July 7, 2023

Last updated: June 29, 2024

FINRA Customer Information Security

By: Securities Institute Staff

Most FINRA test takers report seeing more questions about the handling of customer information. This article will help you understand these important procedures.

Security of Customer Information

To fight identity theft and to protect customers from having too much of their information shared with people they have never met, the SEC enacted Regulation S-P to put into place a requirement from the Gramm-Leach-Bliley Act. Basically, “a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.”

A consumer is a prospect, someone interested in establishing some type of account. A customer is someone who has now opened a financial relationship with the firm. Broker-dealers and investment advisers must deliver initial and annual notices to customers explaining their privacy policies and practices, the types of information they share and with whom, and about the opportunity and methods to opt out of their institution’s sharing of their nonpublic personal information with nonaffiliated third parties. The initial notice must be provided no later than when the firm establishes a customer relationship with the individual. 

For some purposes the difference between the terms consumer and customer is important. In terms of limiting the information that is shared for certain purposes, we will just refer to “consumers.” Consumers (and customers) can only limit certain types of information sharing between a financial institution and another party. The other party is either an affiliate or a non-affiliate, as defined in the financial institution’s privacy statement. Consumers can limit the sharing of information with affiliates for their everyday business purposes that involve the consumer’s creditworthiness. The consumer can also limit the information shared with both affiliates and non-affiliates for the purpose of marketing to the consumer. Consumers do not have the right under federal law to limit the sharing of information that the financial institution engages in for the following purposes:

  • the financial institution’s marketing purposes
  • joint marketing with other financial companies
  • affiliates’ everyday business purposes involving transactions and experiences

Broker-dealers and investment advisers also must have written supervisory procedures dealing with the disposal of consumer credit report information. Since firms typically look at a consumer’s credit history before opening accounts—especially margin accounts—selling annuities, or providing financial planning services, the firms need to safely dispose of the information rather than just setting it all in a big box out back.

Broker-dealers often must respond to requests for documents under disciplinary investigations. When providing such information through a portable media device (DVD, CD-ROM, flash drive), FINRA requires that the information be encrypted. As FINRA states:

the data must be encoded into a form in which meaning cannot be assigned without the use of a confidential process or key. To help ensure that encrypted information is secure, persons providing encrypted information to FINRA via a portable media device are required to use an encryption method that meets industry standards for strong encryption and to provide FINRA staff with the confidential process or key regarding the encryption in a communication separate from the encrypted information itself (e.g., a separate email, fax or letter).

Beyond responding to the regulators’ requests, customer emails also must be encrypted, and registered representatives should not go around sharing customer information with anyone who does not need to know it.

The FACT Act is short for the Fair and Accurate Credit Transactions Act. Under this federal legislation the three major credit reporting agencies, in cooperation with the Federal Trade Commission (FTC), set up a website at www.AnnualCreditReport.com that allows consumers to monitor their credit reports. This Act also attempts to reduce identity theft by requiring firms that collect information on individuals to safely dispose of it and by allowing individuals to place alerts on their credit history if they suspect fraudulent transactions. Broker-dealers gather information from consumers through various sales and marketing efforts. The FACT Act requires that they do not, for example, simply toss thousands of postcards or computer hard drives containing personal and financial information about consumers out in a dumpster behind the branch office.

The FACT Act requires the various agencies charged with its implementation to “identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.” The guidelines must be updated as often as necessary and cannot be inconsistent with the requirement to verify a customer’s identity when opening an account. 

The Federal Trade Commission (FTC) has implemented a red flags rule that requires broker-dealers and other financial institutions to create written “Identity Theft Protection Programs” or “ITPPs” designed to identify, detect, and respond to warning signs (red flags) that could indicate identity theft. The four elements of a firm’s ITPP require broker-dealers and other financial institutions to:

  • identify relevant red flags for the covered accounts that the firm offers or maintains, and incorporate those red flags into its ITPP;
  • detect red flags that have been incorporated into the ITPP of the financial institution or creditor;
  • respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • update the ITPP and its red flags periodically to reflect changes in identity theft risks to customers and the firm.

Broker-dealers must design their Identity Theft Protection Program and have it approved by the Board of Directors of the firm or a designated member of senior management. The principals who approve the program must be involved in its oversight, development, implementation and administration. The firm must train staff to implement the ITPP. If the broker-dealer utilizes any third-party providers to help it with its responsibilities under the red flag rules, the firm must oversee those arrangements carefully.

We hope that this article has helped you better understand how to protect customer information for your upcoming exam.