*Originally Published on CrowdfundInsider.com (May 20, 2017)
With the one-year anniversary of Crowdfunding under Regulation Crowdfunding occurring on May 16th, business executives and compliance officers at registered Crowdfunding Portals (CFPs) should be actively preparing for their first regulatory examination by the Financial Industry Regulatory Authority (FINRA).
FINRA’s 2017 exam cycle will for the first time include the examination of CFPs. FINRA will conduct examinations of each CFP within the first twelve months of membership and no less than once every four years thereafter. FINRA has considerable oversight and authority over the daily activities of its members and periodically examines its members to ensure compliance with both the FINRA rules and the federal securities laws.
As a self-regulatory organization, FINRA has the power to take disciplinary action against its members, ranging from fines and censure to full expulsion. Last year, FINRA brought 1,434 disciplinary actions resulting in $176.3 million in fines and $27.9 million in restitution to harmed investors, suspended 727 individuals, barred 517 persons from the industry and either suspended or expelled 50 firms.
Last year we saw UFP, LLC, a once registered crowdfunding portal, expelled from FINRA membership. UFP’s expulsion was a decisive move by FINRA and sent a clear message to the crowdfunding industry. With upcoming examinations and a possibility of regulatory action against member firms and their associated persons, this is an important time for CFPs to ensure that they are meeting compliance standards. FINRA will assess each CFP’s business and the risks associated with those activities. The level of risks, and the CFP’s management of those risks, is an important factor in FINRA determining how frequently the CFP will be examined going forward. After the first examination, CFPs may be examined on a one, two, three or four-year cycle.
We expect that FINRA will be carefully examining how CFPs manage their day-to-day operations, ensure that their issuers are meeting the requirements of Regulation Crowdfunding (Reg CF), oversee issuer communications with investors on the portal, and develop their compliance infrastructure to address their specific business model and risks. The following are some key areas where we believe FINRA will focus its efforts.
Gate Keeper Responsibilities.
CFPs are viewed by regulators as “gate-keepers” with the primary goal of protecting investors from fraudulent and noncompliant offerings. The FINRA rules require CFPs to have a reasonable basis for believing that issuers posting offerings on their portals comply with applicable regulatory requirements, including Regulation Crowdfunding, and require CFPs to deny access to issuers that present the potential for fraud or otherwise raise investor protection concerns.
We expect extensive consideration of how CFPs are evaluating prospective issuers, and the scope and manner of detecting issuer noncompliance. There is growing industry concern that Form C filings and other offering materials being made available to investors may fall short of Regulation Crowdfunding. This ranges from offerings failing to provide the appropriate financial disclosures to offering materials appearing not to provide adequate disclosure about the business and the offering, including non-generic risk factors. One emerging trend includes issuers filing screenshots of the offering’s deal page on the CFP with the SEC as the Form C. These filings are often illegible and at times appear to be thin on disclosure of material information. If the disclosures provided in the Form C are on their face inadequate or fail to meet basic requirements, we can expect FINRA to inquire into the effectiveness of the CFPs’ compliance procedures and controls.
Communications with the Public & Advertising
CFPs routinely communicate with the public to, among other things, market their services. All CFP communications or advertisements to the public, including written communications distributed to one or more investors, must be based on principles of fair-dealing and content must be fair and balanced.
CFP communication with the public may not include false, exaggerated, unwarranted, promissory or misleading statements or claims. This may be as subtle as a slogan, graphic or eye-catching headline which is promissory in nature or hints at the potential future success of a specific offering or the offerings posted on the portal in general. Profit forecasts are prohibited, with the exception of a hypothetical illustration of mathematical principles, provided that it does not predict or project the performance of an investment.
CFPs are not permitted to make recommendations or provide investment advice. If there are any statements which are intended to act as an endorsement or suggest that an offering is of a higher quality, safer or worthier than others, it could be deemed a recommendation and a breach of the rules.
The scope of review extends beyond just the CFP to all forms of communication. For CFPs that post articles, reports and other content prepared by third parties, your compliance team must be mindful of whether such content is one-sided. CFPs will be deemed to have adopted third-party content which may include impermissible investment advice or recommendations or contain misleading statements. Executives who choose to use the CFP to post their own blogs need to also be sensitive to this issue. Chief Compliance Officers (CCOs) and supervisors need to carefully review all content posted on the CFP. FINRA’s recently published Notice to Members 17-18 provides valuable guidance on digital media communications.
One of the most important compliance tools CFPs are expected to use is email surveillance, which is the periodic review of communications between the issuer or its agents and the public. We expect that FINRA will be evaluating how CFPs have been monitoring these communications, including how frequently and in what manner this review is conducted.
