I hope that, by now, everyone understands and appreciates just how freakishly sensitive the regulators are to misconduct involving the wrongful sharing of confidential information.  If you don’t, however, FINRA was kind enough to publish two settlements in the last few weeks that work well to drive this concept home.  And both share an interesting characteristic:  they do not involve the bread-and-butter factual scenario that one typically sees: an RR who leaves BD A and moves to BD B takes with him his customer information to facilitate his ability to move his customers to BD B along with him.  Rather, both settlements have unique and interesting facts, which makes them suitable fodder for this blog.

The first settlement was an AWC back in April, involving Kestra Investment Services, out of Texas.  According to the AWC, Kestra has 678 branch offices and just under 2,000 registered representatives, and is growing.  To help with that growth, for about a year-and-a-half, “Kestra contracted with a third-party vendor to provide assistance to recruited registered representatives who had agreed to join Kestra.”  As part of that assistance, “Kestra worked with the vendor to create a template spreadsheet to collect information about recruited representatives’ customers, including their nonpublic personal information.”  That information pretty much screams “confidential”:

  • social security numbers
  • driver’s license numbers
  • birth dates
  • account numbers
  • annual incomes
  • net worth

The AWC recites that “[i]n certain instances, Kestra employees worked with recruited representatives to complete the spreadsheet while the representatives were still registered through their prior broker-dealers.”  What does “worked with” mean?  Apparently, “Kestra employees arranged and participated in conference calls between the vendor and the recruited representatives, and provided recruited representatives with guidance about how to complete the spreadsheet.”

Notably, however, “Kestra employees . . . did not receive copies of the spreadsheet or have access to the nonpublic personal information provided to the vendor. Once a recruited representative became registered through Kestra, the vendor used the spreadsheet to automatically pre-populate new account forms, which the vendor sent to customers who agreed to open Kestra accounts.”

So let’s recap.  Kestra helped RRs who it was recruiting make their transition to Kestra smoother by introducing them to a third-party vendor who gathered and organized the confidential information of their customers, so when they arrived at Kestra they could quickly and easily get new account forms completed and signed, allowing assets to be transferred to Kestra from whatever BD the RR had been registered with.  But, Kestra itself did not see that information.

So what, then, did Kestra do wrong?  It didn’t violate Reg S-P since it didn’t share the confidential information.  Well, we know that, as the AWC points out, “[a] registered representative who discloses nonpublic personal information about a customer and causes his or her broker-dealer to violate Regulation S-P violates FINRA Rule 2010.”  But, turns out that “a firm that causes another broker-dealer to violate Regulation S-P violates FINRA Rule 2010.”  Ah.  Here, Kestra didn’t violate Reg S-P, but it caused other BDs to do so.  Kind of like aiding and abetting.  Specifically,

  • “Kestra failed to take any steps to inquire whether the recruited representatives or their broker-dealers at the time had notified customers about the disclosure of their nonpublic personal information”;
  • “Kestra [failed to] take any steps to inquire whether customers had been given an opportunity to opt-out of having their information disclosed”; and
  • “Kestra also failed to provide any guidance to the recruited representatives concerning the disclosure of customers’ nonpublic personal information to the vendor.”

Given these failures, FINRA found that “Kestra’s arrangement with the third-party vendor resulted in 68 recruited representatives taking nonpublic personal customer information from their broker-dealers and disclosing it to the vendor during the Relevant Period. In so doing, Kestra caused the other broker-dealers to violate Regulation S-P.  By virtue of the foregoing, Kestra violated FINRA Rule 2010.”

The lesson is an easy, but important one:  you not only have to be careful about violating Reg S-P yourself, but, in addition, you must take pains not to cause anyone else to violate it.  It is not enough to say, Hey, well I didn’t look at any of those social security numbers, it was my vendor.  Might be a good time to check your own hiring policies, to see whether you have facilitated someone else’s Reg S-P violation.

Update March 2021:  FINRA liked this theory so much, it brought essentially the same case against Securities America, resulting in a settlement for the same underlying conduct.  Those who do not learn from history are doomed to repeat it.  Or something like that. 

The second AWC did not involve Reg S-P, but was still all about protecting confidential information.  It was submitted by Brandon Rolle, a research analyst who’s been in the industry for about five years.  The facts are short and sweet:

  • Rolle was a research analyst who researched certain sectors and companies.
  • His BD at the time, Longbow Securities, “would ultimately publish research reports to institutional customers who paid a fee for access to the reports.”
  • While associated with Longbow, Rolle sent himself five emails using his personal e-mail address “to evade detection by the firm.”
  • Attached to those emails were 31 documents “that contained confidential and/or proprietary information obtained from Longbow’s computer system. The documents included financial models, industry channel contact information, research reports, and surveys for the companies that Rolle researched and analyzed at Longbow.”
  • Rolle quit Longbow shortly after emailing himself those documents. He then joined another BD and “used the information he had taken from Longbow to assist him in carrying out his duties as an analyst for his new firm.”

So, if Reg S-P wasn’t the issue, what was?  According to the AWC, by emailing himself confidential and proprietary information, Rolle violated two things:

  • “provisions in Longbow’s employee handbook and compliance manual,” as well as
  • “a confidentiality agreement executed by Rolle when hired at Longbow.”

Here’s what’s interesting about Rolle’s AWC:  since when does FINRA care about an RR breaching a confidentiality agreement?  I am pretty sure that 99% of independent contractor reps have a confidentiality provision baked into their rep agreements, and violations, or alleged violations, of such provisions are often the subject of arbitrations.  But FINRA does not usually involve itself in such “business” disputes.  Indeed, as most compliance people know, at least those who deal with registrations, disputes between a BD and a terminated RR are explicitly deemed to be private, non-disclosable matters.

The instructions to Form U-5 say this about “internal review” disclosures:  “Generally, the Internal Review Disclosure question in Question 7B and the Internal Review Reporting Page (DRP U5) are used to report matters relating to compliance, not matters of a competitive nature. Responses should not include situations involving employment related disputes between the firm and the individual.”  Based on that instruction, I have always counseled my BD clients NOT to mark-up someone’s U-5 if the termination is related to an employment dispute.  And I, for one, would absolutely consider the breach by an RR of a confidentiality provision to be an employment dispute – provided that it does not involve confidential customer information.

And, finally, along the same lines, since when does FINRA care about the violation by an RR of a provision of an employee handbook?  A firm is entitled to include all sorts of restrictions and rules in its own handbook.  Say, a dress code provision.  Are you telling me that if an RR shows up to work in shorts and flip-flops that FINRA is going to label that a 2010 violation?  Ok, that’s an extreme example.  But, what if it’s something less silly?  What if an RR’s adult child has an account, and the RR lends money to his child?  That is not against FINRA rules, but some BDs prohibit any and all loans to and from customers, even family members.  Is FINRA saying here that it is willing to bring an Enforcement action to, well, enforce a firm’s policies?  If that is the case, then we are clearly in new territory.  Dangerous territory, at that.