
InfoBytes Blog

Financial Services Law Insights and Observations



  • FINRA fines securities firm for failing to use an escrow agent


    Recently, FINRA released its letter of acceptance, waiver, and consent (AWC) against a securities firm for allegedly failing to use an escrow agent to custody customer funds. Among other things, the firm deposited investor funds for both offerings into accounts that its registered representative established and controlled, rather than with a bank. According to FINRA, these actions, discovered during a firm examination, violated Exchange Act § 15(c)(2), Rule 15c2-4 thereunder, and FINRA Rule 2010. The firm also failed to “promptly return customer funds” when the contingency was not met and changed material terms in its 2020 offering, violating Exchange Act § 10(b), Rule 10b-9 thereunder, and FINRA Rule 2010. The firm consented to receiving a censure and a $20,000 fine.

    Securities FINRA Securities Exchange Act

  • FINRA fines annuity and fund distributor for causing payment of transaction-based compensation to unregistered entity


    On July 8, FINRA accepted a firm’s Letter of Acceptance, Waiver, and Consent (AWC) imposing a censure and a $300,000 fine. The firm is a wholesale distributor of variable insurance products and mutual funds. FINRA alleged that, between March 2018 and September 2019, the firm caused around $2.9 million in compensation to be paid to an unregistered entity. More specifically, according to the AWC, the firm had paid around $8.7 million in transaction-based compensation to an unaffiliated selling broker-dealer concerning the sale of variable life insurance, a securities product. Of that, FINRA alleged that the firm directed the unaffiliated broker-dealer to direct $2.9 million to an LLC that was not affiliated with the firm and that was not a FINRA member. As a result, FINRA alleged that the firm violated FINRA Rule 2040, which prohibits FINRA members from paying transaction-based compensation to any person not registered as a broker-dealer if receipt of such payment would require such person to register as such.

    Securities FINRA Securities Exchange Commission Insurance

  • FINRA fines firm for excess commission charges


    Recently, FINRA released a Letter of Acceptance, Waiver and Consent (AWC) against a securities firm for two categories of alleged violative conduct from August 2018 to September 2022. First, FINRA alleged that the firm charged an unfair commission of at least $100 on 1,683 equity transactions. FINRA also alleged that the firm failed to maintain a supervisory system designed to monitor for unfair commissions, which led to the unfair commissions, in violation of FINRA Rules 2121, 3110, and 2010. Second, FINRA alleged that the firm failed to file offering documents with FINRA “in connection with 14 private placements,” in violation of FINRA Rules 5123 and 2010. In the AWC, the firm agreed to a censure, a fine of $65,000, and restitution of $69,898.17 plus interest.

    Securities FINRA AWC Unfair Securities Exchange Commission

  • SEC files complaint against a digital platform for unregistered offer and sales of securities and acting as unregistered broker


    Recently, the SEC released its complaint against a digital platform that allegedly acted as an unregistered broker and seller in crypto-asset securities transactions. The SEC alleges that since 2020 the platform brokered over 36 million crypto-asset transactions between investors and third parties, collecting over $250 million in fees. Since at least 2023, the platform allegedly engaged in unregistered offers and sales of securities. The SEC alleged the platform was not registered as a broker despite operating as one, in violation of Section 15(a) of the Securities Exchange Act of 1934. Additionally, the SEC alleged the platform engaged in unregistered offers and sales of securities in violation of Sections 5(a) and (c) of the Securities Act of 1933. Further, the SEC alleged the platform acted as an underwriter and distributor of securities. The SEC seeks (i) to permanently enjoin the platform from violating these securities laws and (ii) payment of civil money penalties.

    Securities Securities Exchange Commission Cryptocurrency Digital Assets Securities Exchange Act

  • FINRA fines firm for insufficient ACH monitoring


    Recently, FINRA accepted a letter of acceptance, waiver and consent from a brokerage firm to settle alleged rule violations. The settlement concerns a series of unauthorized Automated Clearing House (ACH) transfers from a senior trust customer's brokerage account. Between December 2019 and April 2020, $332,457.73 was allegedly illegally transferred out of the account through 278 ACH transfers initiated by third parties that illegally obtained information relating to a checking feature attached to the consumer’s account. 

    According to the letter, FINRA Rule 3110(a) mandates that member firms must establish systems to supervise associated persons and reasonably ensure compliance with securities laws, regulations, and FINRA rules, including the responsibility to investigate and act on red flags indicating misconduct. The failure to do so also constitutes a violation of FINRA Rule 2010, which “requires a firm to observe high standards of commercial honor and just and equitable principles of trade in the conduct of its business.”

    The respondent firm allegedly failed to maintain an adequate system to review and monitor externally initiated ACH transfers of consumer funds, as its proprietary tool only monitored internally initiated ACH transfers. As a result, none of the fraudulent transactions were flagged. The respondent firm also failed to identify several red flags in connection with such ACH transfers, including that the transactions were out of character for the customer and the volume of transactions as compared to any other account, and failed to identify five fraudulent transactions that were included on an end-of-year report.

    Despite these oversights, the bank processing the ACH transfers ultimately credited back all the stolen funds to the customer's account, and the respondent provided information to the bank to support the remediation.

    Respondent agreed to a censure and to pay a $225,000 fine.

