Categories
Broker-Dealer Information

Regulation S-P and the Closure of a Broker-Dealer

One of the many challenges involved in closing down a broker-dealer is ensuring the security and privacy of customer data. There have been some very public instances in which broker-dealers have done this incorrectly, and as a result regulatory sanctions were imposed, in some cases against individuals. Regulatory bodies have shown that they are willing to take these cases, even if most of them are relatively small in the scope of all that they handle. This is because regulators take customer privacy very seriously, and they consider breaches, however small, to be serious.

The requirements related to this area are spelled out in Regulation S-P. Rule 30 of that regulation includes requirements related to the safeguarding and disposal of customer records. Regulation SP requires that broker-dealers deliver a notice of their privacy policy upon the opening of an account, and annually thereafter. These notices should contain a policy statement regarding what data the firm collects, how it uses that data and how it protects the data. If broker-dealers share information with certain third parties, they must include an appropriate notice in the document along with an opt-out provision in the event that customers desire to opt out of the broker-dealer's sharing of their information. This opt-out provision is particularly important for firms that operate in the independent channel, as they typically allow departing representatives to take customer data with them upon departure. When a broker-dealer closes, the provision of customer information to third parties must be compliant with these provisions of Regulation SP. Also, the form of the opt-out notice is specified in the rule. For example, simply including an address to which the customer should write is not acceptable.

Finally, when a broker-dealer closes, there will invariably be customer data (electronically stored and in paper format) which will at some point require transfer, storage and/or disposal. Any records that contain customer information (account numbers, account holdings, dates of birth, etc.) must be disposed of properly. Broker-dealers cannot transfer this information to other firms without first having provided the requisite privacy notice with the opt-out provision (and giving clients 30 days to opt out before the transfer). Disposal of records should be by secure means and should not violate the records retention rules spelled out in SEA Rule 17a-4. Also, there are many places one might not expect to find customer information, such as the hard drives now included with most copy machines. Finally, there are requirements related to storage of records and the appointment of a custodian of records when a broker-dealer closes. The custodian must be registered with the firm at the time of the filing of Form BDW.

Mitch Atkins, FINRA’s former SVP and Regional Director, has extensive experience in Regulation S-P compliance and customer information protection.

For help with your data protection and Regulation SP compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.

FINRA Broker-Dealer Cyber Security Matters

FINRA broker-dealers operate in one of the industries most frequently targeted by cyber criminals. In 2014 alone, there were numerous instances of highly publicized cyber security and data breaches. Being a victim of these types of breaches comes with the added embarrassment of the negative press that invariably follows. SEC Chair Mary Jo White, in a speech earlier this year, said about cyber threats:

“This is a global threat. Cyber threats are of extraordinary and long-term seriousness. They are first on the Division of Intelligence’s list of global threats, even surpassing terrorism. And [the] director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”

Fortunately, there is a significant amount of information available to broker-dealers that can help to ensure they are reasonably compliant with industry standards. FirstMark Regulatory Solutions conducts risk assessments in the area of cyber security and provides recommendations to broker-dealers that help to ensure compliance with industry requirements. Every broker-dealer has an obligation to protect customer information, which is spelled out in the safeguarding standards of Regulation SP.

“…the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – Gramm-Leach-Bliley Act

Also, broker-dealers are required under FINRA’s supervision rule to have procedures that are reasonably designed to achieve compliance with rules applicable to each area of the firm’s business. Customer information protection is one of those areas.  

FirstMark advises clients on cyber security and customer data breach issues. With the former, security enhancements can range from simple items, such as restricting access to certain devices and technologies which can facilitate rapid transfer of large amounts of data (e.g. high-speed data ports, copiers connected to the internet, portable media devices, etc.), to sophisticated penetration testing on a broker-dealer’s network. With the latter (data breaches), it is important to remember that many states have very significant penalties for failure to notify clients that their data has been compromised. For example, Florida implemented one of the toughest laws in the nation on July 1, 2014. An unreported breach could yield up to a $500,000 fine.

It is critical that broker-dealers are aware of these requirements and have procedures in place that are sufficient to address the risks inherent in their businesses. FINRA and the SEC have been conducting cyber-security sweep exams in 2014, and have indicated they will continue to do so going forward. For small firms, FINRA has created an excellent resource on cyber security that can be found here.

Mitch Atkins, FINRA’s former SVP and Regional Director, has extensive experience in cyber security compliance and customer information protection. For help with your cyber security compliance, contact Mr. Atkins at FirstMark Regulatory Solutions in Boca Raton, Florida at 561-948-6511.