Guest Blog: Fair Credit Reporting Act (FCRA) and Regulation S-P by Regulated or Aggrieved

July 11, 2022

Fair Credit Reporting Act (FCRA) and Regulation S-P 
by "Regulated or Aggrieved"

The authors of this article happened to recently evaluate and review the implications of the Fair Credit Reporting Act and Regulation S-P and determined that much of the data contained in the databases of Equifax, Experian and TransUnion and those collected from Customers under Regulation S-P are similar to the data collected by the Central Registration Depository (CRD) that is maintained by the Financial Industry Regulatory Authority (FINRA). 

To understand the inequities apparent in the privacy of their databases, let us first examine the definitions of "fair" according to the Merriam-Webster dictionary. Among the meanings stated are: "marked by impartiality and honesty: free from self-interest, prejudice or favoritism," "conforming with the established rules", and "open to legitimate pursuit, attach, or ridicule." We appeal to the reader to question why SEC rule S-P applies to Broker/Dealers and other financial institutions, the FCRA applies to credit reporting companies, and yet, the "fairness" dies when it comes to our regulators! For this reason, we feel it imperative to subject the regulators to our interpretation of fairness: "open to legitimate pursuit, attach or ridicule." In plain English, (which is a requirement when it comes to the writing of public documents for SEC registrants), shouldn't what is good for "the goose" be good for "the gander"? 

The CRD maintains personal data relating to both of these authors and data relating to the entities with which they are associated. None of these entities are aware of the writing of this article. Therefore, they have not approved or disapproved of our words, which are general in nature. 

If the FCRA is adhered to so strictly among the three major credit reporting agencies listed in the first paragraph of this article, shouldn't it and Regulation S-P for our customers be equally applicable to the CRD and FINRA? 

We are not attorneys. We are simply lay people who have been subject to decades of CRD filings during their Wall Street careers, who realize that the hundreds of thousands of Associated Persons whose data is contained in the CRD files are deserving of the same protection and privacy that exists at the major credit reporting agencies and for our customers. Actually, we believe that FCRA applies to the CRD, and we wonder about how CRD and FINRA accumulate and preserve the data in a manner that conforms to the letter of the FCRA or at least the spirit of the FCRA, and in the spirit of Regulation S-P for customers of the broker-dealers and other financial institutions. 

Here are some of our concerns: 
  • The sources of information contained in CRD files 
    • Forms U-4 o Forms U-5 
    • Forms BD 
    • Regulatory agencies 
      • SEC 
      • FINRA 
      • State securities commissions 
  • The fact that the relative inability of the subjects of the information to have all or some of the negative data to be removed, expunged or explained. 
  • The fact that no recourse exists when misinformation appears in files in the first place 
  • The fact that some of the information may be totally incorrect or merely accusatory 
  • The fact that many of the disciplinary or other legal cases brought against persons is often settled with an inability of an accused person to deny charges
  • The fact that the identification of passive owners of industry entities are indicated even though these owners may have nothing to do with the management of the industry entities 
  • The fact that predatory attorneys can seek out persons to sue based mainly on the data contained in CRD, but without any knowledge that these persons have engaged in any wrongdoing 
  • The fact that much of the information is easily accessible to too many persons including: 
    •  Regulatory agency employed persons 
    • Governmental agency employed persons 
    • New or previous employers of individuals 
  • The fact that this information is accessed by others without the subject individual being notified of the access, as well as the fact that broker-dealers are not entitled to any type of representation or warranty from the regulators that their information will not be shared except when required by law (as is stated in Reg-SP with an opt-out clause for third-parties) 
  • The fact that hackers can and have inappropriately obtained access to data contained in the files of at least one of the major credit reporting agencies 
  • The fact that hackers can gain access to the CRD and have access not only to our birthdates, addresses, eye color, height, weight, gender and employment history, which leaves Associated Persons more vulnerable to identity theft. 
Now that we have expressed our concerns, we admit that to some extent it is helpful to have the ability to check the backgrounds of industry participants, especially before we commence a relationship with them. For example, we may wish to know if a salesperson has been found guilty of defrauding a customer, financially exploiting seniors or that he or she has bounced around from firm to firm, which could potentially be a "red flag". On the other hand, sometimes the offenses of individuals or firms are not necessarily relevant nor related to securities violations. For example, a bankruptcy disclosure should not necessarily be judged in a negative manner, unless it occurs regularly, which may indicate a more serious issue. Individuals and entities can certainly encounter hard times, as we've recently experienced with the Covid-19 pandemic. In fact, bankruptcy disclosures actually no longer appear on an individual's Form U-4 record after 10 years. Even the New York State government recently proposed the "Clean Slate Act" where the possibility existed of sealing felony convictions after seven years and misdemeanors after three years (it passed in the Senate but not in the Assembly) 

On the other hand, a record of an industry offense that has been disciplined is forever tattooed into an individual's record and remains there to influence all curiosity seekers. 

Future employers of industry individuals can discern whether the individual was ever disciplined, but seldom know or understand the circumstances behind the disciplinary action. Those future employers can reject an applicant without notifying the applicant that it was the CRD data that sealed his or her fate and not a major credit reporting agency data that did so. We assume that CRD is not thought of as being subject to the FCRA, though it is our thinking that it should be. 

Then there are statistics that are somewhat meaningless since household names of large broker-dealers have so much to report and their reported violations or infractions are somewhat ignored in the long run. Observe the following data as of July 4, 2022, extracted from BrokerCheck: 

# of individuals reported
Goldman Sachs

Merrill Lynch 


Morgan Stanley




We readily admit that we would not hesitate to engage in business with any of the above listed firms because of their vital statistics. We also do not understand them. 

On the other hand, the reported offenses of small firms or individuals can become their death knell because of the publicity given to them as a result of what is reported about them. 

We almost (but not really) feel guilty that we have expressed concerns and observations, but we have not offered any solutions. We believe there is some merit to having a Central Registration Depository and a functional application such as BrokerCheck. Simultaneously, we also strongly believe that our industry has ignored the privacy rights of its participants such as broker-dealers, investment advisors and individuals. The protections of those rights are also important, and all should be treated "fairly." Perhaps the Federal Trade Commission or the Consumer Financial Protection Bureau should take a stand on this as it applies to our industry and place its regulators under the FCRA umbrella. We sincerely hope that our query stimulates positive change to protect the privacy of information pertaining to our financial institutions and its Associated Persons!


The author of this Guest Blog has requested anonymity under the pen name "Regulated or Aggrieved."

NOTE: The views expressed in this Guest Blog are those of the author and do not necessarily reflect those of Blog.