IV(g) GI- Due Diligence for Vendors and Service Providers

Transcription

1 IV(g) GI- Due Diligence for Vendors and Service Providers PANEL AGENDA Lisa Roth Keystone Capital Corporation Fred Shane Commonwealth Financial Network 1. Outsourcing Overview 2. Examples of Outsourced Products & Services Utilized by Broker Dealers and Investment Advisors 3. Common Risks Associated with Outsourcing 4. Why Broker Dealers May Utilize Third Party Service Providers and/or Vendors 5. Rules and Regulations Regarding Third Party Service Provider Due Diligence 6. Enforcement Trends Regarding a Broker Dealer s Obligation to and Monitor Outsourced Service Providers 7. What a BD/IA Should Consider Before Committing to a Third Party Vendor 8. Onboarding New Vendors: Focus Points, Methods and Techniques to Effectively Perform Due Diligence of New Service Providers 9. Due Diligence Lifecycle 10. Red Flags: Suggested Actions Risk Officers Should Consider when Red Flags are Identified 11. Understanding Section 15(c) of the Investment Company Act Methods for Enhancing a Firm s Due Diligence Infrastructure Resource Materials NSCP National Membership Meeting Washington DC- October 22-24, 2012

2 2012 NSCP Annual Meeting October 22 24, 2012 Workshop IV(g) GI- Due Diligence for Vendors and Service Providers Lisa Roth Keystone Capital Corporation Fred Shane Commonwealth Financial Third Panelist TBD RESOURCE MATERIALS Items Description

3 Notice to Members NASD Notice to Members FINRA (Securities Lawyer Handbook) paragraph (1), (3), or (4) of subsection (f) TEMPLATES & HANDOUTS Items Description BD Compliance Calendar Due Diligence Matrix Sample Policy Checklist Onsite Due Diligence Meeting Notes Sample Outsourcing Due Diligence Form RFP Due Diligence Sample DISCIPLINARY MATTERS Items Description Merrill Lynch, Pierce, Fenner & Smith Incorporated ( Merrill Lynch or the Firm ), Respondent Case Jimmy Wayne Freeman Jr. (CRD # , Registered Representative, Corpus Christi, Texas) SUGGESTED ARTICLES Items Description SEC Sues Fund Adviser for Fees Charged in Breach of Duty Under the Investment Company Act, June 2012 Regulatory Compliance Operations and Systems Outsourcing: Compliance Considerations for Broker Dealers

4 IV(g) GI- Due Diligence for Vendors and Service Providers By: Lisa Roth Fred Shane Vendor Moderator (TBD) Prepared For: National Society of Compliance Professionals October 23 rd, Outsourcing Overview Over the past 10 years financial firms have become increasingly reliant on external services providers to fulfill key functions within their organizations (BCJS). Reasons for increased usage of external services providers by BD s and IA s may stem from resource constraints, cost cutting initiatives and/or a shift toward segregation of duties. Despite delegation of key functional responsibilities, regulators such as the SEC and FINRA require that BD s and IA s conduct initial and ongoing due diligence of external vendors (05-48 and 11-14). 2. Examples of Outsourced Products & Services Utilized by Broker Dealers and Investment Advisors Banking o Trust Servicing o Custodial Services o Escrow or Omnibus Accounts o General Banking Services Compliance/Legal o CCO Function o Internal and Branch Auditing and Testing o Marketing Material, Advertising, Communications o Legal Representation o Procurement o Firm Element and Other Training o Pre-Hire Background Checks Due Diligence Consultation o Product and Related Due Diligence Accounting/Auditing o Financial Statement Preparation and o Auditing of a Firm s Internal Controls o Tax Preparation o Expense Reporting o General Accounting Consultation

5 Technology o Disaster Recovery o Data Storage o Help Desk o Data Security o System Development Project Management o Develop and Execute Project Initiatives Operations o Archiving and Record Storage o Transfer Agents and Third Party Administration o Trade Desk Sub Advisory Services 3. Common Risks Associated with Outsourcing Operational Risk: Operational risks that stem from vendor errors, employee wrong doing and/or lack of oversight by management. Operational risk could result in a monetary loss, procedural breakdown or risk of exposure through headline event. Examples of operational risk include a Transfer Agency whose customer service reps provide incorrect information to clients or a technical systems vendor that experiences a security breach, causing the firm to experience unanticipated outages or data tampering/loss. Legal Risk: Legal risk can be linked to contractual and/or litigation risk. An example of a contractual risk may be when a Broker Dealer signs an agreement without ensuring that terms and conditions of the agreement are compliant with industry regulations. For instance, a vendor s contract may allow for data sharing in contravention to industry requirements and/or the firm s own policies. Litigation risk may arise when an Investment Advisor is sued by clients who suffer a financial loss due to incorrect NAV valuations conducted by a custodian bank. Reputation Risk: Reputational risk occurs when the public s opinion changes toward a firm due to an action, event or situation that may arise due to a negative consequence. Broker Dealers and Investment Advisors assume a great deal of reputational risk when partnering with external service providers. In fact, firms rely on third party service providers to conduct themselves ethically to ensure client accounts are serviced accurately and correctly. Clients and regulators alike will question the validity of a BD/IA s business practices should a negative report regarding a third party service provider find its way to the front page of a news periodical.

