FINRA fines Kestra Investment Services for causing broker-dealers to violate consumer info safeguarding rules
The violations concern mishandling of data such as customers’ social security numbers, driver’s license numbers, and birth dates.
Kestra Investment Services, LLC has agreed to pay a fine of $125,000 as a part of a settlement with the United States Financial Industry Regulatory Authority (FINRA).
From approximately November 2017 until February 2019, Kestra caused certain recruited registered representatives to take nonpublic personal customer information from the firms where the representatives were then registered and to disclose it to a third-party vendor that assisted the representatives with their transition to Kestra, without the other broker-dealers’ or the customers’ knowledge or consent. This way, Kestra caused those broker-dealers to violate the SEC’s Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Information. As a result, Kestra violated FINRA Rule 2010.
Regulation S-P generally prohibits financial institutions from disclosing “nonpublic personal information” about a customer unless the customer receives proper notice and an opportunity to opt out.
During the Relevant Period, Kestra contracted with a third-party vendor to provide assistance to recruited registered representatives who had agreed to join Kestra. Specifically, Kestra worked with the vendor to create a template spreadsheet to collect information about recruited representatives’ customers, including their nonpublic personal information. The spreadsheet contained fields for, among other items, customers’ social security numbers, driver’s license numbers, and birth dates, as well as fields pertaining to their financial position (account numbers, annual incomes, and net worth, etc.).
In certain instances, Kestra employees worked with recruited representatives to complete the spreadsheet while the representatives were still registered through their prior broker-dealers.
Kestra failed to take any steps to inquire whether the recruited representatives or their broker-dealers at the time had notified customers about the disclosure of their nonpublic personal information, nor did Kestra take any steps to inquire whether customers had been given an opportunity to opt-out of having their information disclosed.
Kestra also failed to provide any guidance to the recruited representatives concerning the disclosure of customers’ nonpublic personal information to the vendor.
Kestra’s arrangement with the third-party vendor resulted in 68 recruited representatives taking nonpublic personal customer information from their broker-dealers and disclosing it to the vendor during the Relevant Period. This way, Kestra caused the other broker-dealers to violate Regulation S-P.
In addition to the fine, Kestra agrees to a censure.