In the last two months, the SEC and FINRA have, for the first time each, taken Enforcement action — including against a broker-dealer’s chief compliance officer — in regard to the safeguarding of confidential customer information under a 10-year-old SEC rule called “Regulation S-P.” These actions seem likely to cause a significant shift in how brokers, investment advisers and their firms handle customers’ confidential information, particularly when it comes to a broker or adviser taking his or her “book” of business to another firm.
Previously, when brokers or advisers left for new firms, they and their new firms usually only had to worry about their former firm suing them for breaches of non-compete, non-solicitation and non-disclosure clauses in their agreements, or suing the new firm for “raiding” the former firm’s agents (and, thus, their customers).
But recent SEC and FINRA actions put brokers, advisers and their firms on notice that each could suffer formal regulatory consequences (including fines and suspensions) from brokers or advisers casually — or clandestinely — taking confidential customer information to their new firms.
The SEC adopted Regulation S-P in 2001 pursuant to a mandate in the Gramm-Leach-Bliley Act of 1999, and amended it in 2005 pursuant to a mandate in the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act).
Broadly speaking, Regulation S-P requires broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties. Included in Regulation S-P is the “Safeguard Rule” (Rule 30(a)), which requires broker-dealers to, among other things, adopt written policies and procedures reasonably designed to protect customer information against unauthorized access and use.
Of course, several headlines in recent years have focused on the reported thefts or losses of large caches of confidential customer information from banks and other businesses, so it comes as no surprise that the SEC and FINRA would seek to assert their Enforcement powers in this area. Each of the recent SEC and FINRA Enforcement actions arose from departing registered representatives taking customer information to new employers without providing said customers with sufficient notice and opt-out procedures under Regulation S-P.
Case Study # 1: Recent SEC Disciplinary Actions
In an administrative settlement dated April 7, 2011, the SEC fined a brokerage firm’s president, national sales manager and chief compliance officer between $15,000 and $20,000 each in regard to the transfer of 16,000 customer names and addresses, account numbers and asset values to a new firm. It did not matter that customers approved the transfer after the fact, nor did it matter that the transfer occurred because the broker-dealer was winding down its business and thus simply transferring many of its accounts to a new broker-dealer. The SEC found the firm and its senior executives liable for Regulation S-P violations and fined each of them accordingly.
Especially noteworthy is that the SEC fined the firm’s chief compliance officer for “aiding and abetting” these Regulation S-P violations by failing to improve the firm’s “inadequate” written supervisory procedures for safeguarding customer information (the “Safeguard Rule”) after “red flags” arose from prior security breaches at the firm. (Significantly, those security breaches did not involve other instances of intentional transfer of customer data to a new firm, but rather mostly theft by outsiders of a few RRs’ laptops and the unauthorized access by a former employee of a current employee’s firm e-mail account.)
Case Study # 2: Recent FINRA Disciplinary Action
This past December, FINRA’s National Adjudicatory Council affirmed a $10,000 fine and 10-day suspension ordered by a FINRA hearing panel in a contested hearing against a broker for his downloading confidential customer information from his firm’s computer system onto a flash drive on his last day of employment and then sharing that information with a new firm. FINRA found the broker’s actions prevented his former firm from giving its customers a reasonable opportunity to opt out of the disclosures, as required by Regulation S-P. FINRA also found the broker’s misconduct caused his new firm to improperly receive non-public personal information about his former firm’s customers.
These Enforcement actions will change the legal and practical landscape concerning the portability of a broker’s “book” of customers. From a contractual point of view, brokers and advisers would be well-advised to build Regulation S-P-compliant language into their agreements with their current and new firms if they anticipate ever switching firms again, as these Enforcement actions effectively sound the alarm that the SEC and FINRA will sanction a broker or adviser for furtively taking customer information to a new firm. Likewise, investment adviser and brokerage firms would be well-advised to understand the relevance of Regulation S-P when it comes to brokers or advisers moving to other firms and taking firm customer information with them.
Finally, from a regulatory point of view, a broker’s or adviser’s “former” firm should implement reasonable policies and procedures to ensure compliance with Regulation S-P by all firm personnel, including brokers or advisers looking to leave the firm, and a broker’s or adviser’s “new” firm should take similar care and caution when a broker or adviser brings in confidential information regarding new customers (lest the new firm also be found liable for a Regulation S-P violation, which would have happened in the above FINRA case had the new firm done anything with the customer information it got from the subject broker).
Tags: Allison Frisbee, Jack Hewitt, Joseph Pastore, Securities Regulatory, Security, William M. Dailey