6 Regulatory Risk: Regulatory risk can greatly increase for firms who are regulated by a government entity or government sponsored entity. BD/IA s assume a risk when partnering with firms who have to adhere to regulatory guidelines. Examples may include a Transfer Agent that is required to follow specific SEC rules regarding record keeping. Another example could be an auditing firm who is required to follow GIPS oversight standards. Partnering with a service provider who is under regulatory scrutiny can negatively impact a BD/IA s reputation, service to clients and open itself up to litigation. The opposite is also true. BDs and IAs also face significant risk when partnering with a non-regulated entity, or with a vendor whose policies do not take FINRA, SEC and State securities/advisory regulations into account. For instance, a data archiving vendor may be adequately secure from threat of intrusion, but it may not provide recordkeeping for adequate lengths of time, or in formats acceptable to securities regulators. Company Risk BD/IA s alike can suffer tremendous consequences from a corporate standpoint should a third party service provider experience a negative situation. Investors, clients and regulators alike rely on the BD/IA to conduct a reasonable due diligence to ensure third party vendors are ethical, compliant and capable of performing their assigned duties 4. Why Broker Dealers May Utilize Third Party Service Providers and/or Vendors Capital Constraints Limited Resources Access to Technology Ability to Expand Business Operations Quickly Separation of Business Functions (i.e. Checks and Balance) Expand Client Offerings of Product and Services 5. Rules and Regulations Regarding Third Party Service Provider Due Diligence NTM o o Outsourcing functions an activity or function to a third party service provider does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and NASD and MSRB rules regarding the outsourced activity or function (NTM 05-48). Rule 3010 requires NASD members to design a supervisory system and corresponding written supervisory procedures that are appropriately tailored to each member s business structure. If a member, as part of its business structure, outsources covered activities, the member s supervisory system and written supervisory procedures must include procedures regarding its outsourcing practices to ensure compliance with applicable securities laws and regulations and NASD rules. The procedures should

7 include, without limitation, a due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities (NTM 05-48). o After the member has selected a third-party service provider, the member has a continuing responsibility to oversee, supervise, and monitor the service provider s performance of covered activities. This requires the member to have in place specific policies and procedures that will monitor the service providers compliance with the terms of any agreements and assess the service provider s continued fitness and ability to perform the covered activities being outsourced. Additionally, the member should ensure that NASD and all other applicable regulators have the same complete access to the service provider s work product for the member, as would be the case if the covered activities had been performed directly by the member (NTM 05-48). NTM o o Proposed FINRA Rule 3190(a)(1) clarifies that a member firm s use of a third-party service provider (including any sub-vendor) to perform functions or activities related to the member firm s business as a regulated broker-dealer does not relieve the firm of its obligation to comply with applicable securities laws and regulations and with applicable FINRA and MSRB rules. Proposed Supplementary Material.01 (Scope of Third-Party Service Provider) clarifies that the term third-party service provider (including any subvendor) shall include any person controlling, controlled by or under common control with a member firm, unless otherwise determined by FINRA.4The proposed provision also prohibits a member firm from delegating its responsibilities for, or control over, any functions or activities performed by a third-party service provider. Proposed FINRA Rule 3190(a)(1) is consistent with FINRA s current guidance that a member firm s use of a third-party service provider for such activities does not relieve the firm of its ultimate responsibility to achieve compliance with all applicable securities laws and regulations and FINRA and MSRB rules, and that the ultimate responsibility for supervision of outsourced activities lies with thefirm.5additionally, FINRA Rule 3190(a)(3) clarifies that nothing in the proposed rule s provisions shall be construed to permit any person to engage in activities that require registration and qualification under FINRA rules without obtaining the necessary registrations and qualifications (NTM 11-14). Proposed FINRA Rule 3190(a)(2) requires each member firm, pursuant to its obligations under FINRA rules, to establish and maintain a supervisory system and written procedures for any functions or activities performed by a third-party service provider that are reasonably designed to achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules. Additionally, proposed FINRA Rule 3190(b) requires that a member firm include in these supervisory procedures an ongoing due diligence analysis of each current or prospective third-party service provider to determine, at a minimum, whether: (1) the third-party service provider is capable of performing the activities being outsourced; and (2) with respect to any activities being outsourced, the member firm can achieve compliance with applicable securities laws and regulations and applicable FINRA and MSRB rules. These provisions are consistent with existing guidance noting that, if a member firm outsources activities, its supervisory system and written supervisory procedures required by NASD Rule 3010 (Supervision) must include supervisory procedures for its outsourcing practices to ensure such compliance and that those procedures should include, without limitation, conducting a

