Preparing for Backup
I own a registered investment advisor. I was talking to a friend who also owns an RIA about being backups for each other in case one of us is hit by the proverbial bus. As solo practitioners, we would like to reassure our clients that someone would be there if we were unavailable. What are the legal implications of this? Is the relationship something we must discuss in the ADVs (form required by the Securities and Exchange Commission—about a firm's officers and other matters)? Do we have to file anything with the regulators?
— N.L., via e-mail
If all you are doing is making an informal agreement with each other to step in, in case of a "disaster," then there's no need to involve the regulators or include anything in your ADV. You should, however, spell out the "plan" in your Policies and Procedures Manual as either a "Disaster Recovery Plan" or "Business Continuity Plan" (or both). I believe all the states now require that you have both a Disaster Recovery and Business Continuity Plan in place.
The difference between the two is that a Disaster Recovery Plan is envisioned as being temporary (if, for instance, a hurricane wipes out your office, how will clients get access to their money or make trades? And how is their information protected from loss?), while a Business Continuity Plan is the "hit by a bus" scenario (who services the client accounts if you die?). Having these plans in your Policies and Procedures Manual is a must and just good business practice. But there are, of course, legal ramifications in the event you (or your chosen backup) fails to comply with the plan. Much like selecting the guardian for your children, you want to select a backup who is willing and able to step in for you.
It's all very well if you have a trustworthy friend, but if he only services a handful of accounts while your firm handles hundreds, or if he only deals with individuals while you're managing pension plans for large corporations, then he may not be able to handle your business if you're "out of service."
My firm is currently an SEC-registered investment advisor. I have a question concerning the upcoming requirement that mid-size advisers register with the states rather than the SEC. We would like to remain with the SEC, but we don't think we'll meet the $100 million level in assets by the deadline. As a way of qualifying for an exemption, we thought that we could notice-file in the 16 states where we have clients, thereby qualifying for the exemption. In most of the states we have at least one client, but less than six. Would the exemption be available?
— H.K., Florida
Rule 203A-2(e) of the Investment Advisers Act of 1940 provides the so-called multi-state exemption that allows registered investment advisors to register with the SEC rather than the states; notwithstanding the inability to meet the assets under management threshold. Currently, the multi-state exemption is only available if you are "required" to be registered in 30 states.
But that number will decrease to 15 states beginning on January 1, 2012. To qualify for the exemption, you must be "required" to be registered in those states.
All states, except Texas and Louisiana, have a five-client de minimus exemption. In other words, you can have up to five clients in the state before you're required to register. In Texas and Louisiana, however, you need to register even if you have only one client.
So, for example, if you only have two clients in Georgia (and you're not actively advertising or "holding yourself out" as an RIA in that state), then you most likely would not be "required" to be registered there and would not be able to use that as one of the 15 states for the multi-state calculation.
But, if you have one client in Texas and six in Georgia, then you can claim that you would be "required" to be registered in those two states. Since you're also required to register in your home state, you would have a total of three states toward the 15 you need to qualify for the exemption.
Back when I was in college I was charged with a misdemeanor. I paid the fine, served probation and had the matter expunged. However, FINRA tells me I still have to disclose the matter on my CRD. Can you explain why?
— B.R., California
Generally, when a matter is "expunged" from your record it means that the matter is "deleted", as if it never happened.
Some states (like California) don't provide for true "expungement" of your record. The California statute, for example (Penal Code §1203.4), provides in relevant part that when "a defendant has fulfilled the conditions of probation...the defendant shall...be permitted by the court to withdraw his or her plea of guilty or plea of nolo contendere and enter a plea of not guilty; or, if he or she has been convicted after a plea of not guilty, the court shall set aside the verdict of guilty; and, in either case, the court shall thereupon dismiss the accusations or information against the defendant and except as noted below, he or she shall thereafter be released from all penalties and disabilities resulting from the offense of which he or she has been convicted..." (emphasis added).
But, the statute goes on to say: "the order does not relieve him or her of the obligation to disclose the conviction in response to any direct question contained in any questionnaire or application for public office, for licensure by any state or local agency, or for contracting with the California State Lottery."
Although the U4 form doesn't fit into one of those exceptions, the problem is that, as of 1997, FINRA modified its policy with regard to expungements (at least as they relate to statutory disqualifications) and determined that if an expungement statute does not completely set aside all consequences of the conviction, the person remains subject to statutory disqualification.
While your matter may not rise to the level of a statutory disqualification, it's unlikely that FINRA would view the California "record clearance" as a true expungement. Note that while you may still have to disclose the item, you could indicate that the status was "dismissed."
I read an article about the state of Massachusetts going after a bank for violating the Massachusetts privacy law. I have a few clients in Massachusetts but I'm not based there. How is Massachusetts privacy law different and do I have to comply with it?
— K.M, New York
In August, Belmont Savings Bank entered into an Assurance of Discontinuance and settled allegations by the Massachusetts Attorney General's Office that the bank had violated the state's data security regulations. This is the first settlement related to a violation of the new data security regulations since they went into effect on March 1, 2010.
The bank agreed to pay a civil penalty of $7,500 and to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General's Office, was likely incinerated by the bank's waste disposal company.
The regulations apply to persons and businesses that "own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts" and, among other things, prescribe requirements regarding the storage and transmittal of such "personal information."
So, to answer your question, if you have clients in Massachusetts, you are required to comply with the regulation. As for how it differs from other privacy laws, space limitations prohibit a detailed explanation other than to say it is more stringent that most other privacy laws. Massachusetts has put out a Compliance checklist which can be found online at: http://www.mass.gov/Eoca/docs/idtheft/compliance_checklist.pdf.
Alan J.Foxman is an attorney in private practice in Boca Raton
and also an independent contractor for National Compliance Services, Inc.
in Delray Beach, Fla. He can be reached at this email address.