New Hacking Incident – be VERY Aware

A client recently sent me an email asking about a blank form he received in the mail. It was a MA-W Notice of Withdrawal form (it is a form for withdrawing registration as a municipal advisor).  It was sent without any cover letter or explanation.  Since he isn’t registered as a municipal advisor, I told him not to do anything with the form. However…it was all part of a very sophisticated attempt to defraud him.

I’m telling you all the details so that you can be on the lookout for something similar. The form arrived via USPS Priority Mail in a Flat Rate Mailing Envelope.  Don’t accept this delivery, if you have an opportunity to do so. More than likely it will be left in your mailbox.  The envelope was sent to the client’s home address with a legitimate tracking number from William Waters of Denison TX.

The day after he received the envelope he received an email from PayPal with details of his shipment (which he didn’t pay much attention to as he thought it was spam or a spoof).

The following day he was reconciling his financial information and noticed a strange charge of $577 to his American Express (AMEX) card.  He call AMEX to report the strange charge.  He was told that any investigation would have to come from AMEX’s back office and PayPay, but this can take up to 30 days.

He began to dig to see how this happened.  In doing so he noticed an email from Waterilliam (very similar to the weird form that had been mailed from William Waters (the blank MA-W Notice of Withdrawal form).

He checked the USPS tracking number from the envelope.  The envelope originated in Flint MI.  Once USPS sends notification of the delivery, the thieves show proof of delivery to PayPal and his AMEX is charged.

This is a sophisticated hacking incident where they are hiding behind PayPal.  At this point, my client isn’t clear as to how he was targeted.  He is thinking it could be a result of the Marriott data breach as this was the most recent AMEX purchase.

Suggestion – do NOT use the same password for anything.  I know that I have had a tendency in the past to use the same one for things that don’t seem to be a security issue…like say a hotel rewards card.  Use a password manager and review it for any duplicates…then change them.

Lastly, be on the alert for any emails from PayPal.  Review them before deleting to be sure they aren’t about a shipment coming your way.

Posted in Uncategorized | Tagged , , | Leave a comment

SEC Exams and the DOL Rule

If your Policies and Procedures Manual says you do ‘X’ then you should be doing it.  In the past year I have added a policy for the DOL Rule to client Policies and Procedures Manuals.  Examiners have been asking about those policies and what the firms have done to meet the requirements of those policies.

Many people believe the that DOL Rule is dead.  The 5th Circuit has not vacated the Rule, so it is still in effect.  What has become clear during the SEC examinations is that the examiners are using the Policies and Procedures Manual to determine if firms are meeting their DOL Rule requirements.

Be sure that you are doing what your Manual says you are doing, especially regarding the DOL Rule.

Posted in Uncategorized | Tagged , , | Leave a comment

DOL Fiduciary Rule – update

Although it appears that the federal court decision vacating the DOL Fiduciary Rule was supposed to take effect on May 7, 2018, the DOL releases a statement continuing its policy of non-enforcement given “uncertainty about fiduciary obligations.”

Firms that have compliance P&Ps to comply with the DOL’s impartial conduct standards are wise to keep them.  These standards seem to be similar to what may be required with the SEC’s proposed investment adviser fiduciary duty interpretation.

My recommendation is to maintain compliance with your firm’s P&P regarding the DOL Rule until there is official word.

Posted in Uncategorized | Tagged , , , | Leave a comment

News regarding DOL Fiduciary Rule

Yesterday, March 15, 2018, the U.S. Court of Appeals for the 5th Circuit voted 2-1 to vacate the DOL Fiduciary Rule.  HOWEVER,  the effect of the decision only applies to the following three states within the 5th Circuit’s jurisdiction – Louisiana, Mississippi, and Texas.

The next question is whether any party will appeal this decision to the U.S. Supreme Court.

So don’t rush to stop your compliance with the Impartial Conduct Standards that have been in effect since June 9, 2017.

Posted in Uncategorized | Tagged , , , | Leave a comment

Cybersecurity Training Options

Cybersecurity is once again on the SEC’s OCIE exam priorities list.  There are many things that a firm can do to counter the concerns of Cybersecurity.  One of the most difficult items to counter is an employee and their inadvertent opening of an email that could open up your firm data to the outside.

Several of my clients have started to work with a firm called KnowBe4.  They have a relatively inexpensive program that can handle several of your Cybersecurity concerns relative to employees:

  1. Cybersecurity Training
  2. Phishing

They maintain an online library of security awareness training that can assist with the Cybersecurity Training requirement.  These trainings can be automated and scheduled reminders sent to employees via email.  Which can be documented in the firm’s CRM.

They also have a  fully automated system that will send out simulated phishing attacks.  This will help you to know which of your employees may be susceptible to a phishing attack.  You receive the results of the “attacks” and can then train employees accordingly.

This is an easy, low-cost solution to a problem that isn’t going away.  Check out their demo at

Posted in Uncategorized | Tagged , , | Leave a comment

SEC Fines and Bars CCO for Ignoring Compliance Problems

from Cipperman Compliance Services

The SEC fined and barred an adviser’s Chief Compliance Officer from acting in a compliance or supervisory capacity because of his failures to remedy compliance deficiencies. The adviser hired an outside compliance consultant which recommended 59 compliance action items. The SEC alleges that the CCO failed to address many of the issues raised including failures to (i) ensure a surprise audit pursuant to the custody rule, (ii) retain emails and other electronic records, and (iii) implement policies to protect customer information. The SEC also charges the CCO with compliance program deficiencies including failures to update the compliance manual or conduct any meaningful annual review of the compliance program. The firm’s president/principal was also censured and fined.

OUR TAKE: The SEC doesn’t often prosecute standalone (i.e. not dual hat) CCOs without an underlying client loss, but it will if the CCO ignores obvious compliance deficiencies of which he has notice. This is what we call “compliance voodoo” i.e. an appearance of compliance infrastructure without an effective program. This CCO had a compliance manual, did some quarterly testing, and hired a third party consultant. But, neither the CCO nor the firm took any action to actually implement relevant procedures to address cited compliance deficiencies.


Posted in Uncategorized | Tagged , , , | Leave a comment

Three Firms Fined for Marketing Hypothetical Third Party Performance

from Cipperman Compliance Services, LLC

The SEC censured and fined three more investment advisers in connection with marketing F-Squared’s misleading hypothetical performance information. One of the firms agreed to pay $8.75 Million in disgorgement, fines, interest and another agreed to pay over $700,000, while the third firm, which has ceased its business, agreed to pay a $200,000 fine. The SEC alleges that the firms incorporated misleading F-Squared-provided performance information into their marketing materials without conducting adequate due diligence into the performance claims, despite significant red flags such as hypothetical backtested performance, outlier returns, lack of actual performance history, and lack of data transparency. The SEC charged the firms with failing to implement adequate compliance policies and procedures to verify third party performance claims and maintain required records. The defunct firm, which also sponsored a registered mutual fund, was also charged with several Investment Company Act violations including violations of Section 15, which requires a shareholder-approved written agreement with all sub-advisers. The SEC has previously brought several cases related to incorporating misleading F-Squared performance (see

OUR TAKE: Investment advisers must adopt and implement procedures to test performance claims made by third parties, and firms can’t claim ignorance and innocence if the third party refuses to provide backup data. Also, we do not believe firms should ever use hypothetical backtested performance data, because the SEC usually alleges that such information is too misleading.

Posted in Uncategorized | Tagged , , | Leave a comment