Safeguarding of Funds and Securities

Introduction

During the period of October 2014 through September 2017, the Office of Compliance Inspections and Examinations (“OCIE”) conducted 75 examinations of transfer agents (“TAs”) that also served as paying agents. 1 The staff examined for the possible misappropriation of funds and assessed the TAs’policies, procedures,and controls for paying agent activities.2This Risk Alert highlightssome of the risks and issuesassociated with paying agent activities, identifiessignificant exam deficiencies related to the safeguarding of funds and securitiesbypaying agents, and provides a listing ofsomecommon featuresof robust safeguarding policies,procedures,and controlsfor paying agents.II.Background TAs serve as agents for issuers and play a critical role in the settlement of securities transactions. Among their key functions, TAs are responsible for maintaining issuers’securityholder records, recording changes of ownership, canceling and issuing certificates, distributing dividends and other payments to securityholders, and facilitating communications between issuers and securityholders. Paying agent activities vary, but commonly include:Processing and disbursing principal, interest,and dividend payments to bondholdersor shareholders based on an issuer’s payment schedule;Administering direct stock purchase and dividend reinvestment plans;Handling escheatment and lost shareholder search and report filing;Managing interest bearing accounts or demand deposit accounts in the name of mutual funds for activities such as inflows and outflows from fund orders; andMaking distributionsfor mutual funds. In certain circumstances, TAs that serveas paying agents are unable to distribute shareholder funds as intended.For example, checks may be returned to the TA as undeliverable, shareholders may receive a check but never cash it, or electronic bankinginstructions may be inaccurate. In these situations, shareholder funds may remainin the TA’s bank accounts for years until the funds are escheated per relevant state law. Exchange Act Rule 17Ad-12 (the “Safeguarding Rule”) requires any registered TA in possession of funds or securities related to transfer agent activities to assure that:1A paying agent accepts payments from the issuer of a security and distributes the payments to the holders of the security. See Rule 17Ad-17 under the Securities Exchange Act of 1934 (“Exchange Act”). 2OCIE has prioritized examining forthe safeguarding of funds and securitiesbytransfer agents.See Examination Priorities for 2016,Examination Priorities for 2017, andExamination Priorities for 2018.Key Takeaway: Transfer agentsshould review their practices, policies,and procedures toensure funds and securities are protected while held at the transfer agent.  (1)the securities are held in safekeeping and are handled, in light of all facts and circumstances, in a manner reasonably free from the risk of theft, loss, or destruction; and (2)the funds are protected, in light of all facts and circumstances, against misuse. In evaluating which particular safeguards and procedures must be employed, two relevant factors are the cost of the various safeguards and procedures as well asthe nature and degree of potential financial exposure. Exchange Act Rule 17Ad-17 (the “Lost Securityholder/Unresponsive Payee Rule”) requires every TA that maintains an issuer’s master securityholder file3to conduct searches for lost securityholders within a defined time period and send notices to unresponsive payees within a defined time period. A TA must keep and maintain records to demonstrate compliance with the rule including written procedures that provide the TA’s methodology for complying with the rule.4III.Examination Observations and Compliance IssuesThe staff’s observationsfrom recent examinations of paying agents generally fall into two categories: (i) safeguarding of funds and securities and (ii) notification to unresponsive payeesandpolicies and procedures for lost securityholder searches. 1.Safeguarding RuleBelow are examples ofdeficienciesand weaknessesthat OCIE staffobservedin connection with the Safeguarding Rule: Misappropriation and Theft.OCIE staff observed the misappropriation of shareholder funds and the theft of physical certificates.5For example, in some instances, TA employees misappropriated issuer funds for personal use, andin other instances, a TA used shareholder funds to pay fees of the TA. The staff also observed TAs keeping physical certificates in unsecured locations for long periods of time, resulting in the reissuance of those certificates to different shareholders. Policies, Procedures,and Controls. OCIE staff observed that some TAsdid not have adequatepolicies,procedures, and controlsforthe safeguarding of funds and securities.In some instances, TAs did not have policies and procedures for any paying agent activities, while in other instances, their policies and procedures did not address the issuance and handling of checks, the distribution of dividends, bank account reconciliation, escheatment, or periodic redemption requests for limited partnerships.Some TAs had policies and procedures, but they lacked specificity, did not designate responsibility for performing or documenting reviews, or only quoted rule requirements. Some TAs did not havereasonable controls to protect funds from misuse when conducting typical disbursement activities, such as requiring confirmationfrom multiple individuals in order to move issuer funds.3Exchange Act Rule 17Ad-9(b) defines master securityholder file as “the official list of individual securityholder accounts.”4Exchange Act Rule 17Ad-17(d). 5The Commission has brought enforcement actions in this area. See, e.g.,Securities and Exchange Commission v. Robert G. Pearson and Illinois Stock Transfer Company d/b/a IST Shareholder Services(Litigation Release No. 23007, May 28, 2014) (complaintallegingIllinois Stock Transfer Company and itspresident, Robert Pearson,misappropriatedapproximately $1.3 million of issuer and shareholder funds).