8 Rule 3190 due diligence analysis of all of its current or prospective third-party service providers to determine whether they are capable of performing the outsourced activities (NTM 11-14). o Specifically, proposed FINRA Rule 3190 (Use of Third-Party Service Providers) makes clear that: when a member firm outsources a function or activity related to its business as a regulated broker-dealer to a third-party service provider, it does not relieve the firm of its obligation to comply with applicable securities laws and regulations and FINRA and Municipal Securities Rulemaking Board (MSRB) rules; and (NTM 11-14). the firm cannot delegate its responsibilities for, or control over, any outsourced functions or activities (NTM 11-14). 6. Enforcement Trends Regarding a Broker Dealer s Obligation to and Monitor Outsourced Service Providers Merrill Lynch, Pierce, Fenner & Smith Incorporated ( Merrill Lynch or the Firm ), Respondent Case o Merrill Lynch outsourced some of its proxy functions for certain accounts of its advisory programs to a third party service provider. The Vendor misdirected proxy ballots, utilized outdated proxy delivery designations and conducted clerical errors. o Several other infractions were identified in this case associated with the firm s lack of adherence to Several NASD, FINRA and SEC rules. o Enforcement included Censure and $2.8 million Fine Jimmy Wayne Freeman Jr. (CRD # , Registered Representative, Corpus Christi, Texas) Without admitting or denying the allegations, Freeman consented to the described sanctions and to the entry of findings that he entered into a written contract with a company to sell note agreements, without providing notice to, nor receiving permission from, his firm to engage in any activities related to a company. The findings stated that Freeman lacked the proper license, a Series 7, to do so. The findings also stated that Freeman represented that the company s products were safe and the notes guaranteed a high return within five years, but he lacked any factual basis to make these claims; he did not have any experience with the company s products and failed to conduct adequate due diligence. The findings also included that while recommending the company s investments to his customers, Freeman provided them with the company s sales literature, which contained several unwarranted and misleading statements, failed to disclose any risks involved in the investments, and guaranteed the products would succeed. The statements helped form the basis of Freeman s recommendations to his customers, even though he did not verify these claims prior to recommending and selling the note agreements to his customers. Although Freeman did not write these statements or assist in the drafting of the sales literature, he should have known that

9 the statements were misleading. The suspension is in effect from March 5, 2012, through March 4, (FINRA Case # ) 7. What a BD/IA Should Consider Before Committing to a Third Party Vendor Risks Associated with Outsourcing o Do the benefits outweigh the risks associated with third party service providers performing key functions? o Will the firm s reliance on the Vendor be deemed reasonable by a regulator? o Will the firm s reliance on the Vendor be deemed reasonable by its clients and shareholders? Due Diligence Procedures o Does the BD/IA have policies, procedures and resources to effectively vet new/existing third party service providers? o Does the BD/IA employ at least one person adequately qualified to oversee the Vendor relationship? o Can a BD/IA manage third party relationships without it compromising the firm s ethical standards, business model, or client base, including periodic or ongoing due diligence? Contingency Plan o What would the impact be to a firm should they have to cancel their business relationship with an external service provider? o What steps and/or actions will be taken if a BD/IA has to terminate ties with a third party service provider? Regulatory Expectations o Does a BD/IA comply with applicable regulations pertaining to third party due diligence? o Does the Vendor meet or exceed relevant regulatory requirements? o Has the Vendor maintained a satisfactory level of compliance with its OWN regulators, or within its own industry standards? o Can a BD/IA enhance its oversight procedures quickly and correctly if required by regulators? 8. Onboarding New Vendors: Focus Points, Methods and Techniques to Effectively Perform Due Diligence of New Service Providers Centralization: The Due Diligence process can be effectively managed if there is a centralized resource who owns the due diligence procedure on behalf of a BD/IA. The centralized resource can be one person or a small group dedicated to ensuring all due diligence related items are gathered correctly, filed, tracked and reviewed by the appropriate parties. In addition, the due diligence specialist(s) can monitor the oversight process and make changes as needed to ensure compliance with applicable regulations. Another advantage to having a dedicated due diligence resource is that internal and external stakeholders will immediately know who to contact for questions relating to third party oversight. This can be extremely advantageous during a regulatory exam or internal audit. Lastly, centralization is also important when storing due diligence files. Documents should be store in a central area such as a computer drive or file cabinet. This will enable stakeholder to find information easily and provide them the ability to extract files quickly if needed.

