From True North Networks
WARNING – There is currently an aggressive attack campaign underway against a previously undisclosed vulnerability in Microsoft Word, which can be used to quietly install different kinds of malware — even on fully-patched computers. The bug can be exploited on all versions of Microsoft Office, including the latest Office 2016 version running on Windows 10.
The vulnerability cannot bypass the Office Protected View, which should be turned on by default. You can verify those settings using the following steps:
Step 1: Start Word, click File and then choose Options
Step 2: Click Trust Center and then Trust Center Settings
Step 3: Click Protected View; all three of the options listed there should be checked
Step 4: Click OK and you’re done!
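The same check can be scripted for the current user instead of clicking through the Trust Center. The PowerShell below is an added example, not part of the original post. It assumes Word stores these three options as the per-user registry values DisableInternetFilesInPV, DisableUnsafeLocationsInPV and DisableAttachmentsInPV, and that a Group Policy copy of a value overrides the user's own.

```powershell
# Added example: audit Word Protected View options for the current user.
# Assumption: a value of 1 means the option is turned OFF; a missing value
# or 0 means Protected View is on for that file source (the default).
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'Files originating from the Internet'
    DisableUnsafeLocationsInPV = 'Files located in potentially unsafe locations'
    DisableAttachmentsInPV     = 'Outlook attachments'
}
$versions = '14.0', '15.0', '16.0'   # Office 2010, 2013, 2016
$roots = [ordered]@{                 # policy hive is checked first and wins
    Policy = 'HKCU:\Software\Policies\Microsoft\Office'
    User   = 'HKCU:\Software\Microsoft\Office'
}

$results = foreach ($ver in $versions) {
    # Skip Office versions that have no Word key for this user
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word")) { continue }
    foreach ($name in $settings.Keys) {
        $state = 'Enabled'; $source = 'Default'
        foreach ($rootName in $roots.Keys) {
            $key = Join-Path $roots[$rootName] "$ver\Word\Security\ProtectedView"
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -ne $value) {
                $state  = if ($value -eq 1) { 'DISABLED' } else { 'Enabled' }
                $source = $rootName
                break   # first hive that defines the value decides
            }
        }
        [pscustomobject]@{
            OfficeVersion = $ver
            Option        = $settings[$name]
            State         = $state
            Source        = $source
        }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object State -eq 'DISABLED') {
    Write-Warning 'At least one Protected View option is turned off for Word.'
}
```

Run it in the user's own session, since the values live in that user's registry hive; any row marked DISABLED corresponds to an unchecked box in Step 3.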
Unlike most document-related vulnerabilities, this zero-day bug doesn’t rely on macros (built-in code that executes pre-scripted command actions), for which Office typically warns users of the risks when opening macro-enabled files. There is currently no patch for this bug, but Microsoft is expected to release a fix with its next round of security updates. Once released, you will receive the patch within your regularly scheduled patch window. In the meantime, be extra cautious when opening Microsoft Word attachments.
The Department of Labor (“DOL”) published its final rule delaying the applicability dates of its rule changing the definition of the term “fiduciary” (the “Fiduciary Rule”) by 60 days, as proposed. The new timeline for compliance with the Fiduciary Rule is as follows:
- June 9, 2017 – The Fiduciary Rule becomes applicable.
- June 9, 2017 – Firms relying upon the BIC Exemption must comply with Impartial Conduct Standards but no additional conditions.
- June 9, 2017 through December 31, 2017 – the Transition Period (discussed below). During the Transition Period, DOL will review the Fiduciary Rule and report on the factors outlined in the Presidential Memorandum.
- January 1, 2018 – Firms relying upon the BIC Exemption must come into full compliance.
As noted above, the final rule adopted a 60-day delay of the applicability date of the Fiduciary Rule from April 10, 2017 to June 9, 2017. The applicability dates of the Best Interest Contract Exemption (the “BIC Exemption”) were also extended to June 9, 2017.
The BIC Exemption already provided for a “Transition Period” between the original applicability date of the Fiduciary Rule and January 1, 2018, the date when fiduciaries relying on such exemptions are expected to be in full compliance. The final rule does not change the full compliance date for those exemptions.
The final rule does simplify compliance with the BIC Exemption during the Transition Period. During the Transition Period, fiduciaries will only be required to comply with the “Impartial Conduct Standards” and not the other conditions of such exemptions, such as the affirmative disclosure requirements. The Impartial Conduct Standards require that fiduciary advisers make recommendations that are in the customer’s best interest (subject to a prudence and loyalty standard), receive no more than reasonable compensation, and not make materially misleading statements.
The final rule also delays the applicability date for the streamlined “Level Fee Fiduciary” exemption within the BIC Exemption until June 9; however, during the Transition Period, Level Fee Fiduciaries that are eligible for the Transition Period relief under the full BIC Exemption may comply with those conditions (i.e., only the Impartial Conduct Standards) instead.
The future of the Fiduciary Rule continues to be uncertain. DOL has requested comments from interested stakeholders on the issues raised by the Presidential Memorandum by April 17. Next steps will remain unclear until senior DOL officials are confirmed. Further delays are possible, followed by modifications or rescission of the rule.
Some things to consider when you receive a request for a wire transfer or check from a client:
- Confirm the request with the client via phone BEFORE you send them anything to sign. If a hacker is controlling their email, they will see the request and have the client’s account number and any other information included in the request.
- Confirm all information regarding the wiring bank with the receiving party BEFORE completing the wire request paperwork. Scenario – hacker obtains control of real estate agent’s email, changes the wiring instructions that are sent to your client for that transfer to escrow for the new home they are buying. You receive the instructions and confirm with the client. You, the real estate agent and the client are unaware that you are about to send all that money to someone other than the escrow company. My recommendation is that all such instructions should be confirmed directly with the escrow or receiving agency.
A few minutes of work up front can save a nightmare and a lot of time down the road. Do the due diligence.
The Department of Labor released a proposed rule to extend the applicability date of its fiduciary rule under ERISA. The proposal includes a 15-day comment period and would extend the rule’s April 10 compliance date to June 9.
Fred Reish, partner in Drinker Biddle & Reath’s employee benefits and executive compensation practice group in Los Angeles, notes that a 6-month delay had been widely expected.
“During the shortened period, the DOL will take comments for 15 days on whether the proposed rule should be finalized and will take comments for 45 days on a list of questions about the impact of the fiduciary regulation and the exemptions,” Reish explains.
After the comments are received and reviewed, Labor will then issue a final rule extending the applicability date to June 9, Reish adds. “Once drafted, it will be sent to the Office of Management and Budget for another review. The goal is obviously to get the final rule on the extension of the applicability date approved and published by April 10. We expect that to happen at the end of March or early April.”
My take on this – once again another unclear message from the Department of Labor regarding the April 10th applicability date.
The No-Action Letter discussed in yesterday’s blog contains seven conditions that, if met, would allow an adviser to escape the need for a surprise exam:
1. The client provides an instruction to the qualified custodian, in writing, that includes the client’s signature, the third party’s name, and either the third party’s address or the third party’s account number at a custodian to which the transfer should be directed.
2. The client authorizes the investment adviser, in writing, either on the qualified custodian’s form or separately, to direct transfers to the third party either on a specified schedule or from time to time.
3. The client’s qualified custodian performs appropriate verification of the instruction, such as a signature review or other method to verify the client’s authorization, and provides a transfer of funds notice to the client promptly after each transfer.
4. The client has the ability to terminate or change the instruction to the client’s qualified custodian.
5. The investment adviser has no authority or ability to designate or change the identity of the third party, the address, or any other information about the third party contained in the client’s instruction.
6. The investment adviser maintains records showing that the third party is not a related party of the investment adviser or located at the same address as the investment adviser.
7. The client’s qualified custodian sends the client, in writing, an initial notice confirming the instruction and an annual notice reconfirming the instruction.
from Cipperman Compliance Services LLC
The staff of the SEC’s Division of Investment Management, in a recent No-Action Letter, has opined that an adviser has regulatory custody of client assets where a client grants even limited authority to transfer assets to a designated third party. As a result, an adviser who has received standing letters of authorization (SLOAs) from one or more clients must report those assets in its response to Item 9 of Form ADV. The staff will allow such an adviser to dispense with the custody rule’s surprise examination requirement so long as it meets several conditions including ensuring that the third party custodian appropriately verifies the SLOA, provides transfer of funds notices to the client, and sends the client annual reconfirming notices. In companion releases, the staff also provided guidance about transferring assets between custodians and inadvertent custody arising from custodial contracts.
OUR TAKE: The IM staff continues to take a hard line with respect to its broad view of the custody rule regardless of the underlying policy arguments. The relief from the surprise audit may be cold comfort, as we expect few custodians will be willing to spend the resources and subject themselves to additional liability to accommodate SLOAs (without additional fees).
from Cipperman Compliance Services
The SEC censured and fined an investment consultant and its principal $700,000 for lying about gifts received from recommended investment managers and performance information. The respondent’s marketing material claimed that neither the firm nor its principals took “so much as a nickel” from any investment manager. However, the firm’s Code of Ethics permitted gifts over $100 with pre-approval and under $100 without. The SEC asserts that personnel in the firm received tickets to the Masters Golf Tournament and other smaller gifts over a 4-year period, even where such gifts violated the Code of Ethics but the firm never imposed discipline. The SEC also accuses the firm of marketing hypothetical and back-tested performance without sufficient disclosure or backup.
OUR TAKE: Code of Ethics violations are an oft-cited SEC deficiency and should be remedied upon discovery (see Common OCIE Deficiencies). However, this firm compounded the problem by boasting about its Code of Ethics compliance in marketing materials. We do not recommend claiming 100% compliance with any rule as part of a marketing campaign.