One of the many challenges involved in closing down a broker-dealer is ensuring the security and privacy of customer data. There have been some very public instances in which broker-dealers have done this incorrectly and, as a result, regulatory sanctions were imposed, in some cases against individuals. Regulatory bodies have shown that they are willing to take these cases, even if most of these cases are relatively small in the scope of all that they handle. This is because regulators take customer privacy very seriously, and they consider breaches, however small, to be serious.
The requirements related to this area are spelled out in Regulation S-P, and Rule 30 of that regulation includes requirements related to safeguarding and disposal of customer records. Regulation S-P requires that broker-dealers deliver a notice of their privacy policy upon the opening of an account, and annually thereafter. These notices should contain a policy statement regarding what data the firm collects, how it uses that data and how it protects the data. If broker-dealers share information with certain third parties, they must include an appropriate notice in the document along with an opt-out provision in the event that customers desire to opt out of the broker-dealer's sharing of their information. This opt-out provision is particularly important for firms that operate in the independent channel, as they typically allow departing representatives to take customer data with them upon departure. When a broker-dealer closes, the provision of customer information to third parties must be compliant with these provisions of Regulation S-P. Also, the form of the opt-out notice is specified in the rule. For example, simply including an address to which the customer should write is not acceptable.
Finally, when a broker-dealer closes, there will invariably be customer data (electronically stored and in paper format) which will at some point require transfer, storage and/or disposal. Any records that contain customer information (account numbers, account holdings, dates of birth, etc.) must be disposed of properly. Broker-dealers cannot transfer this information to other firms without first having provided the requisite privacy notice with the opt-out provision (and giving clients 30 days to opt out before the transfer). Disposal of records should be by secure means and should not violate the records retention rules spelled out in SEA Rule 17a-4. Also, there are many places one might not expect to find customer information, such as the hard drives now included with most copy machines. Finally, there are requirements related to storage of records and the appointment of a custodian of records when a broker-dealer closes. The custodian must be registered with the firm at the time of the filing of Form BDW.
Mitch Atkins, FINRA’s former SVP and Regional Director, has extensive experience in Regulation S-P compliance and customer information protection.
For help with your data protection and Regulation S-P compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.