FINRA Rules 12300 and 13300 amended to prevent disclosure of PCI in arbitration

FINRA’s Concern About Disclosure Of PCI In Arbitration

It is not uncommon for parties to an arbitration proceeding to provide FINRA with pleadings or other documents that contain an individual’s Social Security number, taxpayer identification number or financial account number (collectively “PCI” or personal confidential information). Until now, FINRA had procedures in place to guide its staff and arbitrators in handling and transmitting documents containing PCI. However, there were no meaningful controls or guidance for the parties handling and distributing documents containing PCI. As a result, FINRA has amended the Code of Arbitration Procedure for Customer Disputes and Industry Disputes to require the redaction of certain PCI from documents field with FINRA. See Regulatory Notice 14-27, effective July 28, 2014.

Amended Rules Specify What Should Be Redacted

As amended, Rules 12300 and 13300 now make clear that in an electronic or paper filing with FINRA, a party must not include a full Social Security number, taxpayer identification number or account number. Instead, these numbers should be redacted to reflect only the last four digits. Any claim submitted without the required redactions will be deemed deficient pursuant to Rule 12307 or 13307, as applicable, and will need to be refiled within 30 days. Any document other than a claim subject to Rule 12307 or 13307 that is submitted to FINRA and contains PCI will be rejected and the filing party will have 30 days to refile the document. Timely refiled documents will be deemed filed as of the date the non-compliant document was first filed.

Notably, these requirements do not apply to materials exchanged between or among the parties or provided to an Arbitration Panel. Additionally, these rules do not apply to cases administered under FINRA’s Simplified Arbitration Rules 12800 and 13800. Nevertheless, there is no reason that the parties cannot agree among themselves to steps intended to further mitigate the risk of identity theft. As an example, redaction of PCI for documents exchanged between parties might be a constructive step. In addition, the scope of what constitutes PCI could be broadened to encompass other identifying information, such as driver’s license numbers or dates of birth.