10 Due Diligence Questionnaires: It is vital for BD/IA s to have due diligence questionnaires available so they can gather key information about a firm. This information is to identifying operational, financial, technology or legal risk. Questionnaires can also act as an attestation by having a vendor confirm in writing that the information they are providing is accurate and true. Lastly, due diligence questionnaires demonstrate to regulators that a vetting process is in place and utilized by the firm when warranted. Tracking Checklists: The due diligence process can produces an enormous amount of documents which have to be accounted for accurately. Excel spreadsheets are a useful tool to effectively track due diligence related documents. In addition, Excel checklists can provide management with a high level snap shot of the vetting process associated with third party service providers. Excel checklists should at least note vendor name, key dates, documents required, documents received as well as a section for miscellaneous comments. The great part about tracking sheets is that they can be tailored to meet the needs of the firm conducting due diligence. Written Supervisory Procedures (WSP s): FINRA Rule 3012 and SEC Regulation 206(4)7 requires that Broker Dealer s and/or Investment Advisors have written policies and procedures to evidence their supervisory oversight. WSP s should document the due diligence process by noting applicable steps taken during the vetting process. In addition, the WSP s should note the due diligence questionnaires, tracking spread sheets and any other form of documents utilized to conduct a third party review. Lastly, WSP s should be drafted in such a way that a firm can evidence each item noted in the procedures. WSP s should be reviewed at least annually or updated immediately should a new regulation warrant enhancing the procedures. Collaboration: The success of a due diligence program relies heavily on its ability to effectively communicate with internal and external stakeholders. A Due Diligence Officer should have the ability to provide clear expectations to external vendors to ensure they provide all required information. In addition, Due Diligence Officer s will need to effectively communication internally by providing a logical analysis (either written or verbatim) of a vendor to management. Due Diligence Officers should also have the ability to adhere to varying needs as each manager may have different needs regarding to their decision making process. Ongoing : A firm must continuously monitor a Vendor annually to ensure they are adhering to the service agreement and do not pose a risk to the firm.

11 9. Due Diligence Lifecycle 10. Red Flags: Suggested Actions Risk Officers Should Consider when Red Flags are Identified Follow the Red Flag Plan o o o A firm should draft WSP s that detail next steps action items in the event that a red flag is identified. The Red Flag Plan should be reviewed at least annually by applicable stakeholders. The Red Flag Response team should include senior level executives in Compliance, Legal, Operations and Investments. Document o o Save all supporting documentation that identified the red flag to a centralized location. Obtain additional evidence via the internet, onsite meetings or through verbal communication. Summary Analysis o Draft a Red Flag Summary Analysis that notes the risk identified, when it was discovered, documents that support the assumption and stakeholders who will review the report.

12 Stakeholder Meeting o o Conduct a meeting with applicable internal stakeholders to review the evidence and determine next steps. Establish a final action plan and assign a leader to ensure all steps are completed. Below are some examples of action items. Legal letter to Vendor officially terminating the relationship. Internal/External communication Search for a new Vendor Prepare for legal, compliance or customer fallout. o Document meeting notes and save to Vendor folder. Red Flag Action Item Checklist o o o o Note each step that needs to be completed to effectively terminate the relationship with the Vendor. Ensure each checklist item is complete. Save supporting documentation along with checklist to Vendor folder. Communicate with stakeholders until all action items have been addressed and the Vendor relationship has been legally terminated. 11. Understanding Section 15(c) of the Investment Company Act 1940 Approval of contract to undertake service as investment adviser or principal underwriter by majority of non interested directors. In addition to the requirements of subsections (a) and (b) of this section, it shall be unlawful for any registered investment company having a board of directors to enter into, renew, or perform any contract or agreement, written or oral, whereby a person undertakes regularly to serve or act as investment adviser of or principal underwriter for such company, unless the terms of such contract or agreement and any renewal thereof have been approved by the vote of a majority of directors, who are not parties to such contract or agreement or interested persons of any such party, cast in person at a meeting called for the purpose of voting on such approval. It shall be the duty of the directors of a registered investment company to request and evaluate, and the duty of an investment adviser to such company to furnish, such information as may reasonably be necessary to evaluate the terms of any contract whereby a person undertakes regularly to serve or act as investment adviser of such company. It shall be unlawful for the directors of a registered investment company, in connection with their evaluation of the terms of any contract whereby a person undertakes regularly to serve or act as investment adviser of such company, to take into account the purchase price or other consideration any person may have paid in connection with a transaction of the type referred to in paragraph (1), (3), or (4) of subsection (f) (Securities Lawyer Handbook).

13 SEC Sues Fund Adviser for Fees Charged in Breach of Duty Under the Investment Company Act FOR IMMEDIATE RELEASE Washington, D.C., June 26, 2012 The Securities and Exchange Commission today sued AMMB Consultant Sendirian Berhad (AMC), a Malaysian investment adviser, alleging that for more than a decade, AMC charged a U.S. registered fund for advisory services that AMC did not provide. The SEC alleges that by doing so, AMC breached its fiduciary duty with respect to compensation under the Investment Company Act of Kuala Lumpur-based AMC served as a sub-adviser to the Malaysia Fund, Inc., a closed-end fund that invests in Malaysian companies, whose principal investment adviser is Morgan Stanley Investment Management, Inc. (MSIM). The SEC alleges that AMC misrepresented its services during the fund s annual advisory agreement review process for each year for more than 10 years, and AMC collected fees for advisory services that it did not provide. AMC, a unit of AMMB Holdings Berhad, one of Malaysia s largest banking groups, agreed to pay $1.6 million to settle the SEC s charges, without admitting or denying the allegations. The case follows the SEC s recent related action against the Malaysia Fund s primary adviser, MSIM, and is part of an inquiry into the investment advisory contract renewal process by the SEC Enforcement Division s Asset Management Unit. We are committed to ensuring that advisers to registered funds adhere to their fiduciary duty with respect to the receipt of compensation. Here, AMC breached that duty by charging fees for services that were not rendered, said Bruce Karpati, Chief of the Asset Management Unit in the SEC s Division of Enforcement. AMC s advisory fees were approved each year from 1996 to 2007 as part of the 15(c) process, a reference to Section 15(c) of the Investment Company Act of 1940, which requires a registered fund s board to annually evaluate the fund s advisory agreements, and advisers to provide the board with information reasonably necessary to make that evaluation. 12. Methods for Enhancing a Firm s Due Diligence Infrastructure Centralize Due Diligence Function and Asses Existing Due Diligence Process and Procedures Create an Action Plan to Enhance Due Diligence Existing Program Conduct Independent Research o Regulatory websites o Industry conferences o News periodicals o Historical enforcement actions and legal cases Collaborate with Internal Stakeholders Build the Due Diligence Infrastructure o DDQ s o Tracking Spreadsheets

