On December 21, 2016, the Financial Industry Regulatory Authority (FINRA) announced that it was fining 12 firms a total of $14.4 million for failing to comply with FINRA cybersecurity regulations, having identified “significant deficiencies relating to the preservation of broker-dealer and customer records in a format that prevents alteration.”
FINRA is an independent organization charged by Congress with protecting investors and market integrity by writing and enforcing regulations governing securities firms. Critically, FINRA—by invoking federal securities law—requires business-related electronic records to be preserved in a special “non-erasable, non-rewritable format” referred to as WORM (“write once, read many”) format. Specifically, FINRA Rule 4511 (General Requirements) states in pertinent part that “[a]ll books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA Rule 17a-4.” And SEA Rule 17a-4 (Records to be Preserved by Certain Exchange Members, Brokers and Dealers) states in pertinent part that “electronic storage media must . . . [p]reserve the records exclusively in a non-rewriteable, non-erasable format.”
FINRA’s WORM cybersecurity requirement is designed to “prevent the alteration or destruction of records stored electronically” and reflects FINRA’s “focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.” FINRA recently observed that these requirements are necessary because “[o]ver the past decade, the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.”
With respect to the 12 financial firms that were fined, FINRA’s investigation led the agency to conclude that the firms had failed to maintain electronic records in WORM format for long periods of time. FINRA further found that each of these 12 firms “had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” In addition, “FINRA also found that each of the firms had related procedural and supervisory deficiencies affecting their ability to adequately retain and preserve broker-dealer records stored electronically.” Finally, “FINRA found that three of the firms failed to retain certain broker-dealer records the firms were required to keep under applicable record retention rules.”
The following is a list of the 12 firms that were sanctioned by FINRA. Importantly, as with other consent settlements with regulators, these firms neither admitted nor denied the charges, but merely consented to the imposition of the sanctions in order to settle the matter. The affected firms were:
- Wells Fargo Securities, LLC and Wells Fargo Prime Services, LLC were jointly fined $4 million;
- RBC Capital Markets LLC and RBC Capital Markets Arbitrage S.A. were jointly fined $3.5 million;
- RBS Securities, Inc. was fined $2 million;
- Wells Fargo Advisors, LLC, Wells Fargo Advisors Financial Network, LLC, and First Clearing, LLC were jointly fined $1.5 million;
- SunTrust Robinson Humphrey, Inc. was fined $1.5 million;
- LPL Financial LLC was fined $750,000;
- Georgeson Securities Corporation was fined $650,000; and
- PNC Capital Markets LLC was fined $500,000.
These developments matter for industry participants because they suggest FINRA is taking an increasingly aggressive enforcement stance on its cybersecurity and record-preservation rules. Firms would benefit from confirming that they comply with all applicable requirements, and in light of this action in particular they should review not only whether every business-related electronic record is stored in WORM format, but also whether the written procedures and supervisory controls around retention and preservation are adequate, since FINRA cited deficiencies of both kinds at each of the 12 firms.