On 30 March 2017, the FCA published the final notice that it has issued to Christopher Niehaus, a former investment banker, imposing a fine of £37,198 for sharing client confidential information over the instant messaging application, WhatsApp.
In the relevant period (24 January 2016 to 16 May 2016) Mr Niehaus was a CF30 at Jefferies International Ltd, an investment bank. He was responsible for covering EU Industrial groups in the firm's investment banking division. In this role, Mr Niehaus had access to client confidential information relating to future corporate deals that the firm was working on.
The FCA found that Mr Niehaus had breached Statement of Principle 2 of the Statements of Principle and Code of Practice for Approved Persons (failure to act with due skill and care). Mr Niehaus had shared client confidential information, which he received in the course of his employment, with both a personal acquaintance and with a client of the firm who was also his friend. The information related to two clients, one of which was a competitor of the friend. As well as disclosing the identity of the client, Mr Niehaus disclosed details relating to the client mandate and the fee that the firm would charge for its involvement in the transaction.
The FCA found that the information had been disclosed not with a view to the information being used by the recipients, but to impress them. None of the parties involved dealt in any securities relating to the disclosures and the information was not shared with that expectation. However, Mr Niehaus' conduct was found to be particularly serious given that the disclosure of client confidential information to a competitor could have conferred an undue advantage to Mr Niehaus' friend. It also demonstrated Mr Niehaus' failure to pay due regard to the interests of his client.
Mr Niehaus admitted that the information disclosed was client confidential, that he should not have shared it and that he should have known better. He also admitted that he would routinely share information relating to his work with his friend. Mr Niehaus was suspended from the firm pending the completion of its disciplinary process and he resigned before that process was completed.
The missing peice of information in this fine is why exactly the FCA brought this case. After all, data protection breaches are normally brought by the Information Commissioner. If you employ staff, you may take comfort from this ruling, and it may apply intime to the IFAs, who commonly leave their sponsor firms with confidential data.