FINRA fined a dozen firms $14.4 million for "significant deficiencies" in protecting broker-dealer and client data — affecting hundreds of millions of records, the regulator said.
Wells Fargo took the biggest hit, as FINRA fined the bank's securities and brokerage units a combined $5.5 million. Among the other firms facing penalties, RBC was fined $3.5 million, SunTrust $1.5 million and LPL Financial $750,000.
Cybersecurity has become a pressing issue in the financial services sector and beyond. Just this year, Russia has been accused of hacking email accounts of high profile members of the Democratic Party and Yahoo recently disclosed that more than 1 billion user accounts had been compromised in a 2013.
FINRA said its rules and federal securities laws require firms to maintain electronic records in a format known as "write once, read many," or WORM. This prevents the alteration or destruction of the data, according to the regulator.
Regulators say this requirement is necessary in order to protect investors from harm as the records facilitate compliance and regulatory monitoring. And such record keeping has only grown in importance over the past decade, as more and more documents are kept in electronic formats.
"These disciplinary actions are a result of FINRA's focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry," Brad Bennett, FINRA's chief of enforcement, said in a statement.
FINRA added that some of the firms supervisory systems contained deficiencies, which compromised firms' ability to detect record-keeping problems.
But it was not initially clear whether there had been any evidence of hacking or compromised records and communications. A FINRA spokeswoman was not immediately available for additional comment. But in RBC's case there was no evidence of hacking or cybersecurity breach, according to a person familiar for the matter.
-
The regulator sanctioned the brokerage firm for supervisory failures that stretched over a nearly two year period.
August 15 -
The regional brokerage is the latest to incur a penalty for failing to waive fees on Class A shares sold to eligible institutional clients.
September 9 -
The first-ever case of its kind is putting other broker-dealers on notice about the regulator's enhanced abilities to identify patterns of abuse.
September 28 -
A firm contest incentivized about 30 advisers to push lending products to clients and created conflicts of interest, according to officials.
October 3
An RBC spokeswoman declined to comment on the fines.
A spokeswoman for Wells Fargo says that the firm is confident about the security of its records, adding that there are no allegations of hacking or a data breach. "We take compliance with the records storage requirements very seriously. The firms self-reported these issues to FINRA, and continue to remediate as agreed,” she said.
A Suntrust spokeswoman similarly pointed out that the firm self-identified the matter and was already taking remedial action.
A spokesman for PNC, which was fined the smallest amount at $500,000, said the firm has addressed FINRA's concerns in this matter. "PNC zealously guards its books and records, and in this instance, we found there was no evidence that any records were modified or lost," the spokesman said.
Spokespersons for the other firms were not immediately available for comment.
But all 12 firms neither admitted nor denied the charges, but consented to FINRA's findings, the regulator said.