Play to Win Code: MYMSURVIVOR 703 - Compliance Land Mines in the Financial Industry

Presented jointly by Berkeley Research Group and the ACC Financial Services Committee

David Abshier, Managing Director, Berkeley Research Group
Emre Carr, Director, Berkeley Research Group
Miriam Lefkowitz, Chief Legal Officer, Summit Financial Resources, Inc. / Summit Equities, Inc.

2016 ACC Mid-Year Meeting
Session 703 – Compliance Landmines in the Financial Industry
April 12, 2016, 2:40 p.m. – 3:55 p.m.

Moderator: Emre Carr, Director, Berkeley Research Group (BRG)
Panelists:
• David E. Abshier, Managing Director, Berkeley Research Group (BRG)
• Jonathan Halpern, Partner, Foley & Lardner, LLP
• Miriam Lefkowitz, Chief Legal Officer, Summit Financial Resources, Inc. / Summit Equities, Inc.

Agenda
1. Bank Supervision vs GAAP/SEC
2. BSA/AML – Critical Developments
3. FCPA
4. Onboarding/Employment
5. Ban the Box
6. HIPAA
7. Unfair, Deceptive or Abusive Acts or Practices
8. Challenges for Dually Registered BDs/IAs
9. Privacy/Security/Books and Records/Cybersecurity
10. JOBS Act
11. Issues Relating to Seniors
12. Overseas Issues in General
13. DOJ Enforcement Priorities

Bank Supervision vs GAAP/SEC
• Reserves/Allowance for Loan and Lease Losses
• Off-Balance Sheet exposures
• Supervision Expansion – CFPB – Bleeding Down of “Best Practices” (Institutions below key thresholds)
• Enforcement Actions – Public/Private Entities

BSA/AML – Critical Developments
– NYDFS – Capable Systems/Data Validations
– Know Your Customer/Source of Funds
– Geographic Targeting Orders (FinCEN GTOs)
– Officer/Bank Liability

BSA/AML – Critical Developments (Continued)
– Correspondent Relationships – De-risk
– Communicate, Communicate – BSA/Operations/Credit/Board
– Independent Testing – review of top 20-50 Credit/Deposit Customers/Vendors

Aggressive Expansion of Foreign Corrupt Practices Act (FCPA) Enforcement
• FCPA
• Criminal and Civil Liability
• DOJ and SEC (issuer) jurisdiction – Expansive extension of U.S. territorial jurisdiction
• Provisions:
  – Anti-bribery
  – Books and records
  – Accounting controls
• Liability for Third-Party Conduct
• Narrow exceptions
• Stringent criminal, civil, and administrative penalties

DOJ FCPA Enforcement: Focus on Individual Prosecution for Perceived Corporate Misconduct
FCPA Pilot Program (April 5, 2016)
Super “Mitigation Credit” Offered – Companies encouraged “to disclose FCPA misconduct to permit the prosecution of individuals whose criminal wrongdoing might otherwise never be uncovered or disclosed to law enforcement”
• Voluntary self-disclosure
• Full cooperation, including
  – Disclose relevant facts, attribute misconduct to specific sources, subject to privilege
  – Cooperate proactively
  – Identify involved third-party companies and individuals
• Timely and Appropriate Remediation
• Limited and Full Credit Options

Onboarding/Employment
• The Form U4 is a required document for brokers, but seeks information (criminal histories, age) which raises HR issues.
• 1099 vs. W2 representatives for brokers and advisers creates HR concerns
• Non-solicit/non-competes may violate FINRA Rule 2140, which prohibits interference with BD account transfers
• Internal investigation requests for confidentiality (or separation agreements) may violate whistleblower rules
  • In the Matter of KBR, Inc., Administrative Proceeding File No. 3-16466 (April 1, 2015)
• Rethink how you deliver Upjohn warnings

Ban-the-Box Laws: Overview
– State, county, and city laws that generally restrict employers from inquiring about an applicant’s criminal history in the early stages of the hiring process
– Intended to remove obstacles for individuals with an arrest or conviction record
– April 2016: 21 states and more than 100 cities and counties have adopted ban-the-box policies [Business Information Group]
– Bans extended to cover private employers in several states (incl. IL, MA, NJ) and cities (incl. DC, NYC, Philadelphia, Seattle, SF)

