SEC Sues Dual Registrant for Reg S-P Failure

Posted on by

A dually registered broker-dealer and investment adviser (the “Respondent”) was sued by the SEC on September 29, 2009 for failing to require, among other things, that its registered representatives maintain antivirus software on the personal computers which were used to access customer account information on the firm’s intranet and trading platform.  In addition, the SEC claimed that the Respondent did not have adequate procedures in place to review its registered representatives’ computer security measures.   In particular, the SEC claimed that Respondent’s internal auditors did not audit branch office computers to determine whether anti-virus software was installed nor did they have adequate procedures in place to follow up on potential computer security issues uncovered during branch audits or when registered representatives contacted Respondent’s technology help desk for computer related assistance.

The SEC stated in the proceeding that failure to require such antivirus software left non-public customer information vulnerable to unauthorized access.   In fact, such attack did occur earlier in November 2008 when an intruder gained access to 368 customer accounts and entered unauthorized purchases in eight of such accounts before such illicit activity was detected by Respondent.  According to the SEC, although the Respondent absorbed the monetary losses, its failures to have a sufficient Reg S-P compliant program allowed an unauthorized party to have access to certain customer information relating to 368 of the representative’s customer accounts.

What is particularly interesting is that the Respondent did in fact have procedures in place to address administrative, technical and physical safeguards to protect client information, it did not require the implementation of such basic safeguards.    Ultimately, the SEC found that the Respondent willfully violated Reg S-P for failing to “adhere to the standards of reasonable design”.   The Respondent was ordered to pay a $100,000 fine and cease and desist and censure.

In light of this recent proceeding, there is certainly no better time than now to evaluate your Reg S-P controls and programs in place!

This entry was posted in Enforcement, SEC by HedgeOp. Bookmark the permalink.

About HedgeOp

HedgeOp Compliance, LLC focuses exclusively on helping investment managers meet their compliance and regulatory obligations and rise to meet operational challenges. HedgeOp has developed a successful business based on its proactive approach to servicing clients and a proven reputation. Our clients range from start-ups to large firms with well-established track records.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>