Wall Street's customers have every right to expect -- to demand -- that their personal information is not freely bartered to the highest bidder. Expectations and demands aside, the sale of personal info has become the stock-in-trade of far too many fintech service providers, but that's a whole other article for another day. One man's Fintech is another's Fintheft. Like I said, be that as it may, FINRA has maintained a vigilant posture when it comes to the misuse of customers' so-called nonpublic personal information, which is often referred to as "NPI" (gotta love acronyms, no?). In today's blog, we consider the missteps of two respondents when it came to their handling of NPI. And then we ponder the imponderable of how long is too long.
Regulation S-P
Regulation S-P prohibits firms from disclosing "nonpublic personal information" about a customer unless the customer receives proper notice and an opportunity to opt out. Nonpublic personal information generally means any information provided by customers to a broker-dealer to obtain any product or service. It includes, but is not limited to, account numbers, social security numbers, birth dates, and account balances.
In settling cases involving alleged violations of Regulation S-P, FINRA often resorts in its AWCs to asserting variations of the following:
Regulation S-P generally prohibits financial institutions from disclosing "nonpublic personal information" about a customer unless the customer receives proper notice and an opportunity to opt out of disclosure. "Nonpublic personal information" includes personally identifiable financial information (1) that a consumer provides to a broker-dealer to obtain a financial product or service; (2) about a consumer resulting from any transaction involving a financial product or service between a broker-dealer and a consumer; or (3) that a broker-dealer otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.
A registered individual who improperly discloses nonpublic personal information about a customer, thereby causing his FINRA member firm to violate Regulation S-P, violates FINRA Rule 2010, which requires registered persons to observe high standards of commercial honor and just and equitable principles of trade in the conduct of their business.
Additionally, FINRA frequently uses variations of the following admonition:
Regulation S-P Rule 30 requires firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information that are reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Regulation S-P also requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their right to opt-out of information sharing. Further, FINRA Rule 3110 (Supervision) requires firms to establish and implement a system that is reasonably designed to comply with Regulation S-P Rule 30, as well as related policies and procedures.
Cases in Point
Olheiser
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Joseph D. Olheiser submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Joseph D. Olheiser, Respondent (FINRA AWC 2019062873001 / November 25, 2020)
The AWC asserts that Joseph D. Olheiser entered the industry in 2002, was first registered in 2010, and by April 2016, he was registered with Morgan Stanley Smith Barney, where he remained until February 2019, at which time he registered with Raymond James Financial Services, Inc. The AWC asserts that Olheiser "does not have any relevant disciplinary history." As alleged in part in the AWC:
In February 2019, in anticipation of joining Raymond James, Olheiser improperly removed from Morgan Stanley his customers' nonpublic personal information, which he had received from Morgan Stanley as part of his employment as a registered representative. Olheiser faxed to Raymond James the client profile information for twenty Morgan Stanley customers, without their knowledge or consent, in order to open accounts at Raymond James. The Morgan Stanley client profiles included detailed information that is covered by Regulation S-P, such as account numbers, account objectives, investment time horizons, risk tolerances, and account balances. Olheiser improperly possessed this information after leaving Morgan Stanley. At all relevant times, Morgan Stanley's policies and procedures required representatives like Olheiser to use customers' nonpublic information only in their capacity as a representative and prohibited the use or disclosure of nonpublic confidential customer information for the representative's own personal benefit or for the benefit of a new or prospective employer.
In accordance with the terms of the AWC, FINRA found that Olheiser violated FINRA Rule 2010 by causing Morgan Stanley to violate Regulation S-P, and the self-regulatory organization imposed upon him a $5,000 fine and a 10-business-day suspension with any FINRA member firm in all capacities.
