The Financial Industry Regulatory Authority has fined two Wells Fargo entities $2.25 million for failing to maintain customer identification program records in a proper tamper-proof format over a 17-year period.

Finra said that from 2003 to 2020, Wells Fargo Clearing Services LLC and Wells Fargo Advisors Financial Network failed to store about 13 million customer identification program records in the format known as “write once, read many” or “WORM” format. The agency said that such records are critical for anti-money-laundering programs. WORM programs are considered to be tamper proof, which security analysts deem to be critically important in an age of data breaches. The 13 million records covered 8.2 million customers, Finra said.

“Broker-dealers are required to establish, document, and maintain a Customer Identification Program (CIP), including risk-based procedures for verifying the identity of its customers, pursuant to federal anti-money laundering regulations,” said Finra in its letter of acceptance, waiver and consent. “A broker-dealer’s [program] must include procedures for making and maintaining records of all information obtained in verifying a customer’s identity, including a description of the methods and the results of any identity verification measures, and a description of the resolution of each substantive discrepancy discovered when verifying such information.”

Finra said that Wells Fargo staff discovered the problem while trying to clear up a similar issue related to its brokerage accounts in 2016. In December of that year, Finra said that Wells Fargo Advisors LLC, Wells Fargo Advisors Financial Network LLC and First Clearing LLC had failed to keep one million brokerage accounts in the WORM format since 2003, and Wells Fargo received a $1.5 million fine at the time.

But even though firm personnel discovered then that the customer identification program records were on a system that wasn’t WORM compliant, “the issue, however, was not escalated to the firms’ working group that considered Finra reporting obligations, and the firms did not report it to Finra or remediate it at that time,” says the most recent agency letter.

“Approximately 13 million CIP-related records, pertaining to approximately 8.2 million customers, were stored on the non-WORM compliant platform from 2003 to August 2020, with approximately 4 million documents having been stored on the firms’ non-WORM compliant platform after the firms discovered the issue in November 2016. Therefore, from 2003 to August 2020, the firms violated Exchange Act Rule 17a-4(f)(2)(ii)(A), NASD Rules 3110 and 2110, and FINRA Rules 4511 and 2010.”

Wells Fargo sent a statement to Financial Advisor: "At Wells Fargo Advisors, we take our regulatory responsibilities seriously and we are pleased to have this issue resolved."