Securities Industry Commentator by Bill Singer Esq

January 25, 2022

http://www.brokeandbroker.com/6253/jpm-tro-solicitation/
It's another day and, not surprisingly, another erstwhile wirehouse brokerage firm asks a court for a temporary restraining order ("TRO") against one of its former employees. In today's iteration, we got J.P. Morgan Securities ("JPMS") alleging that Timothy Logsdon needs to be restrained from disclosing confidential information and soliciting the firm's clients. 

http://www.brokeandbroker.com/6252/finra-bequest-widow/
It is always disconcerting when elderly customers change their wills in order to leave eye-opening bequests to their stockbrokers or financial advisors. There are many decent men and women on Wall Street, and they often service their elderly customers with affection and unimpeachable rectitude. On the other hand, there are many predators on the Street. In a recent FINRA regulatory settlement, we seem to have a swirl of considerations involving a stockbroker and an elderly widow. Frankly, it's next to impossible to reconcile FINRA's allegations with FINRA's sanctions, which raises many questions. 

https://www.justice.gov/usao-sdfl/pr/former-ubs-financial-advisor-charged-defrauding-over-5-million-dollars-his-ubs-clients
-and-
https://www.sec.gov/news/press-release/2022-8

In an Information filed in the United States District Court for the Southern District of Florida, former UBS Financial Services Inc. advisor German Nino was charged with defrauding over $5 million from a family who maintained several accounts at UBS. As alleged in part in the DOJ Release:

[F]rom about 2012, and continuing to 2020, Nino, a resident of Broward County, was a financial advisor working at a branch office of UBS Financial Services Inc. in Miami.  Nino oversaw and managed UBS investment accounts for various customers, including three victims who were related and who had various investment accounts at UBS.  Nino was the financial advisor assigned to oversee and manage the victims' money in the accounts.

It is alleged that from about May 2014 to February 2020, Nino made a total of 62 unauthorized transfers from three UBS accounts belonging to the victims, which totaled $5,833,218.59.  To accomplish the wire fraud scheme, Nino made materially false and fraudulent statements to his victims and concealed and omitted material facts including misrepresenting the true performance, balance, and rate of return of the accounts he managed; forging the signature of his clients on documents purporting to authorize transfers out of the accounts; preparing a fraudulent land purchase contract and forging a victim's signature on the land purchase contract to make it appear that the victim was purchasing land in Colombia by using money from the victim's account; removing one of the victim's email from the victim's UBS email account profile so that the victim would not receive email notifications from UBS about unauthorized transfers; and preparing fraudulent UBS account statements and client review statements, which falsely inflated the balance and value of the victims' accounts, says the information.  

The SEC's complaint alleges that Nino, of Weston, Florida, stole the investment funds from his client's accounts over nearly a six-year period and used the majority of the money, $4.2 million, on gifts for several women with whom he had romantic relationships. Nino allegedly employed various methods to conceal his misconduct from his client, including creating fake account statements, forging signatures on letters of authorization, and altering UBS's records for an affected account to prevent electronic notifications of wire transfers.

"As a financial advisor, Nino was entrusted with millions of dollars belonging to his client," said Eric I. Bustillo, Director of the SEC's Miami Regional Office. "As alleged in our complaint, Nino took advantage of that trust by abusing his access to his client's accounts for personal gain."

In addition to spending the money on vacations, luxury cars, and private school tuition for his romantic partners, Nino also allegedly used the remaining $1.6 million to repay funds he had taken from another client.

https://www.justice.gov/usao-me/pr/texas-man-sentenced-investment-fraud-scheme
Russell Hearld pled guilty in the United States District Court for the District of Maine to conspiring to commit wire fraud, and he was sentenced to 29 months in prison plus three years of supervised release. As alleged in part in the DOJ Release:

[I]n 2017 and 2018, Hearld participated in a scheme to defraud involving investments in Standby Letters of Credit (SBLCs). Investors were promised that they could receive a portion of the value of an SBLC, worth millions of dollars, for a much smaller initial investment. Investors were promised returns equal to many times the amounts of their initial investments in a matter of weeks. They were also promised that their money would remain in the attorney trust account of a co-conspirator - who at the time was a licensed attorney in Florida - until confirmation was received that the SBLC had been issued.

