In a recent FINRA regulatory settlement, we come across a case in which a registered rep didn't make a bad situation worse. Which isn't to say that he undid the bad situation. He didn't. It is to say that he seems to have renounced engaging in further bad actions, which, if nothing else, gave FINRA an excuse to pull its punches. Some might say that the rep stopped short because his broker-dealer caught him in the act. That may be true. On the other hand, whatever the motivation, the confidential information of 1,696 retirement-plan participants never got misused beyond being wrongfully downloaded into spreadsheets and emailed away from the firm. Other than that Mrs. Lincoln, did you at least enjoy the play?
Case In Point
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Fabiano de Franco submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Fabiano de Franco, Respondent (FINRA AWC 2017054076501, April 2, 2019). http://www.finra.org/sites/default/files/fda_documents/2017054076501 %20Fabiano%20de%20Franco%20CRD%204528382%20AWC%20va.pdf
The AWC asserts that de Franco was first registered in 2002, and by 2010, he was registered with FINRA member firm ICMA-RC Services ("RC Services") and also an employee of IRC, an investment-advisor affiliate. IRC provided bookkeeping and administrative services to public-sector retirement plans; and RC Services provided educational services to participants in plans IRC administered.
FINRA Investigation
The AWC asserts that FINRA's investigation of de Franco's conduct was prompted by the self-regulatory-organization's receipt of a Uniform Termination Notice for Securities Industry Registration (the "Form U5) filed on April 27, 2017, by RC Services that disclosed de Franco had been terminated for violation of the firm's policies and procedures.
Before Leaving
During his seven-year tenure with RC Services and IRC, de
Franco purportedly provided investor educational services to certain plan participants for which IRC provided administrative and
recordkeeping services. The AWC asserts that de Franco had access to
an IRC database containing certain confidential information of
plan participants that he used pursuant to providing educational services. As set forth in part in the AWC:
Before leaving the Firm to build his own outside retirement-planning business, de
Franco generated spreadsheets from IRC's database that contained confidential
information, including names, dates of birth, and account balances for 1,696 plan
participants, including participants with whom de Franco had no prior
relationship. Without the authority of the participants, the Firm or IRC, he
emailed the spreadsheets from his RC Services email account to an email account
that his outside business maintained and to which his wife, who was not affiliated
with IRC or the Firm, had access. Neither the email nor the spreadsheets were
encrypted, risking the possibility that if misdirected personal information of plan
participants would fall into the hands of third parties. De Franco emailed the
spreadsheets so that he could contact a subset of the plan participants on the
spreadsheets for the purpose of selling them retirement-planning services through
his outside business. The Firm discovered the April 4, 2017 email through routine surveillance, and terminated de Franco's registration. De Franco never
used the information for any purpose.
FINRA Sanctions
FINRA deemed de Franco's cited conduct to constitute violations of FINRA Rule 2010. In accordance with the terms of the AWC, FINRA imposed upon de Franco a $5,000 fine and a 10-business-day suspension from associating with any FINRA member in all capacities
When you get to Asheville
Send me an email
Tell me how you're doing
How its treating you
Did you find a new job . . .
Bill Singer's Comment
Compliments to FINRA on a nice, tight AWC. Similarly, taking into consideration the allegations, the 10-business-day suspension strikes me as reasonable and tailored to the unique circumstances at issue.
No . . . there is nothing earth-shattering or particularly offensive about the underlying facts presented in the AWC. That being said, this FINRA regulatory settlement presents the perfect opportunity to remind registered reps of several issues to consider when transitioning from one firm to another. Accordingly, let's parse through the AWC:
Before leaving the Firm to build his own outside retirement-planning business, de Franco generated spreadsheets from IRC's database that contained confidential information . . .
Once you have decided to move on from your current firm, be aware that the whole "before leaving" period of time will come under scrutiny. The key point here is that you have decided to leave, as in you no longer have any intention of remaining at your current employer. That changed state of mind is a critical distinction, and one that a veteran industry lawyer will latch on to whether that lawyer is in the service of your former firm or part of a regulator's staff. Consequently, once you have decided that you're leaving, you have to be careful about accessing your current' firm's confidential databases. Careful as in the fact that you will inevitably leave a digital footprint of the date and time you logged on to the database and performed the data dump. In de Franco's case, his generation of spreadsheets from IRC's database became all the more troubling because he not only had decided to leave RC Services but he also was pursuing "his own outside retirement-planning business." On top of that, it gets messy trying to distinguish between what de Franco did wrong at or to his FINRA member firm employer RC Services versus non-member-firm-affiliate IRC.
de Franco generated spreadsheets from IRC's database that contained confidential information, including names, dates of birth, and account balances for 1,696 plan participants, including participants with whom de Franco had no prior relationship.
If de Franco had merely used the confidential information of plan participants with whom he had a prior, ongoing relationship, that still would not have been okay -- but it would have been less bad than what he did by accessing the confidential data of 1,696 plan participants, "including participants with whom de Franco had no prior relationship." It doesn't look right a couple of years later and it likely rankled IRC when the conduct was of a more contemporaneous vintage. You may be thinking that if de Franco had asked for permission to download the data that the BD and RIA might both have declined the request. You may be right. You may be wrong. Regardless, he didn't ask -- and that's the only thing that matters at this point.
Without the authority of the participants, the Firm or IRC, he emailed the spreadsheets from his RC Services email account to an email account that his outside business maintained and to which his wife, who was not affiliated with IRC or the Firm, had access. Neither the email nor the spreadsheets were encrypted, risking the possibility that if misdirected personal information of plan participants would fall into the hands of third parties.
It's easy to see in hindsight how de Franco's simple decision to create spreadsheets and then email them to his outside business was a huge mistake. At the time, as is often the case, it likely seemed harmless (or perhaps a "who's gonna find out?"). It may well have been that de Franco felt that he had invested some seven years at RC Services and IRC and, well, you know how these things get rationalized, he may have figured it was "his" business and he had access to the data anyway as part of his job and . . . and . . . and. The problem with de Franco's conduct is that he sent confidential customer information away from his firm, which was entrusted with securing that information and protecting the participants. Worse, by transmitting the confidential files without encryption and to "his outside business," de Franco created a troubling scenario that invited his former firm's Form U5 narrative and the scrutiny of FINRA. Yes, I know, we all send all sorts of stuff by email. On the other hand, how did that work out for de Franco?
The Firm discovered the April 4, 2017 email through routine surveillance, and terminated de Franco's registration.
As an industry lawyer, among the more common things I hear from clients is how they never, ever thought that those idiots in Compliance would ever find out that they had logged on to the firm's computer system and downloaded X or copied Y or altered the contact information for their clients. Did you notice how RC Services fired de Franco after the firm "discovered the April 4, 2017 email through routine surveillance?" So, maybe those folks in Compliance ain't the dumb shits that you think they are? And, while we're doing some soul searching, maybe you're not as clever as you think you are?
De Franco never used the information for any purpose.
The fact that "De Franco never used the information for any purpose," may have moved FINRA's regulatory needle from a multi-week or multi-month suspension to a more temperate 10-business-days. Keep that in mind should you find yourself under FINRA's scrutiny for similar misconduct. For whatever reason de Franco didn't exacerbate a bad situation by actually using the data to solicit customers or to harm his former firm. If he had pursued such actions, I'm certain that his suspension would have been for a more lengthy period.