    Securities FINRA ACH Enforcement Settlement Third-Party

  • FINRA issues regulatory guidance on members using generative AI tools

    Privacy, Cyber Risk & Data Security

    Recently, FINRA reminded member firms that existing rules and guidance apply to the use of artificial intelligence (AI), such as generative AI tools, just as they apply to any other technology or tool. FINRA noted that while generative AI can offer potential benefits, it can also pose risks related to privacy, bias, and misuse. FINRA emphasized that firms must ensure their use of generative AI complies with existing regulations, for example, those governing member supervisory systems for the review of electronic communications and public communications made using a technology tool. The applicable rules will depend on how each firm uses the technology. For example, FINRA noted that if a member firm uses generative AI tools as a part of its supervisory system, “its policies and procedures should address technology governance, including model risk management, data privacy and integrity, reliability and accuracy of the AI model.” FINRA noted it welcomes feedback on how it could update its rules to address the use of generative AI to maintain investor protection and market integrity.

    Privacy, Cyber Risk & Data Security FINRA Artificial Intelligence

  • California issues NPRM on its Delete Act to clarify terms

    Privacy, Cyber Risk & Data Security

    On July 5, the California Privacy Protection Agency (CPPA) issued its NPRM to amend sections of the Delete Act. As covered by InfoBytes here, the Delete Act was signed into law in 2023 as SB 362 and transferred the administration and enforcement of the state’s Data Broker Registry from the Office of the Attorney General to the CPPA at the start of 2024. Proposed amendments to the Delete Act will include details about registration fees, add defined terms, and clarify registration requirements and website disclosures. The CPPA stated the anticipated benefits of these proposed regulations are to provide transparency about the data collection industry and grant consumers more rights on how their data will be used.

    On registration fees, the CPPA proposed a $400 fee plus any processing fees for electronic payments. Defined terms will include “minor,” “register,” “registration period,” and “reproductive health care data.” On requirements, the CPPA will clarify that each data broker business will be required to register uniquely. The CPPA will hold a virtual public hearing to facilitate oral or written statements on August 20. Oral statements will be presented at the hearing, while written comments must be submitted between now and the end of the public hearing.

    Privacy, Cyber Risk & Data Security California Data Protection

  • FINRA publishes alert on critical software vulnerability

    Privacy, Cyber Risk & Data Security

    Recently, FINRA issued a cybersecurity alert bulletin to all member firms regarding a critical vulnerability within a software company’s transfer software, specifically affecting its Secure File Transfer Protocol module. The vulnerability could potentially allow for authentication bypass, FINRA warned. The software developer has released a security bulletin advising firms to upgrade to the latest version of the software to address this issue.

    Additionally, a new risk has been identified in a third-party component within the company’s transfer software, which increases the risk of authentication bypass if not resolved. Firms are instructed to take precautionary measures, including blocking public inbound Remote Desktop Protocol access to the servers running the software and limiting outbound access to trusted endpoints only. The third party will release a fix, which the software company will make available. The alert follows a similar incident in June 2023 for which FINRA also issued an advisory to member firms.

    FINRA also reminds firms to reference Regulatory Notice 22-29 from December 2022, which provides guidance on ransomware risks and offers considerations for evaluating cybersecurity programs in response to ongoing threats.

    Privacy, Cyber Risk & Data Security FINRA Third-Party Risk Management

  • Florida amends terms for consumer finance loans

    State Issues

    Recently, the Governor of Florida signed into law H1347 (the “Act”), which revises current exceptions to the state’s prohibition on usurious contracts for consumer finance loans of $25,000 or less where a lender charges an interest rate of 18 percent or greater per year. Under the Florida Consumer Finance Act, consumer finance loans typically cannot have an interest rate exceeding 18 percent per year; however, the state’s Consumer Finance Act allows for an exception to this law. This new Act updates the terms of these exceptions, making the following changes:

    • For the first $10,000 of the principal amount, no consumer finance loan can carry an interest rate greater than 36 percent.
    • For that part of a principal amount between $10,000 and $20,000, no consumer finance loan can carry an interest rate greater than 30 percent.
    • For that part of a principal amount between $20,000 and $25,000, no consumer finance loan can hold an interest rate greater than 25 percent.

    The Act also extends the amount of time before a delinquency charge may be imposed from ten days to 12 days in default. The Act also amends a consumer lender’s obligations in the event of a FEMA disaster declaration, including, among others, suspending application of delinquency charges, repossession of collateral, and filing civil actions for collections of amounts due on loans. The Act also imposes notice and reporting requirements, including notifying the Office of Financial Regulation (OFR) if any assistance programs are impacted because of the FEMA disaster declaration and providing annual reporting on loans issued during the previous year.

    State Issues Florida Consumer Finance Usury

  • DFPI has bank pay $63 million for crypto-exchange non-compliance

    State Issues

    On July 1, the California DFPI released a consent order against a bank holding company for allegedly making misleading statements about the bank’s BSA/AML compliance program related to its crypto-asset exchange network. The Fed issued a separate order with similar information. According to the orders, the bank holding company provided financial services to persons who wished to buy and sell crypto-assets. To facilitate these operations, the bank launched an internal payments platform that allowed customers to participate in its crypto-asset exchange network. However, in May 2023, the California DFPI had the bank enter a cease-and-desist order, requiring the bank to liquidate and cease these operations. In June of this year, the bank agreed to pay a civil money penalty of $43 million, in addition to a payment of $20 million as a department penalty, bringing the bank’s penalty package total to $63 million. The bank neither admitted nor denied any of the allegations made by the California DFPI.

    State Issues DFPI Bank Secrecy Act Anti-Money Laundering Federal Reserve

