On March 9, 2020, FINRA released Regulatory Notice 20-08 (the “Regulatory Notice”) providing guidance and limited relief to its member broker-dealers during the COVID-19 pandemic. In particular, the Regulatory Notice requests that broker-dealers evaluate their compliance with FINRA Rule 4370, which requires broker-dealers to create, maintain, and update upon any material change, BCPs (Business Continuity Plans) identifying procedures relating to emergency or significant business disruption.
Continue Reading FINRA Issues Notice Regarding Business Continuity Planning During COVID-19 Outbreak

On January 27, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released observations on cybersecurity and resiliency (the “Observations”). In them, OCIE presented several key cybersecurity issues that industry participants should seek to address, such as the construction and implementation of a comprehensive cybersecurity program, the prevention of unauthorized access to systems, the theft of information, responding to cyber incidents, and vendor management. In doing so, OCIE highlighted elements of successful cybersecurity efforts.

Continue Reading OCIE Releases New Observations on Cybersecurity and Resiliency

The Wall Street Journal reported on November 21, 2019, that the Federal Reserve is considering whether to begin examining data storage technology service providers (“TSPs”) of the banks that it regulates.  While financial regulators have long scrutinized TSPs generally, this report indicates a new interest by a federal regulator in direct oversight of TSPs, particularly those that provide data storage on media such as the cloud.
Continue Reading The Federal Reserve Is Considering Oversight of Data Storage TSPs

In the first post on this topic, we provided a simple answer to a question posed by the Director of the SEC’s Division of Investment Management (the “Division”):

“To the extent a fund plans to hold cryptocurrency directly, how would it satisfy the custody requirements of the 1940 Act and relevant rules?”

Our simple answer was to treat cryptocurrencies as “financial assets” under Article 8 of the Uniform Commercial Code. In the second post, we explained how this simple answer may be hard to implement when it comes to trading cryptocurrencies, because their markets require trades to settle in the next block. Thus, rather than a custodian implementing a portfolio manager’s instruction to settle a trade, a portfolio manager trading a cryptocurrency will normally need to have immediate control over the transfer of the cryptocurrency, which is inconsistent with the custody requirements of the Investment Company Act of 1940 (the “1940 Act”).

In this post, we consider three potential solutions to the dilemma faced by an investment company that must hold cryptocurrency in compliance with the custody requirements of the 1940 Act while allowing its adviser to trade the cryptocurrency.


Continue Reading Why Blockchain Custody Is So Difficult—Paths Forward?

In our previous post, we provided a simple answer to the following question posed by Director Dalia Blass of the SEC’s Division of Investment Management:

“To the extent a fund plans to hold cryptocurrency directly, how would it satisfy the custody requirements of the 1940 Act and relevant rules?”

Our simple answer was to treat cryptocurrencies as “financial assets” under Article 8 of the Uniform Commercial Code. But, as Director Blass knows, this is not the end of the questions relating to custody. Her letter included additional questions, such as:

“If the fund may take delivery of cryptocurrencies in settlement, what plans would it have in place to provide for the custody of the cryptocurrency?”

This question relates to a core operation of investment companies: trading.


Continue Reading Why Blockchain Custody Is So Difficult—A Hard Part

This post continues our discussion of the 2018 examination priorities and guiding principles published by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) on February 7.
Continue Reading Ask and Ye Shall Receive: OCIE’s 2018 Examination Priorities – Part 2 of 2

Industry professionals have noted that the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) was tardy in releasing its priorities list, although recent speeches from SEC officials have provided a preview of the issues in OCIE’s crosshairs. The full priority list was released on February 7.

The SEC’s examination priorities identify practices, products and services that reflect potentially heightened risks to investors and capital markets. As in prior years, the SEC’s priorities are thematic, covering:  retail investors, including seniors and retirement savers; compliance and critical market infrastructure; FINRA and MSRB activities; cybersecurity; and anti-money laundering. The first of these priority areas is summarized below.
Continue Reading Ask and Ye Shall Receive: OCIE’s 2018 Examination Priorities – Part 1 of 2

This post continues our discussion of the Risk Alert released on August 7, 2017, by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) regarding conclusions drawn from its yearlong review of the cybersecurity practices of 75 asset management firms and funds.  The sweep, deemed OCIE’s Cybersecurity 2 Initiative, covered broker-dealer, investment adviser, and investment company practices during the period from October 2014 through September 2015. 
Continue Reading SEC Offers More Guidance on Cybersecurity Best Practices and Pitfalls – Part 2 of 2

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert summarizing its conclusions from a year-long review of the cybersecurity practices of 75 firms — including broker-dealers, investment advisers and investment companies. The sweep, OCIE’s Cybersecurity 2 Initiative, ran from September 2015 to June 2016 and covered the review period from October 2014 through September 2015. It follows OCIE’s 2014 Cybersecurity 1 Initiative, during which the staff examined a different group of firms from January 2013 to June 2014. The Risk Alert that followed the first sweep was released in early 2015.

The focus of OCIE’s second sweep was asset management firms’ written cybersecurity policies and procedures and, critically, their implementation. While the Risk Alert acknowledges that cybersecurity preparedness has improved across the industry since the first sweep exam, it emphasizes that significant deficiencies persist.  The Risk Alert identifies common elements of policies and procedures that the staff regards as robust controls.  The Risk Alert also stresses that, going forward, OCIE will increase its review of firms’ implementation of appropriately-tailored policies; merely having well‑drafted  policies “on the books” but not applied will not suffice.
Continue Reading SEC Offers More Guidance on Cybersecurity Best Practices and Pitfalls – Part 1 of 2