FINRA Fines Broker-Dealer for Sharing Customer Data with Third-Party Vendor
Kestra Investment Services LLC (“Kestra”) was fined $125,000 by FINRA for sharing personal customer data with a third-party vendor. Kestra had engaged the vendor to assist newly hired brokers with the transfer of customer accounts to Kestra from competing broker-dealers. From November 2017 to February 2019, sixty-eight registered representatives joined Kestra from other firms. Each of these brokers disclosed personal customer data to the vendor, including social security numbers, driver’s license numbers, annual income, net worth and other personal and financial information, for clients that they hoped to transfer to Kestra from their prior firm(s).
According to the FINRA Letter of Acceptance, Waiver and Consent (“AWC”) in this matter, a copy of which can be found here, the unnamed third-party vendor also prepared customized spreadsheets with particular data fields for the brokers to fill in before they transferred to Kestra. The AWC states that Kestra employees specifically assisted many of the brokers in completing these spreadsheets with personal customer data before the brokers were hired by Kestra. This type of arrangement violates Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Information, promulgated by the SEC, which is also incorporated in state Blue Sky laws via the Uniform Securities Act. The full text of Regulation S-P can be found here, but the cornerstone of Regulation S-P is that financial institutions are prohibited from disclosing “nonpublic personal information” of customers. That type of conduct can also run afoul of state privacy laws.
It is not uncommon for broker-dealers to hire third-party vendors to assist with moving customer accounts from another broker-dealer. In the typical scenario, the information normally shared with the vendor (and the broker’s new firm) is limited to the client’s name, address, telephone number and e-mail address. Most broker-dealers have agreed that this information can be shared and is not private, and we are not aware of a Regulation S-P case brought by regulators involving such limited information. However, the actions of Kestra and its employees detailed in the AWC clearly violated those industry norms, and Regulation S-P.
The AWC states that “Kestra failed to take any steps to inquire whether the recruited representatives or their broker-dealers at the time had notified customers about the disclosure of their nonpublic personal information, nor did Kestra take any steps to inquire whether customers had been given an opportunity to opt-out of having their information disclosed”. FINRA further noted that “Kestra failed to provide any guidance to the recruited representatives concerning the disclosure of customers’ nonpublic personal information to the vendor”.
This case illustrates the continuing issues that broker-dealers regularly encounter in onboarding new representatives while also staying compliant with data privacy rules. Firms (and representatives) must be mindful of all applicable privacy statutes when moving from one broker dealer to another. This includes not only Regulation S-P, but also FINRA Rule 2010, and state Blue Sky and privacy protection statutes.