Some of the biggest mutual fund companies in the country disclosed personal information about their shareholders on the Securities and Exchange Commission Web site, The Wall Street Journal discovered.
The list of fund companies that made customer account numbers publicly available includes: Armada Funds, a unit of National City Corp.; Pimco, a unit of German insurance giant Allianz; the Dreyfus unit of Mellon Financial Corp.; Bank of America's Columbia Funds unit; Nuveen Investments; the First American Funds unit of U.S. Bancorp; AmSouth Bancorp's fund division; and the CNI Charter of City National Bank of Los Angeles.
The leaks can be traced to SEC regulations that require fund companies to disclose the name, address and percentage ownership of any shareholder who owns more than 5% of a particular class of any mutual fund. The ruling is intended to let shareholders know of anybody who might be in a position to control or influence the fund. But some of the fund companies even posted account numbers.
The disclosures, which are typically contained in the statement of additional information, are posted on the SEC's Web site. Many fund companies also posted the supplements on their own Web sites. The increase in the number of mutual funds in recent years, combined with the expansion of share classes at some funds, means that investors can easily overshoot the 5% threshold.
It is impossible to know how many account numbers were made public because the information is scattered across thousands of regulatory filings. Most of the funds that were asked about the privacy breach by The Journal admitted to making a mistake. Some even said they had put mechanisms in place to take off existing personal information from Web sites and to prevent a recurrence.
While the SEC imposes the 5% disclosure rule, "the law does not require brokerage account numbers" to be disclosed, said a spokesman for the agency. He wouldn't comment on individual filings. A person familiar with the SEC said its staff plans to review whether the 5% rule, first imposed in 1978, might need to be changed as part of a wider look at mutual-fund disclosure issues.
Banks and brokerage firms generally say the information listed in the filings wouldn't be enough to endanger a customer's identity, because they have several layers of security protection.
Robert Douglas, a former private investigator who has testified before Congress on information privacy, said, however, that the data posted could easily enable an unscrupulous person to steal that money.
Some fund companies have steered clear of posting private customer information. Fidelity Investments, for instance, said it does not publish account numbers in SEC filings. Regions Financial Corp.'s Morgan Keegan fund group said it only provides the name, hometown and ownership stake of the customer, omitting information like the street address or other more identifying data.