September 16, 2015
Lots of Wall Street firms rely upon Bloomberg for data and messaging. When that service provider alters its policies, such changes may have compliance and regulatory impact. As demonstrated in a recent FINRA settlement with UBS, the failure to recognize the change in a daily download protocol could go unnoticed for years with dramatic consequences. On the other hand, this settlement also raises questions about where the industry's self-regulatory organization was while this non-compliance by one of its larger members persisted year after year.
Case In Point For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, UBS Financial Services, Inc. and UBS Securities LLC, Respondents submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of UBS Financial Services, Inc. and UBS Securities LLC, Respondents (AWC 2011030806901, September 3, 2015). UBS Financial and UBS Securities are FINRA member firms with, respectively, about 12,385 and 1,831 registered representatives located at, respectively, 533 and 13 branches. Bloomberg FTP The AWC asserts that prior to early 2008, Bloomberg L.P. had provided to the UBS Respondents copies of their Bloomberg electronic mail and instant messages in order to facilitate the FINRA member firms' email review and retention protocols. Prior to early 2008, the AWC alleges that Bloomberg posted daily via a file-transfer-protocol ("FTP") one file containing Respondents' Bloomberg messages and another file containing all of the attached files to those messages. Respondents would download the two files onto their system. Bloomberg Revises Attachment Protocol Around early 2008, Bloomberg purportedly changed the FTP postings to the extent that the prior, single, daily attachments file was replaced by multiple postings on days when the number of attachments was deemed "large." Unfortunately, Bloomberg failed to notify Respondents of this alteration of its prior file posting practice. Consequently, Respondents did not alter their systems programming to undertake multiple, daily FTP downloads of the attachment files and, as a result, maintained the once-daily procedures. The AWC asserts that from May 2009 to October 2011, Respondents' employees sent/received about 13 million Bloomberg messages with attachments of which some 8 million such messages with attachments were not archived and not subjected to supervisory review because of the disconnect between the old and new Bloomberg posting policies. Shared Mailboxes In the case of UBS Securities, the AWC alleges that the firm used "shared" electronic mailboxes, which enabled multiple users to send millions of emails from a common mailbox each year. For such shared mailboxes, the "Sent" indicator did not disclose the individual employee's name but, rather, that of the shared mailbox. By January 2014, UBS Securities purportedly utilized 2,300 such shared mailboxes. The AWC concedes that about 74% of the subject messages were internal; however, FINRA underscored that the remaining 26% of the subject messages were sent externally, and half of those were transmitted by an automated application and not a human being. In total, the AWC cites UBS Securities with sending tens of millions of emails from shared mailboxes from about 2004 through December 2013 with the consequence that no records as to the actual sender, thus preventing effective supervisory review. FINRA Sanctions For the reasons cited above, the AWC charged that the UBS Respondents failed to establish, maintain, and enforce a supervisory system in violation of Section 17(a) of the Securities Exchange and Rule 17a-4 thereunder; NASD Rules 3110, 3010, and 2110; and FINRA Rule 2010. In accordance with the terms of the AWC FINRA imposed upon: - UBS Financial: a Censure and $200,000 fine;
- UBS Securities: a Censure and $300,000 fine.
Bill Singer's Comment I find it difficult to reconcile the censures and fines with the regulator's concession that Bloomberg had not updated the respondents on the new FTP policy. To the extent there is a component of the censures and fines allocated to the shared email box issue, that aspect is on firmer footing. Respondents failed to archive and review many attachment files. Did the firms do so intentionally? Did they do so based upon gross negligence or recklessness? I don't think the facts support such conclusions -- and FINRA is bound by the statement of facts (or lack thereof) in its published AWC. The world of electronic communication and social media is fluid and poses a significant challenge to both in-house compliance and outside regulatory staffs. For me, the takeaway in this case is that Bloomberg should be on notice that it must clearly warn its customers of these types of compliance changes. Similarly, FINRA should request that such service providers copy Wall Street's regulators on such critical policy changes so that industry regulators can send out their own notices and add the new policy as a punchlist item for upcoming examinations. And before FINRA gets too sanctimonious with us, just where the hell was the self-regulatory during 2008, 2009, 2010, and 2011 when it was supposedly conducting on-site examinations/investigations of its member firms? Didn't any FINRA examiner notice that Respondents were conducting a once-daily FTP download of their Bloomberg attachments files? In light of the significant role that Bloomberg plays at many FINRA member firms, did the self-regulatory organization send out a Notice to Members warning of the policy change from a once-daily to multiple FTP downloads? If that were the case, then I would have had no issue whatsoever with the sanctions. Ultimately, FINRA is not an independent, government regulator but, in fact, a "self-regulatory organization," and such a closeness to Wall Street should impose a higher duty upon the SRO to ensure that its members are not unknowingly blindsided by changes in important practices such as FTP downloads from a leading industry service provider. I am still trying to understand how a Bloomberg download policy changed in 2008 went unnoticed by both the Respondents and their self-regulator until apparently 2011. Which also raises the question as to why an alleged violation that occurred from 2008 through 2011 is only first being resolved by FINRA in 2015. Seems like there's plenty of blame to go around.For an interesting variation on this electronic communication/retention theme in which FINRA itself has been named as a Defendant in a civil lawsuit, READ: