The following is a guest post from Scott Andersen, principal at finLawyer.com, and George Georgiades, a securities and JOBS Act attorney and founder of Georgiades & Associates (www.AltFinEsq.com).
Crowdfunding portals will soon be getting a visit by their local FINRA examiner. FINRA conducts regulatory examinations of each crowdfunding portal within the first 12 months of membership and no less than once every four years thereafter. This is the first year that FINRA’s periodic examination of its member firms will include both broker-dealers and registered crowdfunding portals.
For many portals with compliance professionals new to the securities industry, this will be your first time interacting with a regulator that has the power to fine, censure or expel your firm – no pressure, right? Chief compliance officers (CCOs) will be expected to spearhead the process of responding to requests for documents and information, meeting with examiners to discuss compliance infrastructure and explaining how your compliance program meets the various regulatory requirements.
FINRA examinations are risk based, meaning FINRA assesses the member’s business and the risks associated with those activities. Crowdfunding portals are viewed by regulators as “gate-keepers,” the first line of defense against fraud. We expect that FINRA’s examination will include a review of how portals are fulfilling their regulatory obligations, including identifying and protecting investors from issuers that present the potential for fraud or otherwise raise investor protection concerns.
Crowdfunding portals are required to establish and maintain a system to supervise the activities of each associated person and transactions on the portal to ensure compliance with Regulation Crowdfunding, FINRA rules and other applicable provisions of the federal securities laws. We can also expect that FINRA will review a crowdfunding portal’s communications with the public to ensure that they meet principles of fair-dealing and contain content that is fair and balanced.
FINRA will review how portals are maintaining certain business records ranging from communications with the public to records relating to issuers that offer securities through the portal. These records must be maintained generally for a period of five years and preserved in the original, non-alterable format which prevents their alteration or destruction. Crowdfunding portals are expected to identify and mitigate risks which if left undetected may lead to supervisory breakdowns and investor harm.
The following are some tips for CCO’s to consider as you prepare for your first examination:
Get organized. First, it is important to ensure your books and records are organized and readily accessible so that you can promptly respond to FINRA’s requests for documents and information with comprehensive and well-organized responses. You should be able to promptly provide data regarding offerings, communication with the public, transaction histories as well as records regarding your employees.
When FINRA alerts you to the date of the exam, it will provide details regarding exam logistics, some risk areas that will be reviewed, and when it will issue its first document request. Make sure you are ready to go when FINRA makes a request or arrives at your office. Delays in responding to document requests or incomplete productions are never a good way to inspire confidence in your business. Determine which employees at the portal will be responsible for the exam and who may be interviewed. Submit documents to FINRA in an organized fashion identifying the specific request for which each response pertains. Communicate with your examiner early and often as to what he or she needs and get them that information.
Coordinate with your legal/regulatory advisors. Now is a great time for CCOs to discuss the examination process and your responsibilities with your legal or regulatory advisors . Typically, during the examination, the CCO is the contact person meeting with and corresponding with FINRA with the goal of a smooth and collaborative process. While exams frequently involve interaction and document requests between FINRA examiners and member firms, over the past few years, we have seen an increase in FINRA’s use of OTRs (on-the-record interviews), which are similar to a deposition but is testimony taken under oath by FINRA, and Rule 8210 requests. These are very powerful tools in FINRA’s arsenal and should not be taken lightly.
FINRA, as a self-regulatory organization (SRO), does not have subpoena power. It does have the ability to issue Rule 8210 requests calling for the production of documents and information, or a person’s appearance at an OTR. The failure to comply with a Rule 8210 request can lead to immediate enforcement action by FINRA with the standard sanction for a violation being a bar from the securities industry. Any false or misleading testimony before FINRA also frequently results in a bar from the securities industry.
Another recent trend in FINRA exams is the involvement of an enforcement attorney during the onsite examination. This may mean that the examination staff (who traditionally are not lawyers) may need legal advice to help guide their examination. Alternatively, it may mean that FINRA has identified serious issues which increase the likelihood of an enforcement referral at the conclusion of the exam. In many cases, the enforcement attorney will also appear at the OTR to examine witnesses under oath. It is important to be thoroughly prepared for challenging examinations that can become enforcement investigations overnight.
