Search This Blog

This is a photo of the National Register of Historic Places listing with reference number 7000063

Sunday, June 12, 2016


SEC: Morgan Stanley Failed to Safeguard Customer Data

Washington D.C., June 8, 2016 — The Securities and Exchange Commission today announced that Morgan Stanley Smith Barney LLC has agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.

The SEC issued an order finding that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data.  As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection.  We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said Andrew Ceresney, Director of the SEC Enforcement Division.

According to the SEC’s order instituting a settled administrative proceeding:

The federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
Morgan Stanley’s policies and procedures were not reasonable, however, for two internal web applications or “portals” that allowed its employees to access customers’ confidential account information.
For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.
Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.
Consequently, then-employee Galen J. Marsh downloaded and transferred confidential data to his personal server at home between 2011 and 2014.
A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.

The SEC’s order finds that Morgan Stanley violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.”  Morgan Stanley agreed to settle the charges without admitting or denying the findings.  In a separate order, Marsh agreed to an industry and penny stock bar with the right to apply for reentry after five years.  He was criminally convicted for his actions last year and received 36 months of probation and a $600,000 restitution order.

The SEC’s investigation was conducted by William Martin and Simona Suh of the Enforcement Division’s Market Abuse Unit and supervised by Joseph G. Sansone, Co-Chief of the unit.  The SEC appreciates the assistance of the New York Field Office of the Federal Bureau of Investigation and the U.S. Attorney’s Office for the Southern District of New York.

Friday, June 10, 2016



Washington D.C., June 9, 2016 — The Securities and Exchange Commission today announced a whistleblower award of more than $17 million to a former company employee whose detailed tip substantially advanced the agency’s investigation and ultimate enforcement action.

The award is the second-largest issued by the SEC since its whistleblower program began nearly five years ago.  The SEC issued a $30 million award in September 2014 and a $14 million award in October 2013.

“Company insiders are uniquely positioned to protect investors and blow the whistle on a company’s wrongdoing by providing key information to the SEC so we can investigate the full extent of the violations,” said Andrew Ceresney, Director of the SEC’s Division of Enforcement.  “The information and assistance provided by this whistleblower enabled our enforcement staff to conserve time and resources and gather strong evidence supporting our case.”

Sean X. McKessy, Chief of the SEC’s Office of the Whistleblower, added, “In the past month, five whistleblowers have received a total of more than $26 million, and we hope these substantial awards encourage other individuals with knowledge of potential federal securities law violations to make the right choice to come forward and report the wrongdoing to the SEC.”

By law, the SEC protects the confidentiality of whistleblowers and does not disclose information that might directly or indirectly reveal a whistleblower’s identity.

The SEC’s whistleblower program has now awarded more than $85 million to 32 whistleblowers since the program’s inception in 2011.  Whistleblowers may be eligible for an award when they voluntarily provide the SEC with unique and useful information that leads to a successful enforcement action.  Whistleblower awards can range from 10 percent to 30 percent of the money collected when the monetary sanctions exceed $1 million.  All payments are made out of an investor protection fund established by Congress that is financed through monetary sanctions paid to the SEC by securities law violators.  No money has been taken or withheld from harmed investors to pay whistleblower awards.

Sunday, June 5, 2016


Brokerage Firm Charged With Anti-Money Laundering Failures

Washington D.C., June 1, 2016 — The Securities and Exchange Commission today charged a Wall Street-based brokerage firm with failing to sufficiently evaluate or monitor customers’ trading for suspicious activity as required under the federal securities laws.

An SEC investigation found that Albert Fried & Company failed to file Suspicious Activity Reports (SARs) with bank regulators for more than five years despite red flags tied to its customers’ high-volume liquidations of low-priced securities.  On more than one occasion, an AF&Co customer’s trading in a security on a given day exceeded 80 percent of the overall market volume.  In other instances, customers were trading in stocks issued by companies that were delinquent in their regulatory filings or involved in questionable penny stock promotional campaigns.  Certain customers also were the subject of grand jury subpoenas received by AF&Co.

AF&Co agreed to pay a $300,000 penalty to settle the charges.

“Albert Fried & Company ignored numerous instances when customer trading activity should have triggered the firm to file SARs.  Brokerage firms must take their anti-money laundering responsibilities seriously so they can serve as a line of defense against misconduct and market risks,” said Andrew Ceresney, Director of the SEC’s Division of Enforcement.

The SEC’s order finds that AF&Co violated Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8.  AF&Co agreed to be censured and pay the $300,000 penalty without admitting or denying the findings in the order, which credits the firm for its cooperation and the remedial measures already undertaken.

While the SEC has charged other firms with anti-money laundering failures under the federal securities laws, this is the first case against a firm solely for failing to file SARs when appropriate.

The case stemmed from the work of the Enforcement Division’s Broker-Dealer Task Force, led by Associate Director Antonia Chion and New York Regional Office Director Andrew M. Calamari.  The task force focuses on current issues and practices within the broker-dealer community and develops national initiatives for potential investigations.

The SEC’s investigation was conducted by Matt Reilly and supervised by Melissa Hodgman with assistance from Eric Kringel, Daniel Goldberg, Damon Reed, and Andrae Eccles of the Enforcement Division’s Bank Secrecy Act Review Group.