Memo # 22724

SEC Sanctions Broker-Dealer For Regulation S-P Violations


July 22, 2008

TO:
BROKER/DEALER ADVISORY COMMITTEE No. 22-08
COMPLIANCE MEMBERS No. 29-08
PRIVACY ISSUES WORKING GROUP No. 6-08
SEC RULES MEMBERS No. 65-08
TECHNOLOGY COMMITTEE No. 18-08

RE: SEC SANCTIONS BROKER-DEALER FOR REGULATION S-P VIOLATIONS

 

As we previously informed you, last year the Securities and Exchange Commission instituted enforcement proceedings against a broker-dealer (the “Respondent”) alleging various violations of the SEC’s privacy regulation, Reg. S-P.[1]  The proceeding alleged that the Respondent violated Rules 4, 6, 10, and 30 of Reg. S-P by obtaining non-public personal information on customers of representatives seeking to join the Respondent from other broker-dealers without providing notice to or obtaining the customers’ consent.  This information was obtained by the Respondent from representatives it recruited from other broker-dealers while the representatives were still associated with the other broker-dealers.  It was transferred to the Respondent either by a representative providing it, or by a representative providing the Respondent access, through computer passwords and otherwise, to its broker-dealer’s customer records.  The SEC also alleged that the Respondent did not adequately secure the information once it was in the Respondent’s database and that it permitted representatives who left the Respondent to join other broker-dealers to take the information with them without notice to or consent of the customers. 

 

In particular, the SEC staff determined that approximately 160 recruits provided the Respondent with 36,741 customer Social Security numbers, 35,960 customer account numbers, 19,866 birth dates, 3,081 customer income levels, 2,807 customer net worth estimates, 1,953 bits of information regarding customer investment experience, 1,810 customer driver’s license numbers, 429 instances of customer banking information, and 56 customer tax brackets. 

 

In defense of its conduct, the Respondent claimed: (1) it had no warning it was violating Reg. S-P “because the Commission did not discuss account transfers when it promulgated” the regulation; (2) the Commission’s interpretation would adversely affect customers by injecting significant delays into the account transfer process; and (3) the transfer of customer information to the Respondent was permitted under the three exceptions to Regulation S-P that allowed the sharing of nonpublic personal information:

  • As necessary to effect, administer, or enforce a transaction requested by a customer;
  • In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit; and
  • With persons acting in a fiduciary or representative capacity on behalf of the customer.

 

After a hearing on the merits of the Commission’s complaint, the Administrative Law Judge (ALJ) found the Respondent “acted negligently with respect to its outbound representatives; acted extremely negligently with respect to its inbound recruits;” and aided and abetted other broker-dealers’ violation of Reg. S-P.[2]  Based on these findings, the Respondent was fined $125,000 and ordered to cease and desist from any future violations of Rules 4, 6, 10, and 30 of Regulation S-P.[3]  The issues presented to the ALJ and the ALJ’s response to them are briefly described below.

Issues Discussed in the ALJ’s Opinion

  • The Respondent’s Required State of Mind – The ALJ found that the sanctions sought by the SEC required a showing that the Respondent acted “willfully.”  According to the ALJ this meant “something other than involving ‘deliberate or reckless disregard of a regulatory requirement’.”  Moreover, for the SEC to demonstrate a primary violation of Reg. S-P, it must prove that the Respondent “knowingly and intentionally” violated or attempted to violate the regulation.

 

  • The Respondent’s Reliance on Exceptions in Regulation S-P – The ALJ considered the Respondent’s defense regarding its reliance on three exceptions in Reg. S-P.  According to the ALJ, “[t]his affirmative defense is plainly a lawyerly afterthought.”  As mentioned above, the Respondent asserted that its conduct was excepted from Reg. S-P’s disclosure and consent provisions under the exception that permits the sharing of information “as necessary to effect, administer, or enforce a transaction” requested by the customer.  In support of this position, the Respondent argued that “ongoing customer-registered representative relationships can be interpreted as implicit requests for ‘continuous service’.”  The ALJ was not persuaded, finding “[t]he record does not show that any consumer explicitly requested or authorized any such transaction.”

