Southwest Securities: Municipal Securities Supervision Failure
FINRA recently fined Southwest Securities Inc. of Dallas $500,000 for failing to have adequate controls and procedures in place to supervise certain aspects of its municipal securities business.
It appears Southwest's procedures were not updated to reflect the 2005 amendment to MSRB Rule G-38 prohibiting payments to unaffiliated individuals, and the firm failed to regulate political contributions, despite those obligations being specified in its own policies and procedures.
"What is the purpose of having policies and procedures if they are not followed closely? As compliance professionals, it is our responsibility to audit to our P&P."
If there are any doubts whether your firm is conducting business as written in its policies and procedures, then either the policy or procedure needs to be rewritten, or irrelevant sections should be evaluated for elimination. Why give the regulators ammunition for sanctions?
Firms must also understand that 529 plans are considered municipal securities. If you do not have any policy and procedure controls for the sale of these products, you should immediately draft them.
The days of being able to piece a firm's policies and procedures together are long gone. Everything that is outlined must be followed by all employees.
An effective Risk Management strategy is essential. So what is your firm doing right now to ensure its controls are working?
Lincoln Financial Group: Client Information Access Controls
FINRA also recently fined Lincoln Financial Group $600,000 for failing to have appropriate controls over access to client information — and notably, this action was taken even before a breach occurred. FINRA found that Lincoln allowed current and former employees to access account records from any Internet browser using shared usernames and passwords.
The problem arose when shared login credentials were not controlled and could be used by unauthorized persons — whether currently employed, terminated, or with no affiliation to the company whatsoever.
This risk affects all financial firms that offer computer-based access to confidential information. SEC Regulation S-P requires firms to maintain policies and controls to safeguard customer information. So is your compliance team taking appropriate precautions around privacy and customer confidentiality? Is your team also approaching internal audits from a risk management perspective?
Another important lesson here: FINRA will respond to non-compliant policies and lack of control without waiting for an actual incident.
"Many regulatory sanctions can be avoided if you and your compliance department are taking an offensive approach, as well as promoting a strong culture of compliance."
How often is your firm proactively auditing within the guidelines of its policies and procedures?