Views on improving the integrity of global capital markets
22 March 2018

Ethics in Practice: Doing Enough to Protect Clients? Case Analysis Now Included

CFA Institute Ethical Decision-Making Framework

Check out the analysis for this week’s case (week of 19 March) to see how your answer compared.

Protecting confidential information is critical for any business and particularly in the investment industry. Read on to analyze whether those involved violated the CFA Institute Standards of Professional Conduct in their role in investment client data being exposed.


Giddings is responsible for compliance at GWH, a large broker/dealer and investment adviser. In connection with GWH’s wealth management business, the company maintains the personally identifiable information (names, addresses, phone numbers, account numbers, balances, and holdings) of hundreds of clients. Giddings adopted a number of policies and restrictions, including a Code of Conduct, that address employees’ access to and handling of this confidential information. Marsh, who works for GWH as a client service associate, downloads client data to his personal server located at his residence to facilitate his telecommuting. Marsh’s server is hacked and portions of the personal client information downloaded by Marsh are posted for sale on the internet. Did either Marsh or Giddings violate the CFA Institute Standards of Professional Conduct with respect to confidentiality? Join the conversation to tell us what you think and why.

  1. Marsh violated the CFA Institute Standards of Professional Conduct.
  2. Marsh did not violate the CFA Institute Standards of Professional Conduct.
  3. Giddings violated the CFA Institute Standards of Professional Conduct.
  4. Giddings did not violate the CFA Institute Standards of Professional Conduct.


CFA Institute Professional Standard III(E): Preservation of Confidentiality requires that CFA Institute members and candidates keep information about current, former, and prospective clients confidential unless the information concerns illegal activities, disclosure is required by law, or the client permits disclosure. Although Standard III(E) does not require investment professionals to become experts in information security technology, they must make reasonable efforts to ensure that communication methods and compliance procedures follow practices designed to prevent accidental distribution of confidential information. In this case, the facts presented do not provide enough information to determine whether Marsh or Giddings acted inappropriately to allow confidential GWH client information to end up for sale on the internet.

As you think about your answer choice, there are two main questions that need to be addressed. The first issue is whether Marsh had permission to download client data to his personal server. If he did not, his misappropriation of client information for his own purposes constitutes a violation of Standard III(E). Even if he was not responsible for the distribution of the information, his misconduct facilitated the publication of the information. If Marsh did have permission from GWH to download and use the information from home, the second issue is whether Giddings adopted sufficient compliance policies and procedures reasonably designed to protect client information.

As the compliance officer, Giddings is charged with ensuring the confidentiality of customer information by protecting against any anticipated threats or hazards to the security or integrity of the records. Giddings and GWH must work to protect against unauthorized access or use of client information that could result in substantial harm to clients. Although the facts state that GWH policies and Code of Conduct restricted access and handling of client information, the nature and extent of those safeguards are not provided. The fact that client information was able to be accessed and published calls into question the effectiveness of Giddings compliance efforts. Even if the policies were sufficient, there appears to have been insufficient auditing and/or testing of the effectiveness of the safeguards to keep client information confidential.

This case is based on a US SEC enforcement action from 2016.

Have an idea for a case for us to feature? Send it to us at

More About the Ethics in Practice Series

Just as you need to practice to become proficient at playing a musical instrument, public speaking, or playing a sport, practicing assessing and analyzing situations and making ethical decisions develops your ethical decision-making skills. The Ethics in Practice series gives you an opportunity to “exercise” your ethical decision-making skills. Each week, we post a short vignette, drawn from real-world circumstances, regulatory cases, and CFA Institute Professional Conduct investigations, along with possible responses/actions. We then encourage you to assess the case through the lens of the Ethical Decision-Making Framework and the CFA Institute Code of Ethics and Standards of Professional Conduct. Then join the conversation and let us know which of the choices you believe is the right thing to do and explain your choice. Later in the week, we will post an analysis of the case and you can see how your response compares.

Image Credit: ©CFA Institute

About the Author(s)
Jon Stokes

Jon Stokes was the Director of Ethics and Standards Education at CFA Institute. His responsibilities included design and creation of on-line ethics education, development and maintenance of the CFA Institute Code of Ethics and Standards of Professional Conduct, and the design and management of the CFA Institute Ethical Decision-Making and Giving Voice to Values education programs. Stokes holds a JD degree.

Leave a Reply

Your email address will not be published. Required fields are marked *

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.