CSG Law Alert: FINRA’s April 2024 Monthly Disciplinary Actions Report – A New Twist in Off-Channel Communications Cases

In a prior Alert, we noted FINRA’s focus on off-channel communications cases. It is no surprise, therefore, that FINRA’s April 2024 Monthly Disciplinary Actions Report contains a case against a broker-dealer for failing to supervise and preserve off-channel communications. What may be surprising are the two additional charges that FINRA leveled against the firm related to the same underlying misconduct.

In the Ceros Financial Services, Inc. AWC, FINRA found the firm did not reasonably supervise its representatives’ business-related communications. While the firm’s written supervisory procedures prohibited representatives from engaging in off-channel communications, the firm was aware that some of its representatives were sending business-related emails between their work email addresses and their personal email addresses. FINRA described these emails as a “red flag” that should have caused the firm to investigate further to determine if its representatives were engaged in other off-channel communications, such as emailing customers from their personal email addresses. Because at least one firm representative sent business-related emails from a personal email address to a firm customer and the firm did not capture those communications, FINRA charged the firm with failing to preserve business-related communications in violation of Exchange Act Rule 17a-4 and FINRA Rule 4511 (and for the related supervisory failure).

Notably, however, FINRA added two additional charges: (1) Rule 30(a) of Regulation S-P; and (2) Regulation S-ID.

Specifically, FINRA found that a number of the emails that firm representatives had sent from their work email addresses to their personal email addresses contained confidential customer information, including account numbers, account statements, and margin call information. Because the firm did not have a process to prevent employees from sending customer information to unsecure locations outside of the firm’s system, FINRA charged the firm with violating Rule 30(a) of Regulation S-P, which requires that firms “adopt written policies and procedures that address…safeguards for the protection of customer records and information.”

Also, because the firm did not have a written identity theft program, FINRA charged the firm with violating Regulation S-ID, which requires firms to “develop and implement a written Identity Theft Prevention Program…that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” FINRA found that the firm’s existing privacy policy did not suffice because, among other things, it did not detail what steps the firm would take to identify, and respond to, red flags of identity theft.

Firms can draw the following lessons from the Ceros case. First, firms should have supervisory systems and procedures reasonably designed to identify communications, including off-channel communications, that potentially could expose confidential customer information. Second, even if they have privacy or similar policies, firms should develop and implement written identity theft prevention programs that meet the requirements of Regulation S-ID.

FINRA has rarely charged firms with violations of either Rule 30(a) of Regulation S-P or Regulation S-ID. Its decision to add these charges to an otherwise routine off-channel communications case is worth noting.