CFPs that include offerings outside of Title III Crowdfunding can likely expect questions and comments by FINRA staff pertaining to those offerings as well.
Supervisory Procedures & CFP Personnel
CFPs must establish and maintain a system to supervise the activities of each associated person and transactions conducted on the portal to ensure compliance with Regulation Crowdfunding, FINRA rules and the federal securities laws. As part of the FINRA New Membership Application (NMA), each CFP submitted to FINRA their Written Supervisory Procedures (WSPs). It is likely that the WSPs will be evaluated first to determine whether they cover all compliance and regulatory obligations, not only under Regulation Crowdfunding, but also other federal securities laws which CFPs are required to meet.
We expect that FINRA will be evaluating how your WSPs have evolved since your NMA to address risks you have identified in the course of your business, whether the CFP is complying with the processes you represented were going to be implemented (i.e. daily, quarterly or annual reviews), how the CFP has responded to compliance issues and the overall effectiveness of your fraud detection process. Additionally, we expect discussions regarding the internal audit processes and requests for training material used by the CCO to ensure that staff both understand the CFPs’ compliance obligations and are timely executing procedures.
Regular testing is critical to enabling CFPs to identify and mitigate risks or inadequate controls which if left undetected may lead to supervisory breakdowns. A good compliance program requires routine internal audits to verify the effectiveness of the compliance structure and adjustment based on developments in the business. We expect that FINRA will be looking for records of such audits and reviews.
Books & Records
CFPs are required to keep certain business records, ranging from communications with the public to records relating to issuers that offer securities through the portal. These records must be maintained generally for a period of five years and preserved in the original, non-alterable format (also referred to as “WORM” or write once, read many) which prevents alteration or destruction (17 CFR 240.17a-4). Both FINRA and the SEC view this obligation as being at the core of the investor protection function since the only way to properly regulate the securities industry is to have a record of your business activities. The scope of the rules goes beyond email communication to how other documents in your office are being preserved. As an example of how important strict compliance with this requirement is to regulators, in December 2016 alone, 12 broker-dealers were fined a total of $14.4 million for deficiencies relating to the preservation of customer records in a format that prevents alteration.
With news of data breaches and hacking becoming routine, expect that FINRA will be discussing with you how your CFP addresses cybersecurity risks. This may include an understanding of how you identify and assess cybersecurity risks, protect assets from cyber intrusions, detect when your systems and assets have been compromised and plan for the response when a data breach occurs. Technology aside, regulators may look at potential weaknesses at your office, including whether USB drives on portal computers have been disabled to prevent data from being taken off the system, password length and reset policies for staff computers, physical security of files in your office and vendor due diligence. For laptops, smart phones and other mobile devices that have virtual access to your files, whether you have systems in place to lock or delete data if such devices are lost or stolen will also be considered. Regulators are looking to intermediaries to take this threat seriously. Although CFPs do not hold securities or customer funds, they do hold important customer information, so we expect a meaningful evaluation of how CFPs are responding to the very real threat of a data breach.
For CFPs that have developed a culture of compliance and have developed a compliance program that meets requirements and addresses day-to-day business risks, your first FINRA exam will be a productive experience. CFPs which have not implemented the necessary procedures and controls should use this time now to address any shortcomings in preparation for their FINRA examination.
Scott Andersen is principal at finLawyer.com. He has also been Deputy Regional Chief Counsel at FINRA, Enforcement Director at FINRA and the NYSE, Co-Chief of the Securities Prosecutions Unit of the NY Attorney General’s office, and Asst. Attorney General for the State of NY. In these roles, he has investigated, prosecuted and supervised criminal, civil and regulatory enforcement actions for over nineteen years. He concentrates his practice on SEC, FINRA and state regulatory defense and securities regulatory counseling, as well as working with crowdfunding portals, funding platforms, broker-dealers and fintech providers on regulatory compliance matters. He can be reached at sandersen@finLawyer.com.
George S. Georgiades is an experienced securities lawyer and founder of Georgiades & Associates (www.AltFinEsq.com), a boutique securities law firm based in New York City focusing its practice on alternative finance transactions such as Crowdfunding, Regulation A+, and other technology-driven financings. His prior experiences range from serving as in-house counsel to a leading middle-market broker-dealer, regulatory counsel to a multibillion-dollar real estate investment fund and capital markets associate at a leading New York City corporate finance law firm. We routinely advise startups, investment advisors, funding platforms and broker-dealers in the United States and abroad. He can be reached at firstname.lastname@example.org.
The information and materials in this article are provided for general informational purposes only and are not intended to be legal advice. The issues discussed include complicated areas of law and legal advice should be obtained from a securities attorney about your specific circumstances.