Ceros Financial Services, Inc. agreed to pay a $75,000 fine as part of a settlement with the Financial Industry Regulatory Authority (FINRA).

From January 2018 to June 2021, Ceros did not have a reasonable monitoring system in place for business-related communications. Ceros’ written supervisory procedures prohibited registered agents from contacting customers from their personal email addresses.

FINRA notified Ceros by March 2018 that at least one of its registered agents regularly used personal email for business-related communications. Despite this notification, the main system the company implemented to prevent its affiliates from using external email for business communications was to create a list of employees’ personal email addresses and send automated warning emails when an email coming into the company’s system was sent from an address on this list.

As of June 2021, the employee personal email list contained 16 email addresses for the company’s 88 connected people. If an email was sent from the company system to an address on the personal email list, no automated alert was sent. This procedure was not documented in any written procedure.

During the relevant period, Ceros sent at least 67 automated warnings to individuals, with some individuals receiving repeated warnings. However, the company did not review communications sent from or to addresses on the employees’ personal email list unless those emails met other screening criteria of the company’s email surveillance. The company also did not treat these communications as red flags that other external business-related communications might not be captured by the company’s system. Other than automated warning emails and a warning letter sent as a result of routine email screening, the company took no steps to prevent connected individuals from using external email. Nor did the company take reasonable steps to ensure that all business-related communications were preserved and maintained.

From January 2018 to June 2021, many business-related emails were not retained by Ceros because the correspondence was directly between an agent’s personal email and a customer. Because these emails did not include a Ceros email address as a recipient, the company cannot quantify how many business-related emails were not retained. Given its failure to identify or preserve these communications, Ceros also did not conduct supervisory reviews of this business-related correspondence.

Ceros has now implemented a company-wide list of personal email addresses and blocks all communications to or from emails on the list.

As a result of its failure to reasonably monitor the use of external email for business-related communications and its failure to maintain such communications, Ceros violated Section 17(a) of the Exchange Act, Rule 17a-4 of the Exchange Act, and FINRA Rules 4511, 3110, and 2010.

During the same period, Ceros failed to adopt written policies and procedures to safeguard customer records and information in violation of Section 30(a) of Regulation S-P of the Exchange Act and FINRA Rule 2010.

From January 2018 to the present, Ceros also failed to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft in violation of the Exchange Act’s Regulation S-ID and FINRA Rule 2010.

In addition to the fine, the company agreed to a reprimand.