14 o WSP s o Centralized Database Establish reasonable Time Frames for Performing Ongoing Due Diligence, and/or and Test Due Diligence Procedures at Least Annually Maintain a Vendor Inventory Questionnaires Tracking Checklists Due Diligence Officer WSP s Ongoing

15 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME Update Risk Annually 1 risk map and Assessment update as necessary Communications Monthly 1 , correspondence, Outside Accounts Update Firm Contact System (FINRA Gateway) Update Org Chart Schedule Annual Financial Audit Registration Renewals (Firm) Communications Outside Accounts Conduct Gap Analysis advertising Monthly 1 accounts, Report Annually 1 FINRA Gateway - must be done within 17 days of new year. Annually 1 Include Supervisor As Of, review for new RRs; New licenses Annually 1 For Dec fiscal YE firms Annually 1 Final Funding/Rebate if applicable Monthly 2 , correspondence, advertising Monthly 2 accounts, Report Annually 2 prior year report; interview principals and/or CCO,

16 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME update and file new Gap Analysis Limited Size and Annually 2 reaffirm if applicable Resource Exemption COE Annually 2 Coordinate meeting Certification between CEO and (3013 CCO to complete Certification) certification Communications Interim of Prior Year Examination Findings Outside Accounts Communications Outside Accounts Monthly 3 , correspondence, advertising Annually 3 Perform review to verify completion of plan to address deficiencies from prior year tests and inspections Monthly 3 accounts, Report Monthly 4 , correspondence, advertising Monthly 4 accounts, Report Clearing Annually 4 current list of

17 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME Firm available reports, Surveillance select applicable Reports reports Privacy Policy Delivery Schedule Client Mailings Communications Outside Accounts Schedule Internal inspections Communications Conduct Internal Inspections Annual 4 Deliver notice of privacy policy to customers Annual 4 BCP, CIP, Margin, Privacy, other as applicable Monthly 5 , correspondence, advertising Monthly 5 accounts, Report Annually 5 Schedule internal and branch office inspections; recommend other tests: AML Ind Test, BCP/Data Security Monthly 6 , correspondence, advertising Annually 6 1st of 2 reminders; Conduct branch inspections, home office inspection; other

18 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME inspections Outside Monthly 6 accounts, Accounts Report Communications Outside Accounts Plan Annual Assoc Persons s and Training AML Independent Test Onsite Internal s Communications Outside Accounts Monthly 7 , correspondence, advertising Monthly 7 accounts, Report Annually 7 Plan training, revise and update attestation, COE acknowledgement and other annual forms as applicable Annually 8 Conduct onsite independent test Annually 8 Conduct onsite inspection and fiduciary review Monthly 8 , correspondence, advertising Monthly 8 accounts, Report

19 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME AML Annually 9 Prepare written report Independent of independent test Test Report including plan to address any Annual/Fiduciary Report Assoc. Persons: Compliance Meeting, Training, Forms Communications Outside Accounts Communications Branch Inspection Outside Accounts deficiencies Annually 9 Prepare and deliver written report including plan to address any deficiencies identified in the report Annually 9 Deliver training and annual associated persons forms Monthly 9 , correspondence, advertising Monthly 9 accounts, Report Monthly 10 , correspondence, advertising Spot Check 10 status of branch inspections (completeness, trends) Monthly 10 accounts, Report

20 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME Communications Monthly 11 , correspondence, Outside Accounts Registration Renewals (Assoc. Pers) Registration Renewals (Firm) Registered Representative Update Registration Update CRD; U4 Communications Compliance Manual Update advertising Monthly 11 accounts, Report Annually 11 Gather information and update U4 or U5 amendments as needed (post-date to 12/31) Annually 11 Preliminary statements become available (Check FINRA website for Renewal Calendar) Spot Check 11 Deliver RR attestations; monitor for completeness Quarterly 11 Gather information and update form as necessary Monthly 12 , correspondence, advertising Annually 12 "Year in " summary report of compliance year past

