FINRA recently settled an action against a registered representative of a broker-dealer for alleged violations regarding the safeguarding and use of private consumer data. The broker accepted and consented to the settlement without admitting or denying FINRA’s findings regarding the alleged violations.

The stockbroker was employed by Merrill Lynch for several years. In January 2014, he resigned from his position there to take a job with Edward Jones. Before resigning, he sent an email, titled “Vacation,” from his Merrill Lynch account to his personal account, purportedly to conceal the transfer of Merrill Lynch clients’ sensitive personal information. He knew this violated Merrill Lynch policy, and his email contained sensitive information regarding numerous Merrill Lynch customers and their accounts.

After starting at Edward Jones, the stockbroker attempted to access the information. Once Merrill Lynch learned of the transfer, it notified Edward Jones, which prohibited its registered representatives from bringing in information regarding their prior firms’ customers. Upon receiving this notice, Edward Jones terminated the stockbroker’s employment.

FINRA determined that the stockbroker caused Merrill Lynch to violate Regulation S-P and FINRA Rule 2010. Regulation S-P requires that firms establish policies and procedures to protect customer information and records. FINRA Rule 2010 requires that members observe “high standards of commercial honor and just and equitable principles of trade.” FINRA fined the stockbroker $5,000 and suspended him for 10 business days.

This action should remind broker-dealers and associated persons that:

  • Private consumer data compiled by a representative in the course of his employment and stored on a firm’s system is subject to the supervision and care of that firm. Representatives have no right to freely transfer this data outside of firm policy.
  • Access to clients’ private personal information should be restricted to necessary employees.
  • Upon receiving notice that an employee is resigning or leaving involuntarily, the employer should immediately restrict and terminate access to any customer information.
  • Even if there is no direct pecuniary harm, broker-dealers and representatives can still be sanctioned for having improper policies and procedures.
  • A written policy in accordance with Regulation S-P must be implemented and monitored. Having and appropriately enforcing written policies safeguarding information may shield the entity from liability.
  • Systems for monitoring and detecting the transfer of consumer information should be set up, with their findings reported to management.

This list is not exhaustive, but should serve as a reminder that FINRA, in accordance with the SEC, is adamant about implementing guidance and pursuing violations to better protect consumers from cyber-risks and data breaches.