A whistle-blower is accusing some key financial regulators of allowing sensitive broker information to become readily accessible, even as industry watchdogs emphasized the need for companies to protect client data.
According to a complaint lodged with the U.S. Securities and Exchange Commission, personal data such as brokerage account numbers provided to an industry-funded regulator have long been easily accessible online. Separately, Social Security numbers and other information meant to be kept private were also made publicly accessible by state regulators for years up until 2015, according to the complaint, which was reviewed by Bloomberg News.
At issue is material on brokers and their firms gathered by the Financial Industry Regulatory Authority and other regulators to help clients keep tabs on the people handling their money. To spot potential red flags, the SEC encourages investors to search the data that’s housed in the sprawling Central Registration Depository of more than 3,700 broker-dealers and hundreds of thousands of people authorized to work in the securities industry.
Some of that information, which is used in FINRA’s BrokerCheck online portal and passed on to state authorities, has been mishandled, said the whistle-blower, who asked not to be identified in discussing the allegations for fear of reprisals.
While both FINRA and the North American Securities Administrators Association acknowledged past problems in a response to questions from Bloomberg News, they dispute any contention that they’ve been negligent in efforts to clean up the disclosures.
The issues shed light on the massive back-office systems maintained by regulators and the difficulty of keeping the sensitive information in them private. There is so much data that FINRA has a team of more than 30 people who review filings and runs hundreds of automated queries to look for information that shouldn’t be made public.
“They’re sitting on top of an even larger amount of private data than the firms they regulate,” said Donald Langevoort, a professor at Georgetown University Law Center in Washington. “There is an immense amount of cynicism about the ability of any institution public or private to do a good job at safeguarding privacy.”
Concern over financial regulators’ ability to safeguard data led to congressional hearings last year after the SEC revealed that hackers broke into its corporate filing system and accessed two people’s names, dates of birth and Social Security numbers. That disclosure followed a massive breach at Equifax Inc. that may have led to the theft of personal data on about 150 million Americans.
FINRA notes that unlike the Equifax and SEC intrusions, there’s no indication that the posting of broker data resulted from a hack.
“There has been no unauthorized access, hack or breach of BrokerCheck or the registration systems on which it is based,” FINRA Spokesman Ray Pellecchia said in a statement. The organization “is constantly enhancing our controls to better prevent or more rapidly address the isolated incidents where sensitive information is inadvertently entered by a non-FINRA filer.”
Regulators said the problem stemmed from some firms and brokers including more information than they should have on registration forms. Some sensitive material reached the web because FINRA’s filters failed to catch it.
As recently as January, dozens of profiles available on websites run by FINRA included account numbers and other sensitive data, including in one online portal on the SEC’s website that lets people look up their investment advisors.