Ceros Financial fined for lacking supervision over personal email for business use

FINRA ruling notable due to inclusion of Identity Theft Red Flags Rule.

Ceros Financial Services, a brokerage platform and consultative partner to an investment management firm, was censured and fined by the Financial Industry Regulatory Authority (FINRA) on January 31 for what the regulator said was a failure to reasonably supervise and retain the use of personal email for business-related communications.

The disciplinary action was interesting for the inclusion of Regulation S-ID – the Identity Theft Red Flags Rule – as one of the alleged rule violations.

Ceros was fined $75,000, censured and required to take remedial action.

Personal emails blocked

The firm prohibited using personal email for business-related communications, but its primary system for ensuring compliance with this was to create a list of the personal email addresses of employees and “send automated warning emails when incoming emails to the firm’s system were sent from emails on that list”.

Only 16 email addresses of the firm’s 88 associated individuals were included in the list. If an outgoing email was sent from a firm address to a personal email address, no automated warning was sent. This entire process remained undocumented.

During the relevant period, FINRA said that Ceros sent at least 67 automated warnings to individuals, with some receiving repeated warnings. But the firm did not review communications sent from or to emails on the employee personal email list unless those emails happened to meet other firm supervisory email review criteria. The firm also did not treat those communications as red flags that other external business-related communications might not be captured by the firm’s system.

FINRA said the firm did not implement a program to detect or prevent identity theft. It relied on its privacy policy, which lacked practical details on how to respond to identity theft red flags.

Other than automated warning emails, and one warning letter sent as a result of routine email review, the firm did not take steps to prevent associated persons from using external email or take reasonable steps to ensure all business-related communications were preserved and retained, the agency said.

As a result of these shortcomings the firm did not preserve or retain a number of business-related emails between January 2018 through June 2021.

Reg S-P and Reg S-ID

FINRA said the firm did not have in place policies and procedures to safeguard customer information and “prevent employees from sending customer information to unsecure locations outside of the firm’s system”. The firm did not review over 10,000 emails sent to or from employee personal addresses. At least some of those emails included sensitive customer information including customer account numbers, names, and addresses along with trade information, the agency said. These lapses were in violation of the Safeguards Rule.

The Safeguards rule, or Reg-S-P, concerns the privacy of consumer financial information. It requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

In addition, FINRA also said the firm did not develop or implement a program to detect, prevent and mitigate identity theft. It relied only on its privacy policy, which lacked any practical details on how to respond to any identity theft red flags.

Regulation S-ID requires firms to “develop and implement a written Identity Theft Prevention Program … that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” A firm’s identity theft program must include reasonable policies and procedures to, among others, identify red flags of identity theft, detect those red flags, and respond appropriately to those detected.

In 2022, FINRA issued a Risk Alert addressing the SEC’s expectations for firms regarding Reg S-ID and based on patterns of errors its exams staff observed of its member firms.

With Ceros, FINRA says the business has already remediated its shortcomings by implementing a technology solution that encrypts emails containing personal identifiable information and revising its email review protocols.

One issue the Commission spotted was that some firms did not appear to have reasonable policies and procedures to detect and respond to relevant red flags and, instead, relied on pre-existing policies and procedures (such as anti-money-laundering procedures) to satisfy this requirement of its program, when such procedures were not designed to detect and respond to identity theft red flags. For example, such procedures did not include processes to detect whether the fraud was related to identity theft, such as the use of forged or false credentials.

This sounds like Ceros, which relied on a pre-existing privacy policy instead of having a true identity-theft detection process for its email oversight program, which seemed to have been lacking in true “sight.”

FINRA ordered Ceros, within 60 days, to have a member of its senior management certify in writing that, as of the date of the certification, it has remediated the Regulation S-ID issues identified in the action.

Supervising and preserving comms

Similar to the growing list of financial services businesses fined for recordkeeping failures involving at least some combination of texts, WhatsApp messages, and audio files, if not other communications formats, this case includes violations of the standard supervisory and recordkeeping rules, such as SEC Rule 17a-4 (for advisers) and FINRA Rules 4511 and 3110 (for brokers).

With Ceros, FINRA says the business has already remediated its shortcomings by implementing a technology solution that encrypts emails containing personal identifiable information and revising its email review protocols to include a search for personal identifiable information.

Full list of fines for comms recordkeeping failures since 2022.