One-person compliance dept leads to $500,000 fine for online brokerage

Webull fined by Massachusetts regulators for inadequate compliance handling hundreds of thousands of brokerage accounts.

Compliance at online stock trader Webull was so inadequate that a single employee was often left to deal with compliance matters for hundreds of thousands of brokerage accounts, the Massachusetts state securities office says.

The regulator has fined the firm $500,000. Webull, a New York-based broker-dealer that operates fully as an electronic, online brokerage, agreed to settle the charges without admitting or denying any violation of the law.

According to the consent order Webull entered into with Secretary of the Commonwealth William Galvin’s Securities Division, the online broker-dealer has experienced exponential growth since its launch in 2018, but it failed to dedicate sufficient resources to compliance. From January 1, 2020 to January 1, 2021, Webull’s open brokerage accounts belonging to Massachusetts residents increased from 4,929 to 38,459, and from January 1, 2021 to January 1, 2022 the number of brokerage accounts belonging to Massachusetts residents reached 119,822.

Six million brokerage accounts

With more than six million brokerage accounts in total at the business and almost 120,000 in Massachusetts, Webull did not have the necessary staff or supervisory procedures in place to field the over 40,000 communications received from Massachusetts customers in a four-year period, Galvin’s office said.

Rather than having a designated compliance department, the regulator said that Webull relied heavily and unreasonably on a third-party compliance consultant and compliance counsel. The written supervisory procedures prepared by the outside counsel were described by one Webull employee as “inapplicable to the business,” according to the consent order.

Webull’s employee training was also cited as inadequate, as the company failed to provide any formal training to customer service personnel through June of 2020. Written annual training on identifying complaints instructed staff to “feel” whether a communication from a customer was a complaint, rather than providing objective criteria by which employees could identify complaints.

Galvin’s office noted that while Webull paid out $30m to sponsor the Brooklyn Nets of the National Basketball Association and the New York Liberty of the Women’s National Basketball Association, the brokerage didn’t hire a dedicated compliance team.

Those sponsorship deals helped Webull amass more than six million brokerage accounts, including more than 100,000 in the state of Massachusetts, since the company’s launch in 2018, the consent order notes.

Along with the fine, the consent order requires Webull to retain independent third-party consultants to conduct a comprehensive review of its policies and written procedures. Webull must also conduct an annual compliance review for the next three years, which must be filed with the Securities Division.

AWC with FINRA

On March 9, Webull entered into an AWC with the US Financial Industry Regulatory Authority (FINRA) that included findings that Webull:

failed to exercise reasonable due diligence in approving customers for options trading; and

failed to maintain a supervisory system reasonably designed to identify, respond to, and log customer complaints related to options.

As part of the AWC, Webull senior management certified within 180 days of the date that the AWC was accepted that Webull had remediated the issues identified in it and had implemented a supervisory system. This included written supervisory procedures reasonably designed to achieve compliance with FINRA Rules 3110, 2360, 4530, and 2010 that relate to the supervision of brokers, the expectation of high standards of commercial honor, and the agency’s regulatory reporting requirements.

During the calendar year of 2021, Webull received 522 inquiries or requests from regulators, plus over 40,000 communications from Massachusetts customers through its in-app chat feature, email and phone calls, all asking questions about the company or about specific client funds or transactions. This was a huge increase in inquiries and requests from such stakeholders in a one-year timeframe, the order notes.

Insufficient compliance department

From the date of its formation until about February 2021, the consent order states, Webull had a Chief Compliance Officer (CCO One), but no formally designated compliance department.

While Webull’s CCO One had performed compliance functions in his roles at prior firms, he had never served in a Chief Compliance Officer role before joining Webull.

Webull CCO One also served as Chief Operations Officer throughout the entire relevant time period.

CCO Two left only six months into the job, and the business saw significant turnover on its compliance team shortly after his departure, the consent order says.

The external compliance resource Webull used provided significant support, even responding to regulatory inquiries on behalf of Webull, the order notes.

