A whistle-blower is accusing some key financial regulators of allowing sensitive broker information to become readily accessible, even as industry watchdogs emphasized the need for companies to protect client data.
According to a complaint lodged with the U.S. Securities and Exchange Commission, personal data such as brokerage account numbers provided to an industry-funded regulator have long been easily accessible online. Separately, Social Security numbers and other information meant to be kept private were also made publicly accessible by state regulators for years, up until 2015, according to the complaint, which was reviewed by Bloomberg News.
At issue is material on brokers and their firms gathered by the Financial Industry Regulatory Authority and other regulators to help clients keep tabs on the people handling their money. To spot potential red flags, the SEC encourages investors to search the data that’s housed in the sprawling Central Registration Depository of more than 3,700 broker-dealers and hundreds of thousands of people authorized to work in the securities industry.
Some of that information, which is used in FINRA’s BrokerCheck online portal and passed on to state authorities, has been mishandled, said the whistle-blower who asked not to be identified in discussing the allegations for fear of reprisals.
While both FINRA and the North American Securities Administrators Association acknowledged past problems in a response to questions from Bloomberg News, they dispute any contention that they have been negligent in efforts to clean up the disclosures.
The issues shed light on the massive back-office systems maintained by regulators and the difficulty of keeping the sensitive information in them private. There is so much data that FINRA has a team of more than 30 people who review filings and run hundreds of automated queries to look for information that shouldn’t be made public.
“They’re sitting on top of an even larger amount of private data than the firms they regulate,” said Donald Langevoort, a professor at Georgetown University Law Center in Washington. “There is an immense amount of cynicism about the ability of any institution public or private to do a good job at safeguarding privacy.”
Concern over financial regulators’ ability to safeguard data led to congressional hearings last year after the SEC revealed that hackers broke into its corporate filing system and accessed two people’s names, dates of birth and Social Security numbers. That disclosure followed a massive breach at Equifax Inc. that may have led to the theft of personal data on about 150 million Americans.
FINRA notes that unlike the Equifax and SEC intrusions, there’s no indication that the posting of broker data resulted from a hack.
“There has been no unauthorized access, hack or breach of BrokerCheck or the registration systems on which it is based,” FINRA Spokesman Ray Pellecchia said in a statement. The organization “is constantly enhancing our controls to better prevent or more rapidly address the isolated incidents where sensitive information is inadvertently entered by a non-FINRA filer.”
Regulators said the problem stemmed from some firms and brokers including more information than they should have on registration forms. Some sensitive material reached the web because FINRA’s filters failed to catch it.
As recently as January, dozens of profiles on websites run by FINRA, and on an online portal on the SEC’s website that lets people look up their investment advisors, included account numbers and other sensitive data.
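The article describes FINRA’s defense against this kind of leak as a mix of manual review and automated queries that look for data a filer should not have typed into a free-text registration field. The block below is an added example, not FINRA’s, NASAA’s or the SEC’s code, of what such a pre-publication filter looks like: it scans a filing’s narrative text for Social Security numbers and for account-number-like tokens, returns the findings for a reviewer, and produces a redacted copy for publication. The regular expressions, the plausibility rules and the sample filing are constructed for illustration; real forms would need the patterns tuned to the identifiers they actually carry.

```python
"""Pre-publication scan of free-text registration fields for SSNs and
account numbers.  Added example; patterns and sample data are constructed."""
import re
from dataclasses import dataclass

# SSN written with dashes: area-group-serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Account numbers carry no checksum, so the filter relies on context (a label
# such as "Acct No.") or on a long bare run of digits.  Both patterns are
# assumptions about how filers write them; a bare digit run is flagged for a
# human reviewer rather than treated as a confirmed account number.
LABELED_ACCT_RE = re.compile(
    r"(?i)\b(?:acct|account|a/c)\s*(?:no\.?|number|#)?\s*[:#]?\s*"
    r"((?=[A-Z0-9-]*\d)[A-Z0-9][A-Z0-9-]{5,19})\b"   # must contain a digit
)
BARE_DIGITS_RE = re.compile(r"\b\d{8,17}\b")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues; cuts false positives on IDs/dates."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "account" (labeled) or "digit_run" (unlabeled)
    start: int
    end: int
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return non-overlapping findings in document order.

    When two patterns hit the same span, the more specific one (SSN, then a
    labeled account number) wins over a bare digit run.
    """
    found: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            found.append(Finding("ssn", m.start(), m.end(), m.group(0)))
    for m in LABELED_ACCT_RE.finditer(text):
        found.append(Finding("account", m.start(1), m.end(1), m.group(1)))
    for m in BARE_DIGITS_RE.finditer(text):
        found.append(Finding("digit_run", m.start(), m.end(), m.group(0)))
    # Stable sort by position; earlier-inserted (higher-confidence) entries
    # stay ahead of later ones at the same offset, so they are kept first.
    found.sort(key=lambda f: (f.start, -(f.end - f.start)))
    kept: list[Finding] = []
    for f in found:
        if not any(f.start < k.end and k.start < f.end for k in kept):
            kept.append(f)
    return kept


def redact(text: str) -> str:
    """Replace every finding with a labeled mask, working from the end so
    earlier offsets stay valid."""
    out = text
    for f in sorted(scan_text(text), key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[REDACTED-{f.kind.upper()}]" + out[f.end:]
    return out


# Constructed sample of the kind of narrative a filer might paste into a
# disclosure field.  All numbers are made up.
SAMPLE_FILING = (
    "Disclosure: registered rep acted as treasurer for a church; "
    "church Acct No. 4471-882-19 at the firm. "
    "Trust account 00318827741 held at custodian. "
    "Rep SSN 123-45-6789 provided for identity verification. "
    "Filed 2015-11-30, CRD 1234567."
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILING):
        print(f"{f.kind:10s} {f.value}")
    print(redact(SAMPLE_FILING))
```

The scan is deliberately biased toward false positives: a ten-digit phone number will be reported as a `digit_run`, which is the right trade-off for a queue that a review team reads before anything reaches a public portal. The date and the seven-digit CRD number in the sample are left alone, which is what the word-boundary and length rules are for.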
SEC spokesman Chris Carofine declined to comment.
FINRA said it sent financial firms and professionals a reminder to enter only requested information, after Bloomberg News asked about the issue. The regulator also said it has stepped up reviews of data available through its BrokerCheck system.
The moves appear to have had an impact. Almost all of the sensitive information available in files on brokers and advisors reviewed by Bloomberg since November has been scrubbed.
Some examples of data that were until recently available include: the name, address and account information of a Wisconsin church where a Scottrade broker was acting as treasurer; the account number for a trust on which a Morgan Stanley money manager was supposed to be serving; and the account information, name and address of the widowed mother-in-law of a Prudential Financial Inc. investment advisor.
While only a small fraction of the hundreds of thousands of registered professionals appear to have been affected, there’s no easy way to fully search the data available in BrokerCheck. Information available on the web portals is also gathered by the states where brokers and investment advisors are licensed.
Joseph Brady, executive director of the North American Securities Administrators Association, urged filers to include private information only when it’s requested.
“We are concerned to hear of current and isolated instances in which some potentially sensitive information, such as account numbers, may be disclosed inadvertently,” he said. “NASAA continues its long-standing commitment with FINRA and the SEC on efforts to mitigate any such instances.”
In a separate problem, state regulators inadvertently made hundreds of people’s Social Security numbers available for multiple years, until 2015, according to the whistle-blower.
FINRA alerted NASAA after learning that the information was made publicly available.
“State securities regulators worked diligently to identify the individuals whose information may have been disclosed inadvertently and sent notification letters to these individuals,” NASAA’s Brady said. “The purpose of this outreach was to encourage the associations to reach out to firms about the importance of reviewing registration forms, to be mindful of how they disclose personal information, and especially not to add unsolicited personal or sensitive information on the forms when it is not required.”
Judging by the personal data that was recently available in online profiles, it appears that, more than two years later, some brokers and firms still haven’t gotten the message.