SEC Settles Enforcement Proceeding Over Dually Registered Investment Adviser And Broker-Dealer's Failure To Comply With Regulation S-P Requirements For Safeguarding Customer Information

Profession: Goodwin Procter LLP
 
Developments Of Note

SEC Settles Enforcement Proceeding Over Dually Registered Investment Adviser And Broker-Dealer's Failure To Comply With Regulation S-P Requirements For Safeguarding Customer Information
SEC Issues Strategic Plan For 2010–2015 For Public Comment

Other Item Of Note

OECD Issues Handbook On Detecting Money Laundering

DEVELOPMENTS OF NOTE

SEC Settles Enforcement Proceeding Over Dually Registered Investment Adviser And Broker-Dealer's Failure To Comply With Regulation S-P Requirements For Safeguarding Customer Information

The SEC settled an enforcement action against a firm registered as both a broker-dealer and an investment adviser (the "Registrant") for the Registrant's failure to adopt written policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the "Safeguards Rule"). The Safeguards Rule requires registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and that are reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information.

Unauthorized Access. In its order settling the enforcement proceeding, the SEC found that in or around November 2008 an unauthorized person accessed and traded, or attempted to trade, in customer accounts of the Registrant by using a computer virus to gain access to the login credentials of a registered representative (an "RR") of the Registrant. The credentials allowed access to the Registrant's intranet (the "Intranet"), which provides access to a proprietary trading platform operated by the Registrant's clearing broker (the "Trading Platform"). Once logged on to the Intranet, the unauthorized person gained access to non-public information for 368 customer accounts and used the Trading Platform to place, or attempt to place, eighteen unauthorized trades across eight customer accounts totaling over $523,000 in securities of one publicly traded company. The clearing broker detected the unauthorized purchases within ten minutes and was able to block most of them; however, some unauthorized purchases were executed, resulting in an aggregate loss of $8,000 that was absorbed by the Registrant.

Registrant's Practices. The SEC noted that, at all relevant...
