Takeaways and Tips Related to SEC Risk Alert on Regulation S-P

On April 16, 2019, the SEC released a Risk Alert providing a list of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. As with other risk alerts, these were deficiencies noted by OCIE in regulatory examinations. Though the deficiencies were fairly common sense, the release of the risk alert should be used by compliance professionals to reevaluate current practices in place and whether now is the time to make enhancements.

Regulation S-P, among other things, requires a registrant to: (1) provide a notice to its customers that accurately reflects its privacy policies and practices no later than when it establishes a customer relationship, (2) provide a privacy notice to its customers not less than annually during the continuation of the customer relationship and (3) deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).

Additionally, the Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

So, what deficiencies did the SEC find? We highlight the key items and remind you to analyze your own practices and privacy protocols to ensure you are in compliance:

  • Not providing the initial, annual or opt-out notices. In addition, Registrants not doing what they say they are doing within those notices!
  • Not providing an opt-out provision to the sharing of their nonpublic personal information with nonaffiliated third parties
  • Lack of policies and procedures to comply Regulation S-P
  • Not having reasonably designed policies to safeguard customer records and information. Here the SEC highlighted some additional matters with respect to safeguarding data:
    • Personal devices – Not having policies to address client data stored on employee’s laptops, mobile devices, etc.
    • Electronic communications – Not having policies that address protection of personally identifiable information (“PII”) in emails.
    • Lack of training on the firm’s policies and practices.
    • Unsecure Networks – Not having policies that prohibit employees from sending customer PII to unsecure locations outside firm’s networks.
    • Outside vendors – Failure to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrant’s policies and procedures.
    • PII Inventory – Not maintaining an inventory of where PII is stored and steps to protect them.
    • Incident response plans – Not addressing role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
    • Unsecured physical locations – Lack of protection of documents maintained in unsecure locations, such as unlocked file cabinets.
    • Login credentials – No controls over who can access the client’s login credentials and not following the policies about access controls.
    • Departed employees – Not terminating access rights of employees who have departed the firm.

Here are a few key takeaways to help you ensure you have addressed these matters and strengthen your compliance program:

  • Remember the importance of advising your customers of their opt-out rights.
  • Ensure you implement and memorialize your policies and procedures related to administrative, technical, and physical safeguards. Reevaluate what your present policies are to ensure they are being carried out. Don’t just say you do things – DO THEM.
  • Encryption, encryption, encryption! Retrain your staff on the importance of encrypting email communications when it contains PII.
  • Perform surveillance of email to ensure the last bullet is being implemented.
  • Have a plan and stick to it – Ensure you maintain an incident management plan, have roles assigned and ensure you are sticking to that plan in the event of a breach.
  • Determine if you have client login credentials on file. If so, ensure there are controls and policies in place as to who can access this information and how it is securely maintained on your networks.
  • Maintain an employee “off-boarding” checklist – When an employee departs, memorialize all the access controls that have been removed and the date it was removed.

Subscribe to CSS Blog

CSS frequently publishes blog posts which are written by our team from their observations in the field, at conferences and through experiences with compliance professionals. These posts are designed to further knowledge and share industry best practices. Topics run the gamut, including Form ADV, cybersecurity, MiFID II, position limit monitoring, technology challenges and more. Complete and submit the brief form below to receive notifications when we publish new content.

Loading form...

Latest Content

Introduction to SFTR ‘Cheat Sheet’

SFTR is designed to enhance transparency of Securities Finance Transactions (SFTs) for all financial and non-financial EU entities and, branches of non-EU entities. The reporting obligation begins 11 April 2020 for investment firms, followed by a nine-month phased approach for other firms. Need a quick introduction to the key details of the regulation? Download our … Continued

Even When SEC Rulemaking Slows, Your Compliance Manual Shouldn’t Stagnate

Maintaining tailored policies and procedures is a critical component of an adviser’s internal controls. Time and time again, we’ve heard regulators admonish the industry that off-the-shelf compliance manuals just don’t cut it. In today’s ever-shifting regulatory environment, does your compliance manual need a reboot? Although there has not been any significant rule making over the … Continued

Life Cycle Guidance for Service Provider Due Diligence

Engaging third-party service providers to perform key functions can offer an investment adviser access to state-of-the-art technology and solutions necessary to compete in today’s environment. Before entering into service provider relationships, advisers need to understand that while the function may be outsourced, the responsibility for the function still rests with the adviser. Firms engaging service … Continued