On July 22, 2008, the SEC’s first administrative enforcement order under Regulation S-P, which protects customer nonpublic information, became final. An SEC administrative law judge (ALJ) fined NEXT Financial Group, Inc. $125,000 and ordered it to stop asking recruits to bring with them nonpublic customer information for account transfers and to stop allowing departing reps to take such information. (Order at http://sec.gov/litigation/aljdec/2008/id349jtk.pdf.)
Overview of Regulation S-P
Regulation S-P requires firms regulated by the SEC to adopt security measures to protect nonpublic personal information about customers and to inform customers about the firms’ privacy policies and practices. It also limits when firms may disclose nonpublic personal information to any nonaffiliated third party without first giving the customer an opportunity to opt out of the disclosure. As we previously reported in an HRO Client Alert, Regulation S-P is being overhauled to, among other things, allow registered reps and advisors to retain certain limited customer information when moving firms, as long as customers are informed of this in privacy notices.
SEC Finds that NEXT Violated Regulation S-P by Seeking Customer Information
When recruiting reps, NEXT used aggressive tactics to get customer account transfer information, including having departing reps provide password information for their prior firms’ computer systems for purposes of pre-populating transfer paperwork. NEXT also encouraged recruits to fill out spreadsheets with customer names, contact information, account numbers, social security numbers or tax IDs, account types, net worth, income, bank names, and driver’s license numbers. Although NEXT changed its practices and stopped seeking computer passwords and asking for social security numbers, birth dates, and driver’s license numbers, it continued having its recruits supply customer names, contact information, and securities and bank account information. The SEC ALJ found that all of this customer information was nonpublic personal information protected by Regulation S-P, and that NEXT had not determined whether its use of this information was allowed under the privacy policies of the firms from which it was recruiting.
NEXT tried to defend its practices, in part, by claiming that they were consistent with industry norms as exemplified by the Protocol for Broker Recruiting (Protocol). The Protocol, of which several securities firms are members, allows departing reps to retain limited customer information, such as customers’ contact information and general account and product descriptions. The ALJ commented that the information taken under the Protocol is likely protected nonpublic personal information, stating “Protocol signatories cannot place themselves beyond the reach of Regulation S-P by signing a contract.” The SEC has not, however, pursued any enforcement action against Protocol signatories under Regulation S-P and, importantly, is planning to change Regulation S-P to allow disclosure of this limited information.