22 March 2018

Ethics in Practice: Doing Enough to Protect Clients? Case Analysis Now Included

Posted In: Standards, Ethics and Regulations (SER)

CFA Institute Ethical Decision-Making Framework

Check out the analysis for this week’s case (week of 19 March) to see how your answer compared.

Protecting confidential information is critical for any business and particularly in the investment industry. Read on to analyze whether those involved violated the CFA Institute Standards of Professional Conduct in their role in investment client data being exposed.

Case

Giddings is responsible for compliance at GWH, a large broker/dealer and investment adviser. In connection with GWH’s wealth management business, the company maintains the personally identifiable information (names, addresses, phone numbers, account numbers, balances, and holdings) of hundreds of clients. Giddings adopted a number of policies and restrictions, including a Code of Conduct, that address employees’ access to and handling of this confidential information. Marsh, who works for GWH as a client service associate, downloads client data to his personal server located at his residence to facilitate his telecommuting. Marsh’s server is hacked and portions of the personal client information downloaded by Marsh are posted for sale on the internet. Did either Marsh or Giddings violate the CFA Institute Standards of Professional Conduct with respect to confidentiality? Join the conversation to tell us what you think and why.

Marsh violated the CFA Institute Standards of Professional Conduct.
Marsh did not violate the CFA Institute Standards of Professional Conduct.
Giddings violated the CFA Institute Standards of Professional Conduct.
Giddings did not violate the CFA Institute Standards of Professional Conduct.

Analysis

CFA Institute Professional Standard III(E): Preservation of Confidentiality requires that CFA Institute members and candidates keep information about current, former, and prospective clients confidential unless the information concerns illegal activities, disclosure is required by law, or the client permits disclosure. Although Standard III(E) does not require investment professionals to become experts in information security technology, they must make reasonable efforts to ensure that communication methods and compliance procedures follow practices designed to prevent accidental distribution of confidential information. In this case, the facts presented do not provide enough information to determine whether Marsh or Giddings acted inappropriately to allow confidential GWH client information to end up for sale on the internet.

As you think about your answer choice, there are two main questions that need to be addressed. The first issue is whether Marsh had permission to download client data to his personal server. If he did not, his misappropriation of client information for his own purposes constitutes a violation of Standard III(E). Even if he was not responsible for the distribution of the information, his misconduct facilitated the publication of the information. If Marsh did have permission from GWH to download and use the information from home, the second issue is whether Giddings adopted sufficient compliance policies and procedures reasonably designed to protect client information.

As the compliance officer, Giddings is charged with ensuring the confidentiality of customer information by protecting against any anticipated threats or hazards to the security or integrity of the records. Giddings and GWH must work to protect against unauthorized access or use of client information that could result in substantial harm to clients. Although the facts state that GWH policies and Code of Conduct restricted access and handling of client information, the nature and extent of those safeguards are not provided. The fact that client information was able to be accessed and published calls into question the effectiveness of Giddings compliance efforts. Even if the policies were sufficient, there appears to have been insufficient auditing and/or testing of the effectiveness of the safeguards to keep client information confidential.

This case is based on a US SEC enforcement action from 2016.

Have an idea for a case for us to feature? Send it to us at [email protected].

More About the Ethics in Practice Series

Just as you need to practice to become proficient at playing a musical instrument, public speaking, or playing a sport, practicing assessing and analyzing situations and making ethical decisions develops your ethical decision-making skills. The Ethics in Practice series gives you an opportunity to “exercise” your ethical decision-making skills. Each week, we post a short vignette, drawn from real-world circumstances, regulatory cases, and CFA Institute Professional Conduct investigations, along with possible responses/actions. We then encourage you to assess the case through the lens of the Ethical Decision-Making Framework and the CFA Institute Code of Ethics and Standards of Professional Conduct. Then join the conversation and let us know which of the choices you believe is the right thing to do and explain your choice. Later in the week, we will post an analysis of the case and you can see how your response compares.

Tags: Regulations Standards and Ethics

Share On

About the Author(s)

Jon Stokes

Jon Stokes is the director of Professional Standards at CFA Institute. His responsibilities include developing, maintaining, and providing interpretation on the organization’s Code of Ethics and Standards of Professional Conduct, Asset Manager Code of Professional Conduct, and other ethics codes and standards. He has designed and created on-line ethics education programs for CFA Institute, including the CFA Institute Ethical Decision-Making and Giving Voice to Values education programs. Stokes has led numerous in-person and online ethics trainings for members, societies, and investment professionals and contributes to the ethics curriculum at all three levels of the CFA Program. He holds a JD degree.