On September 14, 2006, Anthony Dean Russell (Russell), a Branch Chief in the Office of Compliance Inspections and Examinations at the Securities and Exchange Commission's (SEC's) Atlanta Regional Office, saw a local news report about customer records left on the curbside of a home in Alpharetta, Georgia. The news story identified the records as belonging to J.P. Turner & Co., LLC (J. P. Turner), a national broker-dealer headquartered in Atlanta, Georgia. At the time, J.P. Turner had some 150 independent branch office in the United States staffed with nearly 500 registered representatives. This story clearly piqued Branch Chief Russell's interest.
On September 15, Russell told his immediate supervisors about the curbside customer records, and they all watched the video news report on the internet. Consequently, Russell and his staff were instructed to conduct an immediate examination of J.P. Turner. During the examination, the staff discovered that the customer records had been left outside the home of J.P. Turner employee John R. Exley. Exley was Branch Manager of an office that closed in 2001, and this position gave him access to physical copies of customer records, which were still in his possession in September 2006. By 2006, Exley was an employee registered representative in J.P. Turner's Atlanta Office. Apparently, Exley had contracted with a company to pick up and destroy the records; but, the company failed to do so and Exley never followed up on it. The customer records remained on the curb for approximately two weeks. J.P. Turner had no involvement with the disposal contract.
You wouldn't think that such a snafu would invoke federal law, but you would be wrong. I'm sure that Mr. Exley never expected that his failed attempt to swiftly dispose of customer records would invoke the ire of the SEC and get his employer in trouble, but he too was wrong.
The Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act (the Act)), required the Securities and Exchange Commission (SEC) to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer records and information. The stated objectives of these standards are:
In implementing the above rules in 2000 for brokers, dealers, investment advisers, and investment companies, the SEC adopted the Safeguard Rule (Rule 30 of Regulation S-P) for the safeguard of customer information. In December 2004, the SEC amended the rule (re-designating it as Rule 30(a)) and required that the policies and procedures adopted thereunder be in writing. At this same time, the Commission created the Disposal Rule, or Rule 30(b) to address the disposal of consumer report information. Compliance with the amendment was mandatory by July 1, 2005.
A Federal Case
Following its investigation of the Exley curbside incident and upon the conclusion of its staff's examination of J.P. Turner, on July 17, 2009, the SEC issued an Order Instituting Proceedings (OIP) , which alleged that J.P. Turner willfully violated the Safeguard Rule by failing to have written policies and procedures that addressed administrative, technical, and physical safeguards for the protection of customer records and information and that were reasonably designed to provide the security and protection of those records. The SEC's Division of Enforcement sought a cease-and-desist order, disgorgement, and a civil money penalty.
The ALJ's Take on Things
Even interpreting the Safeguard Rule liberally, Robert G. Mahony, the SEC Administrative Law Judge (ALJ), did not find that the documents J.P. Turner provided in evidence set forth a method for or steps describing how its registered representatives should safeguard their customers' information. Conceding that the SEC chose not to adopt minimum standards for the Safeguard Rule's written requirement, but rather allowed broker-dealers to adopt "reasonably designed" written policies and procedures, ALJ Mahony found that J.P. Turner did not adopt reasonable procedures. At best, J.P. Turner was found to have only briefly mentioned in writing its intention to develop procedures, but nowhere in any of the written compliance materials provided to J.P. Turner employees were there explicit procedures (i.e., actual details of actions that should be taken) for safeguarding customer records and information, especially for physical copies of such information.
Prohibitions Versus Instructions
Granting that the Safeguard Rule may not provide minimum standards for written policies and procedures, the ALJ noted that as a FINRA member firm, J.P. Turner is subject to FINRA's rules, requirements and the notices interpreting them. NASD Conduct Rule 3010, among other provisions, requires members to establish a supervisory system and develop and maintain written supervisory procedures. The ALJ determined that FINRA required that written supervisory procedures document the supervisory system that has been established -- this to ensure that compliance guidelines are being followed and to prevent and detect prohibited practices. The ALJ admonishes that while a compliance guideline may discuss a given regulation by describing its elements, written procedures must instruct the reader on the steps necessary to ensure that the rule is being followed.
