
When 650 Forged Signatures Cost $315K: Why E-Signature Technology Without Controls Is Just Faster Fraud

The Brokerage Where Four People Fooled Everyone for Four Years

On October 6, 2025, FINRA published a Letter of Acceptance, Waiver and Consent that should make every operations manager check their DocuSign audit logs immediately. Synovus Securities—the brokerage arm of a major regional financial institution—agreed to pay $315,000 and accept censure for a supervision failure so systematic it’s almost impressive in its scope.

Between January 2022 and September 2025, employees at one Synovus branch forged or falsified more than 100 customer signatures across 150+ documents. They also forged registered representatives’ signatures on more than 500 internal documents. That’s over 650 fraudulent signatures spanning nearly four years.

The method wasn’t sophisticated. Employees reused their own contact information to receive e-signature authentication codes, then electronically signed documents on behalf of customers and colleagues. The digital signature platform faithfully recorded everything—IP addresses, email addresses, timestamps, device information—creating a perfect audit trail of the fraud.

Nobody looked at the audit trail for over a year and a half.

The violations were discovered in September 2023 during routine operational checks. By then, Synovus had accumulated “hundreds of inaccurate books and records,” according to FINRA. The firm violated FINRA Rules 3110 (supervision), 4511 (books and records), and 2010 (standards of conduct), plus Section 17(a) of the Securities Exchange Act and Rule 17a-3.

Here’s what makes this particularly concerning: Synovus didn’t have written supervisory procedures for e-signatures until April 2024—more than two years into the violation period and six months after discovering the forgeries.

The Uncomfortable Question: How Common Is This?

Synovus self-reported to FINRA. No customers complained. No financial harm occurred. The firm emphasizes these points in its public statements, and they matter—this wasn’t a theft scheme targeting customer assets.

But that’s precisely what makes this case so relevant. This wasn’t a criminal enterprise. It was operational convenience taken too far by employees trying to process paperwork faster. Which means it could happen anywhere.

Think about your firm’s e-signature workflows. How many of these scenarios sound familiar?

  • Customer verbally approves something over the phone, rep “helps” by handling the signature
  • Internal form needs a principal’s signature, assistant signs because the principal is busy
  • Account transfer paperwork has a deadline, operations staff “expedites” by signing for customers who already agreed verbally
  • Customer doesn’t respond to the DocuSign email, someone uses their own email to “complete” the form

Each of these represents good intentions meeting bad compliance. And when multiplied across hundreds of documents over years, good intentions become FINRA enforcement actions.

FINRA Already Warned About This—In 2022

Here’s the detail that should worry you: FINRA issued Regulatory Notice 22-18 in August 2022 specifically warning firms about e-signature forgery and falsification risks. The notice described exactly how to detect these violations using digital signature audit trails.

Synovus’s violation period began in January 2022. The violations continued for three and a half years after FINRA published guidance on how to prevent them.

That notice laid out five common scenarios where firms discovered forgeries:

  1. Customer complaints or inquiries
  2. Digital signature audit trail reviews (IP address mismatches, email discrepancies)
  3. Supervisory reviews of account activity
  4. Internal audits or examinations
  5. Third-party vendor reports

Synovus apparently wasn’t doing #2, #3, or #4 effectively. They discovered the problem during routine operational checks—more than 18 months after it began.

The notice also specified what audit trails typically contain:

  • Email addresses used for signatures
  • IP addresses showing where signatures originated
  • Device information
  • Timestamps
  • Geographic location data

All of this existed in Synovus’s systems. The technology captured everything. The supervision didn’t review anything.

The Systematic Vulnerabilities That Make This Possible

Let’s break down how a major regional broker-dealer allowed four people at one branch to forge 650+ signatures over four years:


The Technology Adoption Gap

Post-pandemic, e-signature platforms became standard across financial services. DocuSign, Adobe Sign, and similar tools proliferated rapidly. Firms needed remote workflows. The technology was available. Implementation was fast.

But technology implementation outpaced control implementation. Firms rolled out digital signature capabilities without building corresponding supervisory systems. It’s the classic pattern: we digitized the forms but not the oversight.

E-signature platforms come with robust audit capabilities built in. Every signature generates completion certificates containing detailed metadata. The information exists. But if nobody’s monitoring it, you’ve just created faster fraud with better documentation.

The “Helpful” Culture Problem

Talk to operations staff at any broker-dealer and you’ll hear variations of “the customer verbally approved it, I was just making the process smoother.” Or “we had a deadline, the principal already said yes, I helped by signing so we wouldn’t miss the cutoff.”

This is where operational culture meets compliance failure. In a high-volume, deadline-driven environment, cutting corners to “help” becomes normalized. When everyone’s doing it and nothing bad happens, it becomes “how we do things here.”

Until FINRA shows up. Then it’s hundreds of inaccurate books and records, supervision violations, and six-figure fines.

The Branch Concentration Risk

Four people at one branch. That’s the detail that suggests a localized culture problem rather than a firm-wide control gap. If this were happening across multiple locations, it would indicate systematic policy failures. Concentrated at one branch, it points to insufficient branch supervision and a localized culture where shortcuts became accepted practice.

But here’s the challenge: if it happened at one branch, how do you know it’s not happening at others? Once FINRA finds a pattern at one location, they reasonably ask whether adequate controls exist elsewhere. That’s why the supervisory system violation is firm-wide even though the forgeries were localized.

The Audit Trail That Nobody Read

This is perhaps the most frustrating aspect. The evidence was there. Every single fraudulent signature was documented with:

  • The employee’s email address (not the customer’s)
  • The employee’s IP address (not the customer’s)
  • Timestamps showing signatures happening in rapid succession
  • Geographic data showing signatures originating from the branch, not customer locations

Anyone reviewing these audit trails would have spotted the pattern immediately. Someone signing 30 customer forms in an hour from the same IP address is an obvious red flag.

But “anyone reviewing” requires someone to actually review. Synovus apparently didn’t have systematic audit trail review procedures until well after the violations were discovered.

Why Generic Compliance Solutions Miss This

Most broker-dealers don’t build their own e-signature platforms. They license commercial tools (DocuSign, Adobe Sign) and integrate them into workflows. That’s sensible—these are mature, secure platforms with extensive capabilities.

But general-purpose e-signature platforms are designed for broad commercial use. They’re built for enterprises signing contracts, HR departments processing onboarding, sales teams executing agreements. They’re not specifically designed for broker-dealer regulatory compliance.

The gap becomes clear when you map the workflow:

What the E-Signature Platform Does:

  • Sends documents for signature
  • Tracks completion status
  • Stores completion certificates
  • Provides audit trails
  • Maintains security controls

What the E-Signature Platform Doesn’t Do:

  • Validate that the signer is actually the authorized customer
  • Prevent employees from initiating signatures on behalf of others
  • Automatically flag when signatures originate from firm IP addresses
  • Integrate with customer records to verify email addresses
  • Enforce supervisory review before documents are executed
  • Alert compliance when patterns suggest forgery

That second list is where supervision happens. And at Synovus, supervision didn’t happen.

The alternative approach—which we’ll explore in detail—is e-signature capability integrated directly into purpose-built broker-dealer platforms. When the signature mechanism lives in the same system that manages the regulated workflow (LOFs, F1SA agreements, quarterly reconciliations), the supervision becomes native to the platform rather than an afterthought.

The Difference Between Digital Forms and Digital Controls

Here’s the insight that operations managers need to internalize: digitizing a form is not the same as digitizing the control environment around that form.

Digitizing the Form:

  • Convert PDF to electronic format
  • Route via email for e-signature
  • Store completed documents electronically
  • Maintain electronic records

Digitizing the Controls:

  • Validate signer identity at initiation
  • Enforce authorization workflows before execution
  • Monitor audit trails systematically
  • Flag anomalies for supervisory review
  • Integrate with books and records systems
  • Maintain immutable audit trails with SEC Rule 17a-4 compliance

Most firms did the first list. Many firms skipped the second list. Synovus digitized forms but not controls. They had the technology. They didn’t have the supervision.

How Purpose-Built Platforms Prevent This Systematically

This is where broker-dealer-specific solutions differ fundamentally from general-purpose tools. When a platform is designed specifically for broker-dealer operations under FINRA supervision, the controls are built into the workflow, not bolted on afterward.

The critical difference: e-signature capability integrated into the compliance platform itself, not layered through a separate third-party tool.

Consider how this works in practice:

FVD (Freefunds Verified Direct) manages letters of free funds verification between executing brokers and custodians—and includes native e-signature functionality within the same system that maintains the LOF repository.

When an executing broker initiates a LOF request through FVD-S, the request is logged in their repository. When the custodian receives it in FVD-R, they review it within their authenticated interface and can approve or decline with an electronic signature—all within the same platform. The signature isn’t happening in DocuSign and then being imported. It’s happening where the LOF lives, where the audit trail lives, where the supervision happens.

This architecture prevents the Synovus problem at multiple levels:

The counterparty can’t sign on behalf of someone else because they’re authenticated into their own FVD-R instance. There’s no email being forwarded. No authentication code being shared. The custodian’s operations staff logs into FVD-R with their credentials, sees pending requests, and signs with their authenticated identity.

The requesting broker can’t forge a response because they don’t have access to the custodian’s FVD-R interface. The systems are separated by authentication boundaries. An executing broker using FVD-S literally cannot submit a response on behalf of the custodian—the platform architecture prevents it.

Supervisors see the complete chain in one place. The LOF request, the counterparty response, the signature metadata, and the audit trail all exist in the unified repository. There’s no need to cross-reference between a document management system and a separate e-signature platform. The supervision happens where the workflow happens.

All LOFs sent through FVD are retained in the repository with complete audit trails—who sent it, who received it, who signed it, when, from what IP address, with what device. When FINRA examines your LOF controls, you’re showing them a purpose-built system designed for exactly this regulatory requirement, not a generic tool adapted for broker-dealer use.

PBIN (Prime Broker Integrated Network) applies the same integrated approach to F1SA agreements (Form 1 Schedule A) and other prime brokerage documentation.

When brokers execute F1SA agreements through PBIN, the e-signature happens within the platform that manages the entire agreement lifecycle. Document initiation, routing, approval workflows, signature collection, and final storage all occur in the same system with unified authentication.

This becomes particularly powerful when both the prime broker and the executing broker are on the Loffa Network. At that point, you have straight-through processing with approval supervision happening entirely within a system that’s been enforcing guardrails throughout the workflow.

The requesting broker initiates the F1SA in PBIN-S. The document routes through required internal approvals (which are enforced by workflow, not optional). It’s then submitted to the counterparty, who receives it in their PBIN-R interface. They review it, route it through their own approval workflows, and sign it—all within authenticated access to PBIN-R.

Nobody can shortcut this. Nobody can sign on behalf of the counterparty. Nobody can forge an approval that should have come from a principal. The platform enforces the sequence, validates identity at each step, and maintains immutable audit trails throughout.

When both parties are on the Loffa Network, the common platform creates natural supervision boundaries. Each party can only act within their authenticated scope. The system knows who’s supposed to sign what, and won’t accept signatures from anyone else.

QBS (Quarterly Broker Statement) handles SEC Rule 17a-13(b)(3) quarterly reconciliation with the same integrated e-signature approach.

When position statements go out for quarterly reconciliation, counterparties can electronically sign their responses directly within the QBS platform. The reconciliation request, the position data, the counterparty response, and the signature all exist in one unified audit trail.

This matters because quarterly reconciliation often involves hundreds or thousands of position statements. In a world where someone’s using DocuSign separately from their reconciliation system, there’s opportunity for “helpful” staff to expedite signatures for customers who verbally confirmed positions. In QBS, the signature happens where the position lives, where the reconciliation happens, where the audit trail is maintained.

The workflow prevents forgery because authentication boundaries are enforced throughout. The reconciliation system knows who the counterparty is supposed to be. It won’t accept a signature from anyone else’s authenticated session.

The Architectural Difference That Matters

Here’s why integrated e-signature prevents the Synovus problem while bolt-on solutions don’t:

In the Synovus model (separate tools):

  1. Broker initiates document in their system
  2. Document gets routed to DocuSign (separate platform)
  3. DocuSign sends email to customer
  4. Someone receives that email (maybe the customer, maybe not)
  5. Authentication happens via email/code (which can be intercepted or shared)
  6. Signature happens in DocuSign
  7. Completed document returns to broker’s system
  8. Audit trail exists in DocuSign (separate from operational records)

Each of these handoffs creates opportunity for “helpful” workarounds. The employee can use their own email to receive the DocuSign. They can complete the signature on behalf of the customer. The audit trail shows someone signed, but cross-referencing that audit trail against operational records requires manual supervision.

In the Loffa model (integrated platform):

  1. Broker initiates request in FVD-S/PBIN-S/QBS-S
  2. Counterparty receives it in FVD-R/PBIN-R/QBS-R (authenticated access required)
  3. Counterparty reviews it within their authenticated interface
  4. Counterparty signs it within the same platform (no external routing)
  5. Response returns to requesting broker’s repository automatically
  6. Complete audit trail exists in unified system (request + response + signature metadata)

There are no external handoffs where someone can “help.” The requesting broker can’t access the receiving broker’s interface. The receiving broker can’t sign on behalf of someone else because authentication is enforced at the platform level. Supervisors see the complete workflow in one place because it all happened in one system.

This is what “purpose-built” actually means: the e-signature capability isn’t a separate tool that gets integrated afterward. It’s native to the platform that manages the regulated workflow. The authentication, the audit trail, the supervision, and the signature all happen in the same compliance-designed system.

When FINRA examines your e-signature controls, you’re not showing them how you adapted DocuSign for broker-dealer use. You’re showing them a platform designed from the ground up for broker-dealer operations, where e-signature is one component of a unified compliance workflow.

What SEC Rule 17a-4 Compliance Actually Means

Broker-dealers are required to maintain books and records under SEC Rule 17a-4, which specifies that electronic records must be stored in a non-rewriteable, non-erasable format. This is the foundation of the audit trail requirement.

But most firms interpret this as “we need to store documents long-term.” That’s necessary but insufficient. The deeper requirement is that the records must be accurate—which is where FINRA Rule 4511 intersects.

When Synovus accumulated hundreds of inaccurate books and records, they violated both the accuracy requirement (Rule 4511) and the underlying Exchange Act recordkeeping rules (Section 17(a), Rule 17a-3).

The audit trail that 17a-4 requires isn’t just about storage duration. It’s about evidentiary quality. When an examiner asks “prove this customer actually authorized this transaction,” the audit trail needs to demonstrate actual authorization, not just that someone clicked a button with the customer’s name attached.

Purpose-built platforms for broker-dealer operations are designed with this evidentiary standard in mind. The audit trails aren’t just logs—they’re compliance evidence showing who did what, with authentication proving identity at each step.

What Changes Right Now

If you’re an operations manager at a broker-dealer using e-signature platforms, here’s the immediate action list:

Pull your e-signature audit trails today. Don’t wait for the next compliance review. Export the last quarter’s completion certificates and look for red flags:

  • Signatures originating from firm IP addresses when they should come from customer locations
  • Employee email addresses used where customer email addresses should appear
  • Sequential signatures from the same IP address suggesting batch processing
  • Discrepancies between stored customer contact information and signature metadata

If you find anything suspicious, investigate now. Self-reporting carries more weight than discovery during an examination.
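The four red flags above, which are the same signals listed under "The Audit Trail That Nobody Read", can be checked mechanically once the audit trail is exported. The following is an added example, not code from FINRA, Synovus, or any e-signature vendor; the CSV column names, the firm network range, the email domain, the thresholds, and every record are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# All values below are constructed for illustration (RFC 5737 addresses, .example domains).
FIRM_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # branch/office egress ranges
FIRM_EMAIL_DOMAIN = "brokerage.example"
BURST_WINDOW = timedelta(hours=1)
BURST_MIN_CUSTOMERS = 3  # distinct customers signed from one IP inside the window

# Customer contact data as held in the firm's own records (hypothetical).
CUSTOMER_EMAIL_ON_FILE = {
    "C100": "alice@mail.example", "C101": "dan@mail.example",
    "C102": "erin@mail.example", "C103": "frank@mail.example",
    "C104": "bob@mail.example", "C105": "carol@mail.example",
}

# Constructed audit-trail export; the column names are assumptions, not a vendor schema.
AUDIT_CSV = """envelope_id,customer_id,signer_email,signer_ip,signed_at
ENV-001,C100,alice@mail.example,198.51.100.10,2025-03-04T09:15:00
ENV-002,C101,j.doe@brokerage.example,203.0.113.25,2025-03-04T14:02:00
ENV-003,C102,j.doe@brokerage.example,203.0.113.25,2025-03-04T14:05:00
ENV-004,C103,j.doe@brokerage.example,203.0.113.25,2025-03-04T14:09:00
ENV-005,C104,bob.alt@mail.example,192.0.2.77,2025-03-05T11:30:00
ENV-006,C105,carol@mail.example,203.0.113.40,2025-03-06T10:00:00
"""


def review(audit_csv, on_file):
    """Return {envelope_id: sorted red flags}; envelopes with no flags are omitted."""
    flags = defaultdict(set)
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(audit_csv)):
        env = row["envelope_id"]
        email = row["signer_email"].strip().lower()
        ip = ipaddress.ip_address(row["signer_ip"])
        signed_at = datetime.fromisoformat(row["signed_at"])

        # Red flag: signature originated from a firm network.
        if any(ip in net for net in FIRM_NETWORKS):
            flags[env].add("firm_ip")
        # Red flag: an employee mailbox received the signing request.
        if email.rsplit("@", 1)[-1] == FIRM_EMAIL_DOMAIN:
            flags[env].add("employee_email")
        # Red flag: signer email differs from the customer record (or no record exists).
        if email != on_file.get(row["customer_id"], "").lower():
            flags[env].add("email_mismatch")

        by_ip[str(ip)].append((signed_at, row["customer_id"], env))

    # Red flag: several different customers "signing" from one IP in a short window.
    for events in by_ip.values():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > BURST_WINDOW:
                start += 1
            window = events[start:end + 1]
            if len({cust for _, cust, _ in window}) >= BURST_MIN_CUSTOMERS:
                for _, _, env_id in window:
                    flags[env_id].add("burst_same_ip")

    return {env: sorted(f) for env, f in flags.items()}


if __name__ == "__main__":
    for env, found in sorted(review(AUDIT_CSV, CUSTOMER_EMAIL_ON_FILE).items()):
        print(env, ", ".join(found))
```

Each flag is a lead for supervisory review rather than a finding: ENV-006 trips only `firm_ip`, which is also what a customer signing in person at the branch would look like, while ENV-002 through ENV-004 trip all four checks at once.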

Review your written supervisory procedures for e-signatures. Synovus didn’t have written procedures until April 2024—over two years into the violation period. If your WSPs don’t specifically address e-signature supervision, you have a gap that FINRA will cite during examinations.

Your procedures should specify:

  • Who can initiate e-signature requests
  • What validation happens before documents are sent
  • How audit trails are monitored
  • What constitutes a red flag requiring investigation
  • How frequently audit reviews occur
  • Who’s responsible for branch-level surveillance

Implement systematic audit trail monitoring. One-time pulls aren’t enough. You need systematic, recurring surveillance that flags anomalies automatically. Most firms have the data. Few firms have the monitoring.

Train staff on what constitutes forgery under FINRA rules. Many violations stem from misunderstanding. FINRA’s definition is simpler than state law: signing someone else’s name without explicit, documented permission is forgery, regardless of intent. Customer verbal approval doesn’t constitute permission to sign electronically on their behalf.

Assess your vendor platforms for broker-dealer compliance features. If you’re using general-purpose e-signature tools separately from your operational workflows, you’re creating the supervision gap that caught Synovus.

The questions to ask aren’t just about the e-signature tool itself. They’re about integration:

  • Is e-signature native to the platform managing your regulated workflows (LOFs, prime broker agreements, quarterly reconciliations)?
  • Do your LOF repository and signature mechanism exist in the same system, or are they separate tools requiring cross-referencing?
  • Can supervisors see the complete chain—request, signature, and response—in one unified audit trail?
  • Are authentication boundaries enforced at the platform level, preventing one party from signing on behalf of another?
  • When both counterparties use the same platform, does it create natural supervision boundaries through shared authentication?

If your answers reveal that e-signature happens in one system (DocuSign) while your operational workflows happen in another (your LOF tracking spreadsheet, your F1SA filing cabinet, your quarterly reconciliation database), you have the architecture that enabled Synovus’s violations.

The gap between “e-signature tool” and “broker-dealer compliance platform with integrated e-signature” is exactly where these supervision failures occur.

The Branch Supervision Challenge

Most supervision happens at the branch level, but most surveillance happens at the home office. Branch managers supervise day-to-day operations. Home office compliance runs reports, monitors patterns, and escalates findings.

When branch culture normalizes shortcuts and home office surveillance isn’t looking at the right data, violations can persist for years.

Synovus’s violations concentrated at one branch, suggesting the home office didn’t have effective surveillance of branch-level e-signature activity. The audit trail data existed, but centralized monitoring apparently didn’t.

The solution isn’t just technology—it’s systematic surveillance that surfaces branch-level patterns to home office compliance. Red flags like high volumes of e-signatures from single IP addresses, signatures originating from firm locations instead of customer locations, and rapid sequential signatures are detectable with basic data analysis. But only if someone’s analyzing.

The Enforcement Pattern Emerging

Synovus is the latest in a series of e-signature enforcement actions. FINRA issued Regulatory Notice 22-18 in 2022 because they were seeing enough violations to warrant industry-wide guidance. Since then, multiple firms have faced enforcement for e-signature supervision failures.

The pattern is clear: FINRA warned firms about the risk. They published specific guidance on detection methods. They’re now examining firms for compliance with that guidance. Firms that haven’t implemented systematic monitoring are creating examination findings.

The enforcement will continue. E-signature adoption is universal now. The controls haven’t caught up universally. That gap is where violations happen—and where FINRA enforcement lands.

The Bottom Line

Synovus’s $315,000 fine wasn’t for lacking e-signature technology. It was for lacking e-signature supervision. They had the forms. They didn’t have the controls.

The audit trail existed. The red flags were documented. The metadata was captured. Nobody was looking at it systematically for nearly four years.

This isn’t a technology problem. It’s a supervision problem disguised as technology adoption. When you digitize workflows without digitizing controls, you’ve just created faster, better-documented compliance violations.

And when your e-signature tool is separate from your operational compliance platform, supervision requires manual cross-referencing between systems. That’s where Synovus failed. The DocuSign audit trails existed separately from the operational workflows. Nobody was connecting the dots.

The firms that succeed are those recognizing that e-signatures in broker-dealer operations aren’t just about digital signatures—they’re about supervised digital signatures within compliance-native platforms. When the signature mechanism is integrated into the system managing LOFs, F1SA agreements, or quarterly reconciliations, supervision becomes native to the workflow rather than an afterthought.

The audit trail isn’t just storage—it’s evidence. The supervision isn’t optional—it’s required by FINRA Rule 3110. And when 650 forgeries can happen at one branch over four years, the supervision clearly wasn’t there.

If your firm implemented e-signatures during the pandemic rush to remote operations, now’s the time to implement the supervision that should have accompanied them. And if you’re still using separate tools for signatures and operational workflows, you’re maintaining the architecture that enabled Synovus’s violations.

Because FINRA is looking. And the audit trail is already there, documenting everything. The question is whether you’re reviewing it before or after the examination—and whether your platform architecture makes that review possible without manual cross-referencing between disconnected systems.


Ready to discuss how integrated e-signature within purpose-built platforms enforces supervision systematically? Contact Loffa Interactive Group to explore how FVD, PBIN, and QBS provide native e-signature capabilities within the same systems that manage LOF verification, prime broker agreements, and quarterly reconciliations—creating unified audit trails and supervision workflows designed for broker-dealer compliance. Visit loffacorp.com or reach out for a consultation.

This post is for informational purposes only and does not constitute legal advice. For guidance on specific regulatory obligations, consult your counsel or compliance advisor.