State Regulations to Watch

With all eyes on the federal government’s various efforts at reforming the fiduciary rules for financial advisors and administrators, attention may have slipped from the States. A few states are trying their hands at fiduciary rules that are worth watching.  New Jersey has proposed a new rule in 2019 concerning common law fiduciary requirements and extension to broker-dealers. As stated, New Jersey’s securities regulation bureau “believes that the proposed new rule is necessary to ensure that persons involved in the securities markets are uniformly held to a high standard in their dealings with the general public….”  In addition, the North American Securities Administrators Association (NASAA) has proposed new model rules in May of 2019.

The NASAA’s proposed rules include one to enhance cybersecurity and protection of investor privacy, modeled similar to the guidance seen in 2017 from SEC and DOL on privacy. That is, the rule has a HIPAA like aspect of modifying its stringency based on the size and complexity of the advisor’s business. After requiring “physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information….” The rule goes on to state that “the policies and procedures must be tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.”  This language may be problematic in implementation as it isn’t clear when an investment advisor has hit the mark. This may mean that investment advisors have to undertake risk assessments of their cybersecurity and privacy as a proactive measure to show that their policies meet the risks reasonably ascertainable.

The rule does provide five clear functions that must be met by an investment advisor’s privacy policy, namely “The physical security and cybersecurity policies and procedures must cover at least five functions: (A) Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities; (B) Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services; (C) Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event; (D) Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and (E) Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.”

NASAA also proposed model rules on prohibited conduct and unethical business practices. These rules seem to adopt FINRA suitability requirements and SEC and DOL requirements on reasonability of fees and prohibitions on advertisement of certain sales of securities.

NASAA also proposed a model rule to facilitate secondary trading, which provides a manual exemption from securities registration that does not recognize EDGAR as a source of the information that must be publicly available to investors under the exemption. The model rule would also provide an exemption for transactions where of issuers have previously sold securities in an offering qualified under Tier 2 of Regulation A and that are subject to and current in their ongoing reporting requirements thereunder.

Finally, the NASAA proposed a model rule concerning the records to be kept by investment advisors. This rule may go beyond state law rules concerning record retention and is worth reviewing as to the paper copies required (versus electronic copies). This includes “originals of all written communications” concerning a multitude of instructions from clients.

These model rules have been proposed in Michigan (in 2018). In addition, Michigan has proposed other administrative rules involving the registration exclusion for capital-raising intrastate “finders”, the “bad actor” disqualifications from Michigan securities offering exemptions, a new “merger and acquisitions broker” (business broker) exemption from Michigan broker-dealer registration, and new requirements for “private fund advisers” to remain exempt from Michigan investment adviser registration, among others.