The Firm did not retain internal emails firm registered representatives sent or received for three years, and did not retain emails in a non-erasable, non-rewritable format.

The Firm used an internally created email retention system that retained email between firm registered representatives and individuals outside the firm, but did not retain internal email; instead, the firm retained internal email through the use of backup tapes, which the firm archived for less than the required three year period.

The firm implemented a new email retention system an outside vendor created to retain registered representatives’ emails, and for an unknown number of emails, there was a difference in the time the firm registered representative sent or received the email and the timestamp on the email as saved in the archive of the new email retention system; in some instances, the difference was a matter of seconds, and as a result, the timestamps on an unknown number of emails in the archive of the new email retention system differed from the times firm registered representatives sent or received those emails.

While attempting to gather emails in response to a FINRA investigation, the firm discovered that, due to a problem with the new email retention system, certain emails were being held in a database of the new system and were not moving to the archive portion of the system.The Firm performed certain upgrades to the new email retention system in an attempt to move those emails from the database to the archiving portion of the system; prior to performing the upgrade, the firm did not copy the contents of the database where the emails were being held.  During the upgrade, a default configuration superseded the customized server configuration that the outside vendor had originally utilized for the system, which resulted in a loss of certain header information when those emails were moved from the database to the archiving portion of the system.

In addition, in a statement submitted to FINRA, the firm reported the problem that resulted in email being ingested in the new email retention system without certain header information. Moreover, the new system also malfunctioned during parts of a year, which led to gaps in its email retention and the loss of emails responsive to FINRA’s investigation; neither the firm nor the outside vendor was able to determine the cause of the malfunction or the total number of emails lost as a result of the malfunction.

Furthermore, the Firm did not retain or review emails firm registered representatives sent from firm-issued electronic devices to individuals outside the firm.

The Firm did not establish and maintain a supervisory system, including WSPs, reasonably designed to retain emails firm registered representatives sent or received for the required three-year period, to retain emails firm registered representatives sent from firm-issued electronic devices to individuals outside the firm, and to review electronic communications. The Firm did not establish a supervisory system, including WSPs, reasonably designed to detect and prevent malfunctions in the new email retention system.

The Firm failed to evidence any review of incoming or outgoing written and electronic correspondence; failed to review the incoming and outgoing electronic correspondence of its CCO’s personal email account that he used to conduct securities related business, and the CCO had business cards with his personal email address included.

The firm failed to maintain its electronic correspondence (email) and electronic internal communications (email) for almost two years, and failed to maintain the incoming and outgoing electronic communications of an individual’s personal email account used to conduct business. The firm failed to notify FINRA prior to employing electronic storage media.

The Firm failed to file an attestation by at least one third party who has access and the ability to download information from its electronic storage media to an acceptable media for such records that are exclusively stored electronically. The firm’s electronic storage media failed to have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved, and inputting of any changes to every original and duplicate record maintained and preserved.

The firm failed to evidence the disclosure of its privacy notice upon account opening and annually thereafter; although the firm produced a privacy policy and procedures, it failed to provide initial, annual and revised privacy notices.

The Firm did not have available, for examination by FINRA staff, facilities for immediate, easily readable projection or production of micrographic media or electronic storage media images and for producing easily readable images, as SEC Rule 17a-4(f)(3) (i) required. The firm maintained certain records in electronic formats but failed to notify its examining authority, FINRA, prior to employing electronic storage media. The firm did not have in place an audit system providing for accountability regarding inputting of records required to be maintained and preserved under SEC Rules 17a-3 and 17a-4 to electronic storage media. The firm was required to have the results of such an audit system available for examination by FINRA staff. The firm failed to provide the required access to allow a third-party vendor to download information from its electronic storage media and file the required undertakings with the proper authorities, including FINRA.

