FINRA fines Ceros Financial Services over gaps in communications supervision
Ceros Financial Services, Inc. has agreed to pay a $75,000 penalty as part of a settlement with the Financial Industry Regulatory Authority (FINRA).
As part of its settlement with the Financial Industry Regulatory Authority (FINRA), Ceros Financial Services, Inc. has agreed to pay a $75,000 fine. From January 2018 to June 2021, Ceros did not have a reasonable supervisory regime for business-related communications. Its written oversight procedures prohibited registered representatives from using personal email addresses to communicate with customers.
FINRA notified Ceros in March 2018 that at least one of its registered representatives regularly used personal email for business-related communications. Despite receiving this notice, the main system the company implemented to prevent its related personnel from using external email for business-related communications was to create a list of employees' personal email addresses and automatically send a warning email whenever an email from an address on this list arrived in the company system.
As of June 2021, the employees' personal email list contained 16 email addresses of 88 related persons at the company. If an email was sent from the company system to an address on the personal email list, no warning was automatically issued. This process was not documented in any written procedure.
During the relevant period, Ceros sent at least 67 automatic warnings to individuals, some of whom received multiple warnings. However, the company did not review communications sent from or to addresses on the employees' personal email list unless those emails happened to meet the company's other supervisory email review criteria. The company also did not treat these emails as a signal that its systems might not be capturing other external business-related emails.
The company did nothing to prevent the use of external email by those involved, apart from the automated warning emails and a warning letter issued as a result of routine email review. The company also failed to take reasonable steps to ensure that all business-related communications were preserved and retained.
From January 2018 to June 2021, Ceros did not save and retain several business-related emails, as these were direct communications between the representative's personal email and the customer. Because these emails did not include a Ceros email address among the recipients, the company could not quantify how many business-related emails were not saved and retained. In light of its failure to identify or preserve these communications, Ceros also did not conduct a supervisory review of them.
Ceros has now implemented a company-wide list of personal email addresses and blocked any communication with addresses on the list.
By failing to reasonably supervise the use of external email for business-related communications and by failing to preserve such communications, Ceros violated Section 17(a) of the Exchange Act, Section 17a-4 of the Exchange Act and Rules 4511, 3110 and 2010 of FINRA.
During the same period, Ceros failed to adopt written policies and procedures to protect customer records and information, in violation of Section 30(a) of Regulation S-P of the Exchange Act and FINRA Rule 2010.
Since January 2018, Ceros has also failed to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft, in violation of the S-ID regulations of the Exchange Act and the FINRA 2010 rules.
In addition to the fine, the company agreed to accept a censure.