Contrary to these representations, Hearld routinely directed the co-conspirator attorney to withdraw investor funds as soon as they were deposited into the attorney's trust account. For example, in March 2017, an investor wired $500,000 from his bank account in Maine to the attorney's trust account in Florida. On the previous day, Hearld had sent the attorney an email, directing the attorney to disburse the investor's funds. At Hearld's direction, the attorney wired $200,000 to Hearld's bank account; $150,000 to the account of the attorney's law firm; $100,000 to the account of another co-conspirator; and $40,000 to the attorney's personal account.

While discussing the reasons for his sentence, Judge Woodcock noted that Hearld took the victims' money for "completely selfish reasons." He also noted that Hearld owed over $13,000 in past due child support, and said it was "just disgraceful" that Hearld had failed to meet his support obligations despite personally receiving over $2 million in the fraud scheme.

https://www.justice.gov/usao-me/pr/arizona-man-pleads-guilty-role-investment-fraud-scheme
Arthur Merson pled guilty in the United States District Court for the District of Maine to conspiring to commit wire fraud. As alleged in part in the DOJ Release:

[I]n 2017 and 2018, Arthur Merson, 67, of Scottsdale, Arizona, participated in a scheme to defraud involving investments in Standby Letters of Credit (SBLCs). Investors were promised that they could receive a portion of the value of an SBLC, worth millions of dollars, for a much smaller initial investment. Investors were promised returns equal to many times the amounts of their initial investments in a matter of weeks. They were also promised that their money would remain in the attorney trust account of a co-conspirator - who at the time was a licensed attorney in Florida - until confirmation was received that the SBLC had been issued.

In his role as an intermediary between investors and the principal members of the conspiracy, Merson falsely represented to investors that the investment was not risky and that he had been involved in similar successful deals in the past. In fact, he had not been involved in prior successful transactions of this sort, nor had he made any significant amount of money from them.

After co-conspirators fraudulently transferred investor funds, Merson relayed a variety of excuses from other members of the conspiracy for why the transactions had not occurred. He also falsely represented that he was an independent consultant who was only going to receive a small finder's fee, and claimed not to know the details of the transaction or the payouts the clients could expect. In fact, he had a significant independent financial interest in the investment transaction that he failed to disclose, and affirmatively misled investors about, as he responded to investor inquiries.

https://www.justice.gov/usao-sdny/pr/las-vegas-woman-sentenced-prison-10-million-tech-support-fraud-scheme-exploited-elderly
In response to an Information filed in the United States District Court for the Southern District of New York https://www.justice.gov/usao-sdny/press-release/file/1404761/download, Romana Leyva, 38, pled guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to intentionally damage a protected computer; and she was sentenced to 100 months in prison plus three years of supervised release, and ordered to pay a $4,679,586.93 forfeiture and $2,707,882.91 in restitution. As alleged in part in the DOJ Release:

From approximately February 2015 through December 2018, LEYVA was a member of a criminal fraud ring (the "Fraud Ring") based in the United States and India that committed a technical support fraud scheme that exploited elderly victims located across the United States and Canada, including in the Southern District of New York.  The Fraud Ring's primary objective was to trick victims into believing that their computers were infected with malware, in order to deceive them into paying hundreds or thousands of dollars for phony computer repair services.  Over the course of the conspiracy, the Fraud Ring generated more than $10 million in proceeds from at least 7,500 victims.

The scheme generally worked as follows.  First, the Fraud Ring caused pop-up windows to appear on victims' computers.  The pop-up windows claimed, falsely, that a virus had infected the victim's computer.  The pop-up window directed the victim to call a particular telephone number to obtain technical support.  In at least some instances, the pop-up window threatened victims that, if they restarted or shut down their computer, it could "cause serious damage to the system," including "complete data loss."  In an attempt to give the false appearance of legitimacy, in some instances the pop-up window included, without authorization, the corporate logo of a well-known, legitimate technology company.  In fact, no virus had infected victims' computers, and the technical support phone numbers were not associated with the legitimate technology company.  Rather, these representations were false and were designed to trick victims into paying the Fraud Ring to "fix" a problem that did not exist.  And while the purported "virus" was a hoax, the pop-up window itself did cause various victims' computers to completely "freeze," thereby preventing these victims from accessing the data and files in their computer - which caused some victims to call the phone number listed on the pop-up window.  In exchange for victims' payment of several hundreds or thousands of dollars (depending on the precise "service" victims purchased), the purported technician remotely accessed the victim's computer and ran an anti-virus tool, which is free and available on the Internet.  The Fraud Ring also re-victimized various victims, after they had made payments to purportedly "fix" their tech problems.

