Through its examination process, the Office of Compliance Inspections and Examinations (OCIE) has uncovered a number of compliance concerns pertaining to Regulation S-P, the Securities and Exchange Commission (SEC) regulation that sets the privacy notice and safeguard policy requirements investment advisers and broker-dealers must follow.
In a risk alert issued in late April 2019, OCIE offered guidance to advisers and broker-dealers on providing privacy and opt-out notices that meet the standards set forth in Regulation S-P, and on adopting and implementing effective policies and procedures for safeguarding customer records and information.
Regulation S-P: The Requirements for Compliance
The guidelines laid out in Regulation S-P require firms to provide the following:
- A clear and conspicuous Initial Privacy Notice to all customers, clearly and accurately stating the firm’s privacy policies and practices upon establishing a customer relationship
- An accessible Annual Privacy Notice to its customers that clearly explains its privacy policies and practices during the entire term of the customer relationship
- A clear and conspicuous Opt-Out Notice that explains the customer’s right to opt out of certain disclosures of nonpublic personal information to nonaffiliated third parties
In addition, Regulation S-P specifies the information that must be included in each of these required notices, including informing the customer of the specific categories of nonpublic personal information that the registrant collects and discloses.
It also requires registrants to adopt written policies and procedures that establish and maintain administrative, technical, and physical safeguards for customer records and information. These safeguards must be reasonably designed to ensure the security and confidentiality of those records, to protect against anticipated threats or hazards to their security or integrity, and to protect against unauthorized access or use that could result in substantial harm or inconvenience to any customer.
Commonly Occurring Compliance Issues
OCIE observed compliance shortcomings in every one of the requirements listed above, which prompted the release of the risk alert.
Firms often failed to provide the required Initial Privacy Notices, Annual Privacy Notices, and Opt-Out Notices to their customers.
In some cases, notices that were provided failed to accurately reflect firms’ policies and procedures or did not notify customers of their right to opt out of the registrant sharing their nonpublic personal information with third parties.
Some firms that were examined did not have the required written policies and procedures related to administrative, technical, and physical safeguards, or the documents were incomplete.
Where written policies and procedures did exist, OCIE found cases in which they were either not implemented or insufficient to safeguard customer records and information, with the risk alert specifically mentioning weaknesses in the following areas:
- Personal devices
- Electronic communications
- Training and monitoring
- Unsecure networks
- Outside vendors
- Personally Identifiable Information (PII) inventory
- Incident response plans
- Unsecure physical locations
- Login credentials
- Departed employees
This risk alert, based on the outcomes of OCIE examinations, gives registered advisers and broker-dealers a set of criteria against which they can check their compliance with the requirements of Regulation S-P.
The Opportunity to Evaluate Your Firm’s Compliance
Your firm should use the findings in this risk alert to test its own privacy policies and procedures, for example as part of an annual review. Such a review lets you identify gaps in your safeguards and notices and put additional controls in place where needed.
Updating policies and procedures before a regulatory examination is one of the surest ways to avoid potential enforcement action.
Core Compliance can assist with developing or revising your firm’s privacy policies, procedures, and notices, and can perform internal reviews that reveal existing compliance issues related to Regulation S-P and other applicable regulatory requirements. Contact us today for assistance.