New Regulatory Tools To Control the Activities of Rogue Individuals in the Financial Services Industries
By David M. Becker
General Counsel, U.S. Securities & Exchange Commission
Before the Subcommittee on Oversight and Investigations and
the Subcommittee on Financial Institutions and Consumer Credit
U.S. House of Representatives
March 6, 2001
Chairwoman Kelly, Chairman Bachus, Ranking Minority Members Gutierrez and Waters, and members of the Subcommittees:
I am pleased to testify today on behalf of the Securities and Exchange Commission ("SEC" or "Commission") about proposals to help give regulators in the securities, banking and insurance areas additional tools to curb the activities of rogue individuals. The Commission strongly supports steps to help regulators act against rogue individuals, such as broadening the Commission's statutory authority to use regulatory information, and improving processes for sharing information among financial regulators. I also would like to highlight implementation issues of particular interest and relevance to the Commission.
At the outset, I would like to note that the Commission welcomes the Subcommittees' attention to this matter, as well as their receptiveness to our concerns, and that the Commission looks forward to working with other regulators and with the Subcommittees to develop a workable approach to these issues. The migration of rogue individuals is a concern that spans regulatory lines. Indeed, the case of Martin Frankel, whom the Commission barred from the securities industry, but who then was able to migrate into the insurance industry and commit a multi-million dollar fraud, underscores how important it is for regulators to cooperate to protect the public from individuals who have proven to be unscrupulous.
I. Information Sharing as a Tool Against Rogue Individuals
The Commission recognizes that the sharing of regulatory information can serve as an important tool to help control rogue individuals. The Commission has firsthand knowledge of the benefits of sharing information in a systematized manner. The National Association of Securities Dealers ("NASD"), through its regulatory subsidiary, NASD Regulation ("NASDR"), maintains the Central Registration Depository ("CRD") system. The Commission, self-regulatory organizations ("SROs") and state securities regulators use the CRD system in connection with registering and licensing broker-dealers and their personnel. The CRD system maintains the qualification, employment, and disclosure histories of over 675,000 registered securities employees.
The CRD system contains an extensive range of information filed by broker-dealers, individuals, and securities regulators, as well as information obtained by the NASD during its review of registration filings, such as criminal history record information from the FBI. Data about individuals includes not only information about an individual's registrations and state licenses, but also personal information such as residential history, employment history and education, criminal charges and convictions, regulatory and disciplinary actions, certain civil judicial actions (such as injunctions involving investment-related activity), customer complaints and related arbitration and judicial proceedings, certain terminations (such as for the violation of securities statutes or rules), and certain financial information (such as bankruptcy).
The CRD system permits varying degrees of access to this information, depending on who is requesting the information and for what purposes. For instance, federal regulations strictly limit the dissemination of criminal history record information provided by the FBI. While securities regulators have the broadest access to the information contained on the CRD system, other parties, including regulated entities, are provided only with specific subsets of that information.
The public is entitled to a subset of the information contained in the CRD database through the NASDR's public disclosure program. Information available through the program includes employment history, other business experience, and disciplinary history. The public disclosure program does not encompass sensitive data such as an individual's social security number, home address, and physical description, judgments and liens originally reported as pending that subsequently have been satisfied, and bankruptcy proceedings filed more than 10 years ago. Also, the NASDR may be directed by a court to remove certain information about a person from the public disclosure program.
The NASDR also has developed, and is in the process of implementing, the Investment Adviser Registration Depository ("IARD") system to collect and maintain registration and disclosure information about investment advisers and their associated persons. Among other things, investment advisers must provide information similar to the information that broker-dealers and associated persons must provide to the CRD. Advisers also must disclose similar disciplinary actions brought against them by state or federal regulators.
The Commission will provide other federal agencies with the same level of IARD access as the Commission has. The general public will be able to obtain information on the IARD other than personal identifying information.
The CRD and IARD systems illustrate that systematized means of sharing information are not cheap. The NASD has spent approximately $50 million to develop and deploy the internet version of the CRD "Web CRD" which it originally deployed in August 1999. The NASD spends about $45 million annually to operate the CRD system and to support Web CRD's regulatory and industry users. Virtually all costs associated with the CRD are paid for by fees assessed on NASD member broker-dealers. The IARD will cost approximately $13 million to construct (despite being able to build upon existing CRD technology), and about $6 million each year to operate.