21 VALUE [BROKERDEALER]COMPLIANCECALENDAR TASK ALLOCATION FREQUENCY MONTH DESCRIPTION ASSIGNED TO TIME and look ahead (generic) Compliance Annually 12 "Year in " Manual Update summary report of compliance year past and look ahead Outside Accounts Registration Renewals (Firm) Annual Program Total (specific) Monthly 12 accounts, Report Annually 12 Fund the Renewal Account (Check for the deadline - usually the second week of December) Client Special Projects Total Engagement Summary

22 Firm Name Service Type Date TOB Requested TOB Requestor TOB Report Complete TOB ed by Legal TOB Letter Sent to TPSP Date Internal Communication Sent Date External Communication Sent (If Applicable) TOB Files Saved to Firm Folder Pine Tree Data Storage Technology 2/1/2012 President Complete Yes Yes 2/15/2012 2/17/2012 Yes

23 Misc. Comments Due Diligence Officer Sign Off All files saved, legal letters sent. Internal customer service and tech notified. Yes

24 Onsite Due Diligence Meeting Notes (Firm Name) (Date of Meeting) OnsiteMN_7/2012_Draft Page 1

25 Meeting Information Firm Name Address Length of Meeting Meeting Location Interview Notes 1. Meeting Attendees (Include Name & Title) Firm Overview History Executive Management Business Plan Future Business Plan Workforce Geographic and Statistics References 3. Products and Services Overview Persons Name & Title Contact Information Products and Services Details OnsiteMN_7/2012_Draft Page 2

26 4. Legal and Compliance Persons Name & Title Contact Information Legal or Compliance History Litigation or Enforcement Actions Pending or Finalized Regulatory (if applicable) Compliance and Legal Structure Department Size Process and Procedures 5. Operations Persons Name & Title Contact Information Department Structure Department Size Operational Process and Procedures Operational Internal Controls Checks and Balances Disaster Recovery Process Flow Internal Audit Sample Reports OnsiteMN_7/2012_Draft Page 3

27 6. Technology Persons Name & Title Contact Information Technology Departmental Structure Size of Department Process and Procedures Checks and Balances Disaster Recovery Process Flow Technology Oversight and Internal Controls 7. Financial Persons Name & Title Contact Information Accounting and Finance Departmental Structure Size of Department Process and Procedures Checks and Balances Internal and External Oversight and Controls Auditor (and Auditor Report) Financial Statement Sample Reconciliation Reports OnsiteMN_7/2012_Draft Page 4

28 Due Diligence Officer Summary Analysis (to be completed internally) Due Diligence Officer Name: Date Analysis Completed: OnsiteMN_7/2012_Draft Page 5

29 OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology: Operations/Support Functions: Other: 2. Is this service essential to the operation of the Firm (i.e. transaction order entry; custody and prime brokerage; service designed to promote rapid recovery of operations etc.)? Yes No APPROPRIATENESS OF OUTSOURCING 1. Potential impact on Firm if service provider fails to perform: Financial Impact: High Medium Low N/A Reputational Impact: High Medium Low N/A Operational Impact: High Medium Low N/A Customer Service Impact: High Medium Low N/A Potential Losses to Customers: High Medium Low N/A Comply with Regulatory Requirements: High Medium Low N/A Costs to Firm: High Medium Low N/A Degree of Difficulty Replacing Service Provider: High Medium Low N/A Comments: 2. Is there an affiliation or other relationship between the Firm and the service provider? Yes No If yes, please describe the relationship and any potential conflicts of interest: 3. Is the service provider a regulated entity subject to independent supervision? Yes No If yes, name of regulator: SERVICE PROVIDER INFORMATION 1. General Information Firm Name: Firm Address: Contact Name(s): CRD # (if applicable): Phone: Fax: Website: Outsourcing Due Diligence Form 1

30 (PAGE 2) 2. Is the service provider owned/controlled by a Parent Co.? Yes Name: No 3. Personnel: Approximate # of employees: Does the service provide hire independent contractors? Yes No 4. Background Information: How many years has the service provider been in business? How many years has the service provider provided the outsourced function? Is the service provider known to the Firm or employees of the Firm? Yes No If yes, please name the individual(s) and describe any prior experience each had with the service provider: DUE DILIGENCE 1. What methods did the Firm use to verify the service providers information? (Choose all that apply.) FINRA Public Disclosure Internet Research Entity Formation Documents SEC Public Disclosure Credit/Background Check Independent Research Form BD/ADV Media/News Reports Personal Referral Business Plan 10K RFP Policies Manual(s) Personal Interviews Marketing Materials Financials Onsite Inspection Sales Materials Other: Does the firm maintain evidence of the above methods used to verify the service providers information (i.e. copies of documents reviewed; notes from personal interviews and onsite inspections; printouts from public disclosure sites etc.)? Yes No If yes, please identify where this evidence is maintained: 2. Please list one or more qualified references; firms that use this service (if contacted personally, identify the name of the contact and the result of the contact): 3. Please describe the background and experience of individuals who will be performing the services: 4. Based on your review of the information, has the service provider and/or its principals been subject to any regulatory, criminal or civil disciplinary issues? Yes No If yes, please describe: Outsourcing Due Diligence Form 2

