put out a notice on cybersecurity and terrorist threats. They don’t do that very often, but it came out along with the Coronavirus. So you’ve got pandemics in your business continuity plan. It’s not just technology problems. This is really about getting your people to be aware, understanding the environment that they’re in and being ready to do the right thing. But there is also other regulators besides FINRA and the SEC out there that have privacy rules as well. And there’s GDPR if you’re doing any business in Europe – that’s a privacy rule that interacts with the technology. It’s really about keeping private information private. And so if you’re in California, you might w ant t o think about looking at the California Consumer Protection Act, and understanding that.
Evan Rosser: 9:01
Or if you have any clients or customers in California.
Buddy Doyle: 9:06
Evan Rosser: 9:08
One of the things about that rule in GDPR , firms need to consider is getting an inventory of all the information they gather on their customers and clients, prospective customers and prospective clients, and under the CCPA, the California Consumer Protection Act, even your own employees. And I think those types of security laws and regulations that allow customers to both view the information you have on them and delete that information, if you are not required to hold it , they’re going to show up in States, probably every state eventually, and perhaps even federally. It’s a rule that’s really, I think, designed and targeted at the Googles and the Facebooks, and the Apples and Amazons, but it touches everyone, and you have to be aware of that.
Buddy Doyle: 10:07
I’m going to bring us around to one more topic. I think we want to keep these podcasts relatively brief. But one of the things that is also new out there was related to cash management. We haven’t heard FINRA talk a lot about cash and things like that. Rule 3012 and and ultimately 3120, have a lot to do with cash controls, but this is a little bit different. And so maybe you want to give us a little bit of an overview of what the thinking is in terms of cash management and bank sweep products.
Evan Rosser: 10:54
I mean, if they’re swept into a federally insured bank, they are protected by FDIC. That raises a few questions. I think back in, was it 2014, customers had to affirmatively opt into those programs. In doing that, firms have to consider whether they have really adequately communicated the nature of the arrangement. Have they implied that it’s not a brokerage account? And it’s not quite the same as a checking or savings account. And if they’ve identified (and this would be under Reg BI and the Form CRS), any revenue sharing they get from those types of sweep products, do they communicate that? If they are federally insured by FDIC, what is the limit of that protection? I believe it’s now $250,000. And if customer has more than $250,000 and it’s a cash management account , any amount over $250,000 may not be federally insured. So, it does raise a potential conflict issue. It raises a disclosable conflict issue for firms on both Reg BI and Form CRS. It’s an issue that really needs to be considered when firms are looking at those. And again are there alternatives to, there may not be, but it’s something firms need to look at as far as what the program is. And have they communicated all the material aspects in that program to their customers?
Buddy Doyle: 12:37
So I think it’s important that firms who have historically viewed these sweep programs as a convenience option for your customers to put money in a place where it earns interest for the customer when you’re taking money out of the markets. I mean, that is essentially the genesis of these programs – to get the money to the bank account for the customer. And so as you think about this as a broker dealer now, with the information and the letter from FINRA, it’ll give you some good, clear things to consider. As you’re looking at this, maybe with a new lens beyond “it’s so much more easy to do a sweep then to get a check and go to the bank and deposit it or even do ACH” instructions, and things like that. So even though it is a convenience, it can be a convenience with conflicts. Even though it is not an investment by most definitions, that is something that you as a broker dealer are doing with the retail customer who may think about that differently, and may think about the interest as an investment. And it’s also to the point of Reg BI, they conflict if you’re getting paid for that particular service by the bank, or by your clearing firm or someone else who helps facilitate that to offer your client. There is a conflict as you’re putting this together. So, a few things to keep in mind is as you go through this and maybe think about it in a different way than you did.
Joe Turner: 14:28
And the resounding theme, I think, and FINRA’s letter, is disclosure. Lay it out there and make sure the client understands exactly what they’re getting and what the limitations are, and any conflicts that might exist.
Buddy Doyle: 14:46
If you aren’t sure if you should disclose it or not, you should be, you should disclose it. It’s a safe way to be.
Evan Rosser: 14:55
First of all, I don’t know if it would be deemed a recommendation for Reg BI purposes, nor am I sure that, since it’s cash and not a security, whether that would be a securities related recommendation. But it’s very much a Form CRS issue. I’m not sure if it’s a Reg BI disclosure .
Buddy Doyle: 15:23
Well, with that, I would like to thank you all for your time. Joe. Evan, thank you so much. If you are looking for any guidance on your regulatory compliance program or the focus of the regulators, feel free to reach out to us and we will get back to you right away.
Thanks again for listening to the Oyster stew podcast. Don’t forget to subscribe so we can continue to bring you resources to help you make the best decisions for your firm. If you’re struggling with the topic and you’d like us to do a podcast on it, or you’d like a free consultation, feel free to reach out to us at (804) 965-5400. Or by visiting our website@Oysterllc.com.