Morgan Stanley Smith Barney has agreed to pay six states $6.5 million to settle charges that the firm compromised the personal information of millions of customers nationwide.
In July 2020, Morgan Stanley alerted six attorneys general to two security incidents. The settlement with Connecticut, Florida, Indiana, New Jersey, New York and Vermont resolves an ongoing investigation into those incidents.
As The DI Wire reported in 2022, the Securities and Exchange Commission announced charges against Morgan Stanley stemming from the firm’s “extensive failures,” over a five-year period, to protect the personal identifying information of 15 million customers. Morgan Stanley agreed to pay a $35 million penalty to settle the SEC charges.
The first incident involved computer devices that were decommissioned and resold in connection with the closing of two data centers in 2016. While Morgan Stanley had contracted the vendor to remove its data from the devices, it subsequently learned that the vendor subcontracted certain relevant services to an unauthorized entity and that certain devices still contained some unencrypted personal information, according to an agreement released by New York Attorney General Letitia James.
The second incident involved a software flaw that could have left unencrypted data fragments on affected devices that Morgan Stanley was unable to locate following a decommissioning event; the data fragments may have remained on the affected devices as a result of a manufacturer flaw in the encryption services.
According to James, Morgan Stanley failed to decommission its computers and erase unencrypted data belonging to 1.1 million New Yorkers.
The agreement says James and the other attorneys general “determined that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, the data incidents could have been prevented.”
New York, according to James, will receive $1.7 million from the settlement and Morgan Stanley will be required to strengthen its data security measures.
In a separate matter, the firm agreed last week to a censure and $400,000 fine with the Financial Industry Regulatory Authority, which charged that Morgan Stanley failed to deliver prospectuses to customers electing paper delivery in connection with 166,104 trades in 65 ETFs, affecting over 44,000 accounts from August 2020 to October 2022.
The firm’s prospectus delivery failures stemmed from coding in the firm’s internal systems that incorrectly indicated that prospectuses need not be delivered for transactions in these 65 ETFs, all of which were in the same fund family.
FINRA says that because Morgan Stanley’s third-party prospectus fulfillment vendor delivered a paper prospectus only when Morgan Stanley’s systems indicated one should be delivered, the vendor did not deliver prospectuses for the 65 ETFs until Morgan Stanley discovered and fixed the coding error in October 2022. The firm subsequently implemented additional procedures requiring manual reviews of prospectus delivery indicators to confirm its systems accurately indicate whether prospectuses are to be delivered.
Morgan Stanley Smith Barney LLC is registered as both a brokerage firm and an investment advisor. The company buys and sells securities such as stocks, bonds, mutual funds and other investment products, and it also manages investment portfolios and provides financial planning services.