For the very first time, the Securities and Exchange Commission (SEC) has assessed financial penalties against individuals charged solely with violating Regulation S-P. As part of an agreement to settle the SEC charges against them for failing to protect confidential information about their customers, a former president and a former sales manager of a now defunct broker-dealer have each been ordered to pay penalties of $20,000, and the former Chief Compliance Officer (CCO) of the firm has been ordered to pay $15,000.
GunnAllen Financial Inc. (GAF) was registered as a broker-dealer with the SEC from March 1986 to April 2010. As its business was winding down in 2010, GAF's Sales Manager, David C. Levine, planned to form a new business partnership with another GAF representative and intended to transfer GAF's customer accounts as an incentive for another broker-dealer to employ them. To that end, GAF's president, Frederick O. Kraus, authorized the transfer of 16,000 accounts containing nonpublic personal information (NPI) of its customers to any broker-dealer that Levine and his partner chose to associate with after they left GAF. On May 14, 2010, Levine sent those GAF customers a letter notifying them that their accounts would be transferred to another broker-dealer with which Levine was newly associated (the Receiving BD) unless those customers decided to opt out within 15 days. Before verifying whether any customers had chosen to opt out, Levine provided the NPI contained in the GAF accounts to the Receiving BD.
GAF's Violations of Regulation S-P
Rule 7(a) and Rule 10(a) of Regulation S-P essentially prohibit SEC-registered broker-dealers from disclosing the NPI of their customers without first providing them with a clear and conspicuous notice of the broker-dealer's privacy practices and an explanation of the customer's opt-out rights, and without providing the customers with a reasonable opportunity to opt out of any disclosure. The SEC alleged that GAF violated Rule 7(a) and Rule 10(a) by failing to provide its customers with notice of their opt-out rights, and by not notifying them that their account information was transferred until after the disclosure of NPI to the Receiving BD had already occurred. Moreover, the SEC claimed that GAF did not provide sufficient time for its customers to opt out, and that it was unreasonable to allow opt-out objections only through a letter that the customers had to write to GAF.
In addition, Rule 30(a) of Regulation S-P (otherwise known as the "Safeguards Rule") requires broker-dealers to maintain reasonably designed policies and procedures to protect the NPI of their customers from security threats and unauthorized access. The SEC alleged that GAF violated the Safeguards Rule by not putting in place policies and procedures to address the transfer and protection of its customers' NPI, despite the reasonably foreseeable risk that its departing registered representatives would disclose customer NPI to successor brokerage firms during GAF's winding-down period.
Violations by the Individual Executives
As a result of Levine's actions in transferring GAF customer accounts and NPI to the Receiving BD and sending untimely and inadequate notices to those customers, the SEC alleged that Levine willfully aided and abetted and caused GAF's violations of Rules 7(a), 10(a), and 30(a) of Regulation S-P. Pursuant to the settlement with the SEC, he was ordered to pay a monetary penalty in the amount of $20,000, was censured, and was required to cease and desist from committing or causing any violations or future violations of the provisions charged.
The SEC also alleged that Kraus willfully aided and abetted and caused GAF's violations of Rules 7(a), 10(a), and 30(a) of Regulation S-P as a result of his role in authorizing the transfer of the 16,000 customer accounts and their NPI to Levine and in approving the contents of the inadequate and untimely notifications to those customers. Kraus also settled with the SEC by agreeing to pay a monetary penalty in the amount of $20,000, consenting to a censure, and being ordered to cease and desist from committing or causing any violations or future violations of the provisions charged.
Finally, the SEC found that GAF's CCO, Marc A. Ellis, willfully aided and abetted and caused GAF's violations of Regulation S-P's Safeguards Rule. As GAF's CCO, Ellis was responsible for implementing, maintaining, and reviewing its policies and procedures in order to comply with the Safeguards Rule. The SEC believed Ellis should have been on notice that GAF's policies and procedures were inadequate to comply with the Safeguards Rule as a result of previous unrelated incidents in which laptop computers were stolen and an employee's password credentials were misappropriated. Indeed, the SEC found that GAF's safeguarding policies and procedures were too short (less than a page long), too general, and too vague, and failed to address the transfer and protection of customer NPI. As with the other former GAF executives, Ellis settled with the SEC and was ordered to pay a monetary penalty in the amount of $15,000, was censured, and was required to cease and desist from committing or causing any violations or future violations of the Safeguards Rule.
This settlement should remind senior officers of financial institutions that the SEC is willing to hold them individually liable for their role in violations of Regulation S-P. Therefore, it is incumbent upon such individuals to consider the effect of their actions and of their company's decisions regarding the privacy rights of customers. Lastly, companies and their executives should also take away from this settlement that the SEC will consider whether an information security policy is sufficiently comprehensive when determining Regulation S-P liability.