The Securities and Exchange Commission (SEC) issued a decision in which it affirmed, in part, the findings of violations and remanded the proceeding back to the National Adjudicatory Council (NAC) for redetermination of the sanctions. The SEC affirmed Financial Industry Regulatory Authority’s (FINRA) finding that the owner associated with the firm while statutorily disqualified and suspended in all capacities, and that the firm allowed him to do so.
The SEC, however, set aside FINRA’s finding that the owner engaged, and the firm allowed him to engage, in activities requiring registration while he was suspended. The SEC held that a person who is suspended from associating with a FINRA member, but who is not ordered to requalify by examination, does not violate NASD Rule 1031 by engaging in conduct requiring registration while suspended. The SEC also affirmed FINRA’s finding that the owner and the firm maintained inaccurate books and records by misidentifying the representative of record on hundreds of transactions and that the firm willfully violated Section 17(a) and Rule 17a-3 of the Securities Exchange Act of 1934 by maintaining inaccurate books and records.
In addition, the SEC affirmed FINRA’s finding that the firm failed to maintain and enforce an adequate supervisory system. FINRA had barred the owner and expelled the firm for these violations. The SEC remanded the proceeding back to the NAC for redetermination of the sanctions given its finding that the owner and the firm did not violate NASD Rule 1031. The SEC also asked the NAC to clarify why the books and records violations warranted a bar for the owner and expulsion for the firm.
A firm was censured, fined $65,000, and required to notify customers whose identifying information was transmitted to an unauthorized email account; revise its Identity Theft Prevention Program to address the deficiencies identified herein and comply with Regulation S-ID of the Exchange Act, and enhance its email security systems.
The firm consented to the sanctions and to the entry of findings that it failed to develop and implement a written Identity Theft Prevention Program reasonably designed to detect, prevent and mitigate identity theft in connection with opening or maintaining customer accounts. The findings stated that the firm’s program failed to include reasonable policies and procedures to identify or detect red flags of identity theft, and its procedures for responding to suspected identity theft were not tailored to its business.
Although not formally titled Identity Theft Prevention Program, the firm had written procedures in place to respond to red flags of identity theft. However, the program failed to provide associated persons any guidance regarding steps to take in the event he or she suspected that an incident of identity theft had occurred. Moreover, the firm’s program consisted of generic policies and procedures and was not tailored to its actual business model.
The findings also stated that upon learning of an email security breach involving the firm email account of its CEO and CCO, the firm failed to implement the procedures set forth in its program to mitigate the risk of identity theft due to the exposure of its customers’ identifying information to an unauthorized third-party. After an outside email vendor informed its CEO and CCO that his firm email account had likely been compromised, the firm failed to take steps to mitigate the risk of identity theft resulting from the incident. It was not until FINRA inquired about email communications with this external email address during the firm’s cycle exam that the firm attempted to determine the scope of the breach.
To date, the firm has not notified any customers whose identifying information was exposed because of the incident. Some of the emails contained identifying information relating to the firm’s customers, including customers’ social security numbers, account numbers, driver’s license numbers and dates of birth.
Anti-Money Laundering (AML)
A firm was fined $55,000 and the owner was suspended from association with any FINRA member in all capacities for six months. Considering the owner’s financial status, no monetary sanction has been imposed. The firm and the owner failed to develop and implement an anti-money laundering (AML) program that was reasonably designed to achieve and monitor the firm’s compliance with the Bank Secrecy Act of 1970 and the implementing regulations thereunder.
FINRA found that the firm, through the owner, failed to establish, maintain and enforce a supervisory system, including Written Supervisory Procedures (WSP), reasonably designed to prevent a terminated representative from continuing to access his firm email, which contained customer records, including non-public personal information. The representative was a statutorily disqualified individual and a founding member of the firm.
Despite the representative’s termination, the owner decided to keep his firm email address active for nearly a year. During this time, the owner assumed responsibility for reviewing all incoming and outgoing communications from the representative’s firm email address daily. However, the owner did not document any written procedures on how such reviews were going to be conducted or documented.
Further, the firm did not have any written policies and procedures regarding email access of terminated representatives. The firm and the owner ignored several red flags that demonstrated that the representative continued to access his firm email address.
Unauthorized Communication Methods
A broker was assessed a deferred fine of $10,000 for using his personal cell phone to exchange numerous business and securities-related text messages with customers without providing copies to his member firms, thereby preventing the firms from preserving the communications. The findings stated that the broker confirmed orders, communicated regarding specific securities and related news, and texted the customer’s information about their profits and losses. The findings also stated that the broker sent text messages to a customer that included promissory, exaggerated, unwarranted and misleading statements.
A broker was barred from association with any FINRA member in all capacities. The broker refused to produce all the information and documents FINRA requested in connection with its investigation into the allegations that formed the basis of his termination from his member firm. The findings stated that the broker firm submitted a Form U5 terminating his registration and alleging that he altered identifying information, account balances and distributions in customer account statements, maintained comingled customer funds and used an unapproved email address. Initially, FINRA received a response to its requests from the broker, however, his production was substantially incomplete. Subsequently, the broker decided to cease complying with FINRA’s requests.
