After review of the public comment letters from 2008 (1), I would like to summarize the general themes before providing an opinion.

- Sometimes representatives own the client relationship and sometimes broker-dealers own the relationship with the client.
- There should be a data retention rule to support regulatory investigations and compliance.
- Protecting data is good.
- Customers should be informed of data breaches.
- Many of the suggested rules will be costly for small firms to implement.
- Each institution should be able to decide its own rules based on its goals and risk tolerance.
- We already police ourselves and have our own policies.

I am a household investor, so this is written with household investors predominantly in mind. This ties in perfectly with one of the missions of the SEC: protect investors. I don't choose my representative based on whether they own the relationship or the broker owns the relationship with me. While this is an important concept for the representative, it's outside the scope of what is in my best interests. Informing customers of a data breach is important so that customers are aware of issues and feel they can trust who they do business with. Trust is further reinforced in difficult times. Although firms believe they can decide what is best (privacy, shredding, data breaches, etc.), there are countless instances where firms do the bare minimum when asked to govern themselves. Examples and corresponding fines will be discussed later in this letter. As a result, there should be a clear policy that members must adhere to for privacy protection, shredding, data breaches, etc. Everyone already agrees protecting data is of critical importance. The impact on small firms is irrelevant here from a customer-centric lens. I understand this could increase cost, but I see this as driving competition so that the customer has the best protection.
Any financial institution with a relationship to the customer, including independent representatives, broker-dealers, and transfer agents, should be informing the customer of a breach. The length of time that independent advisors and firms retain data should align with SEC policy. This will ensure independent advisors can remain in regulatory compliance and support investigations after they change employers. Under current rules and regulations, SEC fines are not adequate, nor are they enforced in a timely manner. In 2022 this fine was issued against Morgan Stanley Smith Barney LLC (MSSB): "...stemming from the firm's extensive failures, over a five-year period, to protect the personal identifying information, or PII, of approximately 15 million customers. MSSB has agreed to pay a $35 million penalty to settle the SEC charges." (2) The SEC also fined 16 firms for recordkeeping failures. It's pathetic that such big institutions have poor quality controls. That SEC press release (3) said: "The Securities and Exchange Commission today announced charges against 15 broker-dealers and one affiliated investment adviser for widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications. The firms admitted the facts set forth in their respective SEC orders, acknowledged that their conduct violated recordkeeping provisions of the federal securities laws, agreed to pay combined penalties of more than $1.1 billion, and have begun implementing improvements to their compliance policies and procedures to settle these matters." Clearly, institutions can't be expected to police themselves, as the first example carried on for 5 years and the second example showed 16 firms not being compliant. In addition, I find the fines to be too low and want them to be significantly higher, so that they are no longer seen as a cost of doing business. The fines need to be increased to actually be deterrents.
To recap, we need the SEC to have an official policy on protecting data and on informing customers of data breaches. Customers should feel their data is secure and protected, and should be informed when there is a data breach. History has shown that financial entities cannot be trusted to police themselves. Related to that, the fines have been shown to be just costs of doing business, and therefore need to be increased to actually lead to a demonstrable change in behavior. The SEC needs to look at this entire policy through the lens of its mission statement to protect household investors.

1. https://www.sec.gov/comments/s7-06-08/s70608.shtml
2. https://www.sec.gov/news/press-release/2022-168
3. https://www.sec.gov/news/press-release/2022-174