
Conducting an Annual Compliance Review – Session 10 – Business Continuity Plans & Information Security

Upload: duongphuc

Post on 08-Oct-2018


TRANSCRIPT

Conducting an Annual Compliance Review – Session 10 – Business Continuity Plans & Information Security

Copy of Slides

• To access a copy of the slides from today’s presentation please go to: www.RIA-Compliance-Consultants.com/BCP&InfoSecurity-Session10.html

Presenter

• Bryan Hill, President, RIA Compliance Consultants
• Tammy Emsick, Director of Business Development & Senior Compliance Consultant, RIA Compliance Consultants

Presentation Disclosures

• Although the sponsor of this presentation, RIA Compliance Consultants, Inc. (“Sponsor”), is an affiliate of a law firm and Sponsor may have an individual on its staff that is also licensed as an attorney providing legal services in a completely separate capacity, Sponsor is not a law firm and does not provide legal services or legal advice. A consulting relationship with Sponsor does not provide the same protections as an attorney-client relationship.

• This presentation is offered for educational purposes only and should not be considered an engagement with Presenter or Sponsor. This presentation should not be considered a comprehensive review or analysis of the topics discussed today. These materials are not a substitute for consulting with an attorney or compliance consultant in a one-on-one context whereby all the facts of your situation can be considered in their entirety.

• Despite efforts to be accurate and current, this presentation may contain out-of-date information. Additionally, Presenter and Sponsor will not be under an obligation to advise you of any subsequent changes.

• Information provided during this presentation is provided "as is" without warranty of any kind, either express or implied, including, without limitation, warranties of merchantability, fitness for a particular purpose, or non-infringement. Presenter and Sponsor assume no liability or responsibility for any errors or omissions in the content of the presentation.

• Information provided during this presentation relates solely to the Investment Advisers Act of 1940 and the rules thereunder and, at times, we may reference similar state securities rules and regulations specific to registration as an investment adviser. Certain circumstances or arrangements you may have may warrant you to consider other regulations that may apply including, but not limited to: the Investment Company Act of 1940; the Securities Act of 1933; the Securities Exchange Act of 1934; ERISA and other Department of Labor regulations; federal or state laws and regulations and self-regulatory (e.g., FINRA) rules for broker-dealers and registered representatives/securities agents of broker-dealers; and state insurance rules and regulations. The Sponsor of this presentation does not provide any advice or consulting services outside the scope of the Investment Advisers Act of 1940 or similar investment adviser state securities rules and regulations. If you need advice regarding any other rules or regulations, the Sponsor recommends that you consult with an attorney or consultant that specializes in those specific rules or regulations.

Presentation Disclosures

• There is no guarantee or promise that concepts, opinions and/or recommendations discussed will be favorably received by any particular court, arbitration panel or securities regulator or result in a certain outcome.

• To the extent that you provide RCC with your email address, it will be added to RCC’s electronic newsletter mailing list regarding compliance issues for investment advisors. You may opt out at any time by calling RCC at 877-345-4034 or clicking at any time the “unsubscribe” link on the electronic newsletter.

• Communication with today’s webinar presenter is not protected by attorney-client privilege. Please keep questions during this seminar in a hypothetical form. This seminar session and/or the presentation materials may be recorded, copied and/or shared with third parties and/or posted to our public website.

Not Information Security Experts

• RIA Compliance Consultants Is Not An Expert In Information Security or Wire Fraud.
• RIA Compliance Consultants Doesn’t Provide Information Security Risk Assessments or Audits of Information Security Plans.
• RIA Compliance Consultants Offers the Following Practices & Techniques for the Attendee to Discuss with His or Her IT & Information Security Staff or Consultants.

Agenda

• Overview of Regulations
– Gramm-Leach-Bliley Act of 1999 (GLBA)
– Regulation S-P
– Investment Advisers Act Rule 206(4)-7
– Investment Advisers Act Rule 204-2
– State Requirements
– Sample of Enforcement Actions
• Business Continuity/Disaster Recovery
• Cybersecurity
– SEC March 2014 Request for Information List
– Establishing an Information Security Program & Best Practice Tips
• Ongoing Compliance
• Annual Compliance Review
• Common Problems

Gramm-Leach-Bliley Act of 1999 (GLBA)

• Created information privacy protections for customers of financial institutions
• Requires financial institutions to:
– Provide notice to customers about privacy policy
– Provide the opportunity to opt out of disclosure of non-public personal information
• Directed the SEC to establish standards to:
– Insure the confidentiality of customer info
– Protect against threats or hazards to security of info
– Protect against unauthorized access or use

Regulation S-P

• Enacted by SEC to implement GLBA
• Applies to investment advisers, broker/dealers & investment companies registered with the SEC
• Implement written policies to safeguard confidentiality of customer information, protect against anticipated threats or hazards to security of customer information, and protect against unauthorized access or use of customer information that could result in substantial harm or inconvenience to any customer.

Regulation S-P – Rule 30(a)

Every … investment adviser … must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:

(1) Insure the security and confidentiality of customer records and information;

(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

https://www.law.cornell.edu/cfr/text/17/248.30

Rule 206(4)-7

• Investment Advisers Act of 1940 (“Advisers Act”) Rule 206(4)-7 makes it unlawful for an investment adviser registered with the SEC to provide investment advice unless the investment adviser has implemented written policies and procedures reasonably designed to prevent violation of the Advisers Act by the adviser or any of its supervised persons.

Rule 206(4)-7

• Rule 206(4)-7 does not specify specific elements that have to be included in an investment adviser’s policies and procedures, but the final rule release lists ten specific issues that at a minimum must be addressed in an investment adviser’s policies and procedures to the extent they are relevant to the investment adviser. The tenth item in this list is “business continuity plans.”

Rule 206(4)-7

• Footnote 22 in the final rule release for Rule 206(4)-7 states, “We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the client’s interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.”

Rule 204-2

• Under Rule 204-2 of the Advisers Act, investment advisers have responsibilities to maintain certain books and records, which includes a requirement to maintain electronic storage media “so as to reasonably safeguard them from loss, alteration, or destruction.”

State Requirements

• State registered RIAs are covered by FTC rules
• Similar to Rule 30 of Reg S-P
• GLBA permits states to enact tougher requirements
– MA and NV have enacted additional safeguard requirements
• On April 13, 2015, the North American Securities Administrators Association (“NASAA”) adopted a model rule on business continuity and succession planning – Model Rule 203(a)-1A or 2002 Rule 411(c)-1A

http://www.nasaa.org/wp-content/uploads/2011/07/NASAA-Model-Rule-on-Business-Continuity-and-Succession-Planning-with-gu....pdf

State Requirements - Nevada

• Requires encryption of personal information
– Prohibits transfer of information unless done through encrypted networks
– Requires portable storage devices to be encrypted
• Applies to businesses with clients located in Nevada

State Requirements - Massachusetts

• Applies to any business handling “personal information” of Massachusetts residents
• Individual’s first and last name, or last name and first initial, along with:
– Social security number;
– Driver’s license or state ID number;
– Financial account number; or
– Credit or debit card number

State Requirements – Massachusetts (Continued)

• Must design a program to protect against internal and external security threats
– Identify reasonably foreseeable internal and external risk
– Assess likelihood and potential damage of risk
– Monitor effectiveness of safeguards

SEC Enforcement – Unauthorized Trades

• Branch trading system hacked
– Attempted to make more than $700,000 in trades
– Previous internal audit revealed the weakness
• Charged with failure to adopt policies and procedures to safeguard clients’ personal info
• Fined $275,000 and ordered to hire a consultant to assess information security program

https://www.sec.gov/litigation/admin/2008/34-58515.pdf

SEC Enforcement – Stolen Laptops

• Laptop computer of rep stolen (8/2006).
– Laptops contained customer names, addresses, telephone numbers, dates of birth and social security numbers.
– B/D filed police report but didn’t contact clients notifying of theft, and no further action was taken by B/D.
• Another rep’s password stolen and unauthorized access to emails (1/2007).
– B/D directed reps in the branch to change password but didn’t contact criminal authorities or recommend other changes than a scheduled new policy to require periodic password updates.
• Additional rep laptops were misappropriated but didn’t hold any confidential customer info (2/2008).
– B/D didn’t take further action.
• SEC alleged CCO aided and abetted B/D’s violation of Reg S-P.
• SEC censured CCO and ordered CCO to pay fine of $15,000

https://www.sec.gov/litigation/admin/2011/34-64220.pdf

Business Continuity/Disaster Recovery

• On August 27, 2013, SEC Office of Compliance Inspections and Examinations issued National Exam Program Risk Alert, “SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year.”

https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf

• In August 2013, SEC, FINRA, and CFTC issued a joint review of Business Continuity and Disaster Recovery of Firms which addressed recommended best practices and lessons learned as a result of their findings from discussions with various firms impacted by Hurricane Sandy.

http://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf

Business Continuity/Disaster Recovery

• At a minimum a business continuity/disaster recovery plan should address the following:
– Data back-up and recovery
o Hard copy records
o Electronic records
– Key person(s) responsible for data back-up and recovery
– Requirement for storage of back-up data at a separate location from the original data, and identify back-up location

Business Continuity/Disaster Recovery

– Frequency of data back-up
– Frequency of review and testing
o Documentation required to support testing completed and findings/results of testing
– Identify back-up telecommunication systems
– Identify alternative office location, in case of disaster or lack of access to adviser’s primary office location, that:
o Has access to mission critical software, data, online systems/accounts and client records
o Is physically diverse from the primary office location

Business Continuity/Disaster Recovery

• Written plan for what will occur in case of death or temporary or permanent incapacity of owner or a key member of the investment adviser firm

SEC’s Cybersecurity Risk Alerts

• In April 2014, SEC’s Office of Compliance Inspections and Exams (“OCIE”) issued a Risk Alert, “OCIE Cybersecurity Initiative,” addressing its initiative to assess cybersecurity preparedness of the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats. This Risk Alert included a sample request for information.

https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf

• In September 2015, SEC’s OCIE issued a Risk Alert, “OCIE’s 2015 Cybersecurity Examination Initiative,” addressing its continued focus on cybersecurity by conducting examinations of registered broker-dealers and investment advisers. Again, this Risk Alert includes a sample document request list.

https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

SEC’s Cybersecurity Request for Information

• Whether RIA has identified in writing devices, systems, software & connections for risk purposes
• Whether RIA has written information security policy
• Whether RIA has conducted a cybersecurity risk assessment
• Whether RIA has assigned cybersecurity duties to staff
• Whether RIA has insurance coverage for cybersecurity incidents
• Whether RIA has established adequate controls & protections for its networks

SEC’s Cybersecurity Request for Information (Continued)

• Whether RIA restricts users’ privileges within network as necessary for business functions
• Whether RIA has system for timely installation of patches
• Whether RIA has process for disposing of PCs
• Whether RIA has information security training for employees
• Whether RIA has controls against misappropriation of data from removable & mobile media
• Whether RIA has data destruction policy
• Whether RIA has cybersecurity incident response policy & BCP

SEC’s Cybersecurity Request for Information (Continued)

• Whether RIA periodically tests functionality of back-up system
• Whether RIA has compliance audit of information security policy
• Whether RIA has protections against distributed denial of service (DDoS) attacks for critical internet-facing IP addresses
• Whether & how RIA uses encryption
• Whether RIA verifies authenticity of emails seeking transfer of client funds
• If RIA provides online account access, what are the security procedures

SEC’s Cybersecurity Request for Information (Continued)

• Whether RIA conducts or requires cybersecurity risk assessments of vendors with access to RIA’s networks
• Whether RIA incorporates requirements related to cybersecurity risk into contracts with vendors & business partners
• Whether RIA has approval, logging and controls for any vendor with access to firm’s devices
• Whether RIA has systems for detecting unauthorized activity
• Whether RIA has conducted penetration & vulnerability scans
• Whether RIA has been subject to a denial of service attack

SEC’s Cybersecurity Request for Information (Continued)

• Whether RIA’s network has been breached by unauthorized user
• Whether customer or vendor’s computer has been compromised by hacker to remotely access RIA’s network, which resulted in fraudulent activity
• Whether RIA has received fraudulent emails purportedly from customers seeking direct transfer of customer funds & securities
• Whether RIA has been subject to an extortion attempt threatening to damage RIA’s data, devices, network or web services
• Whether such events were reported to law enforcement & regulators

Establishing an Information Security Program

• Written policies to safeguard customer information
– Must address administrative, technical and physical safeguarding of customer info
– Designed to:
o Ensure security and confidentiality of client data
o Protect against anticipated threats or hazards
o Protect against unauthorized access or use
• Assign employee(s) to lead
• Determine company risks

Establishing an Information Security Program

• Draft written plan and implement the safeguards
– Designate employee to maintain WISP
– Each employee should receive WISP and acknowledge receipt in writing
– Personal info collected limited to amount reasonably necessary
– Access to personal info limited to persons required to know such info
• Prepare plan for how to respond to privacy or cybersecurity incident

Best Practices - Physical Security

• Secure all entrances/exits.
• Require all visitors to check in at a central location, require vendors to present photo ID, require all visitors to wear guest badges and only allow visitor access to office areas with confidential client information on an escorted basis.
• Utilize secure server room or secure/lock down servers.
• Utilize security service or alarm system for office during non-business hours (if possible assign unique PINs to each employee).
• Utilize recorded video surveillance
– covering at minimum entrances/exits during non-business hours
– covering server(s), server room & file room (24 x 7)
– store recorded video offsite or in a secret location within office (not server room)

Best Practices – Physical Security

• Require vendors (e.g. maintenance & janitorial services) to conduct background checks of workers
• Develop rules ensuring reasonable restrictions upon physical access to records with confidential client information
• Store records with confidential client information in locked facilities, secure storage areas or locked files
• No open files with confidential client information on desks when not present
• Require employees to secure client files at end of day
• When possible, use alternatives in place of social security numbers & account numbers

Best Practices - Physical Security (Continued)

• Require shredding of all paper records which reference confidential client information.
– If third party utilized for shredding, obtain confirmation that shredding has occurred.
• Require physical destruction of hard drives of any computers and printers before disposing of devices.
• Encourage employees to report suspicious or unauthorized use of confidential client information

Best Practices – Hardware

• Inventory all physical devices
– Device name & type, serial no., purchase date, user’s name and name of any other devices/networks synchronized/connected, and whether device stores or has access to confidential client information
• Install and promptly update firewalls, anti-spam, malware and virus software on every server, computer, laptop, tablet and mobile telephone.
– Update security patches for operating systems
– Consider utilizing systems that can require and monitor that all devices are updated independent of the employee
• Utilize software for the tracking of lost/stolen hardware
• Back up daily and store offsite any mission critical data on hardware
• Remove/restrict/secure open USB ports and CD-ROM drives on hardware
– Protect against introduction of malware into system or misappropriation of confidential client info via USB memory stick

Best Practices – Portable Devices

• Require employees to utilize company owned portable devices to access or store confidential client information
– Prohibit or discourage use of company owned portable devices for personal use
• Require password to access, use of auto-lock (after inactivity) and encryption of portable devices with confidential client information such as laptops, tablets, mobile telephones or USB memory sticks
• Require portable device to use a secured Internet connection to access confidential client information over the Internet (no free WiFi at hotel or airport)
• If possible, utilize software or features on portable device allowing for data to be wiped remotely in event lost or stolen
• Utilize software which allows for the tracking of a lost or stolen portable device

Best Practices - Passwords

• Require use of unique password – do not permit use of same password throughout systems
• Require the unique password to be a non-dictionary alpha-numeric password at least 12 characters/digits long (the longer, the better)
• Require re-set of password after 120 days
• Require use of encrypted password manager
• Require employees not to save passwords for auto-login via web browser or other software
• Require employees to log out of all online accounts or applications when no longer using or leaving the office
• Prohibit employees from writing down passwords and posting near computer, in desk or storing in unencrypted CRM
• Train employees on correct password protocols

Best Practices – WiFi Network at Office

• Use office’s WiFi network only for access to Internet
– Do not access RIA’s network and do not place behind the firewall
• Give office’s WiFi network a generic name
– Name of WiFi network shouldn’t reveal firm’s identity
• Require complex password to access office’s WiFi network
• Set WiFi network router at WPA2 encryption
• Require pre-approval of devices on WiFi
– IP address needs to be programmed into the router network
– Only an option if not making available to guests

Best Practices – Network

• Map all network resources, connections and data flows, including where confidential customer information is created, updated or stored.
• Separate network from Internet with firewalls and web filtering proxies, and monitor with anti-virus and intrusion detection systems.
• Restrict an employee’s access to areas of network and confidential client data based upon employee’s job function
• Require unique (not used anywhere else), non-dictionary, long password to access network.
• Consider two-factor authentication (password plus PIN or dynamic id number) for access to network if highly sensitive information stored there.
• Set server(s)/computers to automatically require re-login after 5 minute period of inactivity
• Require employees to lock computer when stepping away from work space.
• Automatically lock network access to login after multiple unsuccessful attempts

Best Practices – Email

• Prohibit emailing of any confidential client information which is not encrypted
• If not utilizing encrypted documents/email, recommend utilizing secured client portal to transmit any document with confidential client information
• Using email surveillance tools – spot check whether employees are complying with this requirement
• Educate employees on risk and require them to exercise caution when opening attachments from known and unknown sources, clicking on links within emails or entering user id and passwords arrived at via clicking upon a link
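The spot check described in the Email slide, combined with the Massachusetts definition of “personal information” (a name plus an SSN, account or card number) from the State Requirements slides, can be approximated with a simple outbound-mail scan. The code below is an added illustration, not part of the slides or of any RIA Compliance Consultants tool; the message records, the firm domain example-ria.test and every name and number in them are constructed, and the name heuristic is deliberately crude.

```python
import re

# Constructed: the adviser's own domain; mail to this domain is treated as internal.
FIRM_DOMAIN = "example-ria.test"

# Constructed sample export from an email surveillance tool (id, recipient,
# whether the message was sent encrypted, body text). All values are made up.
SAMPLE_MESSAGES = [
    {"id": 1, "to": "client@example.test", "encrypted": False,
     "body": "Hi John Smith, your SSN on file is 123-45-6789, please confirm."},
    {"id": 2, "to": "client@example.test", "encrypted": True,
     "body": "Jane Doe, account 4111 1111 1111 1111 needs a new card."},
    {"id": 3, "to": "ops@example-ria.test", "encrypted": False,
     "body": "Internal note: Jane Doe account 4111 1111 1111 1111 flagged."},
    {"id": 4, "to": "client@example.test", "encrypted": False,
     "body": "Order ID 1234567890123 shipped; see attached invoice."},
    {"id": 5, "to": "client@example.test", "encrypted": False,
     "body": "Reminder: the market closes early on 12-24 this year."},
    {"id": 6, "to": "client@example.test", "encrypted": False,
     "body": "Jane Doe, the card ending in 5500 0000 0000 0004 was reissued."},
]

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card/account numbers: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Two capitalised words stand in for the "first and last name" element.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like card numbers are skipped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(body: str) -> list:
    """Return the kinds of regulated identifiers found in a message body."""
    found = []
    if SSN_RE.search(body):
        found.append("ssn")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append("card")
            break
    return found


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + FIRM_DOMAIN.lower())


def spot_check(messages: list) -> list:
    """Flag unencrypted, externally addressed messages that pair a name with an identifier.

    Encrypted mail and internal mail are out of scope for this check, matching the
    slide's rule that confidential client information may leave only encrypted.
    """
    flagged = []
    for msg in messages:
        if msg["encrypted"] or not is_external(msg["to"]):
            continue
        ids = find_identifiers(msg["body"])
        if ids and NAME_RE.search(msg["body"]):
            flagged.append((msg["id"], ids))
    return flagged


if __name__ == "__main__":
    for msg_id, kinds in spot_check(SAMPLE_MESSAGES):
        print(f"message {msg_id}: unencrypted external mail containing {', '.join(kinds)}")
```

Treat hits as leads for the compliance reviewer rather than proof of a violation; the name heuristic and the bare-digit card pattern will produce both misses and false positives on real mail.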

Best Practices – Cloud Computing

• Require confidential client information be encrypted while in transit to the cloud computing service provider – look for “https://” in URL
• Require cloud computing service provider to keep RIA’s data confidential and refrain from using it for its own purposes
• Require the cloud computing service provider to implement firewalls, socket security features, electronic audit trails and intrusion detection systems
• Require cloud service provider to encrypt RIA’s data stored on the cloud server
• Require cloud computing service provider to notify RIA of security breach related to RIA’s data
• Require cloud computing service provider to notify RIA of subpoena and refrain from producing until RIA has time to respond

Best Practices – Cloud Computing (Continued)

• Require cloud computing service provider to have multiple data site locations with automatic data replication between sites
• Require cloud computing service provider’s data site locations be managed 365 days a year/24 hours a day by IT staff and equipped with fully redundant ISPs, networks, servers, storage, power and cooling, and security infrastructure
• Require the cloud computing service provider to provide cloud computing services in accordance with SSAE 16 (formerly known as Type 2 SAS 70) standards and audit
• Require the cloud computing service provider to have business continuity and disaster recovery plans which are tested at least annually

Best Practices – Cloud Computing (Continued)

• Require method for restoring data accidentally deleted
• Limit each user’s access to confidential client information based upon job function
• Set limits on each user with respect to ability to delete and download data & set alerts on downloads by a particular user

Best Practices - Vendors

• Conduct initial due diligence of service providers to ensure ability to protect confidential client information
• Contracts should require service providers to protect confidential client information
• Obtain certification that each service provider has a written comprehensive info security program which is tested annually
• If vendor has access to RIA’s network, RIA needs approval, logging and controls related to vendor’s access to network

Best Practices – Terminated Employees/Vendors

• Terminated employee/vendor must return all records containing confidential client information
• Terminated employee/vendor’s physical & electronic access must immediately be blocked
– Require terminated employee/vendor to surrender all keys, IDs & codes that permit access to premises. Cancel/re-set any codes/PINs/passwords and re-key any locks as necessary
– Block terminated employee’s remote access to voice mail, email & Internet
• Advise applicable clients, employees and third parties that terminated employee/vendor is no longer affiliated with or working on behalf of RIA
– Consult with legal counsel about how to avoid slander/defamation

Best Practices - Testing, Due Diligence & Training

• Internally test at least annually whether employees are complying with information security program.
• Engage IT consultant to conduct an information security audit or risk assessment.
• Conduct ongoing due diligence, at least annually, on cloud computing providers holding confidential client information and any vendors with access to confidential client information.
• Conduct mandatory information security training for all employees at least annually.

High Risk Scenarios for an RIA

• RIA Forwards a Fraudulent Third-Party Wire Request to Account Custodian Without Any Effort to Authenticate as Legitimate.

• RIA Forwards a Third-Party Wire Request to Account Custodian But Effort to Authenticate Third-Party Wire Is Inadequate.

• RIA Misrepresents to Account Custodian that Rep or Staff Spoke with Client & Verified Request.

Ongoing Compliance

• Periodic (at least annually) review/testing of business continuity/disaster recovery plans
– Prepare documentation to support completion of review/testing
– Document findings and changes or corrective actions taken as result of the review/testing
• Training
– Business continuity/disaster recovery
– Information security and protection of confidential client information

Ongoing Compliance

• Notify appropriate parties (i.e., employees, vendors, clients) of alternative telecommunication systems in case of failure of primary systems used
• Conduct background checks on all employees including unlicensed staff
• Monitor employee desks to make sure client files/information is safely stored overnight or when employee is away from his/her desk for an extended period of time
• Monitor to ensure proper destruction of documents or electronic records containing client information

Ongoing Compliance

• Maintain inventory of all physical devices that store or can access client information
• Daily back-up of all electronically stored records
• Email surveillance
• Conduct initial and ongoing due diligence of service providers to confirm service provider’s ability to protect confidential client information
• Obtain initial and annual certification from each service provider to confirm that it has a written comprehensive info security program which is tested annually

Ongoing Compliance

• Upon voluntary or involuntary termination of employment, eliminate employee’s access to customer’s information by making sure all keys, access cards, access codes, identification badges have been returned and all remote access to the firm’s network, voicemail, email and online accounts has been terminated
• Monitor & discuss latest cybersecurity trends with compliance and IT consultants (recommend at least 3x per yr.)
– Correct any weaknesses or vulnerabilities
• Retain outside IT consultant to conduct cybersecurity audit

Annual Compliance Review

• Confirm that periodic testing of disaster recovery was performed
– Review results/findings from testing and changes/corrective actions taken as a result of the review/testing to ensure that appropriate changes were made or corrective actions were taken
• Confirm that testing of effectiveness of implementation of information security plan was performed
– Review results/findings from testing and changes/corrective actions taken as a result of the review/testing to ensure that appropriate changes were made or corrective actions were taken
• Confirm that annual training was conducted for disaster recovery/business continuity and information security and protecting confidential client information
– Review material presented to confirm adequate training was provided
– Review attendee list to ensure that all appropriate staff members participated in training

Annual Compliance Review

• Review list of any employees who have been terminated (voluntarily or involuntarily) over the past year and ensure that appropriate steps were taken to eliminate the former employee’s access to customer information
• Review email surveillance reports to confirm that surveillance is being conducted according to firm’s policies and procedures, perform review of a sampling of emails to look for any problems that may be missed as a result of the current review process, and review results/findings of periodic reviews to ensure appropriate corrective actions were taken
• Conduct a review of employee work areas to make sure passwords are not being written down and stored near electronic devices that are used to access confidential client information

Common Problems – BCP

• Not having business continuity/disaster recovery plan or having inadequate plan
• Failure to address a regional disaster in business continuity/disaster recovery plan
• Business continuity plan does not address what happens in case of death or temporary or permanent incapacity of owner or one of key members of the firm
• No testing of business continuity/disaster recovery plan
• No documentation to support testing performed

Common Problems – Info Security

• No Written Information Security Procedures for Employees
• No Written Identity Theft Red Flags Procedures – Verifying Identity of Client Request Received Online
• No Training of Employees on Information Security or Identity Theft
• No Testing Employees on Phishing Scams
• No Surveillance of Whether Employees Sending Confidential Client Data via Unencrypted Email
• Failure to Lock Up Client Files
• Failure to Utilize Unique, Complex/Non-Dictionary Passwords
• Failure to Encrypt & Utilize Remote Wiping on Portable Devices with Client Data
• Failure to Promptly Notify Clients of Breaches & Provide Adequate Remedies to Clients
• Failure to Adequately Verify Online Requests Supposedly from Clients for 3rd Party Wires/Checks
• Failure to Require Vendors with Confidential Client Data to Maintain Info Security Plan, Test & Update and Notify RIA of Breach
• Failure to Limit and Audit Vendors’ Access to RIA’s Internal Systems


About Us

• Serve Over 500 Investment Adviser Firms
• Principals Are Industry Experienced, Working in Compliance or Law Departments & Hold Professional Credentials
• Consult with Retail & Institutional Firms
• Offer Full Array of IA Compliance Services
• Reasonably Priced at Midwest Rates

RIA Compliance Consultants, Inc. is not a law firm and does not provide legal services.

Thank You

Schedule Introductory Call via Online Appointment System: https://my.timedriver.com/QQ21L

Tammy Emsick, Senior Compliance Consultant
RIA Compliance Consultants, Inc.
877-345-4034 x 102

Follow Us

• www.ria-compliance-consultants.com
• www.Facebook.com/riacompliance
• www.twitter.com/riacompliance
• www.YouTube.com/riacompliance