The Financial Industry Regulatory Authority (FINRA) fined Wells Fargo, RBC Capital Markets, LPL Financial and others a total of $14.4 million for a records management problem. This risk and compliance issue may have allowed company and customer records to be altered.
FINRA found that the firms failed to keep hundreds of millions of records in a "write once, read many" (WORM) format. The WORM format makes it impossible to alter or destroy records after they are written. Because they were not kept in this format, it is possible these records could have been edited by the firm after the initial creation of the record.
The firms accepted the fines but neither admitted nor denied the charges. According to FINRA, these particular records were "pivotal to the firms' brokerage business," and FINRA relies on these records to ensure firms are following securities laws. Additionally, FINRA cited data breaches as a potential concern for these types of records.
From a risk and compliance standpoint, these revelations are an enormous concern. Not only are these firms not complying with the proper regulations, they are putting their data at risk of a leak or breach.
When it comes to your risk and compliance plan, here are a few questions you must ask:
- Are we being transparent? The organization needs to be transparent about how they are obtaining data and where (and for how long) that data is being stored. The data also needs to be accessible to those who require it in a safe and traceable system.
- Do we have consent? Sensitive information should require consent from all parties to be obtained and stored. It should also be disposed of properly and in line with the overall information governance strategy.
- How long are we retaining data for? One of the tenets of a complete compliance plan and information governance strategy is the defensible disposition of data when appropriate. The company should always refer to current local, state, federal and industry regulations when constructing a retention schedule.
- Are we collecting unnecessary data? Data should only be collected when critical to the business. Trivial or obsolete data can pose a storage and compliance issue if not handled correctly.
- Are we keeping the data secure? Appropriate security measures are critical to every organization's overall compliance plan and must be a priority even for non-records. The up-front cost of properly securing data pales in comparison to the cost of a data breach.
- Are we giving the data to third parties? Any time data is sent outside of the organization, it is important to understand how that data will be treated. Your organization can end up in just as bad a situation if your data that resides with a third party is breached. Your data remains your responsibility regardless of where it lives.