Ban-the-Box Laws: Overview
– Variation in ban-the-box laws
– Employers generally may conduct background checks, but later in the hiring process
  • E.g., after invited to interview or conditional offer of employment
– Employers generally are not obligated to hire individuals with a criminal record
– Applicants may still be excluded if employers are so required by federal or state law, for particular jobs, e.g.:
  • Specified positions in a financial institution
  • Airport security
  • Working with children or elderly
– EEOC Guidance

Ban-the-Box Laws: FDIC Limitations
– FDIC Identification of Disqualifying Offenses
– FDIA Section 19 applicable to federally-insured banks
  – (1) Applies to convictions/pre-trial diversion program for prospective employees in specified offenses involving:
    • Dishonesty
    • Breach of trust
    • Money laundering
  – (2) Bars (without prior FDIC written consent) such persons from:
    • Becoming or continuing as an affiliate of the bank
    • Owning or controlling, directly or indirectly, a bank
    • Participating, directly or indirectly, in the affairs of the bank

Ban-the-Box Laws: FDIC Limitations
– FDIC Section 19 Applies to:
  • FDIC-insured institutions
  • FDIC Institution-affiliated parties
  • Participants in the affairs of the FDIC-insured institution
  • Employees of FDIC-insured institution
– FDIC Section 19 Does Not Apply to:
  • Employees of non-FDIC-insured institutions or to independent contractors, unless they are determined to be “de facto” employees of FDIC-insured institution
– De Minimis exceptions
  • Bank subject to state and local anti-discrimination laws

HIPAA and Financial Services – Privacy Rule
• National Standards
• Use and disclosure of PHI
• Balance of important uses and privacy protection
• Covered entities
– Business Associate Services
  • Types of services – E.g., Financial, legal, consulting, accounting, management services

HIPAA and Financial Services – Business Associate Services and Functions
• Types of services – E.g., Financial, legal, consulting, accounting, management services
• Types of functions – E.g., Claims processing, data analysis, utilization review, quality assurance, billing, practice management

HIPAA and Financial Services – Business Associate
• Providing services involving PHI to covered entity
• Performing functions involving PHI for covered entity
• HHS Examples (with access to PHI)
  – TPA assisting HCP
  – Accountant providing services to HCP
  – Lawyer providing services to HCP
  – Consultant performing certain reviews for hospital
  – Health care clearinghouse
  – Independent medical transcriber
  – PBM

HIPAA and Financial Services – Business Associate
• Is PHI accessible?
• HCP enlisted by another HCP?
  – E.g., help hospital teach or train medical students
• Software vendor?
  – Not for simply selling or providing software to covered entity as long as vendor does not have access to PHI
    » N.B.: except for hosting software with PHI
• Reinsurer?
  – Not for simply selling a reinsurance policy to a health plan or paying claims
  – Related to providing reinsurance benefits?

HIPAA and Financial Services – Financial Institutions: HIPAA Inapplicable
• Traditional consumer financial transactions
• Section 1179 payment processing activities excepted for banks and financial institutions
• Examples:
  – Debit, credit or other payment processing transactions
  – Check clearing
  – EFTs
  – Transfer of funds to pay for health care/plan premiums
• Takeaway re Section 1179 activities:
  – HIPAA rules and BA contract obligations inapplicable

HIPAA and Financial Services – Financial Institutions: HIPAA Applicable
• “Functions above and beyond the payment processing activities”
• Examples:
  – Accounts receivable services for health care provider
  – Lockbox services
    » Services for covered entity involving billing or financial records that reflect PHI
  – Clearinghouse services (covered entity)
    » Converting PHI to standard electronic format for processing claim for payment

HIPAA and Financial Services – Financial Institutions Subject to HIPAA Liability: Requirements of a “Business Associate”
• Documented comprehensive HIPAA privacy and security compliance system
  – Security risk assessment
  – HIPAA policies and procedures that cover use and disclosure of PHI
  – Adequate safeguards to deter, detect, and resolve security breaches
• Business associate agreement (BAA) with more rigorous safeguarding provisions
• Compliance with terms of BAA legally required

HIPAA and Financial Services – Business Associate Agreements for Financial Institutions
The Requirements:
• Mandatory and in writing
• Contract with covered entities, subs with access to PHI
• Required and permitted uses of PHI identified
• Barred use or disclosure of PHI outside contract, except as required by law
• Appropriate safeguards required to prevent unauthorized use or disclosure of PHI
• Reasonable steps required by covered entity to cure breach or end violation where material

HIPAA and Financial Services – Business Associate Agreements for Financial Institutions
The Requirements (cont):
• Termination of contract where steps to cure or end violation are not successful
• Required reporting to HHS OCR where termination is not feasible
Other Issues:
• Apportionment of risk
• Indemnification
• Liability limits
• Notice provisions

