Exclusive: Anatomy Of A Brokerage IT Meltdown
Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.
GunnAllen's IT failures paralleled larger business problems. Formerly known as Napex Financial Corp., GunnAllen was founded in 1996 by Donald Gunn and Richard "Allen" Frueh. GunnAllen provided a place for brokers and dealers, who must be associated with a FINRA member firm in order to trade, to hang their shingle. But by 2008, senior members of the firm had come under fire for not properly vetting those brokers or monitoring what they were doing in the name of GunnAllen.
Notably, 2008 was when FINRA fined GunnAllen $750,000 for a "trade allocation scheme" conducted by former head trader Alexis J. Rivera. "In 2002 and 2003, the firm, acting through Rivera, engaged in a 'cherry picking' scheme in which Rivera allocated profitable stock trades to his wife's personal account instead of to the accounts of firm customers," according to FINRA. "Rivera garnered improper profits of more than $270,000 through this misconduct, which violated the anti-fraud provisions of the federal securities laws and FINRA rules. Rivera was barred in December 2006."
FINRA accused GunnAllen's investment division of doing business with companies, then failing to inform the broker-dealer's own compliance department that those companies should be placed on a restricted or watch list for investments, as is required by the agency. FINRA also said the brokerage failed to safeguard non-public information in its investment division, meaning that other employees could have profited from insider information. Finally, FINRA accused GunnAllen of "failing to preserve emails and instant messages."
A lack of top-down oversight of Michigan-based GunnAllen broker Frank Bluestein ultimately led to the firm's demise. Bluestein resold investments on behalf of Ed May, who FINRA said "created and marketed unregistered investments" to an estimated 1,500 investors under the company he ran, E-M Management Co., LLC. In 2007, the SEC charged May with fraud, for allegedly running a Ponzi scheme focused on a fictitious Las Vegas casino and fake telecommunications equipment and leasing deals that took in more than $250 million before being discovered and stopped.
In 2009, the SEC also charged Bluestein with fraud. According to the SEC complaint, from 2002 to 2007 Bluestein ran seminars that "lured elderly investors into refinancing the mortgages on their homes," ultimately recruiting about 800 investors and securing $74 million in investments.
In April 2011, May pleaded guilty to 59 counts of mail fraud, received a 16-year prison sentence, and was ordered to pay a $250,000 fine. Bluestein, however, denied all knowledge of the Ponzi scheme, citing in his defense that he'd personally purchased the investments being sold by May.
Regardless, GunnAllen faced a volley of investor lawsuits after the SEC's 2009 allegations. By March 2010, FINRA found that GunnAllen no longer had sufficient net capital to trade and closed the firm, leading to the layoff of 400 employees. By November 2010, GunnAllen had been liquidated.
First-Ever Standalone SEC Privacy Fine
Although GunnAllen went bankrupt, regulators weren't done with it. The SEC in 2011 accused two former employees--president Frederick O. Kraus and national sales manager David C. Levine--of having inappropriately used GunnAllen customer data, and it fined them each $20,000.
The SEC also slammed GunnAllen's former chief compliance officer, Mark A. Ellis, for having failed to put in place or enforce proper policies and procedures for protecting customer information. It fined Ellis $15,000. The agency noted that the broker-dealer's written policies were "vague" and turned out to be little more than a rewording of the actual SEC regulations.
As for the alleged security breaches related to InformationWeek by the former Revere Group employees, a 2010 SEC enforcement action against former GunnAllen executives detailed multiple security incidents, but not the full extent of the breaches alleged by the former employees, which included at least one missing laptop containing financial information. Likewise, the home router incident didn't even come to light until 2009, one year after FINRA fined GunnAllen.
New SEC Violations Emerge
In June 2011, Sago detailed the additional security violations in a six-page letter to the SEC's Miami office, which had conducted the GunnAllen investigation. The agency's associate director of enforcement in Miami, who was in charge of the investigation, didn't respond to multiple calls and emails seeking comment on Sago's allegations, whether the investigation was still open, or whether the additional revelations might lead to any new fines or sanctions against current or former employees of GunnAllen or The Revere Group. A spokeswoman for the SEC, reached by phone, declined to comment on any of those questions.