[Updated May 2019] The Financial Industry Regulatory Authority (FINRA) fined several financial services firms a total of $14.4 million for failure to properly safeguard customer records. Fourteen securities dealers received fines, including the brokerage arms of two major banks, PNC Capital Markets ($500,000) and Wells Fargo ($5.5 million).
The SEC and FINRA police securities brokerage firms. Both agencies have made cybersecurity a regulatory priority. On December 21st, FINRA announced fines against several major brokerage firms including four firms associated with two major banks. PNC Capital Markets is the brokerage arm of PNC Bank. Wells Fargo Securities, Wells Fargo Prime Services and Wells Fargo Advisors are the brokerage firms associated with Wells Fargo & Co. All four companies received fines.
FINRA says it found that “at various times, and in most cases for prolonged periods, the firms failed to maintain electronic records in ‘write once, read many,’ or WORM, format, which prevents the alteration or destruction of records stored electronically.”
While the violations sound very technical, the practical effect on customers is very real. WORM is a storage format that keeps electronic records safe from alteration or destruction. Can you imagine the disruption to the financial services world if a hacker could destroy or alter everyone’s bank records?
The number of records affected is in the hundreds of millions, although there is no evidence of any hacking or cyber breaches. The fines were levied because the firms had weak cybersecurity protocols, meaning their client records were vulnerable to attack.
In settling the charges, neither PNC nor Wells Fargo admitted any wrongdoing. According to InvestmentNews, a Wells Fargo spokesperson says the company self-reported its weaknesses and is taking steps to address the problems.
Cybersecurity, Banks and Whistleblower Awards
FINRA imposed the fines and penalties in this case. That agency doesn’t have a whistleblower award provision and can’t regulate banks. The SEC, however, has a whistleblower program that extends to violations of securities rules. Lax cybersecurity is one such violation that could result in an award.
When banks violate their cybersecurity obligations, there may be an opportunity to collect an award under the FIRREA statute. Short for the Financial Institutions Reform, Recovery and Enforcement Act, FIRREA can pay whistleblowers up to $1.6 million.
To qualify for a FIRREA award, one needs inside information about misconduct affecting the financial stability of a bank. Certainly, large cybersecurity lapses or unreported successful hacks of a bank’s customer records would qualify.
Awards for whistleblowers are based on a percentage of what the government collects. The law caps awards at $1.6 million.
The OCC (Office of the Comptroller of the Currency), Federal Reserve and FDIC all impose cybersecurity rules on banks. Banks with lax security, or that violate those regulations and put depositors at risk, may be liable. That means cash awards may be available to whistleblowers who step forward with information.
[Update] This post was written in December 2016, just after the Federal Reserve, OCC and FDIC announced joint cybersecurity rulemaking. The proposed rule would have strengthened cybersecurity rules for banks and their vendors. Since then, nothing has happened. The OCC and FDIC backed out of the rulemaking in early 2019. The Federal Reserve says it plans on moving ahead in November 2019. Even without the new rules, the government has been able to levy multimillion-dollar fines using existing rules.
For more information, visit our cybersecurity whistleblower award page or contact attorney Brian Mahany. Brian can be reached at or by phone at (414) 704-6731 (direct). All inquiries are protected by the attorney-client privilege and kept confidential.
MahanyLaw – America’s Whistleblower and Bank Fraud Lawyers