31 5. Based on your review of the information, please describe the service providers ability and capacity to perform the outsourced activities effectively, reliably, and to a high standard (include in your description relevant technical, financial, human resources, and/or other assets of the service provider): 6. Does the service provider have a business continuity plan? Yes No If yes, review a copy of the plan and comment on its adequacy: 7. Is privacy and protection of non-public information a factor in outsourcing? Yes No If yes, comment on the adequacy of the service providers for safeguarding non-public information: 8. After reviewing the information, are there any questionable issues or potential conflicts of interest? Yes No If yes, please describe: CONTRACTS AND AGREEMENTS 1. Has (or will) the Firm entered into a written agreement with the service provider? Yes No If yes, please identify the relevant provisions and disclosures in the contract (choose all that apply). Provides for Firm and regulator access to records Firm and client confidentiality Limitations on service providers ability to sub-contract Payment arrangements Defines responsibilities of all parties subject to contract Provide quality services measures Defines how responsibilities will be monitored Guarantees and indemnities Liability for unsatisfactory performance or other breach Information security provisions Requirement to maintain a disaster recovery plan Disclosure of breaches in security Time Commitment (Termination Date): Other relevant provision(s): 2. Was the written agreement reviewed by the Firms legal counsel? Yes No N/A If yes, name of legal counsel: Date of : 3. Was the written agreement reviewed by the principal responsible for outsourcing functions? Yes No If yes, name of principal: Date of : Outsourcing Due Diligence Form 3

32 OVERSIGHT AND PERIODIC REVIEW 1. List the name and title of the Firm Principal who is responsible for the periodic oversight and review of the outsourced service? 2. Please identify the individual(s) who will monitor the outsourced service if different from above. 3. Please identify the tools that will be used to monitor the outsourced service: Service delivery reports prepared internally Service delivery reports supplied by the service provider Publicly available resources Performance levels established in written agreement Internal auditor Onsite inspection External auditor Attestations by service provider Other 4. Frequency of monitoring: Daily Weekly Monthly Quarterly Annually Other 5. If deficiencies are found, are there procedures in place to respond to such deficiencies (i.e. communicate with the service provider; terminate the contract)? Yes No DOCUMENTATION REVIEW AND APPROVAL 1. Individual(s) responsible for completing this due diligence review: a. b. c. Firm Principal: I have reviewed the information contained in this Outsourcing Due Diligence Form and: The Firm has elected to use the service provider above. The Firm will not use the service provider above. Principal Signature Date Printed Name of Principal Outsourcing Due Diligence Form 4

33 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Policy Checklist Required Published Approved Adopted Communicated Revised Acceptable Use <Yes / No> <Date> Account Management <Date> <By> <Date> <Date> <Date> Admin/Special Access Business Continuity Planning Change Management Data Encryption Incident Management Intrusion Detection Network Configuration Network Access Passwords Physical Security Portable Computing Privacy Security Monitoring Security Training Server Hardening Vendor Access Virus and Malware Protection IS Policy Checklist.doc 1 of 6

34 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Analysis Matrix SECURITY ELEMENT IS Program Program Development and Evaluation Process INDUSTRY BEST PRACTICE LOCATION LAST Documented development process for the continual updating and review of security policies and procedures and compliance. Includes process for the continuous review and measurement of policy effectiveness. REVISION DATE IMPLEMENTATION Responsibilities and Roles Documented policies that define the roles and responsibilities of system administrators and their relation to the computer systems and network infrastructure in their care. Security Training Awareness and training program in information security and the protection of information resources for personnel who come in contact with sensitive resources. Security Training Policy Security Training Awareness and training program in information security and the protection of information resources for personnel who come in contact with sensitive resources. Change Management Software Updates Policies and procedures for the monitoring of patch and vulnerability information sources, their review, remediation, and the creation of new baseline information for updated systems. Change Management Policy Server Hardening Policy IS Policy Checklist.doc 2 of 6

35 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Access Policies Acceptable Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Account Management Documentation requiring standards and procedures for the creation, distribution, revocation of user accounts. Passwords Documentation requiring standards and procedures for the composition, creation, distribution, use, and revocation of passwords. Internet Access Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Access and Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Network Access Policy Acceptable Use Policy Account Management Policy Password Policy Acceptable Use Policy Acceptable Use Policy IS Policy Checklist.doc 3 of 6

36 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Voice Mail Access and Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Acceptable Use Policy Special Access Policy Secure Gateways Implemented, documented, and maintained gateways that implement security policy. Vendor Access vendor access and safeguarding agreements. Monitoring and Incident Management System Security Tools Intrusion Detection Security Monitoring Virus Detection Escalation Procedures Incident Reporting Incident Handling Incident Investigation Hardware Management Policies Portable Computing Policy The use of audit controls and tools to periodically review security compliance. Response plan for handling and resolving security incidents. Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Network Access Policy Network Configuration Policy Vendor Access Policy Security Monitoring Policy Intrusion Detection Policy Incident Management Policy Portable Computing Policy IS Policy Checklist.doc 4 of 6

