Gimmal Blog


Risk and Compliance Mistake Costs Financial Firms $14 Million

The Financial Industry Regulatory Authority (FINRA) fined Wells Fargo, RBC Capital Markets, LPL Financial and others a total of $14.4 million for a records management problem. This risk and compliance issue may have allowed company and customer records to be altered.

FINRA found that the firms failed to keep hundreds of millions of records in a "write once, read many" (WORM) format. The WORM format makes it impossible to alter or destroy records after they are written. Because they were not kept in this format, it is possible these records could have been edited by the firm after the initial creation of the record.


The firms accepted the fines but neither admitted nor denied the charges. According to FINRA, these particular records were "pivotal to the firms' brokerage business," and it relies on these records to ensure firms are following securities laws. FINRA also cited data breaches as a potential concern for these types of records.

From a risk and compliance standpoint, these revelations are an enormous concern. Not only are these firms not complying with the proper regulations, they are putting their data at risk of a leak or breach.

When it comes to your risk and compliance plan, here are a few questions you must ask:

  1. Are we being transparent? The organization needs to be transparent about how it is obtaining data and where (and for how long) that data is being stored. The data also needs to be accessible to those who require it in a safe and traceable system.
  2. Do we have consent? Sensitive information should require consent from all parties to be obtained and stored. It should also be disposed of properly and in line with the overall information governance strategy.
  3. How long are we retaining data for? One of the tenets of a complete compliance plan and information governance strategy is the defensible disposition of data when appropriate. The company should always refer to current local, state, federal and industry regulations when constructing a retention schedule.
  4. Are we collecting unnecessary data? Data should only be collected when critical to the business. Trivial or obsolete data can pose a storage and compliance issue if not handled correctly.
  5. Are we keeping the data secure? Appropriate security measures are critical to every organization's overall compliance plan and must be a priority even for non-records. The up-front cost of properly securing data pales in comparison to the cost of a data breach.
  6. Are we giving the data to third parties? Any time data is being sent outside of the organization, it is important to understand how that data will be treated. Your organization can end up in just as bad a situation if your data that resides with a third party is breached. Your data remains your responsibility regardless of where it lives.

By Kevin Bley
