FINRA Fines Financial Firms $2.4 Million for Improper Customer Records Storage
On July 5, the Financial Industry Regulatory Authority (FINRA) announced that several investment firms agreed to pay fines totaling $2.4 million for allegedly failing to maintain customer records in an electronic format that cannot be altered or destroyed. The firms all signed FINRA’s letters of Acceptance, Waiver, and Consent (AWC) containing allegations and proposed settlement terms for the alleged violations. See agreements here, here, and here.
In the agreements, FINRA emphasizes that financial firms are storing more and more sensitive customer data. FINRA asserts that broker-dealer electronic records must be complete and accurate to assist FINRA and other regulators in examinations and to ensure that member firms can conduct audits. Increasingly aggressive hacking attempts also enhance the need for firms to keep these records in the required format. According to the allegations in the agreements, the firms violated Section 17(a) of the Exchange Act of 1934 (the "Exchange Act"), NASD Rule 3110 and FINRA Rule 4511 by not maintaining electronic brokerage records in non-erasable and nonrewritable format, known as “WORM” format. The electronic records contained information about millions of securities transactions, millions of customer account records, numerous financial records, and records regarding anti-money laundering compliance.
FINRA also asserts that the firms: (i) failed to give 90-day advance notice to FINRA before storing records electronically; (ii) failed to set up audit systems for retaining records electronically; (iii) failed to obtain attestation letters from vendors agreeing to provide all firm records to regulators, if needed; and (iv) failed to set up and enforce written procedures to ensure electronically stored records were retained in compliance with FINRA and federal securities laws.
In addition to monetary sanctions, the firms agreed to review and update policies and procedures to ensure compliance with FINRA and federal securities laws. Additionally, the firms must submit remediation plans to FINRA for approval.