US IT and compliance directors need to pay a lot closer attention to how they jointly test and evaluate critical data generated by back-office systems.
That’s the bare-bones lesson, according to ten IT and compliance managers speaking with FinOps Report, that financial firms should learn from Scottrade’s reporting fiasco, which resulted in a fine of US$2.5 million paid to the Securities and Exchange Commission late last month. The St. Louis-based Scottrade also admitted guilt — a pretty rare occurrence during regulatory settlements.
The retail brokerage giant acknowledged it didn’t report complete information about trades 1,231 times between March 2006 and April 2012. The regulator discovered the holes in Scottrade’s reporting when it asked for the so-called Blue Sheet data in 2011 as part of its investigation into a suspected “account intrusion.”
The SEC uses Blue Sheet information to track trading it suspects is illegal or fraudulent. The information includes the name of the firm executing the order, the name of the security traded and the specific parties involved.
The SEC never got the data, because Scottrade’s reporting didn’t include the trades recorded in its internal “error account” – transactions removed from customer accounts because they had trading errors or suspected fraudulent activity.
Scottrade blames its glaring deficiencies on an unintentional coding error which took place when it changed a code on the back-office system back in 2006. The platform was installed three years earlier.
But based on the SEC’s account of events leading up to the fine, it appears that the code problem was just the beginning. The more important issue was the breakdown in communications and controls between the compliance and IT departments, according to FinOps’ expert sources.
“Blue sheet reports are critical to SEC investigations, so broker-dealers need to pay even closer attention to the performance of their critical data-producing back office systems,” says one compliance director at a New York brokerage firm. He recommends mimicking SEC requests and even hiring an independent third-party auditor to verify any testing results.
Had the SEC not investigated Scottrade for an apparent security breach, it is unlikely either the SEC or Scottrade would have caught the recordkeeping mistake. In fact, Scottrade claims it didn’t know about the coding error until it was told by the SEC about the missing data on its Blue Sheet reports.
“Although the information systems department conducted testing of the data processing system program, its testing was inadequate and it failed to reveal the exclusion of the error account trades. The compliance department conducted annual testing of samples of blue sheet responses and didn’t catch the error either,” says the regulatory agency in its settlement with Scottrade.
Scottrade’s payment of the SEC’s fine came the same week as that of Western Asset Management, which also cited a computer glitch at the core of its error in allocating the wrong securities to pension plans.
But Scottrade’s news was overshadowed by WAMCO’s. The likely reason, compliance specialists tell FinOps: the SEC did call Scottrade’s coding error egregious, yet apparently agreed with the firm’s stance that it was entirely unintentional. In addition, unlike WAMCO’s mistake, Scottrade’s error only affected Scottrade’s ability to meet its reporting requirements and didn’t harm any investors.
Nonetheless, Scottrade’s mistake shouldn’t be downplayed far more than WAMCO’s, insist compliance and IT specialists. While WAMCO’s errors did ultimately amount to a breach of fiduciary responsibility in allocating the wrong securities to pension plans and not owning up to the mistake immediately, they too started off as a coding mistake. When a coding error is not uncovered for six years, as was the case with Scottrade, it shows something was clearly amiss with the financial firm’s controls and procedures.
“It’s apparent that Scottrade’s IT department didn’t understand what it should be looking for in the testing and neither did the compliance department,” says one IT director at a New York brokerage firm.
Even more disturbing, according to another compliance specialist, is that neither Scottrade’s IT department nor its compliance department recognized that the firm omitted trades – and probably exactly the kind of trades the SEC was looking for – from the Blue Sheet reports it sent the SEC. The regulator had to tell Scottrade the reports were incomplete.
Even if an innocent coding error was the reason for the omitted information, as Scottrade insists, wouldn’t someone have reviewed and signed off on the information provided to the SEC?
The SEC offered no further explanation of what it meant by unauthorized account intrusions — the reason for its investigation — and Scottrade is clearly downplaying that aspect of events. “In accepting guilt for the recordkeeping error and paying a fine, it clearly deflected attention from potentially more serious account intrusions,” says one New York legal expert who spoke on condition of anonymity.
What does Scottrade have to say for itself? FinOps was instructed by a public relations analyst at the firm’s St. Louis office to refer to the following statement. “As explained in the order, Scottrade inadvertently omitted certain trades from its Blue Sheet responses due to a computer programming error made in 2006. When the situation was discovered, Scottrade promptly conducted a thorough assessment, corrected the issue and supplied the missing information.”
Sending corrections for more than a thousand transactions in six years was probably easier for Scottrade than it was for the SEC to integrate the information into its casework for that timeframe. Assuming the various SEC investigations aren’t long closed, Scottrade’s fine may or may not cover the SEC’s administrative costs of dealing with the delayed reports.
Scottrade’s settlement also included a censure and the hiring of a consultant to review and oversee any further corrections to its data management and reporting systems. All in all, uncovering and fixing the coding error would clearly have been a lot less expensive and embarrassing had Scottrade done so before the SEC forced its hand.