37 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Equipment Computer equipment is maintained in accordance with manufacturers recommendations. Records of faults or suspected faults are maintained. Critical systems are under maintenance contract in proportion to their significance. Server Hardening Policy Data Protection Policies Data Encryption Policies regarding encryption of data in transit and in storage. Privacy Documentation establishing responsibility and appropriate measures for protecting private and personally identifying information. Minimum efforts may be required by legislation. Privacy Policy Business Continuity Planning Documentation establishing responsibility for policies and procedures and mechanisms for the creation, testing, and revision of contingency plans for business critical systems. Backup/Disaster Recovery Policy Data Retention Documented policies and procedures for the archival and retention of sensitive data. IS Policy Checklist.doc 5 of 6

38 Section x IS Security Policies mm/dd/yy -Effective mm/dd/yy -Revised Policy Checklist Information Services -Author Backup Policies and procedures and mechanisms for the archival, retention, and recovery of data. Periodic testing of recovery schemes. Backup/Disaster Recovery Policy Off-Site Backup Copies of backup media and logs are stored off-site in a secured facility on a regular basis. Policies and procedures exist governing the transfer and handling of media. Backup/Disaster Recovery Policy Disposal of Sensitive Data Documented policies and procedures for the destruction of media containing sensitive data. Physical Security Basic Physical Security Controlled building access, mandatory access controls for information systems; policy for use of controls and penalties for noncompliance. Physical Security Policy IS Policy Checklist.doc 6 of 6

39 RFP (Annual) Due Diligence Questionnaire (FIRM NAME) RFP DDQ_7/2012_v1 Page 1

40 Company Information Firm Name Address Phone & Fax Website Address Primary Contact Information Company Business Partnerships Auditor Legal Bank Misc. Document Checklist Regulatory Reports Legal Reports Marketing Documents Company Presentation Overview Company Financials Business Continuity Plan Internal Ethics Report (COE) 3 References Operational Procedures Technology Procedures Compliance Procedures Auditor Letter Third Party Vendor Preparer Final Check & Sign-Off Name Title Contact Contact Number Date Click here to enter a date. RFP DDQ_7/2012_v1 Page 2

41 1. Firm Overview (Please provide a brief history of the firm) 2. Products and Services Overview (Please provide a brief overview of your firm s products/services) 3. Executive Management Overview and Bios 4. Legal/Compliance Have there been any arbitration, litigation, complaints, or regulatory organizations/exchange rules violations? If yes, please explain and provide documentation detailing the violation: Is your firm regulated by a government entity or government sponsored entity? If so which ones? Does your firm have any regulatory or legal actions pending? If yes, please explain and provide supporting documentation detailing the action pending. Has any principal or member ever been named in/or convicted of violating any law, federal or state, related to securities or banking? If yes, please provide details and documentation detailing the violation. RFP DDQ_7/2012_v1 Page 3

42 Please provide a summary of your firm s insurance coverage 5. Technology Please describe your firm s policies and procedures pertaining to employee/external access, web access and user id/password protocol (letters, numbers and change requests)? Has there been any privacy breaches in the past 3 years? If a privacy breach occurred, did your firm submit any filings or notices to state and/or federal regulators that disclosed the privacy breach? If a privacy breach occurred please note corrective actions taken to ensure a breach will not occur again: Please detail your firm s disaster recovery plan. 6. Operations Please provide an overview of your firm s operational structure. Please provide an overview of your firm s operational procedures. Please provide an overview of how your firm conducts testing to ensure the effectiveness of operational procedures. RFP DDQ_7/2012_v1 Page 4

43 Does your firm rely on third party service providers? If so, what s your firm s initial and ongoing due diligence process of these firms? 7. Confirmation of Due Diligence Please confirm that your firm conducts an annual review of the following processes Code of Conduct Operations Technology Compliance Entity Yes/No Comment Choose an item. Choose an item. Choose an item. Choose an item. 8. Financials/Accounting 1. Please confirm that your company will provide its most recent audited financial statements. Choose an item. Answer 2. If your company will not provide audited financial statements please explain why? 3. If your firm will not provide audited financial statements, please confirm that your company will provide its most recent unaudited financial statements as well as providing the name, address and telephone number of the accounting firm that prepared these statements: 4. Please confirm that your organization has effective oversight of its employees to prevent accounting activity that would be construed as illegal or in violation of regulatory and/or law enforcement. Choose an item. Answer RFP DDQ_7/2012_v1 Page 5

44 5. Please have your firm s CFO (or a Senior Finance official) confirm that the information provided in the Financial/Accounting section is accurate and true: Name Title Contact Date Click here to enter a date. Due Diligence Officer Summary Notes (to be completed internally) *To be completed internally Final Checklist: Confirm receipt of all documentation internal/ external stakeholders that DD review is complete. Choose an item. Choose an item. E Signature (Due Diligence Coordinator) Date Click here to enter a date. Choose an item. Signer RFP DDQ_7/2012_v1 Page 6