Compliance Risk in Onboarding New Hires: Wells Fargo and Raymond James Privacy Cases
By Richard Satran, a financial journalist - Thomson Reuters Regulatory Intelligence
The Financial Industry Regulatory Authority cited Raymond James this week over its procedures for protecting client data brought by new hires, and a U.S. appeals court upheld an earlier FINRA sanction against a Wells Fargo broker for alleged violations of privacy rules concerning clients.
Both cases served as a reminder that firms need to have clear compliance rules in place for protecting confidential and personal information when financial advisers change firms. Raymond James was involved in both cases – in the FINRA case just disclosed, it was cited for privacy lapses involving new hires. In another case, Raymond James' client information was taken by a broker who was hired by Wells Fargo.
Firms covet client lists, regulators want privacy protection
In the heated competition between brokers for client accounts, the client list a financial adviser brings and the ability to carry those accounts to the new firm are valued assets. By industry protocols a broker is limited to only the basic contact information. The Securities and Exchange Commission Regulation S-P places restrictions on transfers of client data such as personal identifiers and account data. The rule was adopted by the SEC, and FINRA, to follow the Gramm-Leach-Bliley Act requirement that clients be notified if such information is shared with a new employer.
In the new case announced this week, Raymond James settled a charge that its policies on new hires failed to follow the privacy rules that prohibited the transfer of account information directly to the new firm without providing notice to the clients. The firm took information on customers' names, addresses and telephone numbers, along with specific information on the accounts. FINRA cited Raymond James's compliance process for not determining whether clients approved the information transfers and fined it $500,000.
In another case, Raymond James information was on the receiving end of an alleged breach of personal data by a broker who took client information to Wells Fargo. The financial adviser, Stephen Robert Tomlinson, who worked as a manager at the Corning Credit Union affiliated with Raymond James, took a flash drive with 2,000 names of clients when he left those firms for Wells Fargo at a branch in upstate New York.
Appeal of SEC/FINRA case
The appeal was based on Tomlinson's contention that he was allowed to access the data as the manager of the firm and intended only to parse the data to transfer information for which clients' approval was given. The SEC ruled that because the flash drive was given to Wells Fargo, it violated the privacy protection rule. His appeal of the suspension was denied on Thursday in the U.S. appeals court. When Corning and Raymond James discovered the data had been taken, they contacted Wells Fargo, which returned the data and was not cited in the case.
Regulators in both cases cited Regulation S-P, which spells out the terms of information protection for brokers changing firms. They are required to inform clients of their intent to transfer data and to inform them they can opt out of allowing the transfer. Brokers are also required to comply with relevant state laws that place additional restrictions on data sharing.
The SEC privacy rule requires firms to have written procedures governing the handling of client information to comply with the privacy law and places responsibility on firms to let clients know when brokers wish to use their information. In practice, readily available information on names and addresses might not require disclosure, compliance experts say. But most use of personal information requires clients to be aware of what is being shared.
The new court ruling upholding the FINRA/SEC action against the broker suggests that even an inadvertent release of private data can be grounds for action. The new FINRA case, meanwhile, says that responsibility for data begins as soon as a broker arrives at a firm and compliance processes must go beyond protecting a firm's own clients to include those of new hires' prior firms.
FINRA's new case against Raymond James alleges it "failed to establish and maintain reasonable supervisory systems" to ensure compliance. It alleged that from 2011 to 2015 some of the new recruits violated the privacy rules in bringing personal client information to Raymond James.
Response from Raymond James
“Raymond James takes the privacy of clients’ personal information extremely seriously and has detailed practices in place to safeguard this information,” said Raymond James spokeswoman Shereen McCall. “Significantly, FINRA’s recent action is not related to a data breach or other security event. Rather, client information was only shared between companies for business-related purposes as advisors transitioned from one firm to another. No information was compromised in a way that would allow for illegal use. Raymond James has established a plan to address the issues raised by FINRA.”
The FINRA case involving Raymond James can be viewed on the FINRA Disciplinary Actions Online database.