Moreover, under the Gramm-Leach-Bliley Act, the Commission is required to share information with federal banking regulators about categories of information such as the results of examinations of registered investment companies, and the results of examinations of the investment advisory activities of a bank or bank holding company. The Act also requires federal banking regulators to provide the Commission with information about banks that rely on exceptions from the definitions of "broker" and "dealer" in the Exchange Act, and about the results of examinations of the investment advisory activities of a bank or bank holding company. The Commission will work with banking regulators to develop further mechanisms to exchange this information, as necessary.
Given the presence of existing information sharing mechanisms, the Commission believes that initiatives to share information to curb rogue individuals, or for other purposes, should build upon the arrangements that are already in place, and should be evaluated in light of six key factors.
Even with the best of intentions, the more people who have access to regulatory information, the more we have to be concerned about the leakage of that information. The states, the self-regulatory organizations and the Commission are keenly aware of the personal privacy concerns of associated persons of broker-dealers, and therefore seek to collect only the information they need to perform their regulatory responsibilities.
It goes without saying that the government owes a trust to those members of the public who have provided personal information to it. More widespread disclosure of that information raises concerns about core privacy issues such as identity theft. These privacy concerns are accentuated by the fact that a panoply of privacy laws and open record laws apply to regulatory agencies. Some of those laws restrict an agency's ability to disseminate information, and can even lead to civil and criminal liability, while others may require the public disclosure of information used by an agency.
Because privacy safeguards are only as strong as their weakest link, it is incumbent on us to consider carefully what information will be required, how it will be shared, and who will have access to that information.
B. Compromising Regulatory Actions
Information in the CRD and the IARD includes data about completed enforcement actions against an individual or firm. These systems, however, do not include certain other types of highly sensitive information, such as data about the financial status of brokers. Any approach to sharing information should avoid the premature disclosure of information that could compromise the enforcement mission of a regulatory agency.
C. Reliability of Data
Most of the information submitted to the CRD and IARD systems comes from regulators or regulated entities (who may face sanctions for false or incomplete reporting). Examples include information about final actions and findings reached after due process of law. Other information submitted to these systems comes directly from individuals, such as information on the forms they file when they apply for registration. Securities regulators are mindful of those distinctions when they use information from these systems. Similarly, it is important that the regulators who would use data produced by other regulators be mindful of, and have a means of knowing, the extent to which other regulators' information has been vetted.
Fairness is a corollary to questions regarding the integrity of data. It is a matter of basic fairness and due process that the data that is placed into regulatory databases and disseminated does not subject individuals to wrongful consequences. The more that regulators share information among themselves, the more this could pose a problem. It would not be consistent with anyone's interest if a person could be barred from practicing his or her livelihood due to a regulatory action that is based on erroneous information placed into a database, without giving the person a fair opportunity to correct the record.
E. Reciprocity and the Identification of Individuals
The Commission recognizes that different regulators include different types of information in their databases, and that the goal of information sharing may require the staff of each regulator to learn to adjust to the particularities of each individual system. For shared information to be useful, however, it must meet certain minimum standards. In particular, the information would have very little use unless it identifies individuals by name and a unique identifier. Otherwise, information from the originating agency would be useless to the recipient.
F. Scope of Access
Any plan for systematically sharing information will raise core questions about who will have access to the information. Given the range of regulatory agencies that may participate, and the varying administrative and privacy requirements under which they may operate, it is vital for information to be shared in a way that harmonizes all applicable standards.
In the context of the securities laws, the question of access also raises an issue of particular importance which regulatory organizations will have access to the information. The securities laws encompass the concept of self-regulation. Self-regulatory organizations, such as the NASD and the New York Stock Exchange, play an integral part in enforcing the securities laws. It therefore is important to ensure that SROs be allowed access to the information they need to carry out their regulatory functions.
Indeed, as is discussed above, the CRD already contains multiple levels of data, ranging from publicly available to highly restricted. The SROs have access to the information they need to fulfill their missions. That approach to information sharing allowing regulatory organizations access to the information they need, but restricting access to more sensitive information may provide a model for further information sharing initiatives.
II. Weighing the Costs and Benefits of Specific Proposals
In general terms, it is important to recognize that deciding how best to share regulatory information may involve a tradeoff between ease of use on the one hand, and the speed and cost of implementation on the other hand. In light of that tradeoff, the Commission feels that a decentralized approach to sharing information would be preferable.
Specifically, a few options for increasing information sharing among regulators are under discussion thus far. One option would be to set up a new system that would provide a centralized means to access existing regulator databases. Another option would be for regulators to exchange reciprocal rights of access to existing databases.