The Firm failed to:

• have reasonable grounds to believe that a private placement an entity offered pursuant to Regulation D was suitable for any customer, after it received red flags that the entity had financial issues and was not timely making interest payments, but continued to sell the offering to customers;
• enforce a supervisory system reasonably designed to achieve compliance with applicable securities laws and regulations, and NASD and FINRA rules in connection with the sale of private placements;
• conduct adequate due diligence of the private placements or confirm that its representatives were doing their own due diligence;
• conduct adequate due diligence of private placements other entities offered; and
• enforce a supervisory system reasonably designed to achieve compliance with applicable securities laws and regulations, and NASD and FINRA rules in connection with the sale of the private placements the entities offered pursuant to Regulation D.

The Firm reviewed cursory private placement memoranda (PPMs) for the offerings but failed to investigate red flags or analyze third-party sources of information or take affirmative steps to ensure the information in the offering documents was accurate.

The Firm failed to preserve electronic communications in a non-rewritable, non-erasable or “WORM” format that complied with books and records requirements, and the firm used third-party software for storing and retaining electronic communications that did not comply with the requirements of SEC Rule 17a-4(f). Although the Firm was informed that its electronic storage medium was non-compliant but did not take adequate remedial action to retain email properly.

The Firms failed to ensure that emails were retained and timely reviewed.

The Firms, all subsidiaries of the same parent company, implemented a new, third party system for email archiving and review. In order for the emails to be archived consistent with the requirements of SEC Rule 17a-4 and NASD Rule 3110, the firms relied on their personnel to properly code new and existing email accounts to ensure that emails were journaled from users’ email accounts in the new system, and when email accounts were incorrectly coded, the affected users’ emails were not retained consistent with SEC and NASD rules. Instead, both sent and received emails were retained for 30 days, unless an individual employee double-deleted the email (in which case it would not have been retained at all); after 30 days, any emails remaining in an individual employee’s email inbox or outbox would be retained for an additional 30 days; and all emails would be deleted from the new system after 60 days (unless the auto-delete function was disabled), and additionally, would not have appeared in the new system for compliance department reviews, unless an email user whose account was properly coded sent or received the email message.

The Firms did not properly code certain email accounts and did not have written guidance to ensure that all email accounts for associated persons of each firm were properly recorded, nor did the firms have evidence that they conducted any testing of the new system to ensure that email accounts were being set up properly to capture emails for compliance with SEC Rule 17a-4 and NASD Rule 3110. As a result of the failure to retain emails, the firms also failed to timely review emails of affected users. In addition, FINRA determined that the failure to properly archive and review emails was discovered after a MBSC Securities Corporation compliance department employee searched for an electronic copy of an email he knew to have existed, and failed to locate it; prior to that event, the firms did not know that they were failing to properly archive and review emails.

Moreover, following the discovery of the retention and review problem at the firms, the firms’ parent company retained an outside consultant to assess the scope of the retention failure, and the outside consultant determined that there were 725 affected users between the three firms, for whom emails were not retained consistent with SEC and NASD rules. Furthermore,  the outside consultant estimated that the three firms may have lost as many as 4 million emails through the failure to properly code email accounts for journaling to the new system. 

In determining the appropriate sanctions in this matter, FINRA took into consideration that the firms self-reported to FINRA their failure to review and retain certain emails and the steps the firms took to remedy those deficiencies.

MBSC Securities Corporation, BNY Mellon Capital Markets LLC and BNY Mellon Securities LLC: Censured; Fined $300,000 joint/several

The Firm failed to

• establish certain elements of an adequate AML program reasonably designed to achieve and monitor its compliance with the requirements of the Bank Secrecy Act and implementing regulations promulgated by the Department of Treasury;
  
• establish policies and procedures reasonably expected to detect and cause the reporting of transactions required under 31 USC 5318(g) by failing to provide branch office managers with reports that contained adequate information to monitor for potential money-laundering and red flag activity; and for the firm’s compliance department to perform periodic reviews of wire transfer activity, require either branch managers or the AML compliance officers to document reviews of AML alerts in accordance with firm procedures, identify the beneficial owners and/or agents for service of process for some foreign correspondent banks accounts, and establish adequate written policies and procedures that provided guidelines for suspicious activity that would require the filing of a Form SAR-SF;
  
• establish policies and procedures that required ongoing AML training of appropriate personnel related to margin issues, entering new account information, verifying physical securities and handling wire activity;
  