LEYVA was a leader of the Fraud Ring.  Her roles in the scheme included: (1) creating several fraudulent corporate entities that were used to receive fraud proceeds from victims, (2) recruiting others (including through misrepresentations) to register fraudulent corporate entities that facilitated the activities of the Fraud Ring, and (3) assisting others in setting up fraudulent corporate entities and bank accounts, including coaching them to make misrepresentations to bank employees where necessary.

United Development Funding Executives Convicted of Fraud (DOJ Release)
https://www.justice.gov/usao-ndtx/pr/united-development-funding-executives-convicted-fraud
After five days of trial and almost 12 hours of deliberation, a jury in the United States District Court for the Northern District of Texas convicted UDF CEO Hollis Morrison Greenlaw, UDF Partnership President Benjamin Lee Wissink, United Development Funding ("UDF") Chief Financial Officer Cara Delin Obert, and UDF Asset Management Director Jeffrey Brandon Jester of ten counts, including conspiracy to commit wire fraud affecting a financial institution, conspiracy to commit securities fraud, and securities fraud. As alleged in part in the DOJ Release:

Founded in 2003 and headquartered in Grapevine, UDF utilized a family of five funds - UDF I, II, III, IV, and V - to invest in various residential real estate developers and private homebuilders.

When developers failed to repay money they borrowed from one fund, triggering multi-million dollar shortfalls, the defendants transferred money out of another fund in order to pay distributions to the original fund's investors, all without disclosing the transfers to the SEC and the investing public.

https://www.sec.gov/litigation/litreleases/2022/lr25314.htm
The United States District Court for the Southern District of Florida granted a Judgment
https://www.sec.gov/litigation/litreleases/2022/judgment25314.pdf to the SEC against Justin W. Keener d/b/a "JMJ Financial."  As alleged in part in the SEC Release:

The SEC's complaint alleged that Keener failed to register as a securities dealer with the SEC, or to associate with a registered dealer, when he bought and sold billions of newly issued shares of penny stock from at least January 2015 through January 2018. Keener obtained the shares directly from issuers after converting debt securities known as convertible notes. By failing to register, Keener avoided certain regulatory obligations for dealers that govern their conduct in the marketplace, including regulatory inspections and oversight, financial responsibility requirements, and maintaining books and records.

The court ruled that Keener met the statutory definition of dealer because he operated a regular business of buying and selling securities for his own account.  The court found that his failure to register as a dealer, or associate with a registered dealer, violated the dealer registration provisions of Section 15(a) of the Securities Exchange Act of 1934. The court also denied Keener's cross motion for summary judgment. The court ordered the parties to propose a briefing schedule for remedies.

https://www.sec.gov/litigation/litreleases/2022/lr25313.htm
The United States District Court for the Eastern District of Michigan entered a Final Judgment that enjoins Viktor Gjonaj from violating the antifraud provisions of Section 17(a) of the Securities Act and Section 10(b) of the Securities Exchange Act and Rule 10b-5 thereunder. In light of a prior criminal conviction and 53-month prison sentence in a parallel matter, although Gjonaj was found liable for disgorgement and prejudgment interest of $21,128,466, that amount was satisfied by the forfeiture/restitution order in the parallel criminal matter. As alleged in part in the SEC Release:

[F]rom at least mid-2016 to 2019, Gjonaj raised approximately $26.4 million through the fraudulent offer and sale of investment contracts to at least 24 investors, most of whom were members of the Albanian-American community in Detroit. As alleged, Gjonaj falsely represented to investors that their money would be used to purchase, develop, and sell real estate projects. Instead, Gjonaj allegedly used at least $10 million of the investors' funds to play the Michigan State Lottery, at times buying as much as $1 million worth of lottery tickets in a single week. Gjonaj also allegedly directed millions of dollars of investors' money to his personal checking account. As further alleged, in order to maintain the fraud, Gjonaj repaid investors with lottery winnings, which Gjonaj falsely claimed were proceeds from real estate investments. According to the complaint, by August 2019, Gjonaj had lost all of his own and his investors' money, and owed the investors approximately $19 million.

