Cybersecurity Guidance for Investment Advisers Managing ERISA plans

Jun 03, 2021 03:51 pm | by Jaqueline Hummel, Partner and Managing Director, Hardin Compliance

For Investment Advisers and Broker-Dealers

DOL issues cybersecurity guidance.  On April 14, 2021, the U.S. Department of Labor (“DOL”) Employee Benefits Security Administration (“EBSA”) issued cybersecurity guidance directed at ERISA plan sponsors and ERISA fiduciary advisors.  While the guidance looks similar to the SEC’s advice, there is one noticeable difference:  the DOL says firms “should” have a reliable annual third-party audit of security controls.  As part of that audit, EBSA expects to see audit reports, audit files, penetration test reports, and any other analyses or reviews of cybersecurity practices.  EBSA also wants documented corrections of any weaknesses identified in the independent third-party analyses.  What are the implications for firms subject to this guidance?  Will the DOL consider it a breach of fiduciary duty if a firm does not hire a third party to audit its security controls?  Can a firm do the assessment internally?  Time will tell whether this is a best practice or a requirement.

In addition to the third-party review, the DOL provided these best practices that ERISA plan service providers “should” follow:

  1. Implement a well-documented cybersecurity program.
  2. Conduct a prudent annual cybersecurity risk assessment.
  3. Clearly define and assign information security roles and responsibilities.
  4. Establish robust access control procedures.
  5. Ensure that any assets or data stored in a cloud or with a third party are subject to appropriate security assessments.
  6. Conduct periodic cybersecurity awareness training.
  7. Implement and manage a secure system development life cycle (SDLC) program.
  8. Establish an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
  9. Encrypt sensitive data stored and in transit.
  10. Implement strong technical controls that meet best security practices.
  11. Respond to any past cybersecurity incidents.

The DOL guidance was published in three separate pieces: Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries.  Contributed by Glenn R. Skreppen, Senior Compliance Consultant.



Many of you may have received the FINRA: New Request email below. It is a scam. The tells are in the message itself: it refers to a “letter above” that is not there, asks you to reply to the email for the details, and threatens penalties for late submission. Verify any request that claims to come from FINRA through the FINRA contact information you already have on file, never by replying to the message.

    FINRA: New Request          View Request
    202106980000
    Request ID
    3989971
    Date Requested
    06/07/2021
    FINRA Requester
    Ta’She Spencer-Clifton

    Dear Eileen,

    A Firm Compliance Request has been issued by FINRA for your firm.
    Follow the information in the letter above to complete the request. Late submission may attract penalties.
    Please respond to this email for additional information.

    Sincerely,

    Ta’she Spencer Clifton
    Principal Compliance Examiner
    Financial Industry Regulatory Authority (FINRA).
    1735 K Street, NW
    Washington, DC 20006

10 Remote Compliance Best Practices

from Cipperman Compliance Services

Today, we offer our “Friday List,” an occasional feature summarizing a topic significant to investment management professionals interested in regulatory issues. Our Friday Lists are an expanded “Our Take” on a particular subject, offering our unique (and sometimes controversial) perspective on an industry topic.

Several C-suite investment management executives have asked for our advice on how to ensure an effective compliance program with everybody, including the Chief Compliance Officer, working from remote locations. We’re glad they asked. Over the last 17 years, we have developed a very effective remote chief compliance services offering that has withstood SEC scrutiny through market highs, market lows, a variety of business models, multiple locations, and, now, a pandemic. Whether you are the CEO worried about what you don’t know or a CCO who is overly reliant on “water cooler compliance,” we offer 10 best practices that we follow to implement an effective remote compliance.

10 Remote Compliance Best Practices:

1. Scheduled and consistent communication. The CCO must ensure a consistent flow of information. We formalize this process by conducting weekly compliance meetings that include detailed pre-meeting agendas and followed with written minutes.
2. Multiple touch points. Accessibility is crucial to an effective compliance program. Many in-house CCOs may now be distracted by home responsibilities. Our firm deploys a 2+ person team for every client so that somebody is always available to respond to compliance questions or issues. Our clients can also reach other members of the team for support.
3. Online tools. Compliance officers can use key on-line technologies for effecting the compliance program. For example, we utilize BasisCode to vet employee trading and ensure Code of Ethics compliance. Other tools that are available in the industry include portfolio monitoring, trading compliance, and email reviews.
4. File sharing. All employees should have immediate access to compliance documents. We utilize Box, an online file sharing tool, so that our clients can review policies, testing, approved marketing materials and disclosure documents.
5. Responsiveness. The CCO should respond immediately to all requests on a 24/7/365 basis. Our firm policy is to respond within 120 minutes and provide an answer within 24 hours. This policy includes reviewing and revising marketing materials within 24 hours.
6. Testing. Much compliance testing can be done remotely. We have developed several compliance tests that involve transaction sampling, document reviews and interviews. We plan to use future on-site visits to confirm our findings.
7. Workload. Many firms have failed to devote sufficient resources to the CCO, who juggles many roles during the workday. The remote working environment throws the under-resourcing into relief as the remote CCO struggles to answer all the calls. Our firm monitors workloads, hours and fees to make certain that nobody is so overwhelmed that we can’t meet our service and quality standards.
8. Management involvement. Too many CCOs fail to include senior management in ongoing compliance matters, thereby becoming the proverbial tree that falls in the empty forest. We recommend that every client creates a compliance committee of senior leaders that meets quarterly to address compliance issues.
9. Accountability. What happens if the remote CCO fails to adequately perform his/her function because of other distractions? Is somebody adequately managing the CCO? Can you terminate without another option? By contrast, our firm assumes the CCO liability and executes a service level agreement that holds us accountable for our promises.
10. On-Site visits. Meeting in person helps to verify testing and complete due diligence. We commit to no less than 6 on-site visits per year for every client for whom we serve as CCO. During the pandemic, we will conduct on-site visits via videoconference but plan to go on-site to confirm testing and complete due diligence.

Update on PPP disclosure

FA Advisor magazine


Also, if you need to disclose the PPP loan on your ADV Part 2, it must be done within 30 days.  I believe that if the PPP is not disclosed, the SEC may be calling you to discuss why you haven’t disclosed.

Disclosure Of The PPP Loan On Form ADVs
On April 27, 2020, the Securities and Exchange Commission issued FAQs specific to advisors experiencing Covid-19 issues. In these FAQs, the SEC addressed whether an advisor who has received a PPP loan has to disclose the loan to its clients through an ADV filing. While the SEC does not directly answer this question in the affirmative, its guidance indicates that advisors are strongly urged to make the disclosure, and we agree. First, the SEC points out that advisors have a fiduciary duty requiring them to “make full and fair disclosure” to clients of “all material facts.” The SEC further states that “if the circumstances leading [the advisor] to seek a PPP loan or other type of financial assistance constitute material facts relating to [the advisor’s] advisory relationship with clients, it is the staff’s view that [the advisor] should provide disclosure of, for example, the nature, amount and effects of such assistance.” While the SEC lists two specific examples of situations requiring ADV disclosures (paying advisory personnel salaries and meeting contractual commitments to clients), we believe there are very few scenarios, if any, in which the acceptance of the PPP loan would be immaterial and not disclosable in an advisor’s ADV. Given that the PPP loan requires certification that the loan is necessary to support ongoing operations and can only be used for limited crucial expenses of the advisor, such as rent payments and utilities, the SEC would likely deem the acceptance of PPP funds a material fact for purposes of the ADV, because acceptance of the PPP funds is relevant to the financial condition of the advisor. If an advisor returns the PPP loan by the May 7 deadline, ADV reporting would likely be unnecessary.



The SEC has come out with an FAQ regarding the disclosure of PPP loans.  Please read below.  If you are a client and need to have your ADV Part 2A updated to include a PPP disclosure, please let me know.

Q. I am a small advisory firm that meets the requirements of the Paycheck Protection Program (PPP) established by the U.S. Small Business Administration in connection with COVID-19. If I receive or have received a PPP loan, what are my regulatory reporting obligations under the Investment Advisers Act of 1940 to my firm’s clients?

A. As a fiduciary under federal law, you must make full and fair disclosure to your clients of all material facts relating to the advisory relationship. If the circumstances leading you to seek a PPP loan or other type of financial assistance constitute material facts relating to your advisory relationship with clients, it is the staff’s view that your firm should provide disclosure of, for example, the nature, amounts and effects of such assistance. If, for instance, you require such assistance to pay the salaries of your employees who are primarily responsible for performing advisory functions for your clients, it is the staff’s view that you would need to disclose this fact. In addition, if your firm is experiencing conditions that are reasonably likely to impair its ability to meet contractual commitments to its clients, you may be required to disclose this financial condition in response to Item 18 (Financial Information) of Part 2A of Form ADV (brochure), or as part of Part 2A, Appendix 1 of Form ADV (wrap fee program brochure). (Posted April 27, 2020)


Coronavirus and Fraud

Be aware that opportunistic criminals are using the coronavirus pandemic to steal people’s money and identities. Here are some of the strategies you should be aware of:

  •  Outbreak maps. Don’t click on any link that purports to show a map of the COVID-19 outbreak unless you absolutely trust the source. The Johns Hopkins interactive map at https:// is one legitimate source. Some scammers have used bogus online maps to spread malware and capture usernames, passwords, credit card numbers, and other information. Be careful about what you click!
  •  Email campaigns. Criminals have put a coronavirus spin on email phishing, using infected attachments or downloads to steal information. Remember: the email may look like it is from a legitimate source such as a bank, but it’s best to go to the bank’s website directly or give them a call.
  •  Charitable giving. Be on the alert for scammers posing as representatives of legitimate charitable organizations. You may also receive an urgent request from someone you know seeking financial help. Contact the person directly, through a channel you already have, to verify that the request really came from them.
  •  Testing scams. Finally, officials aren’t likely to knock on your door as part of a coronavirus outreach and response. Instead, it’ll probably be a scammer trying to take advantage of people’s fears by selling them expensive products or otherwise getting their personal information. Don’t let them in the house, and don’t give them information.

    It’s important that we all stay vigilant in these uncertain times. If you have any questions, call a local agency or do your research from only legitimate sites on the internet. The Federal Trade Commission has more information on coronavirus-related scams and what you can do.

    Your financial well-being is our priority. We will keep you informed of important developments in the fight against cybersecurity threats.

    In the meantime, we wish you continued health, and we look forward to meeting you in person once more after the outbreak ends.

    Compliments of HC Financial Advisors


I know these are very tough times, with the markets down and towns going into quarantine mode. Here are a few tips from Jen Goldman of Jen Goldman Consulting, most of which you all know.
    1. Make sure everyone knows how to log into 365 or G Suite online and access their email, calendar and Office software (Excel, Word, PowerPoint), and that email signatures are set up properly with a clickable phone number.
    2. Have everyone bring home video call devices (webcam, headset).
    3. Pre-schedule a daily huddle video call with your team to check on their mental state and help get them into work mode (side benefit: this huddle builds the habit of getting dressed for work, which calms the nerves because it makes staff feel they are in control of something and have a purpose beyond worrying about the world and their health).
    4. Make sure mobile apps are set up for the online CRM, document, video call, IM, and project management tools.
    5. For investment management staff, make sure they can log into the custodian and investment management/trading software from home.
    6. Learn how to set up your phones to forward to cell phones (and be ready to put that into place).
    7. Start a group text on mobile devices and ask everyone to keep it on their phones indefinitely and NOT to use it for regular chatter. It is only for urgent messages that everyone needs to know. IM is for the regular intraday chatter.

Global Investment Performance Standards (GIPS®) Workshop

Don’t miss this opportunity to reserve your seat at an interactive workshop that offers a practitioner’s view of the GIPS® standards. Sessions have been organized covering GIPS compliance fundamentals and how to create and maintain a GIPS compliance program, with an in-depth review of composite construction and calculations, GIPS compliance policies and procedures, GIPS compliant performance reporting and error correction. We hope you can join us and bring a colleague, but don’t delay – space is limited and early bird pricing ends 3/31/2019. Click here for registration details.

April 25, 2019  –  Portland Oregon

This workshop is being co-organized by Amy Jones of Guardian Performance Solutions.  If you are interested in GIPS compliance…this is the workshop to attend.





Three Compliance Goals You Should Set for Your Financial Planning Firm

Compliments of Scott Gill, XY Planning Network

A new year presents the opportunity to reflect, reevaluate, and refocus for the benefit of our personal and professional lives. When it comes to setting resolutions, many financial planners focus on resetting financial planning goals for their clients, such as debt management or restructuring the household budget.

But what about goals for themselves?

From a business perspective, the new year is an ideal time for firms to evaluate their internal business practices and set goals accordingly.

Perhaps your goal for the year is to implement a new portfolio management solution by initiating a relationship with a new Custodian or TAMP. Or maybe it’s to grow your financial planning firm by “X” number of clients or “X” dollars of revenue.

There are so many areas of business where resolutions can be made. Let’s not forget about an often overlooked one—compliance.

Here are three important goals—or resolutions—that advisors can adopt to improve their compliance program this year.

#1. I Will Read My Compliance Documents

As strange as it may sound, there is evidence to suggest that countless financial advisors neglect this basic and most necessary task.

Often, compliance documents are drafted with the assistance of a compliance consultant upon initial registration. Then, the registration gets approved and the advisor is off and running.

Unless an audit or regulatory exam occurs, or another material change is being implemented, an advisor can easily go an entire year without reviewing their compliance documents.

The ADV must be updated annually, so the tendency is to mentally bookmark this as an annual task and not look at or think about it again.

But what about your advisory contracts, compliance manual, or business continuity plan? Does your firm have a social media policy or a cybersecurity or data security policy?

There is no regulatory requirement to review these items annually, so many advisors don’t.

It may seem like a waste of time to review these additional documents, especially if no changes need to be made. But, like every other neglected and seemingly mundane compliance task, it carries real value: time spent with these documents is how a compliance novice builds the knowledge needed to become a competent CCO.

#2. I Will Use My Compliance Task Management System

All firms would be wise to utilize technology to manage their compliance program.

As with every other function in business, be it accounting, client relationship management, trading, or invoicing, use of technology quite simply makes life easier.

For firms that have not yet begun a relationship with a compliance task management provider, this is the year to do so.

For those that have compliance task management software but are not consistently using it to update tasks and track deadlines, this is the year to start.

It is best practice to set aside a bit of time on the same date and time each month to log into the software and check for past due and upcoming tasks. If there are tasks that you don’t understand, spend your time researching and ask questions of regulators and compliance consultants to gain an understanding of the purpose behind the task.

There is no better way to get a grip on a compliance program than by leveraging task management software.

#3. I Will Communicate With My Clients and Business Partners About Compliance

In many ways, running an effective compliance program boils down to the willingness and ability of the CCO to communicate about compliance.

Sure, clients hear about the big SEC takedowns of massive Ponzi schemes, and by way of these stories are acutely aware of compliance issues. But most clients have no idea how important compliance is to their financial advisor specifically because there is traditionally little-to-no mention of compliance by advisors.

In many cases, advisors communicate with clients about compliance with a grumble while having a client sign a form, as if they are banding together with the client in opposition to the evil “institutional compliance powers that be.”

When they do so, they are indirectly communicating to the client that compliance is not important to them.

In joining with third-party vendors, some financial planners may apologize for the inconvenience while having the business partner complete a process that is required by their compliance program.

Again, this portrays a general lack of concern about compliance.

These negatively toned communications are most common when the advisor is not also the compliance officer, because the advisor can then pawn off compliance inconveniences on the CCO of the firm. But when the advisor is the CCO of the firm, it becomes even more important that communication about compliance be made in a tone that signals priority.

As a compliance obligation, each firm is responsible for executing third-party due diligence on all outside entities with which there is a professional relationship. This responsibility presents the opportunity to work on presenting compliance items with a sense of urgency.

This time of year, we frequently hear all types of promises and resolutions. But within just a few short months, this talk subsides and most resolutions have been abandoned. This year, I urge you to make, and keep, these three simple compliance resolutions. In doing so, you will build a stronger financial planning firm.


About the Author
Scott is a licensed Securities Principal with experience in both RIA and broker-dealer compliance. He began his financial services career in 2006 as a Registered Representative with E*Trade Financial in Alpharetta, GA. He has also worked with J.P. Morgan Private Banking in Chicago, IL and with Wells Fargo Advisors in Chapel Hill, NC.

Scott’s most recent role before joining Team XYPN was as Compliance Officer of Carolinas Investment Consulting, in Charlotte NC. He’s a graduate of The University of North Carolina at Chapel Hill and holds FINRA Series 63, 65, 24, 4 and 53 Licenses.

Scott lives in Charlotte, NC with his wife Meredith, and their two sons Tyson and Jackson and daughter Eva. In his free time, Scott enjoys watching sports, exercising, and operating the charitable organization he created upon his father’s passing.


New Hacking Incident – be VERY Aware

A client recently sent me an email asking about a blank form he received in the mail. It was a MA-W Notice of Withdrawal form (it is a form for withdrawing registration as a municipal advisor).  It was sent without any cover letter or explanation.  Since he isn’t registered as a municipal advisor, I told him not to do anything with the form. However…it was all part of a very sophisticated attempt to defraud him.

I’m telling you all the details so that you can be on the lookout for something similar. The form arrived via USPS Priority Mail in a Flat Rate Mailing Envelope.  Don’t accept this delivery, if you have an opportunity to do so. More than likely it will be left in your mailbox.  The envelope was sent to the client’s home address with a legitimate tracking number from William Waters of Denison TX.

The day after he received the envelope he received an email from PayPal with details of his shipment (which he didn’t pay much attention to as he thought it was spam or a spoof).

The following day he was reconciling his financial information and noticed a strange charge of $577 to his American Express (AMEX) card.  He called AMEX to report the charge.  He was told that any investigation would have to come from AMEX’s back office and PayPal, and that this can take up to 30 days.

He began to dig into how this happened.  In doing so he noticed an email from “Waterilliam”, a name very similar to that of William Waters, the sender of the weird blank MA-W Notice of Withdrawal form that had been mailed to him.

He checked the USPS tracking number from the envelope.  The envelope originated in Flint, MI.  The mailing exists to create a tracked delivery to the cardholder’s own address: once USPS sends notification of the delivery, the thieves show that proof of delivery to PayPal, and the charge to his AMEX stands.

This is a sophisticated hacking incident where they are hiding behind PayPal.  At this point, my client isn’t clear as to how he was targeted.  He is thinking it could be a result of the Marriott data breach as this was the most recent AMEX purchase.

Suggestion: do NOT use the same password for more than one account.  I know that I have had a tendency in the past to use the same one for things that don’t seem to be a security issue, like say a hotel rewards card.  Use a password manager, review it for any duplicates, and then change them.

Lastly, be on the alert for any emails from PayPal.  Review them before deleting to be sure they aren’t about a shipment coming your way.
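One way to do that duplicate review, as an added example that is not code from the original post: the script below reads a password-manager CSV export, fingerprints each password with SHA-256 so the cleartext never appears in the report, and lists the accounts that share a password. The export rows are constructed for illustration, and the column names (name, url, username, password) are an assumption; check the header row of your own manager’s export before running it.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (made-up entries, not real
# data). The column names are an assumption: adjust them to match the header
# row your manager actually writes.
SAMPLE_EXPORT = """name,url,username,password
Hotel Rewards,https://rewards.example-hotel.test,jdoe,Summer2019!
Brokerage Portal,https://portal.example-broker.test,jdoe,Summer2019!
Payments,https://pay.example-payments.test,jdoe@example.test,Summer2019!
Webmail,https://mail.example.test,jdoe@example.test,correct-horse-battery-staple
Card Issuer,https://card.example-issuer.test,jdoe,Xq7!vb#2pL9m
Old Forum,https://forum.example.test,jdoe,
"""


def fingerprint(password: str) -> str:
    """Return a short SHA-256 fingerprint of the password.

    Equal passwords give equal fingerprints, which is all the duplicate check
    needs, and the cleartext never reaches the report.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused(export_csv: str) -> dict[str, list[str]]:
    """Group export rows by password fingerprint; keep only groups of two or more.

    Rows with an empty password field (notes, passkeys, etc.) are skipped.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        password = (row.get("password") or "").strip()
        if not password:
            continue
        label = f'{row.get("name", "?")} ({row.get("username", "?")})'
        groups[fingerprint(password)].append(label)
    return {fp: entries for fp, entries in groups.items() if len(entries) > 1}


def report(export_csv: str) -> list[str]:
    """One line per reused password, most widely shared first."""
    reused = find_reused(export_csv)
    lines = []
    for fp, entries in sorted(reused.items(), key=lambda kv: -len(kv[1])):
        lines.append(
            f"password {fp} shared by {len(entries)} accounts: " + "; ".join(entries)
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EXPORT) or ["no reused passwords found"]:
        print(line)
```

Run it against the real export file, not the constructed sample, by reading the file into a string and passing it to `report()`; delete the export afterwards, since it holds every password in cleartext. The sample reproduces the hotel-rewards pattern described above: the same password on a low-value rewards site, a brokerage portal and a payments account means a breach of the rewards site hands over the other two.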
