The SEC charged three former executives of GunAllen Financial Thursday with willfully violating privacy rules when the firm was winding down its business operations in April 2010. Former president Frederick O. Kraus and former national sales manager David C. Levine improperly transferred customer records from more than 16,000 GunnAllen accounts to another firm, while former chief compliance officer Mark A. Ellis failed to ensure that the firm had good policies and procedures in place to safeguard confidential customer information. Kraus, Levine, and Ellis each agreed to settle the SEC’s charges against them.
Kraus and Levine have been ordered to pay penalties of $20,000 each, and Ellis has been ordered to pay a $15,000 penalty.
GunnAllen blew up last year due to net capital violations. The firm was facing lawsuits seeking up to $50 million in damages, many of the claims related to Frank Bluestein, a rogue broker who allegedly steered clients into a Ponzi scheme that went belly up in 2007. It also faced lawsuits related to its sale of Provident Royalties LLC private placements. At the time, Gunn Allen’s clearing firm Ridge Clearing & Outsourcing Solutions Inc., was to take over the accounts.
“Kraus and Levine violated the law by transferring customers’ private information without giving them reasonable notice to opt out,” said Glenn S. Gordon, Associate Director of the Miami Regional Office in a release. “GunnAllen did not have adequate policies or procedures in place to safeguard client information, ignoring several red flags from security breaches at the firm in prior years.”
The cases against Kraus and Levine mark the first time that the SEC has charged individuals with violation of Regulation S-P related to a departing representative taking customer information to a new employer without providing sufficient notice and opt-out procedures. Regulation S-P requires financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties.
According to the SEC, Kraus authorized Levine to take the information from the GunnAllen accounts to his new employer as the firm wound down last year. Levine downloaded customer names and addresses, account numbers, and asset values to a portable thumb drive, and provided the records to his new employer after resigning from GunnAllen. The SEC found that the record transfer violated Regulation S-P because account holders were only informed about it after the fact.
According to the SEC’s order against Ellis, GunnAllen’s policies and procedures to protect customer information were too vague. Meanwhile, there were several serious security breaches at GunnAllen from July 2005 to February 2009, including the theft of three laptop computers belonging to GunnAllen’s registered representatives and the unlawful access of its e-mail system by a terminated employee using stolen password credentials. Despite these events, Ellis did nothing to change GunnAllen’s procedures for safeguarding customer information.
The SEC’s orders found that Kraus, Levine, and Ellis willfully aided and abetted and caused GunnAllen’s violations of Rule 30(a) of Regulation S-P under the Securities Exchange Act of 1934, and that Kraus and Levine willfully aided and abetted the firm’s violations of Rules 7(a) and 10(a) of the same regulation.