FINRA Fines BD $75K for Email Violations
From January 2018 through June 2021, several business-related emails were not preserved and retained by Ceros because the correspondence was directly between a representative’s personal email and a customer.
Because these emails did not include a Ceros email address recipient, the firm cannot quantify how many business-related emails were not preserved and retained. Given its failure to identify or preserve these communications, Ceros also did not conduct supervisory reviews of this business-related correspondence.
Ceros, according to the order, has now implemented a firm-wide list of personal email addresses and blocks all communications to or from emails on the list.
Failure to Safeguard Customer Information
Ceros failed to adopt policies and procedures to safeguard customer information and failed to develop an identity theft program, as required by Regulation S-P or the Identity Theft Red Flags Rule.
From January 2018 through June 2021, Ceros failed to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information, according to FINRA.
Ceros did not have “a reasonable process to prevent employees from sending customer information to unsecure locations outside of the firm’s system,” or procedures for reviewing emails sent to or from employee personal email addresses for purposes of safeguarding customer information “even though over 10,000 emails were sent between known employee personal email addresses and a Ceros email address during the relevant period,” FINRA states.
One employee sent customer information for at least 256 customers from Ceros’ email system to the employee’s personal email address during the relevant period.
This information included account numbers, account names, account addresses, margin call information, available balances and account statements.
Further, according to the order, “a supervisor sent to their personal email address trade blotters that included 516 customer account numbers, names, addresses, and trade information.”
Another employee “sent an email containing approximately 500 account numbers, names, and average daily balances to their personal email address,” FINRA said. “Once this customer information was outside of the firm’s system, Ceros could no longer monitor or protect the security of that information.”