This consultant issued reports to FINRA containing materially inaccurate information each year, the consent order says (and FINRA’s AWC notes), sometimes the same ones from the prior year. Several of these reports even included parenthetical references to an individual holding the title of CCO at the firm who had actually never served in that role or at the firm in any capacity. These reports also said Webull’s main office, located in London, had moved to Paris, but there had actually been no main office in either city.

In drafting written supervisory procedures (WSPs), compliance counsel just used a copy and paste method – or at least that is how Webull’s CCO Two described the WSPs, since they did not apply to Webull’s business, the consent order says.

Webull relied on an internally developed Customer Relationship Management (CRM) system to maintain records of customer communications. It also largely relied on the CRM system, through its use of a lexicon, to identify potential customer complaints contained within customer correspondence.

Webull developed the lexicon – a specific set of words and phrases – and applied it within its CRM system to identify customer communications for further review by the Webull compliance team. Prior to March 2021, the lexicon did not contain certain words that appeared in customer complaints received by Webull and failed to flag such communications as customer complaints, such as those referring to fraud, theft, or misappropriation of customer funds or securities.

GRIP comment

Where to start?

Not all of the compliance program deficiencies noted in the consent order were included here – the CEO and CCO One had mentioned training was needed for customer service representatives but was not provided, for example – but you get the picture.

Webull had an inadequate compliance program, from its policies and procedures and training to its reporting and responsiveness to regulatory and customer inquiries. It failed to have staffing levels and sufficient compliance expertise to achieve compliance with state and federal securities laws as well as industry best practices.

Firms cannot design effective compliance programs without understanding the business and crafting policies and procedures that are finely tailored to it – and having the experienced and well-trained resources to build this bespoke type of program.

Resources and hotlines

Companies can produce large binders of policies and procedures and count out the number of controls in their programs, but if you don’t test those policies, procedures, and controls or have the resources to stay on top of tens of thousands of customer inquiries and hundreds of regulator requests and queries, they are obviously meaningless. Although the Webull consent order does not mention them, whistleblower hotlines designed to detect and report bad behavior are essential, as are codes of conduct intended to align employees’ behavior with company policies and external regulations.

At a truly fundamental level, knowing who within the organization will be in charge of overseeing, monitoring and enforcing the compliance program is essential – a qualified person who knows the business and its people, preferably, and is well-prepared to act as the company’s overseer of its regulatory and reputational risks. This is not to say external resources should not be used, as consultants with prior tenures at regulatory agencies and within similar business organizations can be of tremendous help.

But that’s not true when the consultant is similarly overwhelmed or knows too little about the business she or he is overseeing, and possibly also lacks sufficient communication and collaboration with other members of the in-house team to make the oversight meaningful.

Staff education on Webull’s revised compliance policies and procedures must also include details of how to report infractions, where to go for more information, why conduct codes are needed in the workplace and how the education goes hand in hand with their employee compensation and career growth. And they must be continuously updated.

Yearly audit

The Webull consent order does not make any mention of a yearly audit of the compliance program, which is where an external resource could have been the most effective, at least to supplement internal resources that tested and thoroughly reviewed the compliance program at least annually.

Cultural failures are evident here as well – given how vulnerabilities and violations discovered by FINRA were not followed up with sufficiently prompt and consistent efforts to address the problem so there would not be … well, this Massachusetts securities agency consent order.

And why was the departure of employees in the compliance department following CCO Two’s leaving not the impetus to take a true look at whether effective management of the compliance program was even considered a doable task?

The huge escalation in regulatory and customer inquiries in 2020 also should have been a red flag deserving of prompt attention and the allocation of resources toward correcting it.

The problems outlined in this case and these lessons are a reminder that broker-dealer firms have a best interest standard to fulfil to their clients. And that this standard of care doesn’t just encompass disclosure, care and conflict of interest obligations, but also a compliance one, which requires broker-dealers to establish, maintain, and enforce written policies and procedures that are designed to achieve compliance with the other three obligations.