Ceros Financial Services Fined for Failures in Communications Supervision and Identity Theft Management

The Case

As part of a settlement with FINRA, Ceros Financial Services, Inc. has agreed to pay a fine of $75,000 for failing to implement a reasonable supervisory system for business-related communications from January 2018 to June 2021. Ceros’s written supervisory procedures prohibited registered representatives from communicating with customers using their personal email addresses.

As a result of its failure to reasonably supervise the use of external email for business-related communications and failure to preserve such communications, Ceros violated Exchange Act Section 17(a), Exchange Act Rule 17a-4, and FINRA Rules 4511, 3110, and 2010.

During the same period, Ceros failed to adopt written policies and procedures to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P of the Exchange Act and FINRA Rule 2010.

From January 2018 through the present, Ceros also failed to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in violation of Regulation S-ID of the Exchange Act and FINRA Rule 2010.

Why Does This Matter?

The Safeguards Rule, or Reg S-P, concerns the privacy of consumer financial information. It requires registered broker-dealers, investment companies, and investment advisors to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information.

In addition, FINRA said the firm did not develop or implement a program to detect, prevent, and mitigate identity theft. It relied only on its privacy policy, which lacked practical details on how to respond to identity theft red flags.

Regulation S-ID requires firms to “develop and implement a written Identity Theft Prevention Program … that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” A firm’s identity theft program must include reasonable policies and procedures to, among other things, identify red flags of identity theft, detect those red flags, and respond appropriately to those detected.

In 2022, FINRA issued a Risk Alert that addressed the SEC’s expectations of firms regarding Reg S-ID, based on error patterns its exam staff observed at its member firms.

In addition, the action reflects a continued focus on off-channel communication (including emails, chats, SMS messages, social media posts, and other ad hoc, person-to-person communications). Given this regulatory environment, fintechs should remain aware of the report’s baseline electronic communications rules and emerging expectations to ensure comprehensive program design and implementation.

InnReg's Experience

InnReg has over a decade of experience developing effective supervisory frameworks for fintechs based on a systematic approach to identifying risks, implementing effective controls, and enhancing internal documentation to reduce regulatory burdens. InnReg’s compliance consulting services empower fintechs to enhance policies, processes, and technologies for e-communications compliance.

Learn More About This Topic

For additional details, read how InnReg’s specialized broker-dealer compliance services can help your fintech build best practices to meet evolving regulatory requirements. InnReg’s framework includes an end-to-end guide for reviewing and testing a broker-dealer supervisory system, conducting business reviews, and testing AML programs.

© 2024 InnReg LLC

1101 Brickell Avenue
South Tower, 8th Floor
Miami, FL 33131
