LPL Financial LLC, a registered broker-dealer (the “Broker-Dealer”), executed a Letter of Acceptance, Waiver and Consent (“AWC”) with FINRA regarding alleged violations of record retention and monitoring rules applicable to emails. The AWC details failures of the Broker-Dealer’s email review and retention system which resulted in the Broker-Dealer being unable to meet its obligations to review and retain emails and supervise its registered representatives. In settling this matter, the Broker-Dealer neither admitted nor denied FINRA’s charges, but consented to the entry of FINRA’s findings, which are summarized in this article.
Applicable Rules. NASD Rule 3010(a) requires Broker-Dealers to develop and maintain systems to supervise their employees that are reasonably designed to achieve compliance with applicable federal securities laws and FINRA Rules (including NASD Rules incorporated into the FINRA Rulebook). Additionally, NASD Rule 3010(d)(2) requires Broker-Dealers to develop procedures for monitoring both written and electronic correspondence with the public relating to its investment banking or securities business.
Background. According to the AWC, during the period between 2007-2013 the Broker-Dealer’s email review and retention system failed at least 35 times, preventing the Broker-Dealer from being able to access hundreds of millions of emails and to review tens of millions of emails.
FINRA found that many of the Broker-Dealer’s registered representatives operated using multiple “doing business as” (“DBA”) email addresses, however, the Broker-Dealer’s email review and retention system was designed to review only one DBA email address for each representative. As a result of this technical limitation, FINRA found that from 2008 to 2011 the Broker-Dealer failed to review and supervise 28 million DBA email messages sent and received from its registered representatives. FINRA also found that the Broker-Dealer was aware of the deficiencies in its email review and retention processes and procedures but failed to take adequate steps to address such failures. FINRA found that in May 2010 the Broker-Dealer initiated an internal audit of its email review and retention system; however, in September 2010 after the internal auditor reported that there were a number of inconsistencies between the email addresses subject to review and those being used by the registered representatives the audit was stopped by a senior audit executive without any written explanation and without consulting with the audit committee of the Broker-Dealer’s board. At the time the audit was stopped, the Broker-Dealer’s procedures did not include a requirement that the audit management seek approval of the audit committee to stop an audit. Additionally, FINRA found that the Broker-Dealer initiated, but never completed, a project in September 2010 to improve the Broker-Dealer’s email review and retention system, citing as key drivers of the project the “failure to properly surveil email…” and a contemporaneous enforcement action referral against the Broker-Dealer regarding DBA emails.
FINRA found that in March 2009, when the Broker-Dealer changed its email archiving provider, it experienced a number of significant issues with the new system, including losing access to 280 million emails for five months. FINRA found that the issues with the archiving system ultimately resulted in the Broker-Dealer providing incomplete responses to requests for emails from certain regulatory authorities and potentially to private parties in civil litigations and arbitrations. FINRA found that, in addition to failing to retain and monitor emails, the Broker-Dealer did not review or archive Bloomberg messages for the seven-year period prior to 2011 and had other email supervision failures.
According to the AWC, the Broker-Dealer reported the issues with the DBA emails to FINRA in September 2011 and in response to a request for additional information issued a letter to FINRA in January 2012 that included a chronology of the events regarding the discovery of the issue with the DBA emails. FINRA found that the Broker-Dealer made two misstatements in the January 2012 letter regarding its knowledge of its email retention and review issues. Specifically, the Broker-Dealer stated that it was not aware of the issues with the DBA emails until June 2011 and that it had conducted regular reviews of the DBA emails and had not identified any red flags. FINRA found, however, that the Broker-Dealer was aware of the issues with the DBA emails as early as 2008. While FINRA did not specifically find that there were red flags associated with the use of DBA accounts, it did find that there were numerous red flags relating to the adequacy of supervision of DBA accounts.
In making its findings, FINRA noted that the Broker-Dealer was in a period of rapid expansion during the relevant period and failed to devote sufficient resources to update its email systems, which became increasingly complex and unwieldy for the Broker-Dealer to manage and monitor effectively. FINRA also noted that in January of 2011 the Broker-Dealer entered into a separate Letter of Acceptance, Waiver and Consent with FINRA related to its failure to enforce its supervisory system and procedures that required the review of emails.
Violations. FINRA charged the Broker-Dealer with: (i) violating NASD Rules 3010(a) and (d)(2) and FINRA Rule 2010 (formerly NASD Rule 2110) by failing to maintain an adequate system and procedures to retain and review emails; (ii) violating the books and records requirements under Securities Exchange Act Rule 17a-4 and NASD Rule 3110(a) by failing to retain emails; (iii) violating NASD Rule 3010(a) and FINRA Rule 2010 by failing to adequately supervise its internal department; and (iv) violating FINRA Rule 2010 by making material misstatements to FINRA in its responses to the investigation.
Corrective Actions. In connection with the AWC, the Broker-Dealer submitted a statement of the corrective actions it has taken to address the issues raised in the AWC. According to the corrective action statement, the Broker-Dealer retained a third party email consultant to assist the Broker-Dealer in enhancing its email review system, initiated a plan to transition to a Microsoft Exchange environment to simplify the operational control and surveillance of emails and, working with a different third party consultant, developed a plan for enhancing the Broker-Dealer’s overall information technology organization to meet the needs of the growing company. Additionally, according to the corrective action statement, the Broker-Dealer has implemented changes to its internal audit department policies, requiring that, among other things, (i) audit plans be presented to the audit committee of the Broker-Dealer’s parent company for review and approval, and (ii) any decision to stop an audit be approved by the audit committee. The corrective action statement submitted by the Broker-Dealer does not constitute factual or legal findings by FINRA, nor does it reflect the views of FINRA, or its staff.
Sanctions. In addition to agreeing to a censure and a fine in the amount of $7.5 million, the Broker-Dealer agreed to establish a $1.5 million fund to compensate claimants potentially affected by the failure to produce emails, and to notify claimants of their right to receive compensation payments and to obtain emails relevant to their cases that were not previously produced. The AWC also requires the Broker-Dealer to provide FINRA with a list of all regulatory agencies that potentially received incomplete productions of emails in response to requests or subpoenas and to notify such regulatory agencies of the potentially incomplete productions of emails.