 

The Respondent next argued the sharing of information was permitted under the exception in Reg. S-P applicable to the sale, merger, transfer, or exchange of a business.  The ALJ did not find this exception applicable because, according to the ALJ, it applies to the financial institution, not to its representatives who lack “the standing to initiate a proposed transfer of one firm’s brokerage business to another brokerage business.”

 

The Respondent then argued that the disclosure was permitted under the exception in Reg. S-P that permits disclosure “to persons acting in a fiduciary or representative capacity on behalf of the customer.”  According to the ALJ, this exception only applies to nonaffiliated third parties who are fiduciaries, and “as long as representatives who are recruits [of the Respondent] remain associated with their current [broker-dealer] firms, they cannot be considered nonaffiliated third parties” for purposes of this exception.  The ALJ additionally noted that, “it is difficult to think that [the Respondent] could characterize itself as a fiduciary while it was surreptitiously obtaining recruits’ computer passwords and user identifications, impersonating the recruits, and extracting customer data from the computer systems of the recruits’ current brokerage firms.”

 

Accordingly, the ALJ concluded that none of the exceptions to Reg. S-P cited by the Respondent permitted the disclosure of customers’ nonpublic personal information.

 

  • The Status of Independent Broker-Dealers and the Independent Contractor Business Model under Reg. S-P – The Respondent argued that, as an independent broker-dealer whose representatives are independent contractors, the relationship with customers belonged to the representatives and not the broker-dealer.  Hence, according to the Respondent, it was permissible under Reg. S-P for the representatives to transfer the information to other broker-dealers.  The ALJ found that the Securities Exchange Act of 1934 does not recognize a distinction between “independent” broker-dealers and other broker-dealers and that there was “no merit to this metaphysical distinction, as it is applied to Regulation S-P.”

 

  • The Impact on the ALJ’s Decision of Common Industry Practice Relating to the Sharing of Customer Information – The Respondent also argued that “it is common industry practice for independent brokerage firms to provide their recruits with the sort of transition assistance” the Respondent provided to its recruits.  It also argued that it was common industry practice to permit representatives to take customer information with them when they left one firm to join another.  In support of its position, the Respondent noted that several large broker-dealers (“wirehouses”) had entered into a “Protocol for Broker Recruiting,” under which signatories agreed not to sue one another for recruiting another’s registered representatives if the representative takes only limited customer information to the new firm and the new firm does not engage in “raiding.”  The customer information covered by the Protocol consists of the customer’s name, mailing address, telephone number, email address and the account title.  The ALJ found that the Respondent had failed to demonstrate the existence of an industry standard permitting violation of Reg. S-P and noted that the Protocol did not permit the sharing of nonpublic personal information governed by the regulation.

 

  • Whether Independent Contractor Representatives were Acting Outside the Scope of their Agency Relationship with the Respondent – The Respondent also argued that, in sharing the nonpublic customer information both with the Respondent and with other broker-dealers when they left the Respondent, the representatives were acting outside of their agency relationship with the Respondent.  Based on a review of agency law, the ALJ found that “[a] principal that is an organization can take action only through its agents, who are typically individuals,” and concluded that the Respondent’s “outbound representatives and inbound recruits were acting within the scope of their agency.”

 

  • The Respondent’s Duty to Encrypt Email Traffic – The SEC argued that the Respondent additionally violated Reg. S-P by failing to encrypt customers’ nonpublic personal information that it exchanged with recruits while it was pre-populating the account transfer forms.  The ALJ found, however, that “the Commission’s authority to compel the encryption of email traffic is nowhere near as plenary as the [SEC] appears to believe.”  The ALJ noted that in legislation enacted prior to the passage of the Gramm-Leach-Bliley Act (GLB Act), Congress had authorized the Secretary of Health and Human Services [HHS] to establish uniform national standards for the secure electronic exchange of certain medical information.  By contrast, “nothing in the GLB Act grants the [SEC] or any other federal regulator powers remotely comparable to those that Congress granted the HHS Secretary.”  Accordingly, the ALJ found that Reg. S-P did not impose a duty to encrypt email.

