On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert dealing with Regulation S-P, which is the Commission’s primary rule governing privacy notices and the safeguarding policies of Registered Investment Advisers (RIAs), as well as broker-dealers. The Risk Alert guidance is derived from recent examinations of RIAs and broker-dealers and is designed to help them develop compliant privacy and opt-out notices to clients who are individuals (“customers”). The Risk Alert will also help firms to adopt and implement effective policies and procedures intended to safeguard customer records and information in accordance with Regulation S-P.
Regulation S-P’s Safeguards Rule requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information. Regulation S-P also dictates what information must be included in privacy notices.
Privacy and Opt-Out Notices
Pursuant to Regulation S-P, where applicable, a firm must:
- Provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices, no later than the inception of a customer relationship (“Initial Privacy Notice”)
- Deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of certain disclosures of non-public personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”); and
- Provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices at least annually throughout the relationship, (‘Annual Privacy Notice”).
For SEC RIAs, an Opt-Out Notice is not required if the SEC RIA shares non-public information about its customers only with nonaffiliated third parties that perform services for (or functions on behalf of) the SEC RIA, including marketing the firm’s own products or services, or financial products or services offered under a joint agreement between two or more financial institutions.
For SEC RIAs, an Annual Privacy Notice is not required if the SEC RIA does not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out and the SEC RIA has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices previously disclosed in the most recent privacy notice provided to the customer.
Deficiencies identified during broker-dealer and RIA examinations
The Risk Alert identified a number of deficiencies uncovered during examinations such as the following:
Privacy and opt-out notices. Examiners found instances where firms did not provide customers with initial privacy notices, annual privacy notices (when required), and opt-out notices (where applicable).
Lack of policies and procedures. Certain firms did not adopt written policies and procedures reasonably designed to safeguard customer records and information (referred to as the “Safeguards Rule”). Examiners found that some firms had policies and procedures containing numerous blank spaces that were not filled in by them.
Policies that were not implemented or reasonably designed to safeguard customer records and information. These policies and procedures did not appear to (1) ensure confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security of customer records and information; and (3) protect against unauthorized access or use of customer records and information. Examiners found problems regarding:
- Safeguarding of information on personal devices;
- Electronic communications containing customers’ personally identifiable information;
- Training and monitoring to ensure that employees were protecting customer information;
- Unsecure networks used by employees; and
- Outside vendors that were not contractually required to keep customers’ personally identifiable information confidential.
There were a number of other problems identified, such as a failure to inventory company-maintained customer information. Firms also lacked comprehensive incident response plans. In addition, there were issues arising from unsecure physical locations, login credentials and departed employees who still had access to restricted customer information.
By sharing these Regulation S-P compliance issues, OCIE’s goal is to encourage firms to review their written policies and procedures and how they were implemented. The Risk Alert also signals to firms that Rule S-P compliance will be a key component of future examinations.
The Risk Alert can be found HERE.
Ara Jabrayan is the Managing Member of RIA Compliance Group, LLC, and on the Advisory Board for SmartRIA. His specialties include SEC and state RIA registrations, ongoing compliance assistance, mock exams, and the development of compliance programs. Follow him on LinkedIn, Facebook, or check out his Blog.