FINRA Fines BD $75K for Email Violations

News February 21, 2024 at 11:44 AM
Share & Print

The Financial Industry Regulatory Authority has censured and fined Ceros Financial Services $75,000 for business email-related infractions, including reps' using personal emails to conduct business and for failing to review emails from employees' personal email addresses to safeguard customer information.

According to FINRA's order, from January 2018 through June 2021, the Rockville, Maryland-based Ceros did not have a reasonable supervisory system for business-related communications.

Ceros' written supervisory procedures prohibited registered reps from communicating with customers from their personal email addresses. However, at least one of the firm's registered reps was regularly using personal email for business-related communications.

After being notified by FINRA about the issue, the firm created a list of employee personal email addresses and sent automated warning emails when incoming emails to the firm's system were sent from emails on that list, the order explains.

The employee personal email list contained 16 email addresses of the firm's 88 associated individuals as of June 2021.

If an email was sent from the firm system to an email on the personal email address list, no automated warning was sent. This process was not documented in any written procedures.

During the relevant period, Ceros sent at least 67 automated warnings to individuals, with some individuals receiving repeated warnings.

"However, the firm did not review communications sent from or to emails on the employee personal email list unless those emails happened to meet other firm supervisory email review criteria. The firm also did not treat those communications as red flags that other external business-related communications might not be captured by the firm's system."

Other than automated warning emails, and one warning letter sent as a result of routine email review, the firm did not take steps to prevent associated persons from using external email.

Nor did the firm take reasonable steps to ensure all business-related communications were preserved and retained.

From January 2018 through June 2021, several business-related emails were not preserved and retained by Ceros because the correspondence was directly between a representative's personal email and a customer.

Because these emails did not include a Ceros email address recipient, the firm cannot quantify how many business-related emails were not preserved and retained. Given its failure to identify or preserve these communications, Ceros also did not conduct supervisory reviews of this business-related correspondence. Ceros has now implemented a firm-wide list of personal email addresses and blocks all

Ceros, according to the order, has now implemented a firm-wide list of personal email addresses and blocks all communications to or from emails on the list.

Failure to Safeguard Customer Information

Ceros failed to adopt policies and procedures to safeguard customer information and failed to develop an identity theft program, as required by Regulation S-P or the Identity Theft Red Flags Rule.

From January 2018 through June 2021, Ceros failed to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information, according to FINRA.

Ceros did not have "a reasonable process to prevent employees from sending customer information to unsecure locations outside of the firm's system," or procedures for reviewing emails sent to or from employee personal email addresses for purposes of safeguarding customer information "even though over 10,000 emails were sent between known employee personal email addresses and a Ceros email address during the relevant period," FINRA states.

One employee sent customer information for at least 256 customers from Ceros' email system to the employee's personal email address during the relevant period.

This information included account numbers, account names, account addresses, margin call information, available balances and account statements.

Further, according to the order, "a supervisor sent to their personal email address trade blotters that included 516 customer account numbers, names, addresses, and trade information."

Another employee "sent an email containing approximately 500 account numbers, names, and average daily balances to their personal email address," FINRA said. "Once this customer information was outside of the firm's system, Ceros could no longer monitor or protect the security of that information."

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center