The Securities and Exchange Commission says that Morgan Stanley Smith Barney LLC (MS) will pay a $1M penalty to resolve charges involving its purported failure to protect customer data. Some of this information was hacked and violators attempted to sell the data online.
According to the regulator, the firm did not adopt written policies and procedures reasonably designed to protect customer information. Because of this, said the SEC, from ’11 to ’14, former Morgan Stanley employee Galen J. Marsh was able to access, without permission, information regarding approximately 730,000 accounts and move it to his own server. This made it possible for third parties to access and hack the information from there.
The Commission said that Morgan Stanley had two internal portals that made it possible for employees such as Marsh to access confidential customer account information, and that for these internal applications the firm lacked the authorization modules that would have restricted which employees could see this information. This deficiency existed for over a decade.
It was just last week that the Financial Industry Regulatory Authority said that it was censuring and fining E*Trade Securities LLC for supervisory violations related to customer order information protection and for not performing sufficient review of the quality of customer order executions. As a firm that offers online services for securities investing and trading to retail customers, E*Trade is supposed to evaluate the competing markets that it routes customer orders to, including exchange and non-exchange market centers. Firms such as E*Trade are also supposed to conduct periodic and stringent reviews of the quality of customer order executions to see if there are any differences among the markets, which is why the firm set up a Best Execution Committee to do this job.
Yet, according to the self-regulatory organization, the committee did not have sufficiently accurate information to make such assessments and did not factor in the internalized order flow that was sent to G1 Execution Services, an affiliated broker-dealer market maker. FINRA said that E*Trade lacked adequate controls and systems to make sure that confidential customer data was not used improperly by persons who were registered with both G1X and E*Trade.
By settling, E*Trade is not admitting or denying the charges brought by FINRA.