Firm Fined for Failing to Monitor Employee Emails
A firm settled with FINRA for failing to (i) supervise the use of personal email for business-related communications, (ii) retain certain business-related email communications and (iii) adopt written policies and procedures to safeguard customer records and information.
In a Letter of Acceptance, Waiver and Consent ("AWC"), FINRA said at least one of the firm's registered representatives was regularly using personal email for business-related communications. FINRA found that the firm monitored incoming external emails from an email list, which contained only 16 email addresses of the firm’s 88 associated individuals. FINRA said the firm sent at least 67 automated warnings to individuals for using personal emails for business communications; however, it did not review communications, nor did it take further action to prevent the use of external email or to ensure all business communications were adequately preserved and retained.
FINRA determined that the firm (i) did not have a reasonable process to prevent employees from sending customer information to unsecure locations outside of the firm’s system, (ii) did not have procedures for reviewing emails sent to or from employee personal email addresses for purposes of safeguarding customer information and (iii) failed to develop and implement a program designed to detect, prevent, and mitigate identity theft. As a result, FINRA said the firm violated SEA Section 17(a) ("Records and Reports"), SEA Rule 17a-4 ("Records to be Preserved by Certain Exchange Members, Brokers and Dealers"), and FINRA Rules 4511 ("General Requirements"), 3110 ("Supervision"), and 2010 ("Standards of Commercial Honor and Principles of Trade").
To settle the charges, the firm agreed to (i) a censure, (ii) a $75,000 fine and (iii) comply with the undertakings set forth in the AWC.