HIPAA and Financial Services – Exposure for Financial Institutions Subject to HIPAA Liability:
• Increased monetary penalties
• Referrals to DOJ for criminal investigation
• Expanded jurisdiction extending to state attorneys general
• Increasing number of HHS audits
• No private right of action under statute
• Increasing number of state courts have allowed negligence actions based on allegations of HIPAA violation

Unfair, Deceptive, or Abusive Acts or Practices
• Customer Complaint Resolution
• Compliance Committee
  – Board and Management
  – Organization Chart/Accountability Matrix
  – Agreements with Vendors/3rd Parties with Consumer Interaction
  – Compensation/Incentive Programs
  – “Lookback”/Remediation/Resolution

Unfair, Deceptive, or Abusive Acts or Practices (Cont.)
• Internal Control Monitoring
  – Internal and External Testing
  – Policies and Procedures
  – Training Materials
• Products and Services
  – Marketing and Advertisements
  – Collection Scripts and Call Records (Including 3rd Party)

Challenges for Dually Registered BDs/IAs
Generally
– BD rules and requirements are very detailed, often picayune
– IA rules are very broad and principles-based
– In the Matter of Barclays Capital Inc., Administrative Proceeding File No. 3-16154 (September 23, 2014)

Challenges for Dual Registrants – cont’d
• Custody
  – 15c3-3 and 206(4)-2 have different requirements
  – Can be a non-custodial IA but violate BD net capital rules
• Licenses/registrations for offices and associated persons
  – Most associated persons of brokers must have at least one license to conduct certain business activities even if those activities can be conducted by advisers without such registration.
  – Locations at which many BD activities are conducted must be registered
• Advertisements/Communications
  – FINRA Rule 2210 is very different than 206(4)-1
  – Acceptable IA communications may need to be filed with FINRA by a BD

Challenges for Dual Registrants – cont’d
• Outside businesses
  – FINRA Rule 3270 and Form U4 vs. ADV 2B
  – Complying with one will not satisfy the other
• Private investments
  – NASD Rule 3050/NYSE 407 and 204A-1
• Compensation
  – Fees and commissions on same assets
  – SEC and FINRA have differing views

Challenges for Dual Registrants – cont’d
• Supervision
  – FINRA Rule 3110
• Conflicts of Interest
  – Where to start?!?
• Annual reviews
  – FINRA 3110(c) and 206(4)-7 are very different
• Recordkeeping
  – 17a-3 and 17a-4 are very different than 204-2

Privacy/Security/Books and Records
• Caveat about sending password-protected documents in order to protect privacy – may run afoul of books and records

Cybersecurity – Data Protection & Management
• Practical Pointers – Prevention/Maintenance/Oh Damn!
  – Cybersecurity
  – Data Governance
  – Internal Control Monitoring and Independent Testing (Customers, Employees, Vendors)

FTC Privacy and Safeguard Rules for Financial Institutions
– Applies to companies “significantly engaged” in providing financial products or services
– Limits disclosure of nonpublic personal information (NPI) to non-affiliated third parties
– Companies to develop written information security plan to protect confidentiality and security of NPI
– Companies to assess and address risks to customer information in all areas of operations
– Companies to provide “clear and conspicuous” privacy and information-sharing notice to customers and to some consumers with “opt-out” rights

Cybersecurity Issues for Financial Institutions
– SEC and FTC Oversight
– Dual Focus:
  • Firms – duty to protect client data and personally identifiable information (PII)
  • Hackers – prevent misappropriation and trading on MNPI
– The fundamentals:
  • Conduct cybersecurity risk assessment
    – E.g., IRS alert re spoofing email scams
    – Periodic evaluation and monitoring
  • Implement written policies and procedures
    – Firewall protection
    – Encryption
    – Access rights and controls

Cybersecurity Issues for Financial Institutions – The Fundamentals (cont)
• Implement appropriate standards required to protect consumer data and PII
  – Mandatory antivirus software
  – Encryption (GLB Act, SEC Reg S-P)
  – Data loss management – transfers to and from external sources
  – Vendor management
• Test for internal controls and reports necessary to
  – Ensure accuracy of financial results unaffected by any security breach (as part of cyberattack response plan)
• Implement appropriate incident response
  – Mitigation
  – Reporting

