Herbert J. Sims & Co., Inc. (HJ Sims) has agreed to pay a $100,000 fine as part of a settlement with the Financial Industry Regulatory Authority (FINRA).
Between 2016 and 2019, HJ Sims failed to establish and implement an anti-money laundering (AML) program reasonably designed to detect, and cause the reporting of, suspicious cyber-events. HJ Sims therefore violated FINRA Rules 3310(a) and 2010.
Between 2016 and 2019, five cyber-events occurred at or through HJ Sims. In each event, a bad actor gained unauthorized access to a customer’s or a registered representative’s email account.
In two of those events, the bad actor initiated a request to wire funds to third-party bank accounts. In one of those instances, HJ Sims approved an $80,000 wire request and funds were sent to the third-party account (but eventually recovered). In the other three events, bad actors gained access to the email accounts of HJ Sims’ employees.
Although HJ Sims maintained a cybersecurity policy, that policy did not require cyber-events to be reviewed for AML purposes. Further, HJ Sims’ written AML compliance program did not mention cyber-events, and the firm had no process in place for reviewing such events.
Thus, although HJ Sims became aware of each of the five cyber-events soon after they occurred, and the firm’s head of IT conducted a forensic investigation of each event, the firm conducted no AML investigation of any of them. It also failed to recognize that the nature of the incidents, and the assets put at risk by them, potentially necessitated the filing of suspicious activity reports (SARs).
In addition to the fine, HJ Sims consented to the imposition of a censure.