Office of Compliance Inspections and Examinations:
Examinations of Broker-Dealers Offering
Online Trading: Summary of Findings and Recommendations
January 25, 2001
Given the growth and popularity of online trading, the staff of the Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("Staff") initiated a series of examinations of registered broker-dealers providing customers with the ability to place trades through the Internet ("online trading").1 In these examinations, the Staff reviewed: (1) the information that firms provide to customers about trading and making investment decisions; (2) advertising; (3) the execution of customers' transactions; (4) capacity for handling customer trading volumes; (5) security measures; and (6) supervision of employees' use of the Internet.
We believe that by sharing the Staff's general findings and observations from these examinations, we can more broadly heighten awareness of these issues by broker-dealers as they evaluate their own online trading systems. We are publishing this summary to highlight issues in this area and to assist broker-dealers in evaluating their online trading systems.2
In summary, based on the examinations, the Staff recommends that broker-dealers offering online trading consider the following issues:
- the information provided to customers online about how orders are executed, how margin works, and the possibility of systems' delays;
- the objectivity of their advertising;
- procedures for ensuring that customers receive best execution;
- procedures for ensuring adequate operational capability to handle customer trading volume;
- security measures to protect customer privacy and funds; and
- procedures to supervise employees' use of Internet communications.
This report describes findings and recommendations in each of these areas.3
Broker-dealers have offered customers the ability to submit trades electronically through direct dial-up connections since the 1980s. The first Internet-based trading systems were introduced in 1995. Since that time, online trading has increased dramatically - according to a recent estimate, there are 7.8 million individuals trading online, making 807,000 trades per day.4 Currently, there are over 200 broker-dealers providing retail investors with the ability to trade online. Along with the growth in online trading, there has been a surge in investor complaints related to online trading.5 From early 1999 through today, the most common complaints by investors have been failures or delays in processing their orders online, difficulty in accessing their online accounts, and errors in processing their orders.
The Staff selected a wide range of broker-dealers offering online trading for the examinations. The firms examined included the largest firms in terms of trading volume as well as numerous mid-size and smaller firms. Most of the firms examined are traditional firms that added Internet trading to their services, although some firms were formed in order to provide Internet services to customers. The Staff focused examination attention on areas that are the subject of frequent customer complaints, as well as other related areas.
The following is a summary of the issues raised in our review of online trading.
I. Disclosure and Investor Education
As noted, the SEC has received a significant number of investor complaints that appear to indicate a lack of knowledge about trading and investing. As a result, the Staff's examinations of online firms included a review of the information firms provide to customers on their web sites.
A. Investor Education
Many people who may not have prior investment experience are entering the markets by opening accounts and trading online. With a live representative, if an investor does not understand trade terms or the mechanics of placing an order, the investor can simply ask the representative for information. On the Internet, the investor's ability to obtain answers often is dependent upon the information already available on the firm's web site in a conspicuous and accessible location.
To help educate customers, broker-dealers should consider enhancing their web sites to provide a basic explanation of securities trading, including definitions of each of the terms used on the firm's order entry page that are accessible from the trading screen. Firms should also provide conspicuous, plain English disclosure about the risks of securities trading, including the risk of systems outages or failures.6
While many broker-dealers have a glossary or help screen on their web sites that explains investment terms to their clients, the adequacy of these glossaries differs from broker to broker, and some firms do not provide any information to customers explaining key investing terms and concepts. The most helpful sites provide a glossary containing all terms used on the firm's web site that can be accessed from the trading screen. Location of the glossary is also an important consideration. At some web sites, the glossary is difficult to locate (e.g., at the bottom of a menu labeled "research"). In addition, some firms, while attempting to explain key terms and concepts, do not do so in a clear manner. The best sites reviewed by the Staff have plain English explanations of key investing terms and concepts, such as:
- the differences between the various types of orders that may be placed (e.g., a market order, a limit order, a stop limit order);
- notice that a market order may be executed at a price higher or lower than the quote displayed on the web site at the time of order entry;
- an explanation of how the customer's orders are executed;
- any situations in which customers may not receive an execution;
- any restrictions on the types of orders that customers can place;
- the possibility of systems' delays or outages, the effect of delays or outages on executing orders, and any alternative means of placing orders; and
- how market volatility can affect customers' orders.
Because many complaints by online customers relate to their inability to access accounts or to execute transactions in a timely manner, the Staff reviewed firms' disclosure relating to the possibility of systems outages or failures. The Staff found that many of the firms examined did not provide conspicuous, plain English information about the risks of systems outages or slowdowns. Most firms' discussions of delays or outages are limited to disclaimers of liability for systems capacity and failure in their new account agreements.
B. Duplicate Orders
The SEC has also received numerous investor complaints about inadvertently-placed duplicate orders. This can happen when reports of cancellations are significantly delayed (by hours or even days) so that a customer may assume that his/her initial trade was not executed. Duplicate orders have resulted in customers placing unintended short sales or buying beyond their available funds. As a result of complaints in this area, the Staff reviewed firms' procedures for preventing the execution of duplicate orders.
Broker-dealers should take steps to prevent executions of unintended duplicate orders. In designing or implementing procedures to prevent duplicate orders, firms may want to consider several approaches we have seen in our examinations. Some firms' trading status screens provide information as to whether a trade has been cancelled or is still pending.7 Some firms have eliminated the ability of investors to place cancellation requests for market orders.8 Some broker-dealers place a "lock" on the securities, funds, or buying power subject to a sell or buy request, which is not removed until confirmation of the cancellation is received from the marketplace.9 Some online trading systems automatically notify investors of an order pending in the same security whenever they enter a new buy or sell order. Other firms provide a warning message at the time of cancellation stating that customers should not assume that a cancellation request has gone through until they have received confirmation. The Staff's review of customer complaints at firms that rely on this method, however, indicates that it does not eliminate all unintended duplicate orders.
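The following Python model is an added illustration, not code from the report or from any firm examined. It combines three of the approaches described above: a lock on buying power that is released only when the marketplace confirms a cancellation (not when the customer requests one), a warning whenever a new order is entered in a security that already has a pending order, and a status screen that continues to show the original order as pending until confirmation arrives. Order sizes, the single-account structure and the notional dollar amounts are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class OrderState(Enum):
    PENDING = "pending"                     # sent to the marketplace, not yet filled
    CANCEL_REQUESTED = "cancel requested"   # customer asked to cancel; marketplace has not confirmed
    CANCELLED = "cancelled"                 # marketplace confirmed the cancellation
    FILLED = "filled"


@dataclass
class Order:
    order_id: int
    symbol: str
    notional: float          # dollars committed, estimated at order entry (assumed: price * quantity)
    state: OrderState = OrderState.PENDING


@dataclass
class Account:
    buying_power: float
    locked: float = 0.0      # buying power reserved by orders that are pending or awaiting cancellation
    orders: dict = field(default_factory=dict)
    next_id: int = 1

    def available(self) -> float:
        return self.buying_power - self.locked

    def open_orders_in(self, symbol: str):
        """Orders the status screen still shows as open, including those with an unconfirmed cancel."""
        return [o for o in self.orders.values()
                if o.symbol == symbol and o.state in (OrderState.PENDING, OrderState.CANCEL_REQUESTED)]

    def place_buy(self, symbol: str, notional: float):
        """Return (order, warnings). Refuse the order if it would exceed unlocked buying power."""
        warnings = []
        if self.open_orders_in(symbol):
            warnings.append(f"an order in {symbol} is still open; this may be an unintended duplicate")
        if notional > self.available():
            raise ValueError("insufficient available buying power (funds are locked by an open order)")
        order = Order(self.next_id, symbol, notional)
        self.next_id += 1
        self.orders[order.order_id] = order
        self.locked += notional
        return order, warnings

    def request_cancel(self, order_id: int) -> str:
        """Record the request only; the lock is deliberately NOT released until the marketplace confirms."""
        order = self.orders[order_id]
        if order.state is OrderState.PENDING:
            order.state = OrderState.CANCEL_REQUESTED
        return "cancellation requested; do not assume it succeeded until you receive confirmation"

    def marketplace_confirms_cancel(self, order_id: int) -> None:
        order = self.orders[order_id]
        order.state = OrderState.CANCELLED
        self.locked -= order.notional

    def marketplace_fills(self, order_id: int) -> None:
        order = self.orders[order_id]
        order.state = OrderState.FILLED
        self.locked -= order.notional
        self.buying_power -= order.notional

    def status_screen(self):
        """What the customer sees: every order with its current state."""
        return [(o.order_id, o.symbol, o.state.value) for o in self.orders.values()]
```

Because the lock survives the cancellation request, a customer who re-enters the same order while the first is still awaiting confirmation is either refused (not enough unlocked buying power) or at least warned, which is the gap that a warning message alone leaves open.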
C. Information About Margin
Customer complaints about margin have increased significantly recently, often from customers who believed that their broker-dealer should not have liquidated their margin accounts without providing an opportunity for the customer to provide additional funds. Many customers have stated that they do not understand some of the essential terms of their margin accounts.
Firms should evaluate the information they provide to customers about margin to ensure that it is in plain English and conspicuous. To address the problem of inadequate information about margin, the NASDR has filed with the SEC a proposed rule change adding new NASD Rule 2341. The proposed rule would require members to deliver to non-institutional customers, prior to or at the opening of a margin account, a specified disclosure statement that discusses the operation of margin accounts and the risks associated with trading on margin.10 The disclosures of the risks involved would include the following:
- A customer can lose more funds than he/she deposits in the account if the securities purchased on margin decline in value.
- A firm has the right to force the sale of securities in any of the client's accounts held at the firm to cover a margin deficiency if the equity in the margin account falls below the maintenance margin requirements or the firm's higher "house" requirements and a customer is responsible for any shortfall in the account after the sale.
- A firm can sell a customer's securities without contacting him/her. While many firms will attempt to notify their customers and allow the customer a few days to meet the call, the firm can still sell a customer's securities held at the firm at any time without further notice.
- A customer is not entitled to choose which securities in his/her account(s) are liquidated or sold to meet a margin call.
- The firm can increase its "house" maintenance margin requirements at any time and is not required to provide a customer with advance written notice. These changes in firm policy often take effect immediately and may result in the issuance of a maintenance margin call.
- A customer is not entitled to an extension of time on a margin call.
Approximately one-third of the firms examined did not provide or make available to prospective customers any information about margin, other than the margin agreement itself. Another quarter of the firms examined had less than complete definitions relating to margin on their web site. For example, one firm defined margin balance, but did not explain a margin call. Only a few firms explained how margin works in a rising market as well as in a falling market, an important concept for investors to understand.
Firms should consider their procedures for notifying the customer of securities that have higher margin requirements. The Staff's review found that firm practice for informing customers of margin requirements for particular securities varies. Some firms provide a list of all securities with higher margin requirements on their web sites to make customers aware of the margin requirements on the specific securities they are considering purchasing.
Firms should consider providing on their web sites either the actual interest rate that will be charged on margin balances or an explanation of how the interest rate will be calculated and providing a source that the investor can use to calculate the margin rate. The Staff's review found that most firms state on their web sites that customers will be charged an interest rate on their outstanding margin balances equaling a certain percentage over the broker's call rate (e.g., 1% over the broker's call rate).11 A few firms explained how the customer could obtain the broker's call rate (e.g., through the Wall Street Journal). Some firms provided the actual percentage rate that would be charged on outstanding margin balances (e.g., 8%), but the rates indicated were often out of date. A few firms stated that they charged a certain percentage rate above a base rate, but did not disclose how the base rate was determined or what the base rate was (e.g., 2% over the rate established by the firm).
D. Online Public Offering Process
The SEC recently issued a release that included guidance to broker-dealers concerning, among other things, conducting online initial public offerings ("IPOs").12 In that release, the SEC noted its concern that there may be insufficient information available to investors to enable them to understand fully the online public offering process. Firms should review the SEC release, and should provide customers with a full and accurate description of their online IPO allocation and distribution methods, including the probability of receiving shares. During the examinations, the Staff found instances in which the allocation process described on firms' web sites was unclear and potentially misleading to customers.
E. Cash Accounts
The Staff's review of customer complaints found that some investors with cash accounts erroneously believed that they were not responsible for trades that were executed at prices exceeding their available funds (i.e., that the broker-dealer had agreed to only send trades for execution if the customer had the funds available in the account to cover the purchase price). This misconception apparently arises because some online broker-dealers inform customers with cash accounts that they are limited to purchasing with funds that are already deposited with the broker. To avoid this misunderstanding, broker-dealers should inform customers that cash accounts do not limit the customer's losses or liability to the funds available in the account.
F. Chat Rooms and Bulletin Boards
Several firms examined by the Staff sponsor chat rooms or bulletin boards for customers or anyone online (collectively referred to as "forums") where specific recommendations were made by participants in response to questions posed by other participants. In some cases, the firm arranged for individuals to participate in the forum as an event leader or moderator. The Staff is concerned that customers may perceive the opinions of forum participants as being endorsed by the broker-dealer, because the broker-dealer sponsors the forum and its logo appears on the web page. If firms do not intend to endorse the statements of forum participants, they should consider placing a prominent disclaimer at the forum's point of entry and on the banner along with the firm's name and/or logo indicating that the firm does not intend to make or endorse the recommendations made in the forums. In addition, if firms arrange for third parties to participate in the forums, the firm should consider disclosing the identity and professional experience of such participants and any compensation arrangements and any other association the firm has with such participants. The Staff's examinations found that all the forums reviewed contained disclaimers that indicated that the firm was not making the recommendations made in these forums. In most cases, however, the disclaimers were not prominently located and would not necessarily be seen by a person upon entering the forum.
II. Advertising
Regulators have expressed concern that certain aggressive advertising by broker-dealers could lead investors to have unrealistic expectations about the risks and rewards of investing.13 Firms should ensure that their advertising is balanced, describing the risks as well as the potential rewards of trading and investing.14 The Staff's review found examples both of advertising that balanced the risks and benefits of online trading and advertising that may have inflated investor expectations.
III. Best Execution
The duty of best execution requires a broker-dealer to seek to obtain the most favorable terms reasonably available under the circumstances for customer transactions. This duty encompasses consideration of many factors, such as the opportunity for price improvement, the speed and certainty of execution, and the likelihood that limit orders will be executed. Indeed, the SEC has stated that: "broker-dealers deciding where to route or execute small customer orders in listed or OTC securities must carefully evaluate the extent to which this order flow would be afforded better terms if executed in a market or with a market maker offering price improvement opportunities. In conducting the requisite evaluation of its order handling procedures, a broker-dealer must regularly and rigorously examine execution quality likely to be obtained from the different markets or market makers trading a security."15
Firms must ensure that they comply with their legal obligation to seek to obtain the best execution of their customers' orders, including periodically assessing the quality of competing markets and by routing orders to the markets that provide the most beneficial terms for their customers' orders. Firms also should document steps they take to comply with their best execution obligations.16 The Staff's review found that many broker-dealers were not meeting their best execution obligations because they sent all of their order flow to their clearing firm and conducted no independent review of execution quality, they limited their review to those markets to which they currently routed order flow, or otherwise appeared not to conduct a thorough analysis of execution quality likely to be obtained from various markets.
Firms must ensure that they comply with their legal obligation not to allow payment for order flow or any other order routing inducements to interfere with their duty of best execution on customers' securities transactions. Most of the firms examined received payment for order flow from the markets to which they route orders. A number of the firms examined had affiliations with some of the markets to which they route orders. While the receipt of payment for order flow or other order routing inducements is not necessarily inconsistent with the duty of best execution, the Staff is concerned that firms might allow these inducements to interfere with their best execution obligations. The Staff saw indications during examinations that firms were not adequately assessing execution quality in determining where to route customers' orders.
IV. Operational Capability
It is important that all firms have sufficient operational capability to accept and to process appropriately customers' securities transactions. The huge growth in online trading makes having sufficient capability to handle this volume critical. In Staff Legal Bulletin No. 8, the Division of Market Regulation emphasized that broker-dealers should take steps to prevent capacity or other operational concerns from disrupting market operations.17 Firms should review Staff Legal Bulletin No. 8 and, consistent with this and other guidance, establish capacity estimates, periodically evaluate the capacity of their systems, and develop procedures for handling system capacity problems.18 Firms should also use every reasonable effort to notify customers of operational difficulties. In addition, to assist in monitoring and planning for systems disruptions, firms should consider maintaining records of capacity evaluations and system slowdowns and outages, including details on the cause and impact of the problem.
In reviewing operational capability, firms should consider: (a) evaluating the capacity of their telephone systems and telephone hold times; (b) maintaining records of phone capacity evaluations performed; (c) evaluating the adequacy of their backup systems and considering the advisability of dual running sites or a backup site that could be switched to within a short period after systems failure; (d) evaluating their ability to increase phone representatives during an outage or during high volume days; (e) employing multiple Internet service providers ("ISPs");19 (f) improving server capacity; (g) giving priority at time of peak usage to customers who wish to enter orders; (h) educating customers about Internet access issues; and (i) providing alternative means to place orders when Internet access is slow or unavailable.
During examinations, the Staff considered the extent to which firms had adequate policies and procedures to ensure that they maintain adequate capability. The Staff assessed the extent to which each firm reviewed the capability of its online trading system. About a quarter of the firms examined either did not conduct any assessment of their operational capability or had difficulty responding to questions regarding their capacity. Many firms indicated that they do conduct regular assessments of their operational capability. Some firms that conducted capacity assessments had an automated system for monitoring capacity on a continuous basis. A few firms conducted assessments on a weekly or monthly basis. Firms used various methods to assess capacity, including simultaneous number of trades during peak usage, average number of simultaneous trades, and total number of trades a day. In cases in which computer systems performed multiple functions, many firms assessed capacity based on the number of simultaneous operations of all types.20
Many firms have developed backup systems in the event of a failure of their primary system or a failure by their ISPs. Almost a third of all firms examined had either dual running sites (i.e., two or more sites that run concurrently so that if one site has a systems failure the other sites can handle the volume), or a hot backup site (i.e., a backup site that can be switched to promptly in the event of a systems failure). The majority of firms had at least two ISPs in the event that one ISP experienced problems. All firms examined relied at least in part on telephone representatives to accept orders if their web site was unavailable. Most brokers were able to increase the number of staff to take orders by phone in the event of an outage.
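As an added example (not code from the report or from any firm examined), the following Python computes the capacity measures named in section IV over a constructed sample of order timings: the number of simultaneous orders during peak usage, the time-weighted average number of simultaneous orders, the total number of orders a day, and a count of orders that took longer than a threshold, which is the raw material for a record of slowdowns. The capacity estimate, alert ratio and slowness threshold are assumed values a firm would set for itself.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class OrderEvent:
    """One order's time in the system, in seconds from the start of the trading day (constructed sample data)."""
    submitted: float
    completed: float


def peak_concurrency(events: List[OrderEvent]) -> int:
    """Maximum number of orders in flight at any instant (sweep over submit/complete points)."""
    points = []
    for e in events:
        points.append((e.submitted, +1))
        points.append((e.completed, -1))
    points.sort(key=lambda p: (p[0], p[1]))   # at equal times, completions count before submissions
    in_flight = peak = 0
    for _, delta in points:
        in_flight += delta
        peak = max(peak, in_flight)
    return peak


def average_concurrency(events: List[OrderEvent], window_start: float, window_end: float) -> float:
    """Time-weighted average number of orders in flight over a window."""
    busy = 0.0
    for e in events:
        busy += max(0.0, min(e.completed, window_end) - max(e.submitted, window_start))
    return busy / (window_end - window_start)


def slow_orders(events: List[OrderEvent], threshold_seconds: float) -> List[OrderEvent]:
    """Orders whose processing time exceeded the threshold, to be logged with cause and impact."""
    return [e for e in events if e.completed - e.submitted > threshold_seconds]


def assess_capacity(events: List[OrderEvent], capacity_estimate: int,
                    alert_ratio: float = 0.8, slow_threshold: float = 2.0) -> dict:
    """Compare observed load against the firm's capacity estimate and flag when headroom is thin."""
    peak = peak_concurrency(events)
    utilization = peak / capacity_estimate
    return {
        "peak_simultaneous": peak,
        "total_orders": len(events),
        "utilization": utilization,
        "alert": utilization >= alert_ratio,
        "slow_orders": len(slow_orders(events, slow_threshold)),
    }


# Constructed sample: five orders over an eleven-second slice of the day.
SAMPLE_EVENTS = [
    OrderEvent(0.0, 2.0),
    OrderEvent(1.0, 3.0),
    OrderEvent(1.5, 4.0),
    OrderEvent(3.0, 5.0),
    OrderEvent(10.0, 11.0),
]

if __name__ == "__main__":
    print(assess_capacity(SAMPLE_EVENTS, capacity_estimate=3))
```

Run against a day's order log, the same functions give the periodic capacity evaluation the report asks firms to keep on record; the alert ratio is what turns a measurement into a trigger for adding server capacity or phone representatives before an outage rather than after.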
V. Security Measures
The SEC recently adopted privacy rules for brokers, dealers, investment companies, and investment advisers.21 The rule requires that firms registered with the SEC adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. The issues described below may be helpful to firms as they consider and adopt policies and procedures in anticipation of the new rule.
A. Use of Encryption Technology
One of the risks of Internet communications is that information sent through web sites or through e-mails may be intercepted by third parties. To reduce the risk of third party interception of information sent between a customer's computer and the firm's web site or information sent through e-mails, it is necessary to use some form of encryption (i.e., scrambling the data using a mathematical formula before transmission). While there currently exist standard methods of encryption for web site transmissions, most e-mail transmissions sent through the Internet are not secure.22
Firms should evaluate the security of their web site and e-mail systems. If either system does not provide a secure method of transmission, the firm should consider developing procedures to reduce the likelihood that personal information will be sent through unsecure transmissions.
With respect to web sites, the Staff's review of online broker-dealers found that all firms used some form of encryption, but not all firms used the most secure method available. Web sites that are encrypted typically use a method referred to as Secure Sockets Layer ("SSL").23 SSL comes in two versions, 40-bit and the more secure 128-bit.24 The Staff's review of online broker-dealers indicated that most firms' web sites offered both 40-bit and 128-bit, depending on the browser used by the customer. Because most individuals have computers with 40-bit browsers, customers may be unaware that a more secure option is available to them.25
With respect to e-mails, the Staff observed many instances of confidential information being sent without any security measures, including account numbers, passwords, social security numbers, or details of trades placed. At some broker-dealers, customer service representatives routinely requested confidential information from customers such as account number, social security number, and mother's maiden name, with the result that the customers' e-mail responses contained such information. Of the brokers reviewed, only one-fifth of the firms had written policies on employees sending confidential information over e-mails and a fifth of the firms warned customers about sending confidential information through e-mails.
About a third of the broker-dealers examined used some form of e-mail encryption. Almost all of these firms used an encryption system that only encrypted incoming e-mails so that e-mails sent by the firm to customers were not secure. Even without an e-mail encryption system, there are some minimal procedures that firms could adopt to reduce the risk of confidential information being sent over the Internet. For example, some firms have implemented written procedures that prohibit employees from sending confidential information to customers over unsecure e-mail and that prohibit them from requesting confidential information from customers over unsecure e-mail. In some cases, these procedures listed the types of information considered confidential. In addition, some broker-dealers provided information to customers about the unsecure nature of e-mails and the need to keep confidential information from e-mail transmissions.
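The written procedures described above can be backed by an automated check on outbound mail. The following Python is an added example, not code from the report or from any firm examined: it screens a message for the categories of confidential information the Staff observed (account numbers, passwords, social security numbers, and requests for a mother's maiden name) and blocks the message when the transport is not encrypted. The patterns and the sample messages are constructed for the example; a firm's own list of confidential fields would drive the real patterns.

```python
import re

# Categories of confidential data the report describes travelling in plain e-mail.
# Patterns are constructed for this example and match both a value and a request for it.
CONFIDENTIAL_PATTERNS = {
    "social_security": re.compile(
        r"\b(?:ssn|social\s+security(?:\s+number)?|\d{3}-\d{2}-\d{4})\b", re.IGNORECASE),
    "account_number": re.compile(
        r"\baccount\s*(?:number|no\.?|#)?\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "password": re.compile(r"\bpassword\s*(?:is|:)\s*\S+", re.IGNORECASE),
    "mothers_maiden_name": re.compile(r"\bmother'?s\s+maiden\s+name\b", re.IGNORECASE),
}


def screen_message(subject: str, body: str):
    """Return the confidential data types mentioned or requested in a message (empty list: none found)."""
    text = f"{subject}\n{body}"
    return [name for name, pattern in CONFIDENTIAL_PATTERNS.items() if pattern.search(text)]


def outbound_decision(subject: str, body: str, transport_encrypted: bool):
    """Apply the written procedure: confidential content may leave only over an encrypted channel."""
    if transport_encrypted:
        return ("send", [])
    hits = screen_message(subject, body)
    if hits:
        return ("block", hits)   # the representative is told to use a secure channel or the telephone
    return ("send", [])


# Constructed sample messages a representative might attempt to send.
SAMPLE_MESSAGES = [
    {"subject": "Re: statement",
     "body": "Thanks, your account number: 12345678 shows the trade filled.",
     "encrypted": False},
    {"subject": "Verify your identity",
     "body": "Please reply with your SSN and mother's maiden name so we can reset it.",
     "encrypted": False},
    {"subject": "Phone hours",
     "body": "Our phone desk is open 8am to 8pm ET on trading days.",
     "encrypted": False},
    {"subject": "Temporary password",
     "body": "Your password is Temp#2001",
     "encrypted": True},
]


def screen_outbox(messages):
    """Decide every message in a batch; returns (subject, decision, categories) triples."""
    return [(m["subject"],) + outbound_decision(m["subject"], m["body"], m["encrypted"])
            for m in messages]


if __name__ == "__main__":
    for row in screen_outbox(SAMPLE_MESSAGES):
        print(row)
```

The second sample is blocked even though it contains no customer data: the procedure the report describes prohibits requesting confidential information over unsecure e-mail as well as sending it, so a request pattern is treated the same as a value.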
The Staff reviewed the security measures established by firms for their internal computer systems to prevent intrusions by unauthorized persons (e.g., a cracker or hacker, who may obtain unauthorized access to a computer system by bypassing passwords or otherwise breaching computer security).26 One concern is that unauthorized persons could obtain access to customer information and, in the worst case, to customer cash or securities. Firewalls are systems used to prevent unauthorized access to firms' internal computer systems.27 Firewalls use different techniques to prevent unauthorized access, and most experts recommend a combination of techniques. All firms should consider implementing a periodic review of their security in light of changes in technology and the introduction of new security methods. In addition, firms should consider hiring an outside entity to periodically test the adequacy of their security. The Staff's review found that all firms have at least minimal procedures and the majority of firms had multiple levels of firewalls. About a third of the firms examined retained outside consultants to test the security of their firewalls by attempting to break in to the system.
All broker-dealers use passwords to limit access to confidential web site information to identified customers. But, the use of passwords creates an inherent risk - that the password will be appropriated by a third party. Broker-dealers should evaluate the security of the password selection method they use. Many firms set passwords based on the customer's personal information.28 Some examples of more secure methods include: customer passwords set at a random sequence, customer selected passwords, or, if personal information is used to set the initial password, the customer must reset the password on the first log in.29
Several broker-dealers allow customers to e-mail that they have lost their password, and the firm resets the password to its original default without obtaining any verifying information from the customer. Other broker-dealers stated that a safer practice is to require that the customer telephone the firm, so that the firm could obtain verifying information before resetting the password.
Once a customer has signed in on a firm's web site using a password, "session information" is stored on the customer's computer in a cookie or on the firm's web servers. This allows customers to move around the web site without continually typing in their password. Once the session information is stored, anyone using that computer is able to access that customer's account without signing in. Broker-dealers should evaluate whether security is enhanced by restoring password protection after a period of time or after the customer leaves the website. At most broker-dealers examined, password protection is restored when the customer logs off. However, if customers do not go through the log off procedure, password protection is not restored. To respond to this concern, many broker-dealers automatically restore password protection after a certain period of time or upon closing the browser.
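The password and session practices described in the three paragraphs above can be seen together in one small access-control module. The following Python is an added example, not code from the report or from any firm examined. It issues a random initial password (rather than one derived from personal information) that must be changed at the first log in, honours a reset request only after verifying information the customer supplies, and restores password protection automatically after a period of inactivity or on log off. The timeout values, the verification answer mechanism and the PBKDF2 parameters are assumptions made for the example; the clock is injectable so the timeouts can be exercised without waiting.

```python
import hashlib
import hmac
import os
import secrets
import time


class AccessControl:
    """Customer password and session handling (added illustration, not any firm's system)."""

    IDLE_TIMEOUT = 15 * 60          # assumed: password protection restored after 15 idle minutes
    ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed: and in any case after 8 hours

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}      # username -> {"salt", "hash", "verify", "must_change"}
        self.sessions = {}   # token -> {"user", "created", "last_seen"}

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def create_account(self, username: str, verification_answer: str) -> str:
        """Random initial password, never built from personal data; must be changed at first log in."""
        initial = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": self._hash(initial, salt),
                                "verify": self._hash(verification_answer, salt), "must_change": True}
        return initial   # in practice delivered to the customer out of band

    def _check(self, username: str, field: str, value: str) -> bool:
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user[field], self._hash(value, user["salt"]))

    def login(self, username: str, password: str):
        """Return a session token, or None when the credentials are wrong."""
        if not self._check(username, "hash", password):
            return None
        token = secrets.token_hex(16)
        now = self.clock()
        self.sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def session(self, token: str):
        """Live session for a token; idle or absolute expiry removes it, restoring password protection."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > self.IDLE_TIMEOUT or now - sess["created"] > self.ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess

    def can_trade(self, token: str) -> bool:
        """Trading needs a live session and a password the customer chose, not the initial or reset one."""
        sess = self.session(token)
        return sess is not None and not self.users[sess["user"]]["must_change"]

    def change_password(self, token: str, new_password: str) -> bool:
        sess = self.session(token)
        if sess is None:
            return False
        user = self.users[sess["user"]]
        user["hash"] = self._hash(new_password, user["salt"])
        user["must_change"] = False
        self._end_sessions(sess["user"], keep=token)
        return True

    def reset_password(self, username: str, verification_answer: str):
        """Reset only after verifying the customer; an unverified request (e.g. a bare e-mail) gets None."""
        if not self._check(username, "verify", verification_answer):
            return None
        user = self.users[username]
        temporary = secrets.token_urlsafe(12)
        user["hash"] = self._hash(temporary, user["salt"])
        user["must_change"] = True
        self._end_sessions(username, keep=None)
        return temporary

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)

    def _end_sessions(self, username: str, keep) -> None:
        """Drop every other session for the user after a credential change."""
        for tok in [t for t, s in self.sessions.items() if s["user"] == username and t != keep]:
            del self.sessions[tok]
```

A reset ends all of the customer's existing sessions, so a session that was left open on another machine cannot outlive the credential that created it; this closes the gap described above where a customer who never logs off leaves the account reachable to anyone at that computer.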
VI. Employee Supervision
The Internet allows registered representatives to communicate with customers from the firm and from their home or elsewhere. Like other communications with customers, firms must establish written procedures to supervise registered representatives' communications over the Internet.30 Firms should create written procedures for employees' permissible and impermissible use of the Internet, including prohibiting communications with customers outside of the communications channels monitored by the firm. Firms should provide appropriate guidelines and training to employees, outlining each of the potential activities (e.g., e-mail, chat rooms, bulletin boards, and web sites) and examples of what is and is not permissible. Firms should review employees' use of the Internet to ensure that employees are using the Internet in ways that conform to the firm's guidelines. In addition, firms might consider specifying how employees are permitted to use the firm's name. Finally, firms should consider surveilling the Internet for use of the firm's name to prevent employee misuse of the firm's name.
Approximately half of the brokers examined had at least minimal written policies outlining permissible activities on the Internet for their employees. Some firms prohibited employees from establishing any web page or a securities-related web page on employees' own home computers, and prohibited employees from using their own computers to communicate with customers.31 Some firms provided employees with firm laptop computers for use at home, in part, so that communications between firm employees and customers could be supervised. Approximately half of the firms surveilled the web periodically to locate all web pages using the firm's name.
VII. Conclusion
Our examinations of broker-dealers offering online trading revealed examples of sound practices as well as areas where some broker-dealers can enhance their practices. In particular, our examinations indicated that enhanced disclosure in certain areas would respond to many customer complaints. Some basic measures include providing help screens on web sites with explanations of key investing terms and concepts; taking steps to prevent executions of unintended duplicate orders; providing enhanced margin disclosure, including a list of securities with higher margin requirements and the actual interest rate that will be charged on margin balances; describing the IPO allocation process; and informing customers with cash accounts of their trading liabilities.
The examinations highlighted other areas where broker-dealers should review their procedures. Firms should evaluate their advertising to ensure that they do not inflate investor expectations. Firms should also scrutinize their order routing practices to ensure they are meeting their legal obligation to seek the best execution of their customers' orders. As technology plays an increasing role in broker-dealer operations, firms should constantly monitor the adequacy of their systems. Firms should evaluate their operational capability to accept and to process appropriately customers' securities transactions. Firms must also institute procedures to protect customer records and information. These procedures should include measures to protect information sent between firms and their customers through web sites or e-mails, to prevent unauthorized access to the firms' internal computer systems, and to prevent access to a customer's account through unauthorized use of the customer's password. Finally, firms should evaluate whether their supervisory procedures are adequate to monitor employees' use of the Internet.
The Staff recommends that broker-dealers evaluate their own online trading programs in light of the issues described in this report.
1 Examinations were conducted by the SEC, the NASD Regulation, Inc. ("NASDR"), and the New York Stock Exchange ("NYSE") from October 1998 through the present. This is a report of the SEC's staff, and the examination findings described herein are those of the Staff, and are not findings of the SEC.
2 Commissioner Unger has highlighted issues associated with online brokerage. See, "Online Brokerage: Keeping Apace of Cyberspace" (November 1999).
3 This report does not discuss suitability in light of pending NASDR policy guidance in this area.
4 Online Financial Services Update, U.S. Bancorp Piper Jaffray (April 2000).
5 For the twelve months ended September 30, 1997, the SEC's Office of Investor Education and Assistance received 259 complaints relating to online trading or by customers of firms trading online. By the twelve months ended September 30, 1998, the number of complaints rose to 1,114 and by September 30, 1999, complaints rose to 3,313. For the twelve months ended September 30, 2000, online complaints numbered 4,258. The most common complaints by online customers were failure to process/delays in executing orders, difficulty in accessing account/contacting broker, margin position sellouts, errors in processing orders, and best execution problems. The NYSE first began tracking online trading complaints in the fourth quarter of 1999. Since that time, more complaints have been received regarding online trading than any other category of customer complaints. The NASDR estimates that it has received 851 complaints concerning online trading since June of 1999, when it began tracking such complaints.
6 Firms also should consider linking their web sites to relevant pages on the web sites of the SEC, NYSE, and NASDR. See, e.g., www.nasdr.com/2500_online.htm; www.sec.gov/consumer/onlitips.htm; www.nyse.com.
7 Other firms' trading status screens immediately delete the pending trade from the screen at the time the cancellation request is received or will display a message that indicates the pending trade has been cancelled even though the trade is still pending. Customers have complained that such messages erroneously led them to believe that their trade was cancelled.
8 The weakness to this approach is that there are some instances where an investor may want to cancel a market order (e.g., during a trading halt) and eliminating the investor's ability to do so may be detrimental to the investor's interests.
9 The advantage of such an approach is that customers are protected from overselling or overbuying their account. The weakness of this approach is that it does not prevent double execution if the investor has sufficient funds, buying power, or securities to satisfy both executions.
10 Margin Disclosure Statement to Non-Institutional Customers, SR-NASD-00-55 (September 5, 2000). The rule proposal would also require NASD members to deliver on an annual basis the specified disclosure statement to their non-institutional customers with margin accounts.
11 Securities Exchange Act Rule 10b-16 requires that, when a customer opens a margin account with a broker-dealer, the broker-dealer must furnish in writing specific information disclosing, among other things, the annual rate of interest, method of computing interest, what other credit charges may be imposed, and the conditions under which additional collateral can be required. The broker-dealer must also give or send written account statements on a periodic basis disclosing, among other things, the balance at the beginning of the period, details on each debit and credit entered during such period, the closing balance, and the total interest charge for the period. The Staff's examinations revealed, however, that most firms' margin agreements were written in technical terms that investors may have difficulty understanding.
12 Securities Exchange Act Release No. 42728 (April 28, 2000), 65 FR 25843.
13 Chairman Levitt raised concerns that certain advertising was inflating investors' expectations about trading securities (National Press Club, May 4, 1999: "Plain Talk About On-Line Investing"); also see, Report of NASDR Concerning the Advertisement of Online Brokerage (September 21, 1999).
14 See, e.g., NASD Rule 2210(d); NYSE Rules 472.30 and 472.40. Advertising that contains misrepresentations or omissions of material fact may violate the antifraud provisions of the federal securities laws.
15 Securities Exchange Act Release No. 37619A (September 6, 1996), 61 FR 48290 at 48323.
16 The SEC recently adopted rules requiring greater disclosure of order routing and order execution practices by broker-dealers, effective January 30, 2001. Securities Exchange Act Release No. 43590 (November 17, 2000).
17 Staff Legal Bulletin No. 8 (December 9, 1998).
18 The obligation to maintain operational capability is not new. The securities laws have always required firms to handle customer transactions properly, whether manually or electronically. It is a violation of the antifraud provisions of the securities laws for a broker-dealer to accept orders without having sufficient personnel and facilities to properly execute securities transactions. See, Securities Exchange Act Release No. 8363 (July 29, 1968), 33 FR 11150.
19 An ISP is a company that provides access to the Internet to companies and individuals.
20 Approximately a third of firms relied on third party vendors to run their systems either on dedicated equipment or on an undivided portion of the entity's system. Firms should be familiar with vendor systems used to run the firm's web site, including security measures used and available capacity for future growth.
21 Regulation S-P, Securities Exchange Act Release No. 42974 (June 22, 2000), 65 FR 40333.
22 Currently, there are two generally available methods to secure e-mail transmissions, although neither is widely used. The first is public key encryption based on digital certificates. In its most basic form, each user holds a pair of "keys," a public key and a private key, and a digital certificate binds the public key to that user's identity. The public key is made available to anyone who wants to send a secure message to the user. Once an e-mail has been encrypted with the public key, it can be read only by decrypting it with the related private key, which is known only to the recipient. The other form is browser-based encryption, in which e-mails are sent and received through the broker's web site, so that the messages travel over the browser's encrypted connection rather than as ordinary Internet e-mail. To send or receive messages, the customer must visit the firm's web site. Some firms receive e-mails through the web site but respond by sending an unencrypted e-mail to the customer, which leaves the firm's half of the exchange unprotected.
23 Both the Netscape and Microsoft web browsers use SSL.
24 A 128-bit system is estimated to be approximately 300 x 10^24 (that is, 2^88) times stronger than a 40-bit system. See, Help.netscape.com/kb/consumer/19971208-6.html.
25 Until recently, a 40-bit browser was the standard installed on most computers. To obtain 128-bit security, a customer would need to download and install additional software. However, 128-bit browsers are becoming the new standard.
26 Recently, several web sites, including one belonging to a broker-dealer, experienced denial-of-service attacks from outside that left the sites unavailable to customers for several hours. While there is no complete solution, some techniques reduce the intensity of an attack, including having the ISP filter the attack traffic before it reaches the firm. Firms should discuss such measures with their ISP.
27 A firewall could consist of software, a router (a device that determines the next network point to which a packet or unit of information should be forwarded toward its destination), a separate computer system, or a combination of the three.
28 The ease with which another person may obtain someone else's personal information was described in "An Expert in Computer Security Finds His Life is a Wide-Open Book," NYTimes p. C4 (December 13, 1999). Experts were able to obtain a subject's social security number and the subject's mother's maiden name from public files.
29 New technologies are being developed to replace passwords. The most common is public key cryptography, in which the customer proves possession of a private key instead of presenting a password that can be guessed or copied; the firm keeps only the matching public key on file. The private key can be stored in software, on a smart card, or in a separate device such as a mobile phone. See, "Easy to Use PKI is key to cryptography's success" Network World (January 31, 2000), "New Ways of Securing Online Data" NYTimes (December 22, 1999).
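The public key mechanism described in footnotes 22 and 29 can be shown concretely. The following Go program is an added example, not code from the original report or from any of the examined firms; it assumes RSA with OAEP padding for the e-mail case and RSA-PSS over a random challenge for the password-replacement case, and the key names, helper functions and sample message are constructed for illustration. It shows why a message encrypted under one customer's public key is unreadable with any other private key, and why a signature captured from one login cannot be replayed against a fresh challenge.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// UserKeys holds one user's key pair. In practice the public key is published
// in a certificate and the private key stays on the user's own machine,
// smart card or phone (footnote 29).
type UserKeys struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewUserKeys generates a fresh RSA key pair (2048 bits assumed here).
func NewUserKeys() (*UserKeys, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &UserKeys{Private: k, Public: &k.PublicKey}, nil
}

// EncryptForRecipient "scrambles" a message with the recipient's PUBLIC key
// (footnote 22). Anyone who has the public key can perform this step.
func EncryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptAsRecipient "unscrambles" with the PRIVATE key, which only the
// recipient holds. The same ciphertext fails under any other private key.
func DecryptAsRecipient(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// NewChallenge produces a random nonce for one login attempt, so a signature
// captured on the wire is useless for any later attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// SignChallenge is the customer's side of the password replacement in
// footnote 29: the private key signs the firm's challenge and never leaves
// the customer's device; nothing reusable crosses the network.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// VerifyChallenge is the firm's side: check the signature against the public
// key on file for the account. True only for the right key AND the exact
// challenge that was issued.
func VerifyChallenge(pub *rsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	customer, _ := NewUserKeys()
	other, _ := NewUserKeys()

	// Footnote 22: a confidential e-mail from the firm to the customer
	// (constructed sample text).
	msg := []byte("Your margin call of $1,250.00 is due by 10:00 ET")
	ct, _ := EncryptForRecipient(customer.Public, msg)
	pt, _ := DecryptAsRecipient(customer.Private, ct)
	fmt.Printf("decrypted by customer: %q\n", pt)
	if _, err := DecryptAsRecipient(other.Private, ct); err != nil {
		fmt.Println("another private key cannot decrypt:", err)
	}

	// Footnote 29: logging in without a password.
	chal, _ := NewChallenge()
	sig, _ := SignChallenge(customer.Private, chal)
	fmt.Println("customer's signature accepted:", VerifyChallenge(customer.Public, chal, sig))
	fmt.Println("other key's signature accepted:", VerifyChallenge(other.Public, chal, sig))
	replay, _ := NewChallenge()
	fmt.Println("old signature replayed on new challenge:", VerifyChallenge(customer.Public, replay, sig))
}
```

The firm stores only public keys, so a compromise of its customer database exposes nothing that lets an attacker log in, which is the property a password database cannot offer; the fresh challenge per login is what defeats replay of a captured signature.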
30 NASD Rule 3010 requires firms to establish written procedures to supervise registered representatives. See, also, NYSE Rule 342.16 (provides that firms should have written procedures for supervision of registered representatives, including procedures for review of communications with customers); Securities Exchange Act Section 15(b)(4)(E) (provides a defense to a failure to supervise charge if a firm adopts procedures reasonably designed to prevent and detect violations).
31 In NASD Notice to Members 98-11, the NASDR stated that it "would expect members to prohibit correspondence with customers from employees' home computers or through third party systems unless the firm is capable of monitoring such communications."