Outside Business Activities (OBA)
Another broker was assessed a deferred fine of $15,000 because he conducted an OBA when he worked for a tax and accounting service provider — for which he received nearly $63,000 in compensation without providing prior written notice to or receiving approval from his supervisory principal. The findings stated that the broker completed attestations at his member firm on which he did not disclose the OBA.
In addition, during the firm’s investigation of allegations by a customer that the broker provided consolidated statements and used outside email addresses, the broker misled the firm when he told them that he did not engage in an OBA. The findings also stated that the broker caused his firm’s failure to make and preserve books and records by using personal email accounts to send and receive emails without providing copies to the firm, thereby preventing the firm from capturing the securities-related communications.
The broker used outside email addresses, including one from his OBA, to exchange emails with a customer and her daughter about the customer’s accounts and investments. The broker attached consolidated account statements to three of the emails. In addition, the broker attached to emails spreadsheets of income the customer received, copies of correspondence from REIT companies, and copies of powers of attorney.
Private Securities Transactions
A broker was fined $7,500 because he participated in a private securities transaction by facilitating a $50,000 investment by his son in a convertible promissory note without providing prior written notice to his member firm. The findings stated that the broker forwarded his son, a firm customer, an email concerning an investment opportunity in a privately held medical device company.
Attached to the email was an investor overview, convertible note term sheet, and a subscription agreement. Using his personal email account, the broker sent the company’s placement agent his son’s residential address and date of birth. The broker used his personal email account to inform the placement agent that his son intended to invest $50,000 in the company. The broker asked his sales assistant to email the placement agent a scanned copy of his son’s signed subscription agreement for his investment, a completed investor profile and questionnaire, and a W-9 tax form.
The broker thereafter arranged through his branch office’s operations department to wire $50,000 from his son’s brokerage account to his personal bank account. The broker prepared and emailed his son a draft letter of instruction to his bank to wire the funds from his account to the company’s bank account, and his son completed his investment in the company. The broker did not receive any compensation in connection with his son’s investment.
The broker falsely attested in a compliance questionnaire that he had not participated in any private securities transactions. The findings also stated that the broker used his personal email account to send securities-related emails that were not monitored or retained by the firm. The broker attested in compliance questionnaires that he understood that he must use firm or approved email addresses for all business-related communications with all clients and prospects.
A broker was fined $20,000 because he participated in private securities transactions involving $1.75 million in sales to customers without providing written notice to his member firm. The findings stated that the broker used the firm’s email system to participate in these transactions. Amongst the findings, the broker failed to list his involvement with these private investments on firm annual certifications calling for him to disclose his involvement with securities transactions away from the firm.
Archive Communications to Mitigate Risk
These enforcement actions suggest employees are using unauthorized communication channels. Most of the time employees seek out unapproved tools in a good faith attempt to address real business needs. As firms have shifted to remote work and employees use various messaging applications, compliance concerns arise. Although these new messaging applications may confer many benefits in a remote working environment, firms should not underestimate the risks created by their unauthorized and unsupervised use. Unauthorized tools can limit a company’s ability to control data retention and privacy concerns.
Employees using unauthorized tools prevent firms from complying with their regulatory obligations. Encrypted platforms like WhatsApp and WeChat present compliance risks to financial firms. They employ an encryption protocol to protect the messages from being intercepted. The same technology has prevented firms from capturing all work-related WhatsApp messages and calls of their employees. This is an even greater challenge now.
So, while a prohibition policy may have worked before the pandemic — this is no longer a practical strategy for your business. Firms should be aware of the security and encryption settings of any communication platform their employees use and engage an electronic communications archiving provider to ensure sufficient data retention.
Written Supervisory Procedures (WSP) should provide for adequate electronic communication reviews, the methods and frequency of review, and documentation procedures. Outline whether employees are allowed to communicate via email through means other than their firm email address. Ensure all employees are trained and well-aware of all policy guidelines and permitted communication channels.
Firms are obligated to retain records of digital communications that relate to their “business as such” as required by Rule 17a-4(b). FINRA will hold firms and their associated persons accountable for violations of the securities laws and regulations.
Author: Marianna Shafir Esq. Regulatory Advisor at Smarsh
Marianna Shafir, Regulatory Advisor at Smarsh, is responsible for regulatory affairs worldwide. With her expertise in financial services industry, compliance and e-discovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco where she was an instrumental member on compliance teams.Marianna has also served as an adjunct professor at New York Career Institute where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.
Our range of innovative solutions can be tailored to suit your unique requirements, no matter whether you’re currently working from home, or are continuing to go into the office. Our services can be deployed individually or combined to form a broader solution to release your energies and focus on your clients.