MML Investor Services, LLC, has recently agreed to pay a $75,000 fine as part of its settlement agreement with the US regulator, the Financial Industry Regulatory Authority, or FINRA.
Violations Of Privacy Protection Rules
The settlement concerns MML's conduct from March 2017 to March 2018, referred to as the Relevant Period. During this Relevant Period, MML failed to remove access to customer information and records for registered and associated individuals who had been terminated from the firm.
This information includes nonpublic personal information, and the failure stands in direct violation of Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information. Furthermore, it violates FINRA Rule 2010.
Back To The Beginning
On the 1st of July, 2016, the parent company of MML acquired MetLife Securities, Inc., or MSI, from its parent insurance company. As a result, MSI was merged into MML, and all associated persons of MSI became associated with MML.
The parties to this deal agreed that a few of MSI's former representatives, in particular, would be able to access the insurance company's proprietary system used to store customer information. Notably, this system stored nonpublic personal information about customers of MML who held annuity products and insurance through the insurance company.
This system has been referred to as the "Third Party System." The parties agreed to allow certain representatives registered at MSI to maintain access to this Third Party System throughout September of 2017. This was so that service to customer accounts could continue should they register through MML.
Failing To Keep Information Secure
During this Relevant Period, MML had policies and procedures in place that mandated the immediate disabling of system access for all associated persons should their association be terminated. However, the company failed to implement these policies and procedures properly, which is what led to the settlement.
In particular, MML failed to verify that access to the Third Party System had been limited to only those previously registered representatives of MSI. These representatives were the only ones the parties had agreed would have access to the Third Party System.
A Chain Of Events
Due to this, other former MSI registered representatives, as well as associated persons, were able to access the Third Party System after the acquisition. Because MML was not aware that these associated persons and registered representatives had access to the Third Party System after MSI's acquisition, the company failed to notify the insurance company.
In particular, MML failed to notify the insurance company that these individuals had ceased being associated with MML. As a result, the company itself failed to shut off access for those individuals in a timely fashion.