Setting up a new system to access existing regulatory databases may have the potential to provide the fastest and most convenient interface for regulatory staffs to use. That option, however, also would be associated with an unknown cost, and would take an unknown period of time to implement. The history of the CRD and the IARD indicate that the costs and time involved may be considerable.
A process of granting reciprocal regulatory access to existing databases possibly could be implemented more quickly and at less cost. That option may lead to a less convenient result, however, in that it would require the staff of regulators to perform a series of individual searches, instead of a single metasearch.
The decisionmaking process should recognize that tradeoff. Because of the unknown costs and timing associated with creating a new system, and the possible ease of the alternative approach, reciprocal rights of access may be a preferable first step, even if only as an interim measure. Ideally, in the long run, we would welcome a system that is designed to facilitate the interface between various regulatory databases, in a way that would maximize appropriate information sharing, while preserving each agency's autonomy and ability to fulfill its regulatory mandate.
An approach that facilitates the exchange of information among databases that are separately maintained by individual agencies, rather than relying on a single centralized system, may also be more consistent with each agency's specific privacy and administrative responsibilities. With a non-centralized approach, because each agency would be able to continue to employ its established system of internal controls, it would be possible to avoid difficult questions about how a centralized system would substitute for existing individualized control systems.
Finally, it is important to recognize that the value of a new system may depend in part on who is responsible for developing the system, and what their regulatory mission is. Because it may be impossible to develop a mechanism in which a central authority could accommodate equally the different missions of various financial regulators, reciprocal rights of access may be the best way to assure that regulators have access to all relevant information that is available.
III. The Need for Broader Statutory Authority
Sharing information is, of course, just a means to an end. It is vitally important that regulators have the tools necessary to act against individuals who have violated a trust, and to keep those persons from migrating among the financial services industries. Access to information by itself is not enough. Information will not lead to a meaningful result unless the Commission, and other regulators, can use that information.
The Commission already has mechanisms in place to look at the backgrounds of individuals when they become associated with a brokerage firm or when they move between brokerage firms. Those mechanisms work well in the context of securities industry activities. We believe, however, that now is the time to refine these mechanisms to address the increasing overlap between the financial services industries. In the Commission's case, for example, statutory changes would be needed before we could effectively put to use any improved access to banking or insurance regulatory information.
Under the current statutory framework, even if the Commission has information showing that a person has been disciplined by banking or insurance regulators, the Commission may not have the authority to use that information to keep that person out of the securities business. That is like giving rotten apples one barrel after another to spoil.
Specifically, Section 15(b) of the Securities Exchange Act ("Exchange Act") and 203(e) of the Investment Advisers Act of 1940 authorize the Commission to censure, limit, suspend or revoke the registration of a broker-dealer or investment adviser under certain enumerated conditions. Those conditions include, among other things, court orders barring the person from associating with a bank or an insurance company, actions by the Commodity Futures Trading Commission, convictions for certain crimes and, of course, violations of the federal securities laws.
Those conditions, however, currently do not encompass orders of state insurance regulators or orders of state or federal depositary institution regulators, meaning that the Commission may lack the legal basis to restrict a person's ability to enter the securities industry even if banking or insurance regulators have barred that individual from those industries.
Other portions of the securities laws are similarly limited. For example, self-regulatory organizations ("SROs") such as exchanges, national securities associations and clearing agencies may limit the ability of a person to associate with a member firm, or to work for the SRO itself, if that person has a "statutory disqualification." Someone with a "statutory disqualification" may work for one of those entities only if the SRO approves that association and demonstrates to the Commission that the association is appropriate and that the person will be adequately supervised. Section 3(a)(39) of the Exchange Act sets forth several categories of findings that constitute a "statutory disqualification," including orders of the Commission, and even orders of foreign securities regulators, but that definition does not encompass orders of insurance or banking authorities.
Accordingly, the Commission believes that the federal securities laws should be amended to give the Commission a basis to exercise its authority against rogues seeking to migrate into the securities industry from the insurance or banking industries.
IV. Liability Implications and Immunity
Inevitably, there will be disagreements about what information should be disseminated. Some persons may claim to have been harmed by the wrongful disclosure of information, no matter how carefully we tailor these processes. The threat of litigation and liability may discourage some entities from sharing regulatory information. Accordingly, it is advisable to clarify the statutory immunity available to self-regulatory organizations that disseminate information.
The Commission appreciates the Subcommittees' efforts to advance these important regulatory goals. We look forward to working with other regulators and with the Subcommittee as the efforts continue.