3. Account Reconciliation.

OCIE staff observed that some TAs did not haveadequate account reconciliation controls and procedures. For example, the staff observed the comingling of shareholder funds with TA operating funds without an adequate reconciliation process, as well as the commingling of funds in a single account despite policies and procedures stating that funds would be maintained in separate accounts designated for the benefit of each issuer. Security Protocols.OCIE staff observed instances where TAs did notsecure access to vaults, computers, and areas of the firm that handle disbursement operations, creating a risk of theft, loss, or destruction.2.Lost Securityholder Searches/ Unresponsive Payee NotificationsBelow are examples of deficienciesand weaknessesthat OCIE staff identified in connection with the Lost Securityholder/Unresponsive Payee Rule. Lost Securityholder Searches. OCIE staff observedTAsthatdid not complywith the database search requirements of the Lost Securityholder/Unresponsive Payee Rule. For example, the staff observed TAs that did not conduct lost securityholder searches, or if searches were conducted, they were not conducted within the propertimeframe.In addition, some TAs conducted searches for lost securityholders using only public resources instead of an information database service, as required by Rule 17Ad-17(a)(1). The staff also observed TAs that did not identify securityholders as lost and record the lost status in theirrecordsand, as a result, were unable to determine whether lost securityholder searches were required.Unresponsive Payee Notifications.OCIE staff observed TAs that failed tosend written notifications to unresponsive payees or had sent notifications aftertherequired timeframe set by Rule17Ad-17.Policies and Procedures.OCIE staff observedweaknesses with TAs’ policies and procedures under Rule 17Ad-17, includingwritten procedures that did not require database searches, address unresponsive payee notifications, designate responsibilityfor performing and documenting reviews, or outline the methodology utilized to comply with the rule. The staff also observed TAs that did not maintain records oftheir lost securityholder searches and unresponsive payee notifications. IV.Featuresof Robust Policies,Procedures,and Controls6During these examinations, the staff observed several TAs that appeared to have implemented robustwritten policies,procedures,and controlsrelated to the processing of funds, handling of physical certificates, lost securityholder searches,and unresponsive payee notifications.For example, these TAs engaged in the following practices:Safeguarding Funds.oUsingsegregated and specifically designated accounts for client fund deposits and payments topreventcomminglingof those fundswithfunds in theTAs’ operation accounts.oSegregation of duties among different individuals holding different positions at the TAto limit any one person having too much control or access over the funds and securities.oFrequent bank reconciliations.6This section is not intendedtobe a comprehensive listing of robust safeguarding policies,procedures,and controls.The adequacy of supervisory, compliance, and other risk management policies and procedures can be determined only with reference to the business profile of each specific transfer agent and other facts and circumstances.

4o Implementingaccounting controls such as the “positive pay system.”oRequiring all payment instruction changes be made in writing.oMaintaining logs of unissued and uncashed checks.oEstablishing specific deadlines or timeframes for each step in the paying agent process or certificate movement.oIdentifyingentities or positions responsible for specific tasksin the policies and procedures.Safeguarding Physical Securities.oThe use of locked vaults to store certificates, and vaultaccess was restricted to a limited number of personnel.oThe use of video cameras throughout the vault area.oThe requirement of multiple sign-offs on the certificate control log.oPeriodic audits of blank certificates and cancelled certificates.oThe use of passcodes and ID badges to restrict non-employees from entering the TA’s office.Lost Securityholder and Unresponsive Payee Practices. oEstablishing and maintaining written procedures that outline how the TA identifiesand records a lost securityholder in its recordkeeping system.oDiscontinuing the mailing of physical checks to securityholders that have been deemed lost.oMaintaining copies of dated, returned mail, including copies of the outer envelope.oIn addition to the required lost securityholder database searches, reviewing the list of lost securityholders, including non-natural persons, to determine if an updated address can be easily attained by searching information available in the public domain.oEstablishing and maintaining written procedures that outline the escheatment services provided to issuers and the requirements of each applicablestate.Transfer agents may wish to consider thesepracticesin the implementation of safeguarding policies,procedures,and controls. V.ConclusionOCIE staff believesthat safeguarding funds and securities is one of the highest risk areas for TAs because of the trillions of dollars that TAs control and distribute each year as paying agents. Theobjective in publishing this Risk Alert is to highlight significant exam deficiencies observed by the staff while also identifying robust practicesin order toencourage TAs to reviewand strengthen theirapplicable policies, procedures,and controls related to theirpaying agent operations. This Risk Alert is intended to highlight for firms risks and issues that OCIE staff has identified. In addition, this Risk Alert describes risks that firms may consider to (i) assess their supervisory, compliance, and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. Other risks besides those described in this Risk Alert may be appropriate to consider, and some issues discussed in this Risk Alert may not be relevant to a particular firm’s business. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.