SEC Obtains Final Judgment Against Binary Options Affiliate Marketer and Family Members Sharing in His Ill-Gotten Gains (SEC Release)
https://www.sec.gov/litigation/litreleases/2022/lr25312.htm
Without admitting or denying the allegations in an Amended Complaint filed in the United States District Court for the Middle District of Florida, Ronald C. Montano consented to the entry of a Final Judgment https://www.sec.gov/litigation/litreleases/2022/judgment25312.pdf permanently enjoining him from violating Sections 5 and 17(a) of the Securities Act  and Section 10(b) of the Securities Exchange Act and Rule 10b-5 thereunder. Further, the Final Judgment includes a conduct-based injunction that permanently enjoins Ronald C. Montano from directly or indirectly participating in the marketing, offer, or sale of securities over the Internet, and also orders him to pay $1 million in combined disgorgement and prejudgment interest and a civil penalty of $1.35 million. Finally, without admitting or denying the allegations of the Amended Complaint, Relief Defendants Romeo Montano, Elma Montano, Denise Montano, and REM Florida Properties, LLC consented to the entry of the final judgment ordering them jointly and severally liable for $900,000 of the combined $1 million in disgorgement and prejudgment interest that Ronald C. Montano is obligated to pay.  As alleged in part in the DOJ Release:

[B]etween September 2013 and December 2016, Ronald C. Montano launched or participated in affiliate marketing campaigns designed to induce investors to open and fund trading accounts with unregistered and unscrupulous online brokers peddling unregistered binary options. The amended complaint further alleged that these marketing campaigns tricked investors into opening trading accounts using email and web-based video advertisements promising investors would get rich trading binary options using software that did not actually exist. Ronald C. Montano allegedly received a payment from the online brokers for each investor opening and funding a trading account after viewing his misleading affiliate marketing campaigns. Finally, the amended complaint alleged that Ronald C. Montano shared his profits from these activities with family members, which it named as Relief Defendants.

SEC Remands Failure-to-Answer Rule 8210 Bar Back to FINRA
In the Matter of the Application of Bradley C. Reifler For Review of Disciplinary Action Taken by FINRA (SEC Opinion, '34 Act Rel. No. 94026; Admin. Proc. File No. 3-19589)
https://www.sec.gov/litigation/opinions/2022/34-94026.pdf
As set forth in part in the SEC Opinion [Ed: footnote omitted]:

On September 26, 2017, FINRA commenced a disciplinary proceeding against Reifler. In its complaint, FINRA alleged that Reifler had violated FINRA Rule 8210 by refusing to answer questions during the two OTRs. FINRA alleged further that Reifler violated FINRA Rule 2010 as a result of the Rule 8210 violation. 

FINRA held a hearing on June 26, 2018, to determine whether the evidence supported the complaint's allegations. At the hearing, FINRA's Department of Enforcement introduced excerpts from Reifler's OTRs showing the questions he refused to answer. A FINRA staff member testified that FINRA staff had been investigating potential violations of FINRA rules, that the investigation included periods when Reifler was associated with a FINRA member, and that FINRA staff believed that Reifler's OTR testimony would be valuable to understand FIT, as well as NCM's allegations in its litigation against Reifler. According to the staff member's uncontested testimony, Reifler's refusal to answer questions "halted" the investigation because FINRA staff had no alternative sources for the information it was seeking. 

FINRA's hearing panel subsequently found that Reifler had violated FINRA Rules 8210 and 2010 by refusing to answer questions at his OTRs. The hearing panel barred Reifler for this misconduct. In doing so, it treated his refusal to answer some but not all questions posed during the OTRs as a complete failure to respond to a Rule 8210 request under its Sanction Guidelines. Reifler appealed to FINRA's National Adjudicatory Council, which affirmed the hearing panel's findings of violations and the sanction it imposed. This appeal followed.

at Page 7 of the SEC Opinion

Upon review of FINRA's National Adjudicatory Council Decision, the SEC sustained FINRA's findings of violations; however:

Nonetheless, we remand FINRA's sanctions determination for additional consideration because FINRA misapplied its Sanction Guidelines. FINRA analyzed Reifler's refusal to respond to certain questions as a complete failure to testify under its Sanction Guidelines and imposed a bar as a result. But because Reifler answered some questions, and had earlier provided some answers to written inquiries, FINRA should have evaluated Reifler's refusal to answer questions as a partial failure to respond when determining whether to impose a bar.

at Page 2 of the SEC Opinion

In remanding back to FINRA, the SEC advised in part that [Ed: footnotes omitted]:

[W]e have sustained bars based on a partial failure to respond to requests for information, but we have done so only where FINRA justified the bar under the applicable sanction guideline.

