
Ethics Case Study of the Week: Doing Enough to Protect Clients?

By Gary Sarkissian posted 04-13-2020 08:00

  

CFA Institute’s Code of Ethics and Standards of Professional Conduct codify the ethical guidelines for the investment profession that are critical to maintaining the integrity of capital markets and investor trust.  Members, candidates, and even firms make a commitment to uphold these standards as they help elevate ethical decision-making universally around the globe.  

As investment professionals, we are certain to face important ethical decisions in our day-to-day activities.  Some scenarios we encounter will be straightforward, while others may be more complex.  No matter what circumstances we face, continuous learning remains imperative in an investment industry that continues to evolve with products undergoing innovation and a regulatory environment continuing to adapt. 

For that reason, each week we will feature a sample case from CFA Institute’s Ethics in Practice Casebook.  Each case is built upon a real-life example that may involve a regulatory matter or even a CFA Institute Professional Conduct investigation.  At the end of the case is a multiple-choice question that addresses the ethical nature of the actions taken in that case.  

This week’s case involves Standard III(E) Preservation of Confidentiality. 


Doing Enough to Protect Clients?
Giddings is responsible for compliance at GWH, a large broker/dealer and investment adviser. In connection with GWH’s wealth management business, the company maintains the personally identifiable information (names, addresses, phone numbers, account numbers, balances, and holdings) of hundreds of clients. Giddings adopted a number of policies and restrictions, including a Code of Conduct, that address employees’ access to and handling of this confidential information. Marsh, who works for GWH as a client service associate, downloads client data to his personal server located at his residence to facilitate his telecommuting. Marsh’s server is hacked and portions of the personal client information downloaded by Marsh are posted for sale on the internet. Did either Marsh or Giddings violate the CFA Institute Standards of Professional Conduct with respect to confidentiality?


A.   Marsh violated the CFA Institute Standards of Professional Conduct.
B.   Marsh did not violate the CFA Institute Standards of Professional Conduct.
C.   Giddings violated the CFA Institute Standards of Professional Conduct.
D.   Giddings did not violate the CFA Institute Standards of Professional Conduct.

 

What do you think is the correct choice?  Feel free to discuss in the comments below and make sure to check back later this week as we post the analysis.  The completion of this case qualifies for 0.25 hour of Standards, Ethics, and Regulation (SER) credit. 

[Update - 4/16/2020]
Welcome back! Here is the analysis of this case:

Analysis
CFA Institute Professional Standard III(E): Preservation of Confidentiality requires that CFA Institute members and candidates keep information about current, former, and prospective clients confidential unless the information concerns illegal activities, disclosure is required by law, or the client permits disclosure. Although Standard III(E) does not require investment professionals to become experts in information security technology, they must make reasonable efforts to ensure that communication methods and compliance procedures follow practices designed to prevent accidental distribution of confidential information. In this case, the facts presented do not provide enough information to determine whether Marsh or Giddings acted inappropriately to allow confidential GWH client information to end up for sale on the internet.

As you think about your answer choice, there are two main questions that need to be addressed. The first issue is whether Marsh had permission to download client data to his personal server. If he did not, his misappropriation of client information for his own purposes constitutes a violation of Standard III(E). Even if he was not responsible for the distribution of the information, his misconduct facilitated the publication of the information. If Marsh did have permission from GWH to download and use the information from home, the second issue is whether Giddings adopted sufficient compliance policies and procedures reasonably designed to protect client information.

As the compliance officer, Giddings is charged with ensuring the confidentiality of customer information by protecting against any anticipated threats or hazards to the security or integrity of the records. Giddings and GWH must work to protect against unauthorized access or use of client information that could result in substantial harm to clients. Although the facts state that GWH policies and Code of Conduct restricted access and handling of client information, the nature and extent of those safeguards are not provided. The fact that client information could be accessed and published calls into question the effectiveness of Giddings's compliance efforts. Even if the policies were sufficient, there appears to have been insufficient auditing and/or testing of the effectiveness of the safeguards to keep client information confidential.


This case is based on a US SEC enforcement case from 2016 against Morgan Stanley Smith Barney and Galen March, an MSSB employee.





© 2018 CFA Institute. All rights reserved. You may copy and distribute this content, without modification and for non-commercial purposes, provided you attribute the content to CFA Institute and retain this copyright notice. This case was written as a basis for discussion and is not prescriptive of how a business situation or professional conduct matter should or should not be handled or addressed. Certain characters mentioned are fictional to facilitate discussion, and any resemblance to actual persons is coincidental.


