Two items of interest this week for investment advisors and their clients in how they deal with internal controls relating to confidential data and email:
On May 23, 2013, the Securities and Exchange Commission ("SEC") charged charged proxy adviser Institutional Shareholder Services ("ISS") for failing to safeguard the confidential proxy voting information of clients participating in a number of significant proxy contests. According to the SEC press release:
An SEC investigation found that an employee at ISS provided a proxy solicitor with material, nonpublic information revealing how more than 100 ISS institutional shareholder advisory clients were voting their proxy ballots. In exchange for voting information, the proxy solicitor provided the ISS employee with meals, expensive tickets to concerts and sporting events, and an airline ticket. The breach was made possible in part because ISS lacked sufficient controls over employee access to confidential client vote information, as this employee gathered the data by logging into the ISS voting website from home or work and using his personal e-mail account to communicate details to the proxy solicitor.
The SEC's order finds that ISS willfully violated Section 204A of the Investment Advisers Act of 1940. The order censures the firm and requires ISS to pay a $300,000 penalty and engage an independent compliance consultant to review its supervisory and compliance policies and procedures. The consultant will evaluate whether ISS's procedures are reasonably designed to ensure that its proxy voting services business complies with the Advisers Act in its treatment of confidential information, communications with proxy solicitors, and gifts and entertainment.
Section 204A of the Investment Advisors Act of 1940 requires every investment advisor to establish and enforce policies and procedures to prevent the misuse of of material, nonpublic information.
The SEC Order is available here.
Also, on May 21, 2013, the Financial Industry Regulatory Authority ("FINRA") fined broker LPL Financial LLC ("LPL") $7.5 million for 35 separate, significant email system failures, which prevented LPL from accessing hundreds of millions of emails and reviewing tens of millions of other emails. Additionally, LPL made material misstatements to FINRA during its investigation of the firm's email failures. LPL was also ordered to establish a $1.5 million fund to compensate brokerage customer claimants potentially affected by its failure to produce email.
FINRA's website was down this morning, but the Securities Law Prof Blog has a nice entry here.