On remand, FINRA should evaluate Reifler's refusal to answer questions at his OTRs as a partial failure to respond. Where, as here, an individual provides a partial but incomplete response to a Rule 8210 request, the Sanction Guidelines identify the following principal considerations in determining sanctions: (1) "Importance of the information requested that was not provided as viewed from FINRA's perspective, and whether the information provided was relevant and responsive to the request"; (2) "Number of requests made, the time the respondent took to respond, and the degree of regulatory pressure required to obtain a response"; and (3) "Whether the respondent thoroughly explains valid reason(s) for the deficiencies in the response." The Sanction Guidelines also provide that where an individual provides a partial but incomplete response, "a bar is standard unless the person can demonstrate that the information provided substantially complied with all aspects of the request." The Sanction Guidelines further provide that, where mitigation exists, adjudicators should consider suspending the individual in any or all capacities for up to two years.

In applying the Sanctions Guidelines on remand, FINRA should review and include in the record the entirety of the transcripts of both OTRs. The existing record contains 70 of the 123 pages of the transcript of the first OTR (approximately 57% of the total) and 34 of the 179 pages of the transcript of the second OTR (approximately 19%). Consideration of the complete transcripts is necessary to apply the Sanction Guidelines because doing so will permit FINRA to determine what questions Reifler answered and not just those questions he refused to answer. Such an inquiry is relevant to, among other things, a determination of whether Reifler thoroughly provided valid reasons for not answering questions and whether the information he did provide substantially complied with all aspects of the request. 

at Page 15 of the SEC Opinion

https://www.finra.org/sites/default/files/fda_documents/2021070337201%20Joseph%20LaScala%2C%20Jr.%20CRD%203070261%20AWC%20sl.pdf
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Joseph LaScala, Jr. submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. The AWC asserts that Joseph LaScala, Jr. was registered in 1998 and by February 2012, he was registered with Aegis Capital Corp.  As alleged in part in the AWC's "Overview":

Between July 2014 and April 2016, LaScala violated FINRA Rules 2111 and 2010 when he engaged in excessive and quantitatively unsuitable trading in his customer's Aegis account. 

Between January 2015 and April 2016, LaScala also violated NASD Rule 2510(b) and FINRA Rule 2010 when he exercised discretionary authority to effect 139 trades in the same customer's firm account without having obtained prior written authorization from the customer or approval from Aegis to treat the account as discretionary. 

In accordance with the terms of the AWC, FINRA imposed on LaScala a $7,500 fine and a four-month suspension from associating with any FINRA member in all capacities.

https://www.finra.org/sites/default/files/fda_documents/2020067572701%20Joshua%20D.%20Nicholas%20CRD%206529944%20AWC%20sl.pdf
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Joshua D. Nicholas submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. The AWC asserts that Joshua D. Nicholas entered the industry in 2016, and he was first registered in February 2020 with Merrill Lynch, Pierce, Fenner & Smith Inc. As alleged in part in the AWC's "Background":

In April 2021, a National Futures Association (NFA) Hearing Panel accepted a settlement offer from Respondent and JDN Capital LLC, his wholly-owned limited liability company, to resolve a complaint in which the NFA alleged that Respondent and JDN Capital failed to cooperate with the NFA in connection with an investigation regarding investment funds OBA Customers A and B had entrusted to JDN Capital. The settlement barred Respondent from NFA membership with a right to reapply after eight years, and ordered Respondent not to act or become a principal of an NFA member at any time in the future.1
= = = = =
Footnote 1: The Hearing Panel imposed a deferred fine of $125,000, payable if Respondent applies for NFA membership or reapplies for NFA associate membership after the expiration of the eight-year period. 
 
As further alleged in the AWC's "Overview":

In May 2020, Respondent induced OBA Customers A and B3 to enter into a promissory note with his wholly-owned entity JDN Capital LLC, pursuant to which the customers lent JDN Capital $300,000 to invest in securities on their behalf. Instead of investing the funds as required, Respondent converted $58,000 of the funds to pay for his own personal expenses in violation of FINRA Rule 2010. 

In July 2020, the OBA customers asked Respondent to provide a copy of an account statement showing that JDN Capital had invested the proceeds of the promissory note in securities as it was obligated to do. In response, Respondent provided them with a fabricated account statement for a non-existent account containing material misrepresentations, in violation of FINRA Rule 2010. 

Respondent also failed to provide prior written notice to his member firm that he was engaging in an outside business activity through JDN Capital, in violation of FINRA Rules 3270 and 2010. Finally, Respondent failed to provide prior written notice or receive prior written permission from his member firm prior to participating in the note transaction with OBA Customers A and B, in violation of FINRA Rules 3280 and 2010. 

In accordance with the terms of the AWC, FINRA imposed upon Nicholas a Bar from associating with any FINRA member in all capacities.

