May 27, 2008
The Securities and Exchange Commission (the Commission) has proposed significant amendments to Regulation S-P. As CEO of Sutter Securities Incorporated, a small introducing broker-dealer and a member of the FINRA Small Firm Advisory Board, I appreciate the opportunity to comment on these amendments.
The Commission acknowledges that the amendments will place a significant burden on the industry. I would like to raise two fundamental reasons for a modification of these proposed rule changes as they apply to some small broker-dealers.
First, the major purpose of the amendments is to provide added customer protection. The amendments require each firm to have added security and protective procedures aimed at preventing or providing early discovery of the theft of client information. This goal is to be accomplished, in the main, by providing safeguards and procedures surrounding the computers that store this personal and sensitive information, although procedures are also required to safeguard hard copy documents. For many small broker-dealers that are introducing firms (i.e., their client accounts are carried by a larger clearing firm), client information is stored only on the clearing firm's computers. Introducing firms access this information via a password and secure network provided by the clearing firm. In our case, and I believe for a large number of small firms, there is no sensitive client data stored on any of our firm's desktop computers. Whatever benefits will be gained through a substantial portion of these amendments will be fully realized if our clearing firm complies with the new rules.
It is not uncommon for a clearing firm to provide many of the necessary procedures that allow a small broker-dealer to comply with various regulatory requirements. This includes clearing firm participation in TRACE and MSRB trade reporting, Best Execution requirements, and Business Continuity Plans among others. The same should be true of compliance with many of these proposed Regulation S-P amendments. If a broker-dealer clears through another broker on a fully-disclosed basis, does not provide on-line brokerage accounts and does not maintain client information on its own servers or desktop computers, it cannot be the successful target of a keylogger program or a phishing attack regarding client information. Significant costs would be imposed on the small firm in the implementation of these proposed amendments to Regulation S-P without any additional benefit. The amendments should be clarified in this regard and should explicitly permit the introducing firm to rely on the clearing firm to establish and maintain computer security in the situation described above, save for requirements that the introducing firm exercise due care with respect to persons whom the introducing firm permits to access the clearing firm database and have procedures for checking that no sensitive client information has been downloaded and saved onto the firm's computers.
Second, based upon my personal experience as the CEO and Chief Compliance Officer for a small broker-dealer, I believe the cost estimates to be significantly understated. The staff estimates the initial costs to smaller institutions would be approximately $18,500 to comply with the proposed amendments plus an additional $10,764 per institution per year in connection with these burdens. In most small firms the Chief Compliance Officer is also the firm Chief Executive Officer or the Chief Financial Officer. As a result, the firm does not have the depth of staff that would allow these new requirements to be absorbed by assigning a few hours of additional work to several of the firm's existing compliance personnel. In fact, these rules may cause the firm to hire additional staff if they were required to implement these changes. Further, I believe that the estimates are too low. One firm that recently hired a consultant to test for intrusion weakness informed us that the audit alone cost that firm approximately $20,000. The cost of hiring a full-time experienced compliance officer so as to ensure compliance with the increasing regulatory burden on the small broker-dealer would add $150-200,000/year for each firm. As the required compliance procedures increase, many small broker-dealers may have no alternative but to close their doors. FINRA statistics support this concern. In the past five years, although the number of registered representatives has grown by over 23,000, the number of member firms has decreased by 288.
I would urge the Commission to provide an exemption to some of these amendments for certain small broker-dealers. For purposes of the Regulatory Flexibility Act, a small broker or dealer is a firm with total capital of less than $500,000. Consequently, the Commission estimates that only 18% of all broker-dealers, 894 out of approximately 5000 firms, qualify as small entities. This contrasts dramatically with FINRA's classification that considers approximately 80% of its members as small firms.
I would propose that the following criteria would allow a small firm to qualify for relief from many of these rule changes:
1. The broker-dealer must clear all of its retail transactions through a broker-dealer(s) who is subject to these amendments.
2. The broker-dealer does not offer on-line brokerage accounts.
3. The broker-dealer signs an annual attestation that they access client data through their clearing firm and do not download and retain this data on their own computers.
4. The broker-dealer obtains an annual certification from its clearing firm(s) that it is in full compliance with these new rules and nothing has come to the introducing firm's attention that would lead it to believe such certification is incorrect.
5. The broker-dealer exercises due care with respect to the persons to whom it gives access to information on the clearing firm's computers.
6. The broker-dealer has written procedures to test that no sensitive client information has been downloaded and retained on the firm's computers.
If a broker-dealer meets the above criteria, I believe it should be exempt from the computer safeguard portion of these new amendments. My comments have addressed those proposed rule changes as related to electronic data. I am not suggesting that a firm be relieved from its obligations to ensure the security of paper records such as new account forms or client statements that may be maintained by the firm.
Robert A. Muh
Chief Executive Officer