The ALJ harshly characterized J.P. Turner's written policies and procedures relating to the Safeguard Rule as "piecemeal references to various regulations or general policies." The ALJ stated that J.P. Turner's compliance documentation did not satisfy the requirement for "reasonably designed" policies and procedures for the safeguard of customer records and information. There were no direct instructions to the registered representatives, who were the ones that collected and maintained the customer information. Instead, J.P. Turner's manuals and privacy policies made references to nonexistent procedures. Similarly, the NASD webcast instructed viewers to review their company's procedures, but, with no actual procedures in place, there was nothing to review, lessening the effectiveness of such training.
One Free Bite?
J.P. Turner cited the lack of any prior violation of the Safeguard Rule during NASD/FINRA annual audits, and its 2004 SEC examination. The ALJ was unsympathic to that argument and fell back upon the well-settled SEC position that respondents cannot shift responsibility for compliance to FINRA or the SEC, and that a regulator's failure to take early action neither operates as an estoppel against later action nor cures a violation. Under this precedent, the ALJ ruled that it was unreasonable for J.P. Turner to equate NASD/FINRA or SEC staff "inaction" with tacit approval of J.P. Turner's procedures. Furthermore, a primary impetus in revising the Safeguard Rule to require that the policies and procedures be in writing was the SEC's recongition that its staff was having in auditing unwritten policies and procedures.
Cease And Desist Order
The ALJ noted that it is essential for the protection of its customers that J.P. Turner have adequate written policies and procedures to safeguard customer records and information to avoid future harm to its customers. The ALJ did not find that the firm presented persuasive evidence that it recognizes the wrongful nature of its conduct, nor had it presented meaningful assurances against future violations. Absent such assurances, the ALJ concluded that there was a risk of future. As such, the ALJ issued a cease-and-desist order against J.P. Turner.
Civil Monetary Penalty
Under Section 21B(a)(1) of the Exchange Act, the Commission may assess a civil penalty in this proceeding if the respondent willfully violated the Exchange Act or the rules or regulations thereunder. For each "act or omission" by a non-natural person, in this instance a corporation, the adjusted maximum amount of a penalty in the
To impose a second-tier penalty, the act or omission must involve fraud, deceit, manipulation, or deliberate or reckless disregard of a regulatory requirement. To impose a third-tier penalty, the facts must meet the requirements for a second-tier penalty and the act or omission must also have directly or indirectly resulted in substantial losses or created a significant risk of substantial losses to other persons or resulted in substantial pecuniary gain to the person who committed the act or omission.
The ALJ found that J.P. Turner's conduct was not severe enough to be deemed "reckless". The ALJ credited J.P. Turner with making attempts to comply with Regulation S-P and specifically, though less effectively, with the Safeguard Rule. However, J.P. Turner's procedures for the physical protection of customer information were deemed inadequate. The ALJ assessed a first-tier civil money penalty on J.P. Turner for this violation, which was deemed to be a single violation as of July 1, 2005. However, given J.P. Turner's continued failure to create written policies and procedures in compliance with the Safeguard Rule despite the issuance of at least ten versions of its Main Office Written Supervisory System & Procedures manual -- which stated that such policies and procedures would be developed - the ALJ opted to impose the maximum civil money penalty permitted under Tier One: $65,000
NOTE: The Initial Decision will not become final until the Commission enters an order of finality. The Commission will enter an order of finality unless a party files a petition for review or a motion to correct a manifest error of fact, or unless the Commission determines on its own initiative to review this Initial Decision as to any party. If any of these events occur, the Initial Decision shall not become final as to that party.
Bill Singer's Comment: Hats off to Branch Chief Russell. I love it! This is how regulation works best. An SEC staffer sees a story -- one that many of his colleagues were probably also watching -- but this regulator didn't just shake his head in amazement. To Russell's credit, he followed up. Not a week or month later, but the next day. As a result, unlike with so many recent SEC failed investigations, this one moved forward quickly.
