SEC Risk Alert: Compliance Issues with Privacy Notices and Safeguard Policies

May 9, 2019

Risk Alert issued April 16, 2019

On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert on Privacy Notice and safeguard policy compliance issues. This regulatory communication applies to investment advisers and broker-dealers (“registrants”) alike. OCIE cited issues identified in deficiency letters from broker-dealer and adviser exams completed by the Staff during the past two years. SEC registrants should note that the Commission has issued deficiency notices and pursued enforcement actions on the basis of registrant non-compliance with Risk Alerts, including on the basis of guidance in the absence of a rule.

Applicable Rules

Regulation S-P and the Safeguards Rule thereunder are the primary regulations underlying the focus of the SEC’s Risk Alert guidance.

Regulation S-P requires registrants to:

  • Provide a clear and conspicuous notice to their customers that accurately reflects their privacy policies and practices, no later than when they establish a customer relationship (“Initial Privacy Notice”);
  • Provide a clear and conspicuous notice to their customers that accurately reflects their privacy policies and practices not less than annually during the continuation of the customer relationship (“Annual Privacy Notice”); and
  • Where applicable, deliver a clear and conspicuous notice to their customers that accurately explains the right to opt out of some disclosures of nonpublic personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).

Regulation S-P specifies the information that must be included in Privacy Notices and Opt-Out Notices. This information includes the categories of nonpublic personal information that the registrant collects and discloses.

The Safeguards Rule under Regulation S-P requires registrants to:

  • Adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information; and
  • Reasonably design policies and procedures to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to their security or integrity, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Exam Findings

Notices and Opt-Out failures included:

  • Failure to provide Initial and Annual Privacy Notices and, when required, Opt-Out Notices
  • Notice provisions that were not congruent with information sharing practices of the registrant
  • Failure to provide to customers notice of their right to opt out of the registrant’s information sharing protocol with nonaffiliated third parties

Policy and procedure failures included:

  • Absence of policy and procedures
  • Incomplete policy and procedures
  • Poorly designed policy and procedures
  • Storage of customer information on personal devices without adequate procedures and internal controls
  • Electronic communications sharing customer personally identifiable information (“PII”)[1] without encryption or security controls
  • Lack of employee training to convey proper use of personal devices and handling of customer information
  • Lack of internal controls to prohibit sending of customer PII to unsecured locations outside of the registrants’ networks
  • Deficient third-party vendor policies; e.g., failure to require vendors to contractually agree to keep customer PII confidential, even though such agreements were mandated by policy
  • Lack of identification of all systems on which customer PII was stored, which impedes the implementation of strong protective controls
  • Inadequate internal controls relative to incident documentation/resolution, e.g., failure to identify responsible parties, no instructions for handling cybersecurity incidents, and no requirements to assess system vulnerabilities
  • Weak physical security controls over hard copy customer PII records
  • Unnecessary distribution of customer logins
  • Weak employee termination controls, which facilitated continued access to PII by terminated employees

Compliance Tips

To remain compliant with Regulation S-P and the Safeguards Rule:

  • Examine your firm’s information handling and sharing practices and carefully design policies, notices, and opt-outs to match your practices
  • Leverage the regulators’ jointly issued model privacy form, which allows a registrant to use a common privacy notice to meet the content requirements of privacy and opt-out notices and to enjoy safe harbor protections under privacy regulations
  • Leverage the FAST Act to avoid Annual Privacy Notice obligations, an exception available to registrants that: (a) do not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out; and (b) have not changed their policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent Privacy Notice
  • Privacy policy violations are equivalent to privacy rule violations in the eyes of the SEC, so if your policies introduce requirements that go beyond rule requirements, failures to comply with those policies, even if not rule violations, will likely result in an examination deficiency
  • Be mindful of the body of rules and regulatory guidance that impact privacy and information handling outside the framework of Regulation S-P, which include:
    • Regulation S-AM which governs the sharing of customer information for marketing purposes
    • Regulation S-ID: Identity Theft Red Flags which requires certain financial institutions to adopt identity theft prevention programs
    • GDPR which sets legal guidelines for the collection and processing of personal information of individuals within the European Union
    • State privacy regulations which vary by state and govern the handling of the personal information of state residents
    • State data security regulations requiring businesses and governments to take specific measures to keep electronic data secure, which generally include security breach laws
    • Cybersecurity guidance from the SEC and state authorities to protect personal information from cyber-attacks and related risks
  • Document all compliance-related activity pursuant to implementation of policies, procedures and internal controls

Bottom Line

The Staff reiterated in its Risk Alert that the issues highlighted above should not be considered all-inclusive. Enforcement actions related to privacy rule violations are on the rise, not to mention the reputational risks of security incidents!

View the Risk Alert here: Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (PDF)

©1998-2019 Horrigan Resources, Ltd.


Not customized advice. Not legal advice.

[1] PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Any data that could potentially be used to identify a particular person. The definition of PII is not anchored to any single category of information or technology; rather it requires a case-by-case assessment of the specific risk that an individual can be identified.

Author Betsy Rathz