Public Censure of ASB Securities Limited

27/5/2020, 8:31 am DISCPLIN

27 May 2020

ANNOUNCEMENT OF NZ MARKETS DISCIPLINARY TRIBUNAL

PUBLIC CENSURE OF ASB SECURITIES LIMITED FOR BREACHES OF NZX PARTICIPANT RULES 4.5.5, 9.1.1(c), 10.6.1(d), 10.7.1 and 10.8.1(a)

1. The NZ Markets Disciplinary Tribunal (Tribunal) has approved a settlement agreement between NZX Limited (NZX) and ASB Securities Limited (ASBA) dated 5 May 2020 (Settlement Agreement).

Summary

2. ASBA is an NZX Trading Participant and Client Advising Participant. ASBA is bound by the NZX Participant Rules (Rules).

3. Between 2004 and 2018, certain of ASBA’s client online share trading accounts were vulnerable to unauthorised viewing or to Orders being placed by individuals who no longer had authority to access or transact on those accounts. This was a result of system and process issues with ASBA’s Online Share Trading (OST) platform.

4. As a Trading Participant, ASBA is required:
a. by Rule 4.5.5:
i. to ensure the accuracy, integrity and bona fides of all trading messages that are entered into the Trading System using ASBA’s identification code; and
ii. to have appropriate filters, screens and security measures in place in allowing access to ASBA’s trading system via Direct Market Access;
b. by Rule 10.6.1(d), to maintain appropriate security procedures designed to prevent unauthorised entry into the Trading System;
c. by Rule 10.7.1, to ensure that only its Dealers or DMA Authorised Persons authorised by ASBA enter or submit Orders into the Trading System; and
d. by Rule 10.8.1(a), to ensure that ASBA has established and maintained appropriate filters, screens and security measures.

5. As a Client Advising Participant, Rule 9.1.1(c) requires ASBA to respect and ensure the confidentiality of client information.

6. After an investigation, NZX found that ASBA breached the Rules as a consequence of two issues regarding access to the ASBA OST platform. ASBA accepts NZX’s findings. ASBA and NZX have agreed to a settlement in relation to ASBA’s breaches.

Background

7. Between 2004 and 2018, certain of ASBA’s client online share trading accounts were vulnerable to unauthorised viewing or to Orders being placed by individuals who no longer had authority to access or transact on those accounts. This was a result of system and process issues with ASBA’s OST platform.

8. In particular, unauthorised access to ASBA’s client accounts was the consequence of two issues:
a. Delinking Issue: Access by individuals to the ASBA OST platform through a trading account was not always removed when ASBA had been requested to do so by the account owner. As a result, the individuals retained the ability to view the trading account and place Orders using ASBA’s OST application, despite the fact that the account owner had withdrawn their authority.
b. Historic System Issue: ASBA clients not registered for the ASBA OST platform or deregistered from the platform were able to access OST via the ASB Bank online banking application, despite not having authority to do so.

9. Between 2004 and 2018, 576 client online share trading accounts were made vulnerable to unauthorised viewing or Orders by either the Delinking Issue or the Historic System Issue. Of those 576 affected accounts:
a. 31 affected accounts were viewed using an access code associated with an individual without authority to access the account; and
b. Six affected accounts had Orders placed using an access code associated with an individual without authority for DMA. ASBA has subsequently contacted the account holders in relation to each of those accounts where Orders were placed and, in each instance, the account holder has confirmed that the account holder was aware of the trading and did not have any concerns in relation to it.

10. In August 2018, ASBA was alerted to the Delinking Issue by a customer. The customer had inadvertently viewed the client account of her ex-husband, to which she no longer held access authority. She therefore informed ASBA of this. ASBA investigated the matter and informed NZX of the Delinking Issue in November 2018. At the same time, ASBA rectified the accounts affected by the Delinking Issue.

11. In the course of its investigation into the Delinking Issue, ASBA also identified the Historic System Issue. The Historic System Issue had occurred because ASBA’s system had allowed clients to log in to the ASB Bank online banking application and then use the single sign-on to access the OST platform without revalidation through ASBA’s Identity and Security Module. ASBA notified NZX of the Historic System Issue on 29 March 2019. The technical fault which caused the Historic System Issue had already been raised and resolved internally by ASBA on 10 November 2016.

12. Across a three-year sample period from November 2015 to November 2018, the Delinking Issue occurred in certain de-linking events actioned by 21 employees (which equated to most of the ASBA Client Services team over that period).

Determination

13. ASBA accepts the findings by NZX that, as a consequence of the two issues regarding access to the ASBA OST platform, ASBA breached Rules 4.5.5, 9.1.1(c), 10.6.1(d), 10.7.1 and 10.8.1(a). ASBA accepts that a penalty should be imposed by the Tribunal for these breaches.

14. The Tribunal considers that breaches of the Rules relating to client account security and the integrity of the Trading System are breaches of fundamental obligations. Compliance with these Rules by Participants is essential in maintaining market integrity and investor confidence.

15. Accordingly, the Tribunal considers that the breaches are serious and fall within Penalty Band 3 of Procedure 9 of the Tribunal Procedures. Under Penalty Band 3, a penalty of between $0 and $500,000 may be imposed.

16. The Tribunal considered that there were aggravating factors in this case:
a. Although view or trading access only occurred in 37 cases, a significant number of client accounts were able to be accessed by unauthorised individuals and were vulnerable to activity that could have had a significant impact on clients in terms of financial loss and violations of client privacy and account security;
b. The breaches occurred over an extended period of time—over at least a 14-year period from 2004 to 2018; and
c. The breaches resulted from a lack of effective processes, systems, and procedures in relation to auditing or compliance testing and supervision to ensure that staff were fully complying with ASBA's delinking requirements. ASBA employees did not routinely follow ASBA’s own standard operating procedures, and ASBA did not have an audit or compliance testing process to assess whether staff were carrying out the manual delinking sequence required by ASBA’s standard operating procedures.

17. The Tribunal also considered that there were mitigating factors:
a. ASBA did not breach the Rules intentionally;
b. ASBA reported the issues to NZX when they were identified;
c. ASBA resolved the issues once identified, with the result that the vulnerabilities with the affected accounts were rectified;
d. ASBA cooperated with NZX’s investigation, and entered into an early settlement of NZX’s referral to the Tribunal;
e. There was no evidence of financial loss to clients or investors; and
f. ASBA did not benefit financially or obtain a commercial advantage from the breaches.

Penalties

18. NZX and ASBA have agreed that:
a. A public censure by the Tribunal will be made;
b. ASBA will pay to the NZX Discipline Fund a financial penalty of NZ$80,000 for the breach of Rules 4.5.5, 9.1.1(c), 10.6.1(d), 10.7.1 and 10.8.1(a);
c. ASBA will pay the costs of the Tribunal (plus GST, if any); and
d. NZX and ASBA will each meet their own costs.

Approval

19. The Settlement Agreement is approved by the Tribunal pursuant to NZ Markets Disciplinary Tribunal Rule 8, and as such, the Settlement Agreement is the determination of the Tribunal.

Censure

20. The Tribunal hereby censures ASBA for breach of Rules 4.5.5, 9.1.1(c), 10.6.1(d), 10.7.1 and 10.8.1(a).

The Tribunal

21. The Tribunal is a disciplinary body which is independent of NZX and its subsidiaries. The Financial Markets Authority approves its members. Under the NZ Markets Disciplinary Tribunal Rules, the Tribunal determines and imposes penalties for referrals made to it by NZX in relation to the conduct of parties regulated by the NZX market rules.

ENDS