Broker Suspended For Downloading Customer Files On Flash Drive And Laptop
Steven Robert Tomlinson entered the financial industry in 1981, and over a 20 year span worked for various firms before joining a Corning , NY credit union in 2001 as a financial advisor in its investment services group --by 2003, he became the group manager. During the relevant times in this matter, the credit union was affiliated with Financial Industry Regulatory Authority (“FINRA”) member firm Raymond James Financial Services, Inc. ("RJFS"), and Tomlinson was an employee of both the credit union and registered with RJFS. Salary Versus Commission In 2008, Tomlinson learned from a magazine article that a registered representative with whom he had trained years earlier had built a business at another broker-dealer firm to pass along to his son. That success story seemed to have troubled Tomlinson, who also desired to leave a business for his son but was growing concerned about the inherent limitations in his credit union's salary-based compensation system versus the brokerage industry’s commission structure. Consequently, the magazine article may have fanned the embers of Tomlinson’s desire to move on and move up. Walkin' Over To Wachovia Toward the end of June 2008, Tomlinson began talking to a friend at Wachovia about an opening in a nearby branch office; and in October 2008, Tomlinson visited a St. Louis, MO, Wachovia office. Tomlinson must have liked the grass on the other side of the fence because he soon decided to leave the credit union and RJFS to join Wachovia, where his new position offered a small payment for managing the branch coupled with the potential for much greater commission-based compensation. You're On Notice As a credit union manager, Tomlinson was familiar with the organization’s compliance manual, which, in pertinent part stated: Associates may not share customer information with third parties unless specifically authorized by the client. Customer and confidential information may not be removed from a Raymond James office without the branch manager's permission. Further, the credit union’s compliance manual prohibited financial associates (subject to client authorization) from transmitting non-public or personally identifiable information (e.g., social security number, financial account numbers, net worth, income, tax bracket) to a third party for non-business purposes. Also, Tomlinson had signed a financial advisor agreement with RJFS and the credit union in which he agreed, among other things, not to remove records from the premises of the investment group without prior authorization and not to disclose to any person any non-public customer information. Wachovia’s Instructions In contemplation of his joining Wachovia, that firm had instructed Tomlinson that the only information he could bring with him was in the nature of a "Christmas card list;" i.e., the names, phone numbers and addresses of his clients. Wachovia conveyed the instruction several times in several different ways, including during a discussion at the St. Louis recruiting meeting and also memorialized in a “Financial Advisor Integration Planner" given to Tomlinson by the senior vice president who had handled his recruitment. The Planner stated in bold-face type that financial advisors were not allowed to bring "client statements, account numbers, social security numbers, client files, confirmation, performance reports, copies of notes or any electronically stored client data;" however, exceptions were noted for certain allowable information, such as, customer name, client name, account title, their address, phone numbers, and their e-mail addresses. Down Low Download During business hours and late at night on November 18th and November 20th, without authorization and prior notice to the credit union, RJFS, or Wachovia, Tomlinson downloaded confidential, non-public information of over 2000 credit union customers (e.g., social security numbers, birth dates, account numbers, and account balances) to his personal flash drive (unencrypted and lacking password protection) and his personal laptop. Wachovia provided Tomlinson with a firm-issued flash drive that he was supposed to use to download only the limited information that he was permitted to take with him, but he claimed to have had difficulty making the software work and downloaded information onto his personal flash drive. Although some of the clients involved on the downloaded files were Tomlinson’s, about 60% were customers of other credit union financial advisors with whom he had previously had contact or were total strangers. Formal Resignation Tomlinson officially resigned from the credit union on November 24, 2008, Monday, and on that day he spoke with a number of people at the union and participated in an exit interview with an IT person. In keeping with the union’s standard procedure, the IT person conducted an exit interview and received from a departing employee any physical keys and badges, including the Virtual Private Network (“VPN”) token used to access the union's computer systems. Tomlinson returned a VPN token, his keys, and other things to union staff.