Wednesday, May 26, 2010

Pre-Investment Cooling-off Period

Last week the HKMA finally announced that a pre-investment cooling-off period (PICOP) will apply to sales of non-listed derivative products to retail investors from 1 January 2011.

Under the PICOP arrangements, after a bank has ensured that a non-listed derivative product is suitable for an eligible customer and adequately disclosed material product information to the customer, it should allow the customer at least 2 calendar days (of which the last day should be a business day) to understand the product, consider the appropriateness of the investment and consult with family members and friends. The price and terms of the transaction will be fixed on the day when the customer gives instruction to the bank to confirm placement of an order (i.e. upon the end of the PICOP). The bank must arrange for the customer to give specific confirmation of order placement on the execution day, supported by a proper audit trail. Under no circumstances should the bank allow the customer to confirm the order before the execution day. Taking T as the sales day, the execution day should be a business day on T+2 at the earliest.

It appears that if the customer keeps silent (i.e. no confirmation of the order) upon the end of the PICOP, the order would not be placed.

In determining whether PICOP should be applied to a particular dealing with a retail customer, the bank should consider the customer's age, asset concentration and whether he/she is a first-time buyer of the same type of product as follows:
  • For an elderly customer (aged 65 or above), PICOP should be mandatory except that the customer will be allowed to opt out from the PICOP arrangement if (i) the customer's asset concentration is below 20% and (ii) he/she is not a first-time buyer of the type of product in question.
  • For a non-elderly customer, PICOP is not necessary except if (i) the customer's asset concentration is 20% or above and (ii) he/she is a first-time buyer of the type of product in question.
Asset concentration is the percentage of the customer's total net worth (excluding real estate properties) to be invested in the relevant transaction. The bank may rely on the customer's self-declaration to ascertain asset concentration.

Even if one particular transaction does not exceed 20%, what if non-listed derivative products (including his/her previous transactions) already make up more than 20% of the customer's total portfolio?

In determining whether a customer is a "first-time buyer" of a particular type of product, a bank may take into account his/her actual investment(s) executed through the bank or another intermediary. If the customer has such investment experience with another intermediary, the bank should gather from the customer the relevant documentary proof (e.g. contract notes or monthly statements) and retain a copy for record purpose. Moreover, the bank should obtain the customer's signed declaration that he/she has such investment experience.

Wednesday, May 19, 2010

Systemic Short Sale Violations

Recently US FINRA fined New York's Deutsche Bank Securities $575,000 and Boston's National Financial Services (NFS) $350,000 for executing numerous short sale orders in violation of Regulation SHO and for related supervisory violations.

Regulation SHO requires that a broker or dealer may not accept or effect a short sale order in an equity security without reasonable grounds to believe that the security can be borrowed, so that it can be delivered on the date delivery is due. Identifying a source from which to borrow such security is generally referred to as obtaining a "locate." Locates must be obtained and documented prior to effecting a short sale.

Both Deutsche Bank and NFS implemented Direct Market Access trading systems for their customers that were designed to block the execution of short sale orders unless a "locate" had been obtained and documented. But FINRA found that Deutsche Bank disabled its system in certain instances and NFS created a separate system for certain customers – so that in both instances, the systems no longer blocked some short sale orders that did not have valid, associated locates.

FINRA's review of a sample of short sale orders at both firms revealed that some short sale orders entered through the Direct Market Access trading systems were released for execution without any evidence that a locate had actually been obtained.

In Deutsche Bank's case, the firm's systems sometimes experienced outages that prevented the importing of locate data and, as a result, short sale orders placed for execution were automatically rejected, even when a client had already obtained a valid and properly documented locate. FINRA found that during these system outages, Deutsche Bank disabled the system's automatic block, permitting client short sale orders to automatically proceed for execution without first confirming the presence of an associated locate.

In addition to its automated process, NFS created a separate manual locate request and approval process for approximately 12 of the firm's prime brokerage clients, which preferred to obtain locates in multiple securities prior to commencement of the trading day. Requests for, and approvals of, the multiple simultaneous locates were transmitted via email exchanges with account representatives on the firm's Prime Services Desk, and were not required to be entered into the firm's stock loan system at the time of approval. Further, prime clients were allowed to enter and execute their orders through automated platforms that did not have the functionality to automatically block execution of a short sale order that did not have a valid and documented locate.

Neither Deutsche Bank nor NFS performed a meaningful post-trade date review of short sale orders to identify short sale orders executed without a valid, associated locate having been obtained or documented.

Further, both firms implemented inadequate supervisory systems in connection with their Regulation SHO compliance. Deutsche Bank was aware that its system to block short sale orders in the absence of locates was periodically disabled over a period of more than four years (from January 2005 through September 2009), but failed to devise or implement a replacement procedure. Similarly, NFS created a flawed system for certain customers that failed to ensure that certain short sale orders had valid and timely locates associated with them. NFS's flawed system operated for nearly four years (from January 2005 through August 2008).

Wednesday, May 12, 2010

Churning and Other Trading Malpractices

Last week US FINRA ordered Westpark Capital, Inc. to pay a total of $400,000 for supervisory system failures, and suspended two officers for failing to supervise brokers in two now-closed Long Island branches who churned customer accounts and engaged in unauthorized and unsuitable trading in multiple accounts. The monetary sanction includes a $100,000 fine and $300,000 in restitution to affected customers.


FINRA suspended Westpark's former Chief Compliance Officer, William A. Morgan, for four months in any principal capacity and ordered him to pay a $5,000 fine. Chief Operations Officer Jason S. Stern has been suspended for three months in any principal capacity and fined $20,000.

In related actions, FINRA has barred and/or fined two brokers and a branch manager who were previously employed in Westpark's Long Island branch offices, and has filed a complaint against another former broker involved in the misconduct, charging him with churning accounts and other violations. Two additional former brokers involved have already been barred, by FINRA or SEC, for misconduct at other firms prior to or after their employment with Westpark.

Several of the brokers involved came to Westpark from broker-dealers that had lengthy disciplinary records and that FINRA has expelled from the securities industry, such as Stratton Oakmont, Inc., LH Ross & Co., Salomon Grey Financial Corp. and Continental Broker-Dealer Corp. When Westpark hired them, several of the brokers themselves had histories that included multiple customer complaints and/or disciplinary actions.



In its action against Westpark, Morgan and Stern, FINRA found that between February 2006 and July 2007, the firm failed to establish and maintain an adequate system for supervising its brokers. Among the supervisory system's deficiencies:
  • Westpark failed to restrict the activities of certain Long Island brokers and failed to monitor their customer account activities, even though they had disciplinary histories and customer complaints that included unauthorized, unsuitable and excessive trading;
  • The firm performed inadequate monitoring of excessive trading, failed to have standards for what constituted excessive trading and failed to prescribe any steps that would be taken if excessive trading were suspected; and
  • The firm's system assigned front line supervisory responsibility to branch office managers, even though the Long Island managers were inexperienced or had previously been disciplined for failure to supervise.
Despite the fact that Westpark had placed all of the brokers in question on "heightened supervision," Morgan and Stern failed to supervise several brokers who committed serious sales practice violations – including unauthorized, unsuitable and excessive trading involving at least 19 customer accounts.


Morgan and Stern failed to adequately scrutinize the conduct of the Long Island brokers and to address red flags, including disciplinary and employment histories, customer complaints and questionable account activity, such as evidence of excessive trading, a high level of margin and frequent concentration of customer accounts in a single security.

In related actions, FINRA has taken the following actions against a former branch manager and former brokers at Westpark's former Long Island branches:
  • Robert A. Bellia, Jr., a former branch manager, was barred permanently from association with any securities firm in a principal capacity and ordered to pay a $10,000 fine. Bellia failed to supervise three Westpark brokers who churned and executed unsuitable and unauthorized trades in at least 12 customer accounts.
  • Dale R. Menendez, Jr., a former broker, was barred permanently from the industry by a FINRA Hearing Officer and ordered to pay over $110,000 in restitution to his customers. Menendez engaged in excessive and unauthorized trading, mischaracterized customer transactions to his firm and failed to appear for testimony during the FINRA investigation of his conduct.
  • Michael Quattalaro, a former broker, was barred permanently from the securities industry. Quattalaro churned and engaged in excessively unsuitable trading in two customer accounts and exercised discretion in those accounts without prior written customer authority.
  • Chanse K. Menendez, Sr., a former broker, has been charged in a FINRA complaint with excessive trading and churning activity in two customer accounts. Menendez mischaracterized "solicited" trades as "unsolicited" trades in an apparent attempt to conceal his misconduct in those accounts, as well as in a third account. In addition, the complaint alleges that Menendez failed to appear for testimony and provide documents during the FINRA investigation of his conduct. The case is pending.

Wednesday, May 05, 2010

Failure to Protect Clients from Hackers

Recently US FINRA fined D.A. Davidson & Co. $375,000 for its failure to protect confidential customer information by allowing an international crime group to improperly access and hack the confidential information of approximately 192,000 customers.


Prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm's procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place.

On 25 and 26 December 2007, D.A. Davidson's database was compromised when an unidentified third party downloaded confidential customer information through a sophisticated network intrusion. To breach D.A. Davidson's system, the hacker employed a mechanism called "SQL injection," an attack in which computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database. The hacker was able to access and download the affected customers' confidential information. While these attacks were visible on Web server logs, the firm failed to review those logs.
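The log review that was missing here can be partly automated. The following is an added example, not code from FINRA or the firm: it scans access-log lines for common SQL injection indicators in the query string and reports clients that trip them repeatedly. The combined log format, the indicator rules, the paths and the IP addresses are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-log-format entry: client address, request target, response status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Heuristic indicators (assumed rule set); tune against the application's normal traffic.
INDICATORS = {
    "union-select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "comment-or-stacked": re.compile(r"--\s*$|/\*|;\s*(drop|exec|declare)\b", re.I),
}

def decode(query, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is still matched."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(lines):
    """Return (findings, hits per client IP); a finding is (line_no, ip, status, rules)."""
    findings, per_ip = [], Counter()
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        query = decode(m["target"].partition("?")[2])
        rules = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if rules:
            findings.append((line_no, m["ip"], int(m["status"]), rules))
            per_ip[m["ip"]] += 1
    return findings, per_ip

def repeat_sources(per_ip, threshold=2):
    """Clients that tripped an indicator at least `threshold` times."""
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)

# Constructed sample lines (documentation IP ranges, hypothetical paths and dates).
SAMPLE = [
    '198.51.100.7 - - [01/Mar/2010:09:12:01 -0700] "GET /account/view?id=1042 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.50 - - [01/Mar/2010:23:40:11 -0700] "GET /account/view?id=1042%27+OR+%271%27%3D%271 HTTP/1.1" 500 312 "-" "-"',
    '203.0.113.50 - - [01/Mar/2010:23:40:19 -0700] "GET /account/view?id=1+UNION+SELECT+name,2+FROM+sysobjects-- HTTP/1.1" 200 20480 "-" "-"',
    '203.0.113.50 - - [02/Mar/2010:00:02:47 -0700] "GET /account/view?id=1%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 500 312 "-" "-"',
    '198.51.100.7 - - [02/Mar/2010:10:15:30 -0700] "GET /search?q=select+a+union+representative HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]
```

Calling `scan(SAMPLE)` flags lines 2 to 4, including the double-encoded request, and leaves the benign search on line 5 alone; `repeat_sources` then singles out the one client behind all three hits.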

Between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007.

The breach was discovered through an email that was sent by the hacker on 16 January 2008, blackmailing the firm. Upon receiving the threat, D.A. Davidson reported the incident to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana.

In assessing the fine in this matter, FINRA took into consideration the firm's quick response to protect its customers, its cooperation with law enforcement authorities and the fact that, to date, no customer has suffered any instance of identity theft.

IT security risk is quite high today. Recently the SFC also issued a circular on IT management to all licensed corporations, suggesting some control techniques and procedures in respect of the following key areas:
  • Information security policy;
  • Access control;
  • Encryption;
  • Change management;
  • User activities monitoring; and
  • Data backup and continuity planning