
Cash App Investing LLC has agreed to pay a fine of $375,000 as a part of a settlement with the Financial Industry Regulatory Authority (FINRA).

Between October 2019 and March 2022, Cash App Investing failed to establish and maintain a supervisory system reasonably designed to safeguard customer information.

In or around November 2019, Representative A designed and built the firm’s trade reconciliation database, which was maintained in a web-based account that was located outside of the firm’s data security network. The database contained customers’ nonpublic personal information, including names, account numbers, account values, and account holdings.

The database was subject to separate data security protections, including multi-factor authentication, and required separate access credentials. Representative A was the only individual who regularly accessed the database from October 2019 until he resigned from the firm in October 2021.

During the relevant period, the firm had a cybersecurity policy and written supervisory procedures that required the firm to immediately disable former employees’ access and monitor for unauthorized access of the firm’s databases and network. However, the firm’s supervisory system for disabling access credentials for departing employees did not account for the firm’s use of the trade reconciliation database.

In addition, the firm did not monitor the trade reconciliation database for unauthorized access. When Representative A left Cash App Investing, the firm did not terminate his access to the trade reconciliation system, although it terminated his access to other firm systems. In October 2021, the firm began to move the trade reconciliation system into the firm’s data security infrastructure.

However, in December 2021, before the transition was complete, Representative A accessed the trade reconciliation system and downloaded six reports that contained the names and account numbers for the firm’s approximately 8.2 million customers; the reports also contained account value and account holdings for approximately 3.4 million customers.

The reports accessed by Representative A did not include customers’ social security numbers, dates of birth, addresses, bank account information, payment card information, or information sufficient to log in to customers’ Cash App Investing accounts, such as usernames or passwords.

Cash App Investing did not detect Representative A’s unauthorized access of the trade reconciliation system until March 2022. The firm thereafter immediately terminated Representative A’s access to the system, followed its cybersecurity incident response policy, promptly notified affected customers and regulators, including FINRA, and took steps to enhance its cybersecurity controls and procedures.

By failing to establish a supervisory system reasonably designed to safeguard customer records and information as described above, Cash App Investing violated Rule 30(a) of Regulation S-P, and FINRA Rules 3110(a), 3110(b), and 2010.

In addition to the $375,000 fine, the firm has consented to a censure.

Cash App Investing has been a FINRA member since October 2007. The firm, which is headquartered in Portland, Oregon, employs approximately 30 registered representatives at one branch office. Since approximately October 2019, the firm has offered self-directed trading to retail investors through its mobile application.
