
SEC Fines Firm $45M for Recordkeeping, Cyber Woes

What happened?

The SEC announced on January 13, 2025, that two brokerage firms agreed to pay a combined $45 million ($33.5 million and $11.5 million, respectively) in civil penalties relating to multiple SEC charges stemming from their brokerage operations. The charges include violations relating to recordkeeping, policies and procedures, electronic communications, and more.

The Acting Director of the SEC’s Division of Enforcement, Sanjay Wadhwa, stated that “Today’s order finds that the two firms failed to observe a broad array of significant regulatory requirements, including failing to accurately report trading activity, comply with short sale rules, submit timely suspicious activity reports, maintain books and records, and safeguard customer information”.

As detailed in the SEC’s cease-and-desist order, the two firms’ violations included conduct arising from the following instances:

  • From January 2020 through March 2022, the firms failed to timely investigate suspicious transactions. Consequently, in many instances, the firms failed to file suspicious activity reports (“SARs”) until months after the questioned activity was flagged.
  • From April 2019 through July 2022, the firms failed to implement effective policies and procedures designed to detect, prevent, and mitigate identity theft in connection with their customers’ accounts.
  • From June 2021 through November 2021, the firms failed to adequately address known risks posed by a cybersecurity vulnerability that resulted in a third party obtaining unauthorized remote access to their systems and downloading information connected to millions who had provided information to the firm.
  • The firms failed to maintain and preserve electronic communications as required by certain recordkeeping provisions. Both firms admitted to these findings regarding off-channel communications.
  • The firms failed to implement a system to adequately comply with recordkeeping obligations that prevent legally required records from being intentionally or inadvertently deleted or modified.
  • The firms did not maintain certain legally required communications with brokerage customers during 2020 and 2021.

Additionally, the SEC found that one of the two firms alone committed violations relating to Electronic Blue Sheets (“EBS”) and Fractional Share Trading and Stock Lending. The firm failed to provide complete and accurate blue sheet data to the SEC over about a five-year period. From May 2019 through December 2023, the firm also did not comply with Regulation SHO’s close-out, order-marking, and locate requirements, which regulate abusive short selling practices.

The SEC’s cease-and-desist order details the remedial efforts taken by the firms to address violations.

What does this mean for me and my firm?

This enforcement action demonstrates the SEC’s ongoing emphasis on cybersecurity, electronic communications, and proactive compliance, and it further sets a precedent for future enforcement actions. Firms should review their compliance and cyber programs to ensure they are aligned with existing regulations and best practices, including the items mentioned below.

  • Identity Theft Prevention: Under Regulation S-ID, advisers are expected to implement robust safeguards against identity theft and maintain effective procedures for responding to vulnerabilities. Advisers should regularly review their procedures to ensure customer material non-public information (MNPI) is properly protected. For details on Regulation S-ID, click here.
  • Anti-Money Laundering (AML): Advisers are required to have an AML program that promptly flags, investigates, and reports suspicious transactions. Firms should regularly review their programs to ensure they are in line with the firm’s transaction volume and equipped to handle periods of heightened activity. For details on the AML rule, click here.
  • Off-Channel Communications: The SEC continues to hold firms accountable for failing to adequately maintain communication records. This enforcement action emphasizes the importance of oversight and management of off-channel communications. Advisers should ensure staff are trained on approved communication channels and procedures to ensure communications are maintained properly. For more details and guidance, click here to access our Adviser Guide to Off-Channel Communications.
  • Proactive Compliance: Advisers are expected to be proactive in compliance, including surveillance, investigation, and recordkeeping of their programs. Firms should regularly audit and strengthen their policies and procedures, particularly in rapidly evolving areas like electronic communication, AML, and cybersecurity. For more guidance on how to maintain a proactive compliance program, click here to view our 2025 Compliance Program Checklist.

Many of these items are dynamic and constantly evolving. Advisers can turn to our 2025 Cybersecurity Examination Priorities as a resource to ensure their compliance and cyber programs are on track to align with regulation and best practices.
