Financial institutions must balance the desire to protect vulnerable clients from financial exploitation with their clients’ rightful expectation that their privacy interests will be respected. Bressler, Amery & Ross’ Josh Jones discusses reporting and disclosure issues.
The financial exploitation of senior investors and vulnerable adults is a growing problem. Brokerage firms are facing increased scrutiny over their effort to protect at-risk investors from those who prey on the weak. Baby boomers are targeted daily with more sophisticated scams. Because of the number of potential victims and the dollars involved (boomers are the most invested generation in the history of the markets), a near perfect storm looms for compliance personnel. And regulators, legislators and investors’ attorneys already have taken notice.
At the same time, the industry is grappling with the safekeeping of private client information. Whether it is hackers seeking to exploit system vulnerabilities, regulators looking into companies’ efforts to safeguard their clients’ personal information or the general public’s outrage at what it views as breaches of trust, privacy issues are in the news on a daily basis.
Efforts to protect against senior financial exploitation and the safekeeping of client data have a natural intersection. Specifically, how does a firm report suspected financial exploitation or take other steps to protect at risk investors while still complying with the laws and regulations governing disclosure of such information?
Legislative and Regulatory Framework
A thorough discussion of the laws and regulations governing client privacy would require more space than is available here. Suffice it to say that there are myriad legal requirements brokerage firms must abide by in protecting their clients’ information. Most notably, these include the Gramm-Leach-Bliley Act (GLBA) and applicable self-regulatory organization rules.
In addition, there has been a recent flurry of new federal and state legislation that permits and/or requires reports of suspected financial exploitation. On the federal level, in May 2018, the President signed into law the Senior Safe Act, which encourages (but does not require) certain financial institutions to disclose suspected financial exploitation by providing limited immunity under certain circumstances with regard to such disclosures. On the state level, 26 states have passed so-called “report and hold” legislation that either requires or permits – there are variances state to state – a report of suspected exploitation to state adult protective services (APS), securities divisions or other agencies. Some states also permit disbursement or transactional holds when financial exploitation is suspected. FINRA last year implemented Rule 2165, which permits reporting and disbursement holds when exploitation is suspected.
It cannot be emphasized enough that the federal law, various state laws and the FINRA rule have unique and differing requirements. Finally, all states have APS statutes and have for some time. Some APS statutes have provisions like the new federal and state laws and FINRA’s rule.
Disclosures to Regulators and/or Law Enforcement
The analysis about reporting to governmental agencies tasked with protecting senior investors is the simplest. As a general matter, disclosure of suspected exploitation to relevant federal, state and local authorities does not violate the privacy provisions of the GLBA. Interagency guidance issued by the U.S. Securities and Exchange Commission (SEC) and federal banking regulators makes clear that “disclosure of nonpublic personal information about consumers to local, state or federal agencies for the purpose of reporting suspected financial abuse of older adults will fall within one or more of the exceptions” set forth in GLBA and that such disclosures “may be made on the financial institution’s initiative.” Indeed, the Consumer Financial Protection Bureau’s Office for Older Americans issued a report to financial institutions recommending disclosure of all cases of suspected exploitation to relevant federal, state and local authorities, “regardless of whether reporting is mandatory or voluntary under state or federal law.” Such reporting could occur pursuant to the Senior Safe Act, APS regulations, the report and hold laws discussed above and/or a SAR filing with FinCEN.
Disclosures to Third Parties
A trickier issue involves disclosures to third parties such as relatives, other financial institutions or those who may have a professional relationship with clients. Firms often have a legitimate interest in involving a third party who may be in a better position to assist the vulnerable client in understanding that they were or are being exploited. Study after study demonstrates that victims do not appreciate the risks of exploitation and tend not to suspect the likely culprits (most frequently, someone they know very well). Firms may also need to correspond with other firms about exploitation, because it often involves the transfer of funds from one institution to another.
As an initial matter, GLBA contains an exception that would allow disclosure to anyone with the client’s consent (or the consent of the consumer’s legal representative). In addition, GLBA provides for disclosure to persons “holding a legal or beneficial interest relating to the consumer” and to those “acting in a fiduciary or representative capacity on behalf of the consumer….”
GLBA also provides that financial institutions may make a disclosure “to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability….” This fraud exception, coupled with the public’s overwhelming interest in preventing exploitation of the vulnerable, could provide firms with a sufficient basis to disclose an investor’s confidential information to someone other than a regulator, particularly if faced with an imminent risk of loss. Firms could also choose to rely on disclosure to the appropriate authorities in an effort to prevent such a loss.
In an effort to “build in” a reliable third party to contact in the case of suspected exploitation, FINRA recently amended Rule 4512 to require that broker-dealers request contact information for “a trusted contact person age 18 or older who may be contacted about the customer’s account” from clients during the account opening process. Securing client permission to discuss potential exploitation with a trusted contact pursuant to Rule 4512 addresses any reasonable privacy concerns for firms.
In addition, firms may consider amending their client agreements to allow them, as a matter of contract with the client, to aid the client’s best interest if exploitation arises. As noted above, broker-dealers are now required under amended FINRA Rule 4512 to address the trusted contact issue in writing at account opening. Firms should consider using additional language in client agreements to give them the right to make disclosures above and beyond those contemplated in the FINRA rule.
Another possibility for consideration includes the adoption of laws or regulations directly authorizing sharing of such information among financial institutions. In the anti-money laundering space, Section 314(b) of the USA PATRIOT Act permits sharing of information on a voluntary basis when financial institutions suspect that a transaction involves proceeds from a “specified unlawful activity” under the federal money-laundering statute. Financial exploitation of elderly or vulnerable persons is not a “specified unlawful activity;” therefore, 314(b) is not applicable.
Although 314(b) does not apply to financial exploitation of elderly and vulnerable persons, it could serve as a potential model for a new statutory provision permitting such sharing. Specifically, a provision could be enacted allowing for the sharing of such information when a financial institution has a reasonable belief that financial exploitation of an elderly or vulnerable client is occurring, will occur or has occurred. A statutory provision analogous to 314(b) could further the brokerage industries’ and public’s interest in protecting the elderly and vulnerable while also properly respecting clients’ interests in protecting the privacy of their confidential information.