 

  • Whether the Respondent Aided and Abetted other Broker-Dealers’ Violation of Reg. S-P – According to the ALJ, the Commission must establish three elements to show that a Respondent willfully aided and abetted a violation of federal law: (1) a primary wrongdoer has committed a securities law violation; (2) the accused aider and abetter has a general awareness that its action was part of an overall course of conduct that was illegal or improper; and (3) the accused aider and abetter substantially assisted the conduct constituting the primary violation.  With respect to (1), the ALJ found that the privacy policies of the broker-dealers from which the recruits were sharing customers’ nonpublic personal information generally did not inform customers that the information was being shared and did not provide them an opportunity to opt out of the sharing.  Accordingly, the ALJ found these broker-dealers to have acted negligently in not preventing the disclosure, thereby satisfying the first element.  With respect to element (2), the ALJ found that the Respondent “did nothing to determine whether the recruits’ current brokerage firm disclosed that it was sharing nonpublic personal information with [the Respondent].”  The ALJ described the conduct on the Respondent’s part as “extremely reckless” and found that it satisfied element (2).  Finally, with respect to element (3), the ALJ noted that the Respondent had asked recruits to provide their user identifications and passwords so the Respondent could access the computer systems of the recruits’ current brokerage firms and extract customer nonpublic personal information.  The ALJ found this conduct “extremely reckless” and found that the Respondent “must have known that its conduct was highly improper.”  Because this conduct satisfied the third element, the ALJ found the Respondent aided and abetted violations of Reg. S-P.

 

  • Whether Reg. S-P is Limited to the Selling of Nonpublic Personal Information – The Respondent asserted that Reg. S-P only prohibits the sale of nonpublic personal information – not its sharing.  The ALJ noted that, in signing the GLB Act, President Clinton stated, in relevant part, that the Act provided consumers “an absolute right to know if their financial institution intends to share or sell their personal financial data . . ..”  As such, the ALJ found no merit in the Respondent’s assertion.

 

  • The Impact the ALJ’s Decision Would Have on Impeding and Delaying the Account Transfer Process – The Respondent also argued that consumers will be disadvantaged by limiting the sharing of their information because it will impede and delay the account transfer process.  The ALJ was not persuaded by this argument because, under Reg. S-P, a customer could opt in to the sharing of their information such that Reg. S-P would “not add one second to the time it takes to complete the transfer” of information from one firm to another.  Moreover, Reg. S-P “does not prevent registered representatives from using services that facilitate the account transfer process.  It simply requires a financial institution to notify customers that information sharing may take place and give customers a reasonable opportunity to opt out.”

 

 

Tamara K. Salmon
Senior Associate Counsel


[1]  See Institute Memorandum to SEC Rules Members No. 115-07, Compliance Members No. 51-07, Transfer Agent Advisory Committee No. 56-07, Privacy Issues Working Group No. 8-07 [No. 21553], dated August 31, 2007, summarizing In the Matter of: Next Financial Group, Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (Admin. File No. 3-12738) (Aug. 24, 2007).  The SEC’s Order is available on the SEC’s website at: http://sec.gov/litigation/admin/2007/34-56316-o.pdf.

 

[2]  See In the Matter of Next Financial Group, Inc., Initial Decision Release No. 349 (Admin. File No. 3-12738) (June 18, 2008), which is available at: http://www.sec.gov/litigation/aljdec/2008/id349jtk.pdf.

[3]  Rule 4 (§248.4 of Reg. S-P) requires broker-dealers to provide customers with a clear and conspicuous notice that accurately reflects the broker-dealers’ privacy policies and practices.  Rule 6 (§248.6) requires privacy notices to include the categories of nonpublic personal information that will be disclosed and the categories of affiliates and nonaffiliated third parties to which nonpublic personal information may be disclosed.  Rule 10 (§248.10) prohibits SEC registrants from disclosing nonpublic personal information about consumers to nonaffiliated third parties without proper opt out notice and a reasonable opportunity to opt out and willfully aiding and abetting and causing other broker-dealers’ violations of Rule 10.  Rule 30 (§248.30) requires broker-dealers to adopt policies and procedures to safeguard customer records and information.