The Firm did not retain internal emails firm registered representatives sent or received for three years, and did not retain emails in a non-erasable, non-rewritable format.
The Firm used an internally created email retention system that retained email between firm registered representatives and individuals outside the firm, but did not retain internal email; instead, the firm retained internal email through the use of backup tapes, which the firm archived for less than the required three-year period.
The firm implemented a new email retention system an outside vendor created to retain registered representatives’ emails, and for an unknown number of emails, there was a difference in the time the firm registered representative sent or received the email and the timestamp on the email as saved in the archive of the new email retention system; in some instances, the difference was a matter of seconds, and as a result, the timestamps on an unknown number of emails in the archive of the new email retention system differed from the times firm registered representatives sent or received those emails.
While attempting to gather emails in response to a FINRA investigation, the firm discovered that, due to a problem with the new email retention system, certain emails were being held in a database of the new system and were not moving to the archive portion of the system. The Firm performed certain upgrades to the new email retention system in an attempt to move those emails from the database to the archiving portion of the system; prior to performing the upgrade, the firm did not copy the contents of the database where the emails were being held. During the upgrade, a default configuration superseded the customized server configuration that the outside vendor had originally utilized for the system, which resulted in a loss of certain header information when those emails were moved from the database to the archiving portion of the system.
In addition, in a statement submitted to FINRA, the firm reported the problem that resulted in email being ingested in the new email retention system without certain header information. Moreover, the new system also malfunctioned during parts of a year, which led to gaps in its email retention and the loss of emails responsive to FINRA’s investigation; neither the firm nor the outside vendor was able to determine the cause of the malfunction or the total number of emails lost as a result of the malfunction.
Furthermore, the Firm did not retain or review emails firm registered representatives sent from firm-issued electronic devices to individuals outside the firm.
The Firm did not establish and maintain a supervisory system, including WSPs, reasonably designed to retain emails firm registered representatives sent or received for the required three-year period, to retain emails firm registered representatives sent from firm-issued electronic devices to individuals outside the firm, and to review electronic communications. The Firm did not establish a supervisory system, including WSPs, reasonably designed to detect and prevent malfunctions in the new email retention system.
The Firm failed to evidence any review of incoming or outgoing written and electronic correspondence; failed to review the incoming and outgoing electronic correspondence of its CCO’s personal email account that he used to conduct securities related business, and the CCO had business cards with his personal email address included.
The firm failed to maintain its electronic correspondence (email) and electronic internal communications (email) for almost two years, and failed to maintain the incoming and outgoing electronic communications of an individual’s personal email account used to conduct business. The firm failed to notify FINRA prior to employing electronic storage media.
The Firm failed to file an attestation by at least one third party who has access and the ability to download information from its electronic storage media to an acceptable media for such records that are exclusively stored electronically. The firm’s electronic storage media failed to have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved, and inputting of any changes to every original and duplicate record maintained and preserved.
The firm failed to evidence the disclosure of its privacy notice upon account opening and annually thereafter; although the firm produced a privacy policy and procedures, it failed to provide initial, annual and revised privacy notices.
The Firm did not have available, for examination by FINRA staff, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images, as SEC Rule 17a-4(f)(3)(i) required. The firm maintained certain records in electronic formats but failed to notify its examining authority, FINRA, prior to employing electronic storage media. The firm did not have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved under SEC Rules 17a-3 and 17a-4 to electronic storage media. The firm was required to have the results of such an audit system available for examination by FINRA staff. The firm failed to provide the required access to allow a third-party vendor to download information from its electronic storage media and file the required undertakings with the proper authorities, including FINRA.
The Firm failed to:
The Firm reviewed cursory private placement memoranda (PPMs) for the offerings but failed to investigate red flags or analyze third-party sources of information or take affirmative steps to ensure the information in the offering documents was accurate.
The Firm failed to preserve electronic communications in a non-rewritable, non-erasable or “WORM” format that complied with books and records requirements, and the firm used third-party software for storing and retaining electronic communications that did not comply with the requirements of SEC Rule 17a-4(f). Although the Firm was informed that its electronic storage medium was non-compliant, it did not take adequate remedial action to retain email properly.
