Fidelity settlement
In Re: Fidelity Brokerage Services LLC
Date: Jan. 8, 2025
Issue: Fidelity Brokerage Services LLC’s consent order with the Financial Industry Regulatory Authority (FINRA) related to an ex-employee’s alleged theft.
Case Summary: Fidelity Brokerage Services LLC agreed to pay $600,000 to settle allegations that it lacked an adequate supervisory system from 2012 to 2020, which allowed a former employee to steal $750,000 from customer accounts.
FINRA Rule 3110(a) and its predecessor, NASD Rule 3010(a), require member firms to establish and maintain systems that supervise the activities of each associated person. These systems must ensure compliance with securities laws, regulations, and FINRA rules. Rule 3110(a) and NASD Rule 3010(a) also obligate firms to investigate red flags suggesting potential misconduct and to act on their findings. NASD Rule 3012 mandates the review and monitoring of customer address changes and the validation of those changes. Violating FINRA Rule 3110 or NASD Rules 3010 and 3012 also violates FINRA Rule 2010, which demands firms uphold high standards of commercial honor and just principles of trade in their business conduct.
FINRA claimed that, between December 2012 and October 2020, an associated person allegedly stole $750,000 from 37 international participants while maintaining Stock Plan Services (SPS) account data. This person was reportedly responsible for resolving data inconsistencies and handling data inquiries from companies and their employees. FINRA asserted that Fidelity violated FINRA Rules 3110 and 2010 and NASD Rules 3010 and 3012 by failing to create an effective supervisory system to monitor the person’s access to SPS account data and the transfer of funds from international SPS accounts.
According to FINRA, Fidelity failed to design a system, including Written Supervisory Procedures (WSPs), to properly oversee its associated persons’ access to SPS account data. Fidelity’s WSPs prohibited associated persons from accessing SPS account data unless required for their job responsibilities and only allowed changes to SPS account data under instructions from plan sponsors and participants. While Fidelity used a workflow management tool to log, track, and oversee changes, it did not monitor for, or block associated persons from, accessing or modifying data without recording the change in the tool. As a result, an associated person allegedly avoided detection by accessing and altering SPS account data without logging the changes in the workflow management tool. FINRA also claimed that Fidelity’s system failed to monitor or prevent unlogged changes to SPS account data, including unauthorized modifications to participants’ addresses. According to FINRA, Fidelity’s system was inadequate in preventing unauthorized access and changes to SPS account data.
FINRA also alleged that Fidelity failed to design an effective system to supervise outgoing money movements from international SPS accounts. After altering international SPS account data, an associated person allegedly used the improperly accessed data to impersonate plan participants through Fidelity’s online SPS plan participant portal. The person then liquidated the participants’ holdings and withdrew the funds, either by issuing checks from the international SPS accounts payable to himself or by wiring money from the international SPS accounts to a domestic SPS account he controlled. Specifically, the associated person allegedly issued 83 unauthorized checks from international SPS accounts, totaling approximately $380,000, and made 183 unauthorized wire transfers to the domestic SPS account, totaling about $378,000. Although Fidelity had a system to monitor fund transfers from customer accounts, it did not include outgoing money movements from international SPS accounts in that system or any other firm surveillance program. As a result, Fidelity allegedly did not review or monitor the unauthorized checks and wire transfers described above.
Bottom Line: Fidelity did not admit to or deny FINRA’s allegations.
Document: Consent order