The Firm failed to preserve, for a period of not less than three years, the first two years in an easily accessible form, all email correspondence relating to the firm’s business.

The emails involving research and emails viewed by the firm as administrative or technical were deleted, emails were not indexed and were not easily located; consequently, the firm was not able to locate various emails sent or received in one year in response to FINRA requests. The firm failed to preserve all emails relating to the firm’s securities business exclusively in a non-rewritable, non-erasable format as required by SEC 13 September 2011 Rule 17a-4(f)(2)(ii)(A). Not only were individual emails users able to delete emails, in which case, they would not be stored, the medium that the firm used to back-up and store emails was rewritable and erasable. FINRA found that the electronic storage media the firm used did not automatically verify the quality and accuracy of the storage media process, and the firm did not have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved by electronic storage media. FINRA also found that the firm failed to engage at least one third party who has access to, and the ability to, download information from the firm’s electronic storage media to another acceptable medium, and who undertakes to promptly furnish to FINRA information necessary for downloading information from the firm’s electronic storage system and provide access to information contained on its storage system. In addition, FINRA determined that the firm failed to retain records evidencing supervisory review of email correspondence of registered representatives relating to the firm’s securities business. Moreover, FINRA found that the firm failed to report transactions in TRACE-eligible securities to TRACE that it was required to report, and failed to report the correct price for transactions in TRACE-eligible securities to TRACE. Furthermore, FINRA found that in connection with corporate bond transactions, the firm failed to prepare brokerage order memoranda, in that order memoranda did not show the account for which the order was entered, the time the order was received, the order entry time, the execution time and the identity of each associated person responsible for the account. (FINRA Case #)

Dito obtained possession of a computer flash drive that contained non-public customer account information and mined out selected excerpts for his own use by emailing the information, on separate occasions, to his member firm email address. Among other things, the flash drive contained approximately 350 account statements of customers from a FINRA member firm -- each of the customer account statements contained in the flash drive displayed non-public financial information including customer names, addresses, account numbers, financial positions, broker identification numbers and account values. Subsequent to reviewing the contents of the flash drive, Dito copied customer account information from the non-public customer account information contained in the flash drive.

The first email he sent to his firm email address contained the names and addresses of approximately 300 customers, which Dito had copied directly from FINRA member firm customer account statements contained in the flash drive. Dito intended to use the customer account information contained on the first email to cold-call prospective customers.

The second email Dito sent to his firm email address consisted of a listing of financial positions on the flash drive that were for a FINRA member firm securities account a customer owned that showed the customer’s equity stock holdings and their total net value. 

Dito failed to fully cooperate with FINRA and answer all of FINRA’s questions at an on-the-record examination.

The Firm failed to evidence any review of incoming or outgoing written and electronic correspondence; failed to review the incoming and outgoing electronic correspondence of its CCO’s personal email account that he used to conduct securities related business, and the CCO had business cards with his personal email address included.

The firm failed to maintain its electronic correspondence (email) and electronic internal communications (email) for almost two years, and failed to maintain the incoming and outgoing electronic communications of an individual’s personal email account used to conduct business. The firm failed to notify FINRA prior to employing electronic storage media.

The Firm failed to file an attestation by at least one third party who has access and the ability to download information from its electronic storage media to an acceptable media for such records that are exclusively stored electronically. The firm’s electronic storage media failed to have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved, and inputting of any changes to every original and duplicate record maintained and preserved.

The firm failed to evidence the disclosure of its privacy notice upon account opening and annually thereafter; although the firm produced a privacy policy and procedures, it failed to provide initial, annual and revised privacy notices.

The Firm failed to properly archive its business-related electronic communications for individual users in some of its Offices of Supervisory Jurisdiction (OSJs).

The Firm stored these emails on stand-alone servers or individual machines only, which theoretically permitted individual users to delete incoming or outgoing emails, and thereby failed to properly preserve its business-related electronic correspondence.

The firm failed to

• review business-related electronic communications for the individuals and an additional user;
• evidence its review of individuals’ business-related electronic communications as the firm’s WSPs required; and
• provide notification and third–party attestation to FINRA regarding the use of electronic storage media 90 days prior to employing such media.

The Firm failed to preserve all of its business-related electronic communications. The Firm attempted to preserve such communications by burning them to a non-rewriteable, non-erasable disc on a monthly basis, but the process was deficient because it did not result in all such communications being saved to the disc. The Firm did not identify this deficiency in its audit of its electronic communications preservation system.

In contravention of its written supervisory procedures, permitted registered representatives to use outside or non-firm-sponsored email accounts to send and receive securities business-related emails. The firm’s preservation process did not capture these emails that were sent to or from those accounts; therefore, the firm did not retain and review them.

The firm relied exclusively on electronic storage media to preserve its business-related electronic communications but did not retain a third party who had the access or ability to download information from its electronic storage media.

The Firm did not have available, for examination by FINRA staff, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images, as SEC Rule 17a-4(f)(3) (i) required. The firm maintained certain records in electronic formats but failed to notify its examining authority, FINRA, prior to employing electronic storage media. The firm did not have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved under SEC Rules 17a-3 and 17a-4 to electronic storage media. The firm was required to have the results of such an audit system available for examination by FINRA staff. The firm failed to provide the required access to allow a third-party vendor to download information from its electronic storage media and file the required undertakings with the proper authorities, including FINRA.

Karn allowed a customer to sign relatives’ names on life insurance applications, and before Karn submitted them for processing, she signed the insurance applications and certified that she had witnessed each of the proposed signatures on the insurance applications. Karn falsely certified on the Representative’s Information Supplement document for each insurance application that she had personally seen each proposed insured at the time the application was completed.

One of Karn’s clients completed an application to purchase a municipal bond fund by signing her name on an electronic signature pad, and later that same day, Karn signed the client’s name on the electronic signature pad and thereby affixed the client’s signature on an application without the client’s authorization, consent or knowledge. The application Karn’s member firm processed and sent to the client reflected the signature Karn had affixed rather than the client’s authentic signature. When the firm questioned Karn about the authenticity of the client’s signature, Karn initially stated it was the client’s original signature, but when questioned further, admitted she had signed the client’s name and in doing so, Karn misled her firm during its internal investigation into a customer complaint.

The Firm failed to:

• have reasonable grounds to believe that a private placement an entity offered pursuant to Regulation D was suitable for any customer, after it received red flags that the entity had financial issues and was not timely making interest payments, but continued to sell the offering to customers;
• enforce a supervisory system reasonably designed to achieve compliance with applicable securities laws and regulations, and NASD and FINRA rules in connection with the sale of private placements;
• conduct adequate due diligence of the private placements or confirm that its representatives were doing their own due diligence;
• conduct adequate due diligence of private placements other entities offered; and
• enforce a supervisory system reasonably designed to achieve compliance with applicable securities laws and regulations, and NASD and FINRA rules in connection with the sale of the private placements the entities offered pursuant to Regulation D.

The Firm reviewed cursory private placement memoranda (PPMs) for the offerings but failed to investigate red flags or analyze third-party sources of information or take affirmative steps to ensure the information in the offering documents was accurate.

The Firm failed to preserve electronic communications in a non-rewritable, non-erasable or “WORM” format that complied with books and records requirements, and the firm used third-party software for storing and retaining electronic communications that did not comply with the requirements of SEC Rule 17a-4(f). Although the Firm was informed that its electronic storage medium was non-compliant but did not take adequate remedial action to retain email properly.