The $1.2 million fine levied by FINRA against ING and its affiliates yesterday brings to light compliance problems with traditional encryption solutions that have long been recognized but tolerated in the finance sector. The announcement stated that the firms “...failed to set up systems to retain certain types of encrypted emails” and therefore the messages were not available to review.
Much of the frustration around traditional encryption solutions (beyond the end-user experience) relates to the creation of a secondary email repository. Even when firms, like ING, make best efforts to put encryption and message archiving solutions in place, the two solutions are not compatible. There are keys and certificates to manage, and when the two are used together the archive gets filled with encrypted messages that cannot be reviewed or audited.
Email2 has solved these important compliance challenges and is the only encryption solution that will work with any archive / eDiscovery system, ensuring that, regardless of whether email is on-premise, hosted, or a hybrid of both, all secure messages are available decrypted for audit and eDiscovery purposes (therefore compliant with the recordkeeping provisions of the federal securities laws and FINRA rules, and supervisory requirements under FINRA rules).
Original post: http://www.finra.org/newsroom/newsreleases/2013/p207604
FINRA Fines Five ING Firms $1.2 Million for Email Retention and Review Violations
WASHINGTON — The Financial Industry Regulatory Authority (FINRA) announced today that it has fined five affiliates of ING $1.2 million for failing to retain or review millions of emails for periods ranging from two months to more than six years. The five firms, indirect subsidiaries of ING Groep N.V., are Directed Services, LLC; ING America Equities, Inc.; ING Financial Advisers, LLC; ING Financial Partners, Inc.; and ING Investment Advisors, LLC.
Brad Bennett, Executive Vice President and Chief of Enforcement, said, “As a result of broad systemic failures, these firms failed to capture and retain emails from hundreds of representatives and other associated persons, and failed to take adequate steps to ensure that their principals were fulfilling their responsibilities to review emails. Email retention and review continues to be an important regulatory responsibility and an issue of concern for FINRA.”
FINRA found that the firms failed to properly configure hundreds of employee email accounts to ensure that the emails sent to and from those accounts were retained and reviewed at various times between 2004 and 2012. In addition, four of the firms failed to set up systems to retain certain types of emails, such as emails using alternative email addresses, emails sent to distribution lists, emails received as blind carbon copies, encrypted emails and “cloud” email (emails sent through third-party systems). As a result of these failures, emails sent to and from hundreds of employees and associated persons were not retained; and because the emails were not retained, they were not subject to supervisory review.
In addition, four of the firms failed to review millions of emails that the firms’ email review software had flagged for supervisory review. At various times between January 2005 and May 2011, nearly six million emails flagged for review went unreviewed by supervisory principals because the email review software was not properly configured.
In concluding the settlement, the firms neither admitted nor denied the charges, but consented to the entry of FINRA’s findings. FINRA found that the firms violated the recordkeeping provisions of the federal securities laws and FINRA rules, and supervisory requirements under FINRA rules.
FINRA also ordered the firms to conduct a comprehensive review of their systems for the capture, retention and review of email, and to subsequently certify that they have established procedures reasonably designed to address and correct the violations.
FINRA’s investigation was conducted by the Departments of Enforcement and Member Regulation.
Investors can obtain more information about, and the disciplinary record of, any FINRA-registered broker or brokerage firm by using FINRA’s BrokerCheck. FINRA makes BrokerCheck available at no charge. In 2012, members of the public used this service to conduct 14.6 million reviews of broker or firm records. Investors can access BrokerCheck at www.finra.org/brokercheck or by calling (800) 289-9999. Investors may find copies of this disciplinary action as well as other disciplinary documents in FINRA’s Disciplinary Actions Online database.
FINRA, the Financial Industry Regulatory Authority, is the largest independent regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing rules, enforcing those rules and the federal securities laws, informing and educating the investing public, providing trade reporting and other industry utilities, and administering the largest dispute resolution forum for investors and firms. For more information, please visit www.finra.org.