The Firms failed to ensure that emails were retained and timely reviewed.
The Firms, all subsidiaries of the same parent company, implemented a new, third-party system for email archiving and review. In order for the emails to be archived consistent with the requirements of SEC Rule 17a-4 and NASD Rule 3110, the firms relied on their personnel to properly code new and existing email accounts to ensure that emails were journaled from users’ email accounts in the new system, and when email accounts were incorrectly coded, the affected users’ emails were not retained consistent with SEC and NASD rules. Instead, both sent and received emails were retained for 30 days, unless an individual employee double-deleted the email (in which case it would not have been retained at all); after 30 days, any emails remaining in an individual employee’s email inbox or outbox would be retained for an additional 30 days; and all emails would be deleted from the new system after 60 days (unless the auto-delete function was disabled), and additionally, would not have appeared in the new system for compliance department reviews, unless an email user whose account was properly coded sent or received the email message.
The Firms did not properly code certain email accounts and did not have written guidance to ensure that all email accounts for associated persons of each firm were properly recorded, nor did the firms have evidence that they conducted any testing of the new system to ensure that email accounts were being set up properly to capture emails for compliance with SEC Rule 17a-4 and NASD Rule 3110. As a result of the failure to retain emails, the firms also failed to timely review emails of affected users. In addition, FINRA determined that the failure to properly archive and review emails was discovered after a MBSC Securities Corporation compliance department employee searched for an electronic copy of an email he knew to have existed, and failed to locate it; prior to that event, the firms did not know that they were failing to properly archive and review emails.
Moreover, following the discovery of the retention and review problem at the firms, the firms’ parent company retained an outside consultant to assess the scope of the retention failure, and the outside consultant determined that there were 725 affected users between the three firms, for whom emails were not retained consistent with SEC and NASD rules. Furthermore, the outside consultant estimated that the three firms may have lost as many as 4 million emails through the failure to properly code email accounts for journaling to the new system.
In determining the appropriate sanctions in this matter, FINRA took into consideration that the firms self-reported to FINRA their failure to review and retain certain emails and the steps the firms took to remedy those deficiencies.
MBSC Securities Corporation, BNY Mellon Capital Markets LLC and BNY Mellon Securities LLC: Censured; Fined $300,000 joint/several
The Firm failed to:
record the identity of the person who accepted each customer order because it failed to update its order ticket form to reflect the identity of the person who accepted the order; and
review Bloomberg emails and some firm employees’ instant messages.
The Firm distributed a document, Characteristics and Risks of Standardized Options, that was not current, and the firm lacked procedures for advising customers with respect to changes to the document and failed to document the date on which it was sent to certain customers who had recently opened options accounts. Also, the firm’s compliance registered options principal did not document weekly reviews of trading in discretionary options accounts.
After the Firm became aware of deficiencies in its system for maintaining and preserving emails, and after approval of an AWC arising from the firm’s failure to maintain an adequate system for retaining emails, the firm’s response to correct the deficiencies was inadequate. The firm retained a vendor to provide services with respect to its email system, including, ostensibly, to provide email retention services; however, the firm never took steps, including after it executed the AWC, to test or ascertain whether or not the vendor had implemented a system to store email in a non-erasable, non-rewritable format. The firm did not store emails in a non-erasable, non-rewritable format; instead, the firm’s vendor merely established a “compliance folder” on the firm’s computer network where emails were automatically forwarded, and the vendor apparently maintained “spam” emails the firm received in a separate folder. This system permitted firm employees to delete emails from the “compliance folder.”
During the course of a cycle examination, the staff requested that the firm produce certain emails of a firm registered representative and, in response to the request, the firm was able to provide only “spam” emails the firm retained. The firm discovered its email retention deficiencies only after FINRA staff brought them to the firm’s attention. In addition, the firm intended to employ electronic storage media for its email retention but it failed to provide the required Member’s Notice to FINRA pursuant to SEC Rule 17a-4(f)(2)(i); failed to ensure that its third-party vendor provided the undertakings required by SEC Rule 17a-4(f)(3)(vii); and failed to file the required notice, and its third-party vendor did not provide an undertaking until FINRA staff brought the failures to the firm’s attention.