See Something. Say Something. That is an effective formula for regulation. All of which underscores my long-standing point that we really don't need all the overpaid, underworked, self-important senior executives at the SEC or most regulators. Fire a quarter of those useless paper-pushers, divide their salaries among their subordinates who do the grunt work, and instill a greater degree of initiative among the ranks. Hey, Branch Chief Russell, nice job!
I fully appreciate the valid and appropriate goals of both the Safeguard and the Disposal Rules. Nonetheless, as should be evident to anyone reading this Initial Decision, the SEC has done an atrocious job spelling out in sufficient detail what constitutes compliant conduct. As best I can make out the logic of this case, the ALJ seems to concede that the SEC's history of drafting and implementing Reg S-P has been, at best, fuzzy. Remember that it was only in 2004 that the SEC thought to require that the requisite policies and procedures even be in writing!
Recall that the SEC chose not to adopt minimum standards for the Safeguard Rule's written requirement, but rather allowed broker-dealers to adopt "reasonably designed." At its heart, this ruling chastizes J.P. Turner for failing to have specific details concerning safeguarding and disposing customer records, but, oddly, doesn't offer a single such detail -- and the ALJ often notes that the present SEC rules are somewhat vague. Talk about the pot calling the kettle black. All of which renders this case a troubling example of "Do as I say, not as I do."
What bothers me with this matter is the suggestion that even if the SEC's rules are unclear, a FINRA member firm should still seek interpretive guidance from FINRA's rules. Of course, quite often, FINRA's rules are equally nebulous and the so-called "guidance" does not come from the language of the rule but must often be divined through phone calls to FINRA's staff, who frequently hide behind the explanation that they can't give you a "yes" or "no" answer. FINRA staff also hides behind the equally infuriating "we can't give you legal advice on that issue."
Any suggestion that FINRA caselaw is illuminating is equally erroneous. Most of FINRA's disciplinary cases are decided upon the specific facts involved. Change the facts, change the outcome. Further, interpreting whether a given decision in one case will apply to the facts in yours will produce many "good faith" interpretations that the SEC and/or FINRA will subsequently dispute -- and then tell the member firm that it was their obligation in the first place to comply with the vague rule. Nothing good ever comes of poorly drafted laws. Nothing good ever comes when compliance officers flip coins to determine what is the compliant course of action.
As such, I think that J. P. Turner made a fair point when it said that it had reasonably relied upon its prior clean bills of health from both the SEC and FINRA on the very issues now cited as violations. The SEC says that such a defense improperly results in regulated firms shifting their compliance responsibilities to their regulator. That's too slick a proposition. Regulation does not occur in a vacuum. The regulated are participants in a form of operant conditioning -- when the regulator finds a violation, the reasonable firm will fix the problem; when the regulator doesn't find a problem, the reasonable firm infers that there is no problem. If a regulator previously missed a violation and inadvertently misled a regulated firm into a false sense of compliance, then the proper response should be for the regulator to require an immediate correction of the newly discovered violation --- but NOT to cynically say "oops, we missed this last year" and then impose a fine upon the brokerage firm. It is exactly this type of cynicism that corrodes the regulatory system and instigates cover-ups by the regulated community.
I mean, come on, honestly, how did this all become a federal case against J.P. Turner? Exley foolishly left customer records on the curb. The SEC has a vague rule. The SEC and FINRA staffs reviewed J. P. Turner in prior years and never discovered any relevant written supervisory procedures failures. It seems clear to me that, at best, Exley committed a bone-headed goof -- a terrible lapse in judgment. You just don't leave confidential customer records on the curb. Does the SEC truly, honestly -- look-me-in-the-face-and-don't-laugh sincerely -- believe that if J.P. Turner had more specific written record disposal rules that Exley would not have done what he did? What firm in its right mind would even think that it would be necessary to draft the following compliance policy: Do not leave customer records on the curb next to your home.
In the Matter of J.P. Turner & Co. LLC (INITIAL DECISION, Initial Decision Release No. 295; Admin. Pro. File No. 3-13550 / May 19, 2010) http://sec.gov/litigation/aljdec/2010/id395rgm.pdf