Compliance audit and risk assessment. The best way to prepare for any examination is to practice. Regular testing of your compliance program is critical to enabling portals to identify and mitigate risks or inadequate controls which if left undetected may lead to supervisory breakdowns. CCOs should begin preparing by reviewing the portal’s written supervisory and compliance procedures to confirm that each compliance task is being completed in accordance with the schedule set forth (monthly, quarterly, or annually).
Secondly, if not already done, you should conduct an internal audit and consider working with your legal or compliance advisors to do an external audit. This may include reviewing the portal site and written supervisory procedures, making mock requests, and conducting mock interviews. This will allow you to meaningfully evaluate whether you are meeting your compliance obligations and fix any issues and implement improvements in advance of the FINRA examination. In any good compliance program, regulators expect to see enhancements to procedures to meet changes in the business, periodic reviews of written supervisory procedures, and action to redress any compliance issues found. A detailed record of your audit process and findings should be maintained and available to FINRA. Finding ways to improve your compliance program or identifying areas of noncompliance shows regulators that you are closely monitoring your Portal and its responsibilities.
Educate staff. CCOs should ensure employees of your crowdfunding portal understand the FINRA examination, although routine in nature, should be taken seriously. It is important portal staff understand the importance of fully cooperating and timely responding to requests. You want to ensure your staff approach the examination and examiners with professionalism. Executives and employees should be aware the CCO is the point of contact and documents submissions should be reviewed internally first to ensure they are accurate, comprehensive and fully responsive to requests. As CCO, it is important that you meet with executives to ensure that they understand the process and firm obligations.
Cybersecurity.With news of data breaches and hacking becoming routine, expect FINRA will be discussing with you how your crowdfunding portal currently addresses cybersecurity risks. This may include an understanding of how you identify and assess cybersecurity, protect assets from cyber intrusions, detect when your systems and assets have been compromised and plan for the response when a data breach occurs. Technology aside, regulators will look at potential weaknesses at your office, including whether USB drives on computers have been disabled to prevent data from being take off the system, password length and reset policies for staff computers, physical security of files in your office and vendor due diligence. For laptops, smart phones and other mobile devices that have virtual access, consideration of whether you have systems in place to lock or delete data in the case of such devices being lost or stolen will also be considered. Regulators are looking to intermediaries to take this threat seriously. Although crowdfunding portals do not hold securities or customer funds, they do hold important customer information so we expect a meaningful evaluation of how portals are responding to the very real threat of a data breach.
At the end of the day, FINRA is looking to ensure crowdfunding portals have developed a culture of compliance and a compliance program that meets requirements and addresses the portal’s compliance risks. The key objective is the portal meets the requirements of Regulation Crowdfunding and FINRA rules while they help small businesses raise capital to grow.
The information and materials in this article are provided for general informational purposes only and are not intended to be legal advice. The issues discussed include complicated areas of law and readers should consult their legal counsel.
Scott Andersen is principal at finLawyer.com. He has also been deputy regional chief counsel at FINRA, enforcement director at FINRA and the NYSE, co-chief of the Securities Prosecutions Unit of the NewYork Attorney General’s office, and assistant attorney general for the State of New York. In these roles, he has investigated, prosecuted and supervised criminal, civil and regulatory enforcement actions for more than 19 years. He concentrates his practice on SEC, FINRA and state regulatory defense and securities regulatory counseling, as well as working with crowdfunding portals, funding platforms, broker-dealers and fintech providers on regulatory compliance matters. He can be reached at [email protected].
George S. Georgiadesis an experienced securities lawyer and founder of Georgiades & Associates (www.AltFinEsq.com), a boutique securities law firm based in New York City focusing its practice on alternative finance transactions such as crowdfunding, Regulation A+, and other technology-driven financings. His prior experiences range from serving as in-house counsel to a leading middle-market broker-dealer, regulatory counsel to a multibillion-dollar real estate investment fund and capital markets associate at a leading New York City corporate finance law firm. He routinely advises startups, investment advisors, funding platforms and broker-dealers in the United States and abroad on regulatory compliance and capital formation transactions. He can be reached at [email protected].