Jumpstart Our Business Startups (JOBS) Act: Select Provisions
– Objectives:
  • Promote job creation and economic growth by easing access to capital markets for small businesses
  • Reduce regulatory burdens of SOX (for limited term)
  • Balance investor protection vs. improved access to capital
– Emerging Growth Company (EGC) (Title I)
  • Under $1.0 billion in annual revenue
  • Remains EGC until earliest of four conditions
  • Eligible if first sale of registered equity securities was after December 8, 2011

Jumpstart Our Business Startups (JOBS) Act
– Regulatory Advantages for EGCs:
  • Less financial information required to be submitted to SEC
  • SEC confidential review of draft registration statement permitted before public filing
  • “Test the waters” communications permitted with Qualified Institutional Buyers and institutions if accredited investors
  • Underwriting banks permitted to present research reports during public offering
    – Conflict of interest/communication rules inapplicable
  • New, revised accounting standards not currently required
  • Auditors exempted from required attestation reports on EGC internal controls for financial reporting
  • Reduced requirements re executive compensation disclosure

JOBS Act: Title II – Enhanced Access to Private Capital Markets
Private Offerings:
– Elimination of prohibition on general solicitation and advertising in private offerings
  • Securities required to be purchased only by QIBs or accredited investors
  • Reasonable measures required to ensure qualified purchasers

JOBS Act: Title III – “Crowdfunding” Exemption to Offer and Sell Securities: Starts May 16, 2016
– Annual investment limits based on individual income and net worth
– Offered through registered funding portal
– Securities bought generally may not be resold for one year
– Limited company disclosures to SEC, investors, and intermediaries
– Ineligible companies
  • Non-U.S. companies
  • Reporting under Exchange Act
  • Non-compliant
  • Lacking business plan or merger/acquisition with unidentified company
– SEC alert of investor risks

JOBS Act: Title VI – Banks and Bank Holding Companies
– Act increases threshold to 2,000 shareholders from 500 shareholders requiring banks and bank holding companies to register with the SEC
– Registration and reporting obligations may be suspended if number of shareholders “of record” drops to below 1,200
  • Consequence of de-registering: reduction in regulatory costs
– “Going private” opportunities (below 1,200):
  • Stock repurchase, reverse stock split, etc.
– Banks may be eligible to be an EGC

JOBS Act: Title VI – Banks and Bank Holding Companies (cont)
– Banks may take advantage of crowdfunding to raise capital efficiently in small sums from large number of investors
  • Opportunity to increase customer base
– Act eliminated prohibition against “general solicitation and general advertising” in specified private offerings where purchasers are accredited investors
– Section 3(b) of Securities Act amended under JOBS Act to increase aggregate offering amount to $50 million (from $5 million) that SEC exempts

Issues Relating to Seniors
• Protecting seniors can raise other legal concerns
  – State and federal privacy laws
    • How to reach out to a family member/friend if you suspect diminished capacity?
    • How to reach out to a family member/friend if you suspect elder exploitation?
  – State “dignity” laws
    • Can you refuse to honor a POA that you think was given under duress?

Challenges and Risks for Companies with Operations Abroad
• Limited application of attorney-client privilege
• Challenges to cooperation with DOJ/SEC
• Identifying, collecting, and obtaining discovery
  – Witness interviews
  – Document reviews
  – Privacy laws
  – Employment laws
  – EU restrictions

Developments in Justice Department (DOJ) Law Enforcement Priorities for Corporations
• Principles of Federal Prosecution of Business Organizations (USAM 9-28)
• Yates Memo Modification of Principles (September 2015)
  – Individual accountability for corporate wrongdoing
  – Cooperation credit requires disclosure of all relevant facts re individuals’ involvement in corporate misconduct
  – DOJ investigations to focus on individuals from outset
  – DOJ civil and criminal attorneys to communicate routinely
  – No protection from individual civil/criminal liability in corporate resolution, absent extraordinary circumstances
  – Resolution of individual cases viewed along with corporate disposition
  – Individual’s ability to pay is not the sole factor in considering civil suit

QUESTIONS?
• DAbshier@thinkbrg.com
• ECarr@thinkbrg.com
• JHalpern@foley.com
• MLefkowitz@sfr1.com

Play to Win Code: MYMSURVIVOR
Thank you!
Presented jointly by Berkeley Research Group and the ACC Financial Services Committee
David Abshier, Managing Director, Berkeley Research Group
Emre Carr, Director, Berkeley Research Group
Miriam Lefkowitz, Chief Legal Officer, Summit Financial Resources, Inc. / Summit Equities, Inc.