Bill Singer's Comment: Compliments to FINRA on a superbly drafted AWC replete with sufficient content and context so as to render the regulator's case compelling and its sanctions justified.

Cybersecurity and Securities Laws by SEC Chair Gary Gensler (Speech at Northwestern Pritzker School of Law's Annual Securities Regulation Institute)
https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124

Thank you. It's good to be with the Annual Securities Regulation Institute. As is customary, I'd like to note that my remarks are my own, and I'm not speaking on behalf of the Commission or SEC staff.

As some of you may know, I often like to talk about the founding of our nation's securities laws in the 1930s.

So again, today, I'd like to discuss the '30s - but this time, I actually mean the 1830s.

In 1834, exactly a century before the SEC was established, the Blanc brothers in Bordeaux, France, committed the world's first hack. The two bankers bribed telegraph operators to tip them off as to the direction the market was headed. Therefore, they gained an information advantage over investors who waited for the information to arrive by mail coach from Paris.

The brothers weren't convicted for their actions, as France didn't have a law against the misuse of data networks.[1] The Blancs thus pocketed their francs, point-blank.

You may be wondering what all this has to do with the SEC. Well, I think it's telling that the world's first cybersecurity attack involved securities.  

Nearly two hundred years after the Blancs stole information about the securities markets, the financial sector remains a very real target of cyberattacks. What's more, it's become increasingly embedded within society's critical infrastructure.

As the famous bank robber Willie Sutton purportedly once said, regarding why he robbed banks: "Because that's where the money is."[2]

The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating. State actors and non-state hackers alike sometimes try to target various entities and businesses. Why? To steal data, intellectual property, or money; lower confidence in our financial system; disrupt economies; or just demonstrate their capabilities. All this puts our financial accounts, savings, and private information at risk.

The economic cost of cyberattacks is estimated to be at least in the billions, and possibly in the trillions, of dollars.[3] Hackers have attacked broker-dealers[4], government agencies[5], meat processors, and pipelines.[6] These attacks can take many forms from denials-of-service to malware to ransomware.

It's not just the economic cost, of course. Cybersecurity is central to national security. The events of the past couple of weeks in Russia and Ukraine have once again highlighted the importance of cybersecurity to our national interest.

Team Cyber
Recently, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), said that "cybersecurity is a team sport." "Each and every one of us are a member of Team Cyber," she said.[7]

Folks from the private sector are on the front lines. As President Biden recently put it, "most of our critical infrastructure is owned and operated by the private sector, and the federal government can't meet this challenge alone."[8]

Other government entities, such as the Federal Bureau of Investigation and CISA, captain Team Cyber, but the SEC has a role to play as well.

Today, we participate in the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC). We work with our foreign counterparts in the Financial Stability Board (FSB), the International Organization of Securities Commissions (IOSCO), the G7 Cyber Experts Group, and elsewhere.

We have a key role as the regulator of the capital markets with regard to SEC registrants - ranging from exchanges and brokers to advisers and public issuers. Cyber relates to each part of our three-part mission, and in particular to our goal of maintaining orderly markets.

We have many rules that implicate cyber risk, including but not limited to business continuity, books and records, compliance, disclosure, market access, and antifraud.[9] Our Division of Examinations (EXAMS) has put out various Risk Alerts and statements regarding cybersecurity topics,[10] and issued a report in 2020 on Cybersecurity and Resiliency Observations.[11] This work helps SEC registrants and the public prepare for and manage some of these cyber risks.

Cyber incidents, unfortunately, happen a lot. History and any study of human nature tells us they're going to continue to happen. Given this, and the evolving cybersecurity risk landscape, we at the SEC are working to improve the overall cybersecurity posture and resiliency of the financial sector. 

Policy
Though plenty of this work takes place in the private sector and elsewhere in the government, when contemplating cybersecurity policy at the SEC, I think about it in three ways:
  • cyber hygiene and preparedness
  • cyber incident reporting to the government
  • in certain circumstances, disclosure to the public.

Our cybersecurity policy work relates to four groups of entities:
  • SEC registrants in the financial sector, such as broker-dealers, investment companies, registered investment advisers, and other market intermediaries
  • Public companies
  • Service providers that work with SEC financial sector registrants but are not necessarily registered with the SEC themselves
  • The SEC itself.

We look forward to collaborating on this work with CISA, FSOC, the private sector, and the rest of Team Cyber.

Financial Sector SEC Registrants
Let me first turn to our three projects related to financial sector registrants.

