FINRA Rules Regarding Personal Data

What is FINRA?

FINRA or Financial Industry Regulation Authority is a private corporation that manages, regulates, enforces, arbitrates operations handled through the New York Stock Exchange. They are a self-regulatory agency. It is a non-government agency that works closely with and regulates transaction processes for member brokerage firms and exchange markets. The government department that functions similarly in regulating the financial markets is the Securities and Exchange Commission (SEC).

The private corporation owned regulatory committees that began with the stock market as NASD or National Association of Securities Dealers in 1939. It was formed as a response to the 1938 Maloney Act and the Securities Exchange Act from 1934. The NASD, historically speaking, is the predecessor to the current FINRA agency. Today, FINRA offers regulatory oversight in the financial industry. It covers all securities firms that do business with the public. It also oversees companies that contribute to the industry, such as those offering professional training, testing, and licensing of those in the finance industry. It was in July 2007 that FINRA was formed as a consolidation of member regulations, enforcement, and arbitration operations of three agencies: the New York Stock Exchange, NYSE Regulations, Inc., and the NASD.

According to regulatory by-laws, the FINRA board must consist of the make-up of specific individuals. This requirement includes the chief executive officer of FINRA, the chief executive officer of NYSE Regulation, eleven public governors, and ten industry governors, including a floor member governor, an independent dealer/insurance affiliate governor, an investment company affiliate governor, three small firm governors, one mid-size firm governor, and three large-firm governors. The association members of FINRA elect the governor positions.

Does FINRA Have Privacy Rules?

Are there privacy rules or regulations for members of FINRA? Yes. Effective July 28, 2014, the SEC approved specific amendments to its Codes of Arbitration Procedures, which require the redaction of Personal Confidential Information from documents file with FINRA. FINRA added regulation 14-22 to address personal privacy matters, and within the bounds of this regulation are specific details addressing redaction, which are listed under FINRA Rule 13300.

The SEC approved the amendments in regulations that handle privacy and data security. It was added to the Customer and Industry Codes of Arbitration Procedure. The rulings provide details on redaction and privacy protection to any document that a party files with FINRA that contains sensitive information. The private data of consumers, brokers, and companies should be sanitized to prevent fraud. These amendments only apply to documents filed directly through FINRA. However, they do not apply to documents exchanged between members or submit to arbitrators at hearings. Most security firms handle redaction or sanitization of papers in all cases to prevent any loss of data to their consumers and investors. They are cautious to protect their public reputations in the case of a data breach or lawsuit for mishandling data. Without their consumers’ and investors’ trust, these individual firms and brokers would lose business and possibly face fines or other financial penalties. To be optimistic about how your personal data is handled, it is essential to ask any securities agencies you work with for your financial future.

While arbitration cases and those filed under the Simplified Arbitration Rules do not require sanitization of documents, it is suggested. During a legal or arbitration proceeding, parties on either side submit various pleadings and documents to the FINRA Dispute Resolution (DR). Customers often file their forms, which may contain personal confidential information (PCI). When filing an account statement with FINRA DR, these documents often show their account numbers. With many cases and other pleadings, FINRA employees usually handle and transmit party documents that contain PCI. The organization has policies and procedures that staff and arbitrators follow to keep confidential information safe. These in-house procedures have created an enhancement to previous security rules for party documents and information. For additional protection for all parties from identity theft or loss of PCI, FINRA amended the regulation Code of Arbitration Procedure for Customer Disputes and the Code of Arbitration Procedure for Industry Disputes to sanitize document that contains specified PCI from any documents filed. PCI that is recommended for redaction includes the following information:

• Individual Social Security Numbers.
• Taxpayer Identification Numbers.
• Employer Identification Numbers.
• Financial Account Numbers.

It is recommended for all documents that these numbers be limited to the last four digits only. If a party files any form with PCI that is not covered in the specified rules regarding redaction and sanitization, in that case, FINRA will determine that the filing is improper and ask the party to refile the documents with the required redactions. If the party refiles the form within 30 days of the notice and complies with redaction requests or rules, then FINRA will allow the document to be dated as filed at the time of the initial filing date.

Securities firms are moving to further protect their customers and their corporate reputation by redacting more PCI than is required by the rulings. They include all types of personally identifiable information or PII, including home addresses, dates of birth, driver’s license numbers, state identification numbers, or other data that could compromise an individual’s or corporation’s data.

Steps FINRA Takes to Protect Personal Data

Protecting personal confidential information and cybersecurity is one of the most important details for any business or corporation. FINRA has specific steps taken as a precautionary measure to protect PCI from both consumers and businesses. Some examples of the safety measures taken by FINRA are:

• Train FINRA staff members regarding the importance of protecting personal confidential information;
• Verify the recipient’s identity for all case correspondence;
• Confirm arbitrator contact details (address, email, and fax) upon appointment;
• Use encryption for any electronic messages sent outside FINRA that contain PCI;
• Use encryption for any digital files when stored on laptops or portable media devices (e.g., flash drives);
• Store and regularly dispose of case materials to protect the confidentiality of the information; and
• Remove or redact all personal confidential information that appears in publicly available awards.

Redaction is a Solution

Redacting or sanitizing documents is a solution for protecting personal confidential information. Redaction is a term used to describe the process of removing specified data from a record. In most instances, the details removed are replaced by black boxes, which indicates to the reader that there is redacted information at that location. Since any organization, including financial companies, could be the victim of unscrupulous actors, hackers, or other criminals attempting to cause fraud, removing personally identifiable data before storing the data on computer systems is recommended. Encryption is also recommended to help reduce the chance of losing data.

The loss of data files, even in hacking, falls back to the data holder’s responsibility. If a data breach occurs within any organization, business, or corporation, the public loses trust in the company’s data security capabilities. Loss of consumer trust means a loss in revenue. People tend not to forget these details when they know their information has the possibility of being breached. Companies are responsible for the safety of the data, and in some states, like California, loss of data can mean severe financial penalties for the organization. These penalties are applied under the California Consumer Protection Act (CCPA). Under this particular state legislation, a single data breach could mean facing every customer’s lawsuits impacted by the breach. The financial penalties, loss of business, and consumer trust loss to continue to do business with them could be enough to break an organization financially. The solution for protecting critical data is through redaction and encryption.

Artificial Intelligence Creates Accuracy

Any FINRA member, broker, or agency handles a great deal of sensitive data. It is possible to redact documents manually; however, the costs involved are exorbitant. The costs to cover employee work hours, salaries, and benefits, to spend hours manually sanitizing records can be too high. With manual redaction, there are other risks, including human error. A single mistake in a document could cause litigation, fines, and more. The answer or solution to this is to have top-quality automated redaction software in use.

CaseGuard has built one of the best-automated redaction software systems in the world. It is easy to use so that even those with no prior experience in redaction could be easily trained or even understand its functions intuitively. CaseGuard eliminates the concern for human error in the sanitization process. Using smart design, artificial intelligence, and machine learning capabilities, CaseGuard offers one of the most accurate redaction solutions on the market. Compliance through the use of automated redaction changes the risks involved. It is far more precise than manual redactions and reduces the risk of error or release of protected data. It speeds up the process; what used to take hours can now be done with just one click. Machine learning means that the included artificial intelligence is continuously learning to improve upon itself from use. Faster, more accurate, and better over time for any redaction process is how to stay fully compliant and save money. When a financial agency gets serious about protecting your data – they choose CaseGuard.