Recruiting Registered Reps and Complying with Regulation S-P

On August 24, 2007, the Securities and Exchange Commission announced the issuance of an Order Instituting Cease-and-Desist Proceedings against NEXT Financial Group, Inc. (“NEXT”) charging violations of Regulation S-P.1 Consistent with ever-growing consumer concerns over the security and privacy of personal data given to retailers, the SEC appears to be targeting securities firms’ use of client information, specifically when new reps bring over customers from prior firms. At the same time, however, the SEC has signaled that it may be amending Regulation S-P in an effort to address just this issue.

In a similar context, however, FINRA (previously NASD) has alerted firms and reps to the scrutiny the SRO will pay towards the actions registered persons who change firms may take to attempt to retain their customers. Suitability determinations and supervision of transactions that appear more focused on keeping customers when reps go to a new firm, rather than on the investment merits of such transactions, are not likely to meet sympathetic review from FINRA.

Recruiting registered reps is no longer merely a business reality and necessity, it is a compliance issue. The NEXT action and concerns over customer privacy on one hand, and FINRA’s focus on suitability on the other, is a clear signal for firms to pay close attention to their recruiting efforts, and the policies and procedures surrounding those efforts. Firms may be well-advised to review their privacy practices and policies for compliance with both Regulation S-P and general suitability requirements in connection with transitioning both outgoing and incoming employees and the individual clients those employees seek to retain.2

NEXT Financial Group, Inc.

The SEC’s Order outlines 22 separate “facts” or instances in which NEXT allegedly violated, or aided and abetted the violation by other firms, of Regulation S-P. Each of the claimed violations concern NEXT’s alleged practices by which it obtained nonpublic information about customers of independent broker-dealers it was in the process of recruiting (the “recruits”), and how those practices allegedly directly violated Regulation S-P, or aided and abetted or caused a violation of Regulation S-P. The Order focuses around NEXT’s use of a “transition team” that worked with the recruits to allegedly pre-populate account transfer documents such as customer notification letters, Automated Customer Account Transfer forms, NEXT new account information forms, change for broker-dealer letters, and mailing labels. Among other things, the SEC’s Order charges that NEXT’s transition team required recruits to gather and submit personal nonpublic information, including social security numbers, passport numbers, drivers license numbers, net worth, annual income, and occupation.3

The SEC also alleges that non-public information concerning recruits’ customers was maintained on NEXT’s computer servers regardless of whether the recruits’ customers eventually became a customer, and customers were not informed of this practice and presented no opportunity to optout.

The Order also states that when a registered representative left NEXT, he was permitted to take copies of all his customer files and documents which included nonpublic personal information, as well as to download from NEXT’s computer system similar nonpublic personal information. The SEC alleged that prior to June 2006, NEXT’s privacy policy did not clearly and conspicuously inform the customers of this practice.

Based on these and other instances of conduct, the SEC has charged NEXT Financial Group with violations of Rules 4, 6, 10, and 30 of Regulation S-P.4 NEXT’s chairman and CEO, Gordon D’Angelo, while refusing to comment about the Order specifically, stated that “In general, we feel that the SEC had not notified the industry about their concerns over Reg S-P.”5 Elaborating, Mr. D’Angelo explained he wasn’t “arguing the letter of the law” but added that “there’s no customer complaint” and “no corporate complaint.”6

The SEC’s Focus On The Privacy Of Consumer Financial Information

The position apparently taken by NEXT, that the SEC’s concerns about Regulation S-P in the context of firm recruiting may be grounded in fact. Nevertheless, the SEC’s concerns regarding customer privacy generally have repeatedly been made clear and are worth reviewing.

The SEC enacted Regulation S-P under requirements of the Gramm-Leach-Bliley Act, “to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers.”7 Compliance with Regulation S-P became mandatory on July 1, 2001.8 Regulation S-P requires, among other things, a broker-dealer to maintain and disclose privacy practices to safeguard personal information.

The Regulation requires privacy notices be sent to customers and consumers at different points (initial, annual, as well as revised notices) throughout the relationship, and identifies what type of information should be included in such notices.9 On March 21, 2007, eight federal agencies jointly released a model privacy notice for comment.10 The model notice is a two or three page document mainly in chart form, designed to provide firms with a safe harbor for purposes of privacy notices.

Firms that fail to comply with Regulation S-P face adverse regulatory action from the SEC as well as from NASD, which requires through NASD Rules 3010, 3012 and 3013, that its member firms have policies and procedures and a supervisory scheme designed to comply with SEC regulations.

