The Massachusetts Securities Division recently issued a consent order accepting an offer of settlement from a New Jersey-based broker-dealer and investment adviser that admitted to failing to reasonably supervise four registered representatives’ handling of customers’ personally identifiable information. The firm was found to have violated the Massachusetts Uniform Securities Act and the firm’s own privacy policies and procedures with respect to client data held in third-party CRM systems.
The broker-dealer/investment adviser involved in the order allowed its registered representatives to use their own third-party CRM systems to capture client information. Firm registered representatives were allowed to enter personal client data into a third-party CRM, including names, addresses, phone numbers, dates of birth, account information, and social security numbers, among other information. By allowing registered representatives to “own” this information in third-party technology platforms, the broker-dealer was found to have violated its own policies and procedures, which prohibited representatives from disclosing private client information to third parties without a client’s consent. The firm also had no access to, or control over, this private information and could not monitor or supervise who had access to it.
The firm’s privacy policies and procedures required representatives to return copies of all records containing customers’ private information upon termination, and prohibited representatives from taking private information with them upon departure from the broker-dealer. By allowing representatives to own information contained in a third-party CRM, the firm was found to have violated this procedure when representatives separated from the firm. The broker-dealer’s policies also required the firm to wipe all client personal data from a terminated representative’s electronic devices, or disable a representative’s access to devices containing this information, which was not enforced with a third-party CRM system. In practice, the firm did not include information contained in a third-party CRM in these data retrieval procedures, in violation of firm policies, and the firm could not monitor unauthorized users’ access to the third-party CRM systems.
In accepting the terms of the consent order, the broker-dealer will pay a fine of $100,000 and take corrective action to prevent future violations related to personally identifiable information. The firm is also required to notify all Massachusetts customers whose private information may have been compromised. This case provides an example of state enforcement activity related to the privacy of client information and the unintended improper sharing of such information. The case should remind broker-dealers and investment advisers to examine their own policies for the protection of private client information and the application of those policies and procedures to third-party technology platforms.
If you have questions about your firm’s privacy policies and procedures or about this case specifically, please reach out to your Foreside consultant.
A copy of the full Massachusetts Release can be found here: http://www.sec.state.ma.us/sct/current/sctsummit/R-2018-0083-Summit-Equities-Inc-Consent-Order-12-26-18-Final.pdf
This article is not a solicitation of any investment product or service to any person or entity. The content contained in this article is for informational use only and is not intended to be and is not a substitute for professional financial, tax or legal advice.