Regulation Systems Compliance and Integrity
First, I believe we have an opportunity to freshen up Regulation Systems Compliance and Integrity (Reg SCI).[12]

What is SCI? It's a rule, adopted in 2014, that covers a subset of large registrants, including stock exchanges, clearinghouses, alternative trading systems, self-regulatory organizations (SROs) and the like - financial infrastructure that is part of the backbone of the capital markets. The Consolidated Audit Trail (CAT), as a facility of each of the participant SROs, also is subject to Reg SCI.

The rule helps ensure these large, important entities have sound technology programs, business continuity plans, testing protocols, data backups, and so on. The core goal of Reg SCI was to reduce the occurrence of systems issues and improve resiliency when they do occur.

A lot has changed, though, in the eight years since the SEC adopted Reg SCI. Thus, I've asked staff how we might broaden and deepen this rule. For example, might we consider applying Reg SCI to other large, significant entities it doesn't currently cover, such as the largest market-makers and broker-dealers?[13]

To that end, in 2020, the Commission proposed to bring large Treasury trading platforms under the SCI umbrella. At our next Commission meeting, we will consider whether to re-propose this rule.[14]  

Similarly, I think there might be opportunities to deepen Reg SCI to further shore up the cyber hygiene of important financial entities.

Funds, Advisers, and Broker-Dealers
Next, I'd like to discuss the broader group of financial sector registrants, like investment companies, investment advisers, and broker-dealers, beyond those covered by Reg SCI.

As I mentioned earlier, this group has to comply with various rules that may implicate their cybersecurity practices, such as books-and-records, compliance, and business continuity regulations. Building upon that, I've asked staff to make recommendations for the Commission's consideration around how to strengthen financial sector registrants' cybersecurity hygiene and incident reporting, taking into consideration guidance issued by CISA and others.

I think such reforms could reduce the risk that these registrants couldn't maintain critical operational capability during a significant cybersecurity incident.[15] I believe they could give clients and investors better information with which to make decisions, create incentives to improve cyber hygiene, and provide the Commission with more insight into intermediaries' cyber risks.

Data Privacy
The next arena involving financial sector registrants is around customer and client data privacy and personal information.

Congress addressed this issue in the Gramm-Leach-Bliley Act of 1999. The Commission adopted Regulation S-P in the wake of that law. It requires registered broker-dealers, investment companies, and investment advisers to protect customer records and information.[16] It's the reason that, to this day, a lot of us receive notices informing us about companies' privacy policies.

More than two decades since Reg S-P was adopted - an eternity in the cybersecurity world - I think there may be opportunities to modernize and expand this rule. In particular, I've asked staff for recommendations about how customers and clients receive notifications about cyber events when their data has been accessed, such as their personally identifiable information. This also could include proposing to alter the timing and substance of notifications currently required under Reg S-P.

Public Companies
Next, let me turn to public companies' disclosure with respect to cyber risk and cyber events.

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.

Thus, I've asked staff to make recommendations for the Commission's consideration around companies' cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.

A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.

In addition, I've asked staff to make recommendations around whether and how to update companies' disclosures to investors when cyber events have occurred.

Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.[17]

Service Providers
Next, let me turn to service providers.

Service providers often play critical roles within our financial sector. These service providers go far beyond the cloud. They can include investor reporting systems and providers, middle-office service providers, fund administrators, index providers, custodians, data analytics, trading and order management, and pricing and other data services, among others. Many of these entities may not be registered with the SEC.

I've asked staff to consider recommendations around how we can further address cybersecurity risk that comes from service providers.[18] This could include a variety of measures, such as requiring certain registrants to identify service providers that could pose such risks. Further, it could include holding registrants accountable for service providers' cybersecurity measures with respect to protecting against inappropriate access and investor information. This could help ensure important investor protections are not lost and key services are not disrupted as financial sector registrants increasingly rely on outsourced services.

That being said, it's worth noting that banking agencies regulate and supervise certain banks' third-party service providers directly through the Bank Service Company Act. It might be worthwhile to consider similar authorities for market regulators.

The SEC
Finally, to state the obvious, the SEC is not immune to cyberattacks either.

Agency staff continue to work to protect SEC data and information technology, as well as the industry data we need to carry out our mission. This work aligns with President Biden's Executive Order on Improving the Nation's Cybersecurity[19] and directives from the Office of Management and Budget. 

In addition, we continue to evaluate our data footprint and improve our data collection processes so that we collect only the data we need to fulfill our mission.