Hee
For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Daniel Hee submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Daniel Hee, Respondent (FINRA AWC 2018060447501 / November 27, 2020)
The AWC asserts that Daniel Hee entered the industry in 2014 as an associated person with UBS Financial Services Inc., and was first registered in 2016 with another member firm (not named in the AWC), where he remained until March 2019. The AWC asserts that Hee "does not have any relevant disciplinary history." As alleged in part in the AWC:
Between November 2015 and January 2016, while he was still registered through an association with UBS, and in anticipation of moving to a new firm, Hee printed account documents for approximately 100 customers and hand-delivered them to a representative he planned to work with at the New Firm. The documents he delivered included NPI, such as social security numbers, birth dates, and account numbers, which was information provided to UBS by those customers. Hee improperly removed the customers' documents containing NPI and gave them to a representative at the New Firm without UBS's or the customers' knowledge or consent. The documents Hee removed were never uploaded to the New Firm's system and were not used to recruit any customers away from UBS.
In accordance with the terms of the AWC, FINRA found that Hee violated FINRA Rule 2010 by causing UBS to violate Regulation S-P, and the self-regulatory organization imposed upon him a $5,000 fine and a 10-business-day suspension with any FINRA member firm in all capacities.
Bill Singer's Comment
In Olheiser, we have alleged misconduct that is reasonably related in time to the imposition of FINRA's sanction: February 2019 misconduct responded to via a November 2020 AWC. In Hee the lapse in time between misconduct and sanction is about five years, depending upon where in the November 2015 to January 2016 time continuum you wish to drop a pin versus the November 2020 AWC.
Why do I raise the passage of time in Olheiser versus Hee? That's a very fair question and it's important that I carefully explain my concern.
My comfort with Olheiser and my discomfort with Hee is not merely one prompted by the mechanics of notice, investigation, negotiation, and settlement -- nor something that is inattentive to the delays of the intervening COVID pandemic. I acknowledge all of those issues and take them into account. Similarly, FINRA must be given a reasonable amount of time to investigate allegations of misconduct and to institutionally consider what response is appropriate.
Having noted all of the above, let me now raise a somewhat esoteric concern; namely, that belated fines and suspensions may cross the line from reasonable, remedial sanctions to impermissible, punitive penalties.
As the current jurisprudence reflects, as a non-governmental regulator, FINRA may impose sanctions designed to further the so-called "public interest" via a remedial purpose inherent in a given fine and/or suspension. On the other hand, as current jurisprudence also reflects, FINRA, as that very same non-governmental actor, is not empowered to punish or impose penalties.
In discerning between sanctions and penalties, the courts have noted that it is typically for a sovereign -- a state or the federal government -- to impose criminal/civil penalties. In making that distinction, courts often note that in our republic, those facing fines and imprisonment are entitled to the full panoply of state and federal constitutional and procedural rights. As FINRA often proclaims, you are not entitled to any of those rights when in the posture of a respondent caught up in one of its investigations. You have no Fifth Amendment right. You are not entitled to counsel. There isn't even a guarantee of Due Process. As such, the courts have been called upon to get between FINRA's extra-constitutional powers and the lack of same by which the self-regulator's targets must navigate their investigations and proceedings.
What then are we to make of the fact that FINRA alleges that it was between November 2015 and January 2016 when Hee engaged in the misconduct of copying UBS account documents and providing same to another firm's rep?
Here we are in November 2020 -- is the public interest protected by imposing a modest fine and suspension upon Hee some five years after the alleged misconduct at issue? Moreover, is FINRA's purported "sanction" really a "punishment" given that the imposition of the fine/suspension can't remediate such now-distant conduct?
No . . . I am not urging that Hee get a free pass. What he did is a mixture of both wrong and stupid. On the other hand, even if only for an academic purpose, it's fair to ask: How long is too long? At what point along a given time continuum does FINRA lose the ability to remediate misconduct in the service of protecting the investing public and the self-regulatory organization's fines are merely serving to generate revenue derived from penalties? For me, Olheiser fits perfectly into the mold of a remedial sanction designed to rap a rep's knuckles, get his attention, and right a foundering career. On the other hand, Hee -- five years after the cited misconduct -- comes off more as a regulatory cash register that's ringing up a sale designed to enrich FINRA's coffers.