RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Archive for August, 2019

Beware of FINRA’s Increased Focus on Non-Registered, Associated Persons

Posted on: August 9th, 2019

By: Elizabeth Lowery

On July 29, 2019, FINRA announced that Citigroup Global Markets, Inc. was fined $1.25 million for failing to conduct timely or adequate background checks on approximately 10,400 non-registered associated persons spanning a seven-year period from 2010 to 2017.  This large fine issued even though  Citigroup had completed screening and fingerprinting which was fully compliant with federal banking law for some of those employees.  Citigroup’s failure to screen all such employees as required by the more stringent federal securities laws allowed three individuals to associate with, or remain associated with Citigroup, even though they were subject to statutory disqualification from associating with a brokerage firm because of previous criminal convictions.  FINRA found that Citigroup had failed to maintain a reasonable supervisory system which had procedures to identify and screen non-registered associated persons.  In settling this matter, Citigroup consented to the entry of FINRA’s findings and to the corresponding $1.25 million fine, without admitting or denying FINRA’s charges.  FINRA’s Executive Vice President of its Department of Enforcement, Susan Schroeder, explained “FINRA member firms must live up to their responsibility as a gatekeeper protecting investors from bad actions.  It is important that firms appropriately screen all employees for past criminal or regulatory events that can disqualify individuals from associating with member firms, even in a non-registered capacity.”

This is yet one of several recent examples of FINRA’s focus on non-registered, associated persons.  Pursuant to FINRA Rule 8310, FINRA may impose sanctions, such as a censure, fine, suspension or bar, upon a person associated with a brokerage firm for violations not only of FINRA rules, but also for violations of certain federal securities laws and MSRB rules.  Such sanctions typically stem from FINRA enforcement actions.  FINRA enforcement actions often begin with a request for documents, information and/or sworn testimony, commonly called an “8210 Requests” because they are made pursuant to FINRA Rule 8210.  While registered associated persons, such as those holding a stockbroker’s license, are generally aware that they are subject to FINRA’s jurisdiction, scrutiny and sanctions; non-registered associated persons often lack such awareness.  It is important for brokerage firms and their employees to be mindful that FINRA’s jurisdiction, and its rules and enforcement actions, are not limited to registered associated persons.  This is especially since FINRA’s trend of increased focus on non-registered associated persons is expected to continue.

If you have any questions or would like assistance with a FINRA or SEC enforcement action, or with FINRA 8210 Requests, please contact Elizabeth Lowery at [email protected].

Connecticut and Delaware Enact New Data Security Laws for the Insurance Industry

Posted on: August 8th, 2019

By: Ben N. Dunlap

Connecticut and Delaware have enacted new laws imposing data security obligations on the insurance industry, joining New York, South Carolina, Ohio, Michigan, and Mississippi.

Connecticut’s Insurance Data Security Law, signed by the Governor on July 26, 2019, creates new information security, risk management, and reporting requirements for carriers, producers, and other businesses licensed by the Connecticut Insurance Department.  Following the model of New York’s Department of Financial Services 2017 Cybersecurity Regulations, the Connecticut law requires licensees to maintain an information security program corresponding to the size and complexity of the licensee’s operations; perform regular risk assessments; and designate a responsible individual to oversee the information security program.  The law requires oversight by the licensee’s board of directors and annual certification of compliance to the Insurance Department.  The law also imposes a new reporting requirement: licensees will also have to report cybersecurity incidents to the Insurance Department within three business days.  The law becomes effective October 1, 2019, but licensees have until October 1, 2020 to prepare and implement programs compliant with the new requirements.

The Delaware Insurance Data Security Act, signed by the Governor on July 31, 2019, establishes a regulatory framework requiring insurers licensed to do business in Delaware to develop and implement a comprehensive data security program. Following the 2018 Model Act published by the National Association of Insurance Commissioners, the Delaware law requires insurers to report instances of data breaches to the Delaware Insurance Commissioner and consumers, and it authorizes the Department of Insurance to investigate violations of and impose penalties against insurance carriers.

The Delaware law requires licensees to (1) implement information security programs and conduct risk assessments to try to prevent data breaches and compromising of consumers’ nonpublic information and personal data; (2) conduct thorough investigations to determine if a cybersecurity event or data breach may have occurred and whose data may have been compromised; (3) notify the Insurance Commissioner within three business days of determining that a data breach or cybersecurity event has occurred; (4) notify all impacted consumers within 60 days of the determination that their data has or may have been compromised; and (5) offer free credit monitoring services for one year to consumers impacted by breaches.

If you have any questions or would like more information, please contact Ben Dunlap at [email protected].