FINRA Sanctions Emailing of Private Consumer Info

March 2, 2017

Few issues are of more pith and moment than consumer privacy. And few industries are more susceptible to breaches of consumer privacy than the financial community. Seems that nary a day goes by that there hasn't been some hack or illegal uploading of confidential customer info. As such, today's BrokeAndBroker.com Blog highlights a recent FINRA regulatory settlement involving one registered person's violation of consumer data policies.

Case In Point

For the purpose of proposing a settlement of rule violations alleged by the Financial Industry Regulatory Authority ("FINRA"), without admitting or denying the findings, prior to a regulatory hearing, and without an adjudication of any issue, Arturo Fernando Alcocer Romo submitted a Letter of Acceptance, Waiver and Consent ("AWC"), which FINRA accepted. In the Matter of Arturo Fernando Alcocer Romo, Respondent (AWC 20150474600-01, February 14, 2017).

In 2005, Romo entered the securities industry with FINRA member firm Merrill Lynch, Pierce, Fenner & Smith Incorporated. The AWC asserts that Romo had no prior relevant disciplinary history. 

Regulation S-P

Regulation S-P became effective on November 13, 2000, after the Securities and Exchange Commission ("SEC") adopted the privacy rules promulgated under section 504 of the Gramm-Leach-Bliley Act, which imposed notice requirements and restrictions on financial institutions' ability to disclose nonpublic personal information about consumers. Reg S-P requires financial institutions to provide customers with notice of privacy policies and practices, and institutions must not disclose consumers' nonpublic personal information to nonaffiliated third parties unless the consumer has been notified of the proposed disclosure and has not elected to opt out.

In pertinent part, 17 CFR 248.3: Definitions states:

(t)

(1) Nonpublic personal information means:

(i) Personally identifiable financial information; and

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available information.

(2) Nonpublic personal information does not include:

(i) Publicly available information, except as included on a list described in paragraph (t)(1)(ii) of this section or when the publicly available information is disclosed in a manner that indicates the individual is or has been your consumer; or

(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available information.

(3) Examples of lists.

(i) Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available information, such as account numbers.

(ii) Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available information, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

Theory of Relative-ity?

The AWC asserts that on October 2, 2015, Romo used his Merrill Lynch email account to send a message to a relative. Allegedly, the email included an attachment consisting of five Merrill Lynch Wealth Management International "Client Account Information Forms," which contained the names of eight customers, and their brokerage account numbers, addresses, birth dates, and passport numbers.

Third-Party Public Website

Moreover, around October 6, 2015, Romo allegedly uploaded five files to a publicly-accessible third-party website. Said files contained the names of nine Firm customers, along with their addresses, birthdates, passport numbers and account numbers. 

Not Getting IT

The AWC characterized Romo's above email activity as having circumvented his firm's: 

information technology ("IT") safeguards by modifying the names of the files he transmitted in order to disguise their contents. The materials Romo disclosed included ‘non-public personal information’ as that term is defined under Regulation S-P, because it: (1) was provided by Firm customers to obtain financial products and services; (2) resulted from transactions involving financial products or services the Firm provided to its customers; and/or (3) was obtained in connection with providing financial products or services to Firm customers. Romo did not provide notice to the Firm, or any customer, that he intended to disclose customer information to any third party, nor did he receive authorization to do so.

Logging Off

Online FINRA BrokerCheck records as of March 2, 2017, disclose under the heading "Employment Separation After Allegations" that Merrill Lynch "Discharged" Romo on October 14, 2015, based upon allegations of:

Conduct involving failure to adhere to firm policy regarding electronic communications by sending proprietary information to external email addresses.

Sanctions

FINRA deemed Romo's conduct as causing Merrill Lynch to violate Regulation S-P, and in so doing, Romo violated FINRA Rule 2010. In accordance with the terms of the AWC, FINRA imposed upon Romo a $5,000 fine and a 31-day suspension from association with any FINRA member in any capacity.

Bill Singer's Comment

Compliments to FINRA for a nice, tight AWC that deals with an issue of importance for consumers. If I have one quibble (and when don't I?) it was the lack of explanation as to the identity of the "relative" and why Romo had sent the emails to that individual. Beyond that, this is a serious issue and Romo should be thankful that the self-regulatory organization imposed a relatively modest fine and suspension.