Memo #21553

SEC Enforcement Proceeding Against Broker-Dealer For Alleged Violations of Regulation S-P; FINRA's Reg. S-P Reminder


August 31, 2007

TO: SEC RULES MEMBERS No. 115-07
COMPLIANCE MEMBERS No. 51-07
TRANSFER AGENT ADVISORY COMMITTEE No. 56-07
PRIVACY ISSUES WORKING GROUP No. 8-07
TECHNOLOGY ADVISORY COMMITTEE No. 26-07

RE: SEC ENFORCEMENT PROCEEDING AGAINST BROKER-DEALER FOR ALLEGED VIOLATIONS OF REGULATION S-P; FINRA’S REG. S-P REMINDER

The Securities and Exchange Commission has instituted enforcement proceedings against a broker-dealer (the “Respondent”) alleging various violations of the SEC’s privacy rules under the Gramm-Leach-Bliley Act, Regulation S-P. [1]  The facts and violations alleged in the Commission’s Order are briefly described below.

The Broker-Dealer’s Alleged Conduct

According to the Order, the Respondent recruited new representatives by encouraging them to leave their current broker-dealer employer and bring their existing customers to the Respondent.  To assist the recruits in this process, the Respondent had a “transition team” that supplied the recruits with an Excel spreadsheet for the representative to populate with certain information about their customers including, among other information, their brokerage account numbers, mutual fund or variable annuity account numbers, social security numbers, personal financial information, passport numbers, drivers’ license numbers, bank information, employer details, and dates of birth. 

The Order alleges that the Respondent’s transition team encouraged the recruits to provide the completed Excel spreadsheet to the Respondent by email, even though the Respondent did not encrypt its email.  In some instances, in lieu of the recruits completing the Excel spreadsheet, the transition team was provided the recruits’ user IDs and passwords at the recruits’ current broker-dealer so the transition team could access the above information directly from the broker-dealers’ records.  The Order alleges that the transition team also used these IDs and passwords to access various mutual fund and annuity company websites to extract nonpublic personal information.  Once a recruit left his or her existing broker-dealer and joined the Respondent, the recruit would send his or her customers account transfer documents that had been pre-printed by the Respondent based upon the above information.

The Order alleges that the above information obtained by the Respondent’s transition team:

  • Was stored in a database that, until about May 2006, could be accessed by anyone in the Respondent’s home office;
  • Was stored indefinitely in the Respondent’s common server;
  • Included information on those customers who elected not to transfer their account to the Respondent and from those recruits who elected not to work for the Respondent; and
  • Was sometimes forwarded by the Respondent to its clearing firm in anticipation of a recruit transferring a large number of accounts to the Respondent.

The Order further alleges that the recruits’ customers were not informed that their nonpublic personal information was being provided to the Respondent prior to it being provided; nor did the Respondent take steps to determine whether the privacy policies of the recruits’ current broker-dealers permitted the transfer of such information to the Respondent or other nonaffiliated broker-dealers.  It also alleges that, when a representative leaves the Respondent, the representative is permitted to take copies of all of his or her customer files and documents, including those containing nonpublic personal information.  Until June 2006, the Respondent’s privacy policy did not inform its customers of this practice, nor did it provide them the opportunity to opt out of the sharing of this information with the representative’s new employer.

Alleged Regulation S-P Violations

Based on the above conduct, the Order alleges that the Respondent violated the following provisions of Regulation S-P:

  • Rule 4, which requires broker-dealers to provide customers with a clear and conspicuous notice that accurately reflects the broker-dealers’ privacy policies and practices;
  • Rule 6, which requires privacy notices to include the categories of nonpublic personal information that will be disclosed, and the categories of affiliates and nonaffiliated third parties to which nonpublic personal information may be disclosed;
  • Rule 10, which prohibits SEC registrants from disclosing nonpublic personal information about consumers to nonaffiliated third parties without proper opt out notice and a reasonable opportunity to opt out.  The Order additionally alleges that the Respondent violated Rule 10 by willfully aiding and abetting and causing other broker-dealers’ violations of Rule 10; and
  • Rule 30, which requires broker-dealers to adopt policies and procedures to safeguard customer records and information.

This matter remains pending.

FINRA’s Regulatory Notice

Earlier this month, FINRA issued a Regulatory Notice clarifying the application of Regulation S-P when a broker-dealer is supervising the recommendations of newly associated representatives to replace mutual funds and variable products. [2]  According to this Notice, a broker-dealer’s procedures to review and evaluate recommendations do not conflict with its obligations under Regulation S-P.  In conducting reasonable due diligence of the prospective representative’s customer base, “the new firm needs to learn only the identity of the various mutual fund and variable products held by the registered representative’s customer base.  Detailed, nonpublic information about individual customers and their particular investments is not necessary to meeting the objectives [of the members’ due diligence] review.”

Tamara K. Salmon
Senior Associate Counsel

Endnotes

[1] See In the Matter of: Next Financial Group, Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (Admin. File No. 3-12738) (the “Order”).  A copy of the Order is available on the SEC’s website at: http://sec.gov/litigation/admin/2007/34-56316-o.pdf.

[2] See Regulatory Notice 07-36, FINRA (August 2007), which is available on FINRA’s website at: http://www.finra.org/web/groups/rules_regs/documents/notice_to_members/p036445.pdf