Ceros Financial Services, Inc. has agreed to pay a fine of $75,000 as part of a settlement with the Financial Industry Regulatory Authority (FINRA).
From January 2018 through June 2021, Ceros did not have a reasonable supervisory system for business-related communications. Ceros’s written supervisory procedures prohibited registered representatives from communicating with customers from their personal email addresses.
FINRA notified Ceros by March 2018 that at least one of its registered representatives was regularly using personal email for business-related communications. Despite this notice, the primary system the firm implemented to prevent its associated persons from using external email for business-related communications was to create a list of employee personal email addresses and send automated warning emails when incoming emails to the firm’s system were sent from emails on that list.
The employee personal email list contained only 16 email addresses for the firm’s 88 associated individuals as of June 2021. Because the check applied only to incoming mail, an email sent from the firm’s system to an address on the list triggered no automated warning at all. This process was not documented in any written procedures.
During the relevant period, Ceros sent at least 67 automated warnings to individuals, with some individuals receiving repeated warnings. However, the firm did not review communications sent from or to emails on the employee personal email list unless those emails happened to meet other firm supervisory email review criteria. The firm also did not treat those communications as red flags that other external business-related communications might not be captured by the firm’s system. Other than automated warning emails, and one warning letter sent as a result of routine email review, the firm did not take steps to prevent associated persons from using external email. Nor did the firm take reasonable steps to ensure all business-related communications were preserved and retained.
From January 2018 through June 2021, several business-related emails were not preserved and retained by Ceros because the correspondence was directly between a representative’s personal email and a customer. Because these emails did not include a Ceros email address recipient, the firm cannot quantify how many business-related emails were not preserved and retained. Given its failure to identify or preserve these communications, Ceros also did not conduct supervisory reviews of this business-related correspondence.
Ceros has now implemented a firm-wide list of personal email addresses and blocks all communications to or from emails on the list.
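The gap between the two controls is a matter of which headers the gateway inspects. The example below is added here to make that concrete; it is not the firm's code, and the addresses and messages are constructed. `inbound_only_check` models the original control (warn only when the sender is on the list), while `bidirectional_check` models the corrected one (flag a listed address wherever it appears in From, To, Cc or Bcc). Including Reply-To is an assumption that goes beyond the settlement text: a message sent from a firm address with a personal Reply-To steers the customer's replies off the firm's system, which is one route to the purely personal-to-customer threads described above.

```python
"""Added example: a mail-gateway check for listed personal addresses in both
directions. Constructed addresses and messages; not the firm's own code."""
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the firm's list of employee personal addresses.
PERSONAL_ADDRESSES = {
    "rep.one@personalmail.example",
    "rep.two@webmail.example",
}


def _addresses(msg, *header_names):
    """Every address in the named headers, lowercased, display names dropped."""
    raw = []
    for name in header_names:
        raw.extend(msg.get_all(name, []))
    return [addr.strip().lower() for _, addr in getaddresses(raw) if addr]


def inbound_only_check(raw_message, personal=PERSONAL_ADDRESSES):
    """The original control: warn only when the *sender* is a listed address.

    Outbound mail addressed to a listed address passes silently, which is the
    gap the settlement describes.
    """
    msg = message_from_string(raw_message)
    return [a for a in _addresses(msg, "From") if a in personal]


def bidirectional_check(raw_message, personal=PERSONAL_ADDRESSES):
    """The corrected control: flag listed addresses in either direction.

    Reply-To is checked as an assumption (not stated in the settlement): a
    firm-sent message with a personal Reply-To moves the customer's replies
    off the firm's system, where no gateway check can see them.
    """
    msg = message_from_string(raw_message)
    checks = {
        "from": ("From",),
        "to": ("To", "Cc", "Bcc"),
        "reply-to": ("Reply-To",),
    }
    hits = []
    for direction, headers in checks.items():
        for addr in _addresses(msg, *headers):
            if addr in personal:
                hits.append((direction, addr))
    return hits


def gateway_decision(raw_message, personal=PERSONAL_ADDRESSES):
    """Block any message the bidirectional check flags; otherwise deliver."""
    return "block" if bidirectional_check(raw_message, personal) else "deliver"


# Constructed sample messages (headers only, body irrelevant to the check).
INBOUND_FROM_PERSONAL = (
    "From: Rep One <Rep.One@PersonalMail.example>\n"
    "To: desk@firm.example\n"
    "Subject: order update\n\nbody\n"
)
OUTBOUND_CC_PERSONAL = (
    "From: desk@firm.example\n"
    "To: Customer <customer@client.example>\n"
    "Cc: rep.two@webmail.example\n"
    "Subject: order update\n\nbody\n"
)
OUTBOUND_REPLY_TO_PERSONAL = (
    "From: desk@firm.example\n"
    "To: customer@client.example\n"
    "Reply-To: rep.one@personalmail.example\n"
    "Subject: order update\n\nbody\n"
)

if __name__ == "__main__":
    samples = [
        ("inbound from personal", INBOUND_FROM_PERSONAL),
        ("outbound cc personal", OUTBOUND_CC_PERSONAL),
        ("outbound reply-to personal", OUTBOUND_REPLY_TO_PERSONAL),
    ]
    for label, sample in samples:
        print(label, "| inbound-only:", inbound_only_check(sample),
              "| bidirectional:", bidirectional_check(sample),
              "| decision:", gateway_decision(sample))
```

The inbound-only check catches only the first sample; the other two, an outbound Cc and an outbound Reply-To to a listed address, pass it untouched and are blocked only by the bidirectional check. Two caveats carry over from the settlement: a gateway check is only as good as the list it consults (16 of 88 individuals were listed), and it cannot inspect a thread that never touches the firm's system, so it needs to be paired with preservation of whatever channels representatives are actually permitted to use.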
As a result of its failure to reasonably supervise the use of external email for business-related communications and failure to preserve such communications, Ceros violated Exchange Act Section 17(a), Exchange Act Rule 17a-4, and FINRA Rules 4511, 3110, and 2010.
During the same period, Ceros failed to adopt written policies and procedures to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P of the Exchange Act and FINRA Rule 2010.
From January 2018 through the present, Ceros also failed to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in violation of Regulation S-ID of the Exchange Act and FINRA Rule 2010.
On top of the fine, the firm has agreed to a censure.