• ensure that its third-party vendor verified new customers’ identities by using credit and other database cross-references, and after the firm determined that the vendor’s lapse was resolved, it failed to retroactively verify customer information not previously subjected to the verification process;
  
• establish procedures reasonably expected to detect and cause the reporting of suspicious transactions required under 31 USC 5318(g), in that it failed to include in its AML review the activity in retail accounts institutional account registered representatives serviced;
  
• review accounts that a producing branch office manager serviced under joint production numbers;
  
• evidence in certain instances timely review of letters of authorization, correspondence, account designation changes, trade blotters, branch manager weekly review forms and branch manager monthly reviews; failed to follow procedures intended to prevent producing branch office managers from approving their own errors;
  
• follow procedures intended to prevent a branch office operations manager from approving transactions in her own account and an assistant branch office manager from reviewing transactions in accounts he serviced;
  
• establish procedures for the approval and supervision related to employee use of personal computers and, during one year, permitted certain employees to use personal computers the firm did not approve or supervise,
  
• include a question on thefirm’s annual acknowledgement form for one year that required its registered representatives to disclose outside securities accounts and the firm could not determine how many remained unreported due to the supervisory lapse;
  
• follow policies and procedures requiring the pre-approval and review of the content of employees’ radio broadcasts, television appearances, seminars and dinners, and materials distributed at the seminars and dinners; representatives conducted seminars that were not pre-approved by the firm’s advertising principal as required by its written procedures; the firm failed to maintain in a separate file all advertisements, sales literature and independently prepared reprints for three years from date of last use; and a branch office manager failed to review a registered representative’s radio broadcast. A branch office manager failed to maintain a log of a registered representative’s radio broadcasts and failed to tape and/or maintain a transcript of the broadcasts and there was no evidence a qualified principal reviewed or approved the registered representative’s statements. Branch office managers did not retain documents reflecting the nature of seminars, materials distributed to attendees or supervisory pre-approval of the seminars; retain transcripts of a representative’s local radio program and TV appearances or document supervisory review or approval of materials used; and retain documents reflecting the nature of a dinner or seminar conducted by representatives or materials distributed;
  

• record the identity of the person who accepted each customer order because it failed to update its order ticket form to reflect the identity of the person who accepted the order; and

• to review Bloomberg emails and some firm employees’ instant messages

The Firm distributed a document, Characteristics and Risks of Standardized Options, that was not current, and the firm lacked procedures for advising customers with respect to changes to the document and failed to document the date on which it was sent to certain customers who had recently opened options accounts. Also, the firm’s compliance registered options principal did not document weekly reviews of trading in discretionary options accounts.

After the Firm became aware of deficiencies in its system for maintaining and preserving emails, and after approval of an AWC arising from the firm’s failure to maintain an adequate system for retaining emails, the firm’s response to correct the deficiencies was inadequate. The firm retained a vendor to provide services with respect to its email system, including, ostensibly, to provide email retention services; however, the firm never took steps, including after it executed the AWC, to test or ascertain whether or not the vendor had implemented a system to store email in a non-erasable, non-rewritable format. The firm did not store emails in a non-erasable, non-rewritable format; instead, the firm’s vendor merely established a “compliance folder” on the firm’s computer network where emails were automatically forwarded, and the vendor apparently maintained “spam” emails the firm received in a separate folder. This system permitted firm employees to delete emails from the “compliance folder.”

During the course of a cycle examination, the staff requested that the firm produce certain emails of a firm registered representative and, in response to the request, the firm was able to provide only “spam” emails the firm retained. The firm discovered its email retention deficiencies only after FINRA staff brought them to the firm’s attention. In addition, the firm intended to employ electronic storage media for its email retention but it failed to provide the required Member’s Notice to FINRA pursuant to SEC Rule 17a-4(f)(2)(i); failed to ensure that its third-party vendor provided the undertakings required by SEC Rule 17a-4(f)(3)(vii); and failed to file the required notice, and its third-party vendor did not provide an undertaking until FINRA staff brought the failures to the firm’s attention.