Regardless of the outcome for NEXT, it appears that the SEC is sensitive to potentially unintended consequences of Regulation S-P. Only recently, Paul Jenson, the Deputy Chief Counsel of the SEC’s Division of Market Regulation, announced that the Division is in the process of recommending amendments to Regulation S-P on this very issue.11 According to one report, Mr. Jenson has indicated that a proposed amendment would “allow brokers to take customer lists to their new firms when they change jobs.”12 However, the proposed changes would apparently restrict representatives from taking customer account numbers with them.13 Such an amendment might be considered by some as a step toward clarifying how privacy obligations and business realities may co-exist when reps switch firms. Yet, it remains unclear how a continuing barrier to prior customer account number information is consistent with that goal – especially in light of NASD’s recent Notice to Members, discussed below.

FINRA’s Concerns Regarding Transactions Following New Hires

On the flip side of recruiting, FINRA has recently focused on suitability determinations for the customers of new recruits. Specifically, in a Notice to Members in February 2007, the NASD warned against the temptation newly hired reps may have to recommend transactions merely to keep former customers, regardless of whether the transaction is truly suitable for the customers. NASD Notice to Member 07-06, published on February 13, 2007, specifically addresses the suitability and supervision of transactions concomitant with representatives hired from other firms.14

Even if a firm and their newly hired reps are able to successfully navigate through privacy concerns in order to take full advantage of the rep’s contacts with their former customers, the current holdings of those former customers might be untenable at the new firm – for example, if the new firm does not have a selling agreement with the issuer of the investment product held by the customer at the prior firm. In such a scenario the rep is faced with the decision of either leaving the customer (or at least some of the customer’s assets) behind, or recommending that the customer transfer their investments to those that are offered at the new firm. The temptation for reps to justify the latter, regardless of whether such a recommendation is suitable for the individual customer, has not gone unnoticed.

In the original notice, NASD suggested that in circumstances where reps change firms and find that their customer base may not have the same investment options at the new firm, the representative has a financial incentive to replace existing investments with investments that are available at the new firm. In the Notice to Members, NASD: (1) reasserted that the suitability requirements of NASD Rule 2810 must be met with respect to each such transaction, “based upon the customer’s investment needs and not the financial needs of the firm or its associated persons”; and (2) required that firms maintain or establish “procedures ... including supervisory procedures, that are specifically designed to review and evaluate investment recommendations relating to mutual funds and variable products that are made by newly associated persons to their existing customers.”

In a concession to the obvious tension between the notice as originally written, and Regulation SP’s privacy requirements, FINRA released additional guidance in the context of customer-transfer suitability determinations. On August 13, 2007, FINRA issued Regulatory Notice 07-36 that reiterated the need for robust suitability determinations for customers of newly-hired transfers; it also clarified that the suitability determinations attendant with customers of a newly transferred representative do not require the acquisition of confidential customer data or the use of such information. Rather, FINRA noted that “in conducting reasonable due diligence of the prospective registered representative’s customer base, the new firm needs to learn only the identity of the various mutual fund and variable products held by the registered representative’s customer base.” This clarification relieves the tension between the prior notice and Regulation S-P, but it does not relieve firms from their need to focus on suitability determinations in the context of customers of new hires.

Conclusion

While recruiting revenue-generating representatives has always been a focus of the business managers of retail broker-dealers, both the SEC and FINRA have now given more reason for firms to focus compliance efforts to the recruiting and transition process. The SEC’s apparent new probing of privacy practices has gone beyond the familiar concerns over the security of confidential data with respect to third parties, and has now grown to encompass the increasing regulatory concern over the commercial use of such data by individual representatives and the firms that recruit them. Although the SEC appears to be initially targeting independent-contractor brokerdealers who carry with them client information from one firm to another, traditional wirehouses and other financial institutions may have the same or similar exposure. And while the SEC may continue to tweak the Regulation, it is clear that the Commission will continue to aggressively enforce consumer privacy and the disclosure of the same.

In light of the SEC’s concerns regarding the use of customer data when registered representatives switch firms, broker-dealer firms should consider whether their existing privacy practices and policies are adequate in the context of registered representative attrition and recruitment – regardless of whether such practices are tacitly or explicitly condoned by their competitors. What’s more, this new interest by the SEC could signal a broader focus by the regulator into privacy policies, practices, and compliance programs by financial institutions generally. Given the current environment of regulatory interest concerning privacy breaches, it is important for financial institutions to periodically review, and where appropriate revise, their privacy practices, procedures and compliance programs to ensure that they will pass muster when the regulators come calling.

At the same time, firms may be well-advised to assess their current supervisory procedures with respect to recruiting and new hires, as FINRA’s new guidance may well require additions or modifications to existing procedures – and may also, for many firms, require the addition or strengthening of a compliance element early-on in the recruitment process.