Conclusion
In conclusion, we're living in a time of rapid technological changes subject to ever present cybersecurity challenges. These cyber risks have implications for the financial sector, investors, issuers and the economy at large. The SEC has a role to play, along with the rest of Team Cyber.

Nearly two centuries after that first cyber hack, I think we can think about how to protect ourselves against the cybersecurity pitfalls of the '30s - not the 1830s or the 1930s, but the 2030s.

 
[1] See Tom Standage, "The crooked timber of humanity" (Oct. 5, 2017), available at https://www.1843magazine.com/technology/rewind/the-crooked-timber-of-humanity.

[2] See Federal Bureau of Investigation, "Willie Sutton," available at https://www.fbi.gov/history/famous-cases/willie-sutton.

[3] See Jacquelyn Schneider, "A World Without Trust: The Insidious Cyberthreat" (Jan./Feb.), available at https://www.foreignaffairs.com/articles/world/2021-12-14/world-without-trust.

[4] See "Robinhood Announces Data Security Incident (Update)" (Nov. 16, 2021), available at https://blog.robinhood.com/news/2021/11/8/data-security-incident.

[5] See U.S. Government Accountability Office, "SolarWinds Cyberattack Demands Significant Federal and Private-Sector Response" (April 22, 2021), available at https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic.

[6] See Financial Stability Oversight Council, "2021 Annual Report," available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf.

[7] See Jen Easterly, "Cybersummit 2021 Keynote Address" (Oct. 6, 2021), available at https://www.cisa.gov/cybersummit-2021-session-day-1-welcome-and-opening-remarks (see 3:32).

[8] See President Joe Biden, "Remarks by President Biden on Collectively Improving the Nation's Cybersecurity" (Aug. 25, 2021), available at https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/08/25/remarks-by-president-biden-on-collectively-improving-the-nations-cybersecurity/.

[9] See U.S. SEC, "Cybersecurity," available at https://www.sec.gov/spotlight/cybersecurity.

[10] See, e.g., "Cybersecurity: Ransomware Alert," available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf.

[11] See "SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices" (Jan. 27, 2020), available at https://www.sec.gov/news/press-release/2020-20.

[12] See U.S. SEC, "Spotlight on Regulation SCI," available at https://www.sec.gov/spotlight/regulation-sci.shtml.

[13] In fact, several commenters back in 2014 suggested that we might consider adding Reg SCI requirements to other entities, including security-based swap data repositories, security-based swaps execution facilities, and non-ATS broker-dealers. https://www.govinfo.gov/content/pkg/FR-2014-12-05/pdf/2014-27767.pdf, p. 72363-54.

[14] See "SEC Proposes Rules to Extend Regulations ATS and SCI to Treasuries and Other Government Securities Markets" (Sept. 28, 2020), available at https://www.sec.gov/news/press-release/2020-227.

[15] Broker-dealers that are Financial Industry Regulatory Authority (FINRA) members have business continuity plan obligations under FINRA. See "4370. Business Continuity Plans and Emergency Contact Information," available at https://www.finra.org/rules-guidance/rulebooks/finra-rules/4370.

[16] See "Regulation S-P," available at https://www.sec.gov/spotlight/regulation-s-p.htm.

[17] See "SEC Charges Issuer With Cybersecurity Disclosure Controls Failures" (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102, and "SEC Charges Pearson plc for Misleading Investors About Cyber Breach," available at https://www.sec.gov/news/press-release/2021-154.

[18] While focused on the most critical systems, eight years ago, the SEC addressed third-party relationships in adopting Reg SCI. SCI entities are "responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party for certain financial sector entities." See Regulation Systems Compliance and Integrity, https://www.govinfo.gov/content/pkg/FR-2014-12-05/pdf/2014-27767.pdf p. 72276.

[19] See "Executive Order on Improving the Nation's Cybersecurity" (May 12, 2021), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

https://finra-unscripted.simplecast.com/episodes/deep-learning-the-future-of-the-market-manipulation-surveillance-program-rymxtpfn
As set forth in the "Episode Notes":

FINRA's Market Regulation and Technology teams recently wrapped up an extensive project to migrate the majority of FINRA's market manipulation surveillance program to using deep learning in what is perhaps the largest application of artificial intelligence in the RegTech space to date. 

On this episode, we hear from Susan Tibbs, senior vice president of Market Manipulation in the Market Regulation Quality of Markets group, and from C.K. Chow, principal developer with the Technology team, about how the use of deep learning is making FINRA's market surveillance data more digestible and increasing the efficiency and flexibility of the program.