BlogLine

SEC Issues Risk Alert Regarding Broker-Dealers and Investment Advisers’ Privacy Practices and Compliance with Regulation S-P

4/22/19

By: Jennifer Lee

On April 16, 2019, the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert summarizing the findings from the examinations of broker-dealers and investment advisers’ privacy practices and compliance with Regulation S-P.
Regulation S-P, 17 C.F.R. § 248.30, was enacted to protect the privacy of customers and their information. It has three major components:

  1. Firms are required to provide their customers with a copy of their privacy policies and procedures at the initial outset of the relationship and also on an annual basis.
  2. Firms are prohibited from sharing customers’ nonpublic information with unaffiliated third parties unless the customer is given prior notice regarding such practices.
  3. Firms must inform customers that they have a right to opt out of the firm’s data-sharing practices with unaffiliated third parties and provide a method by which customers can opt out.

During the examinations, which spanned the past two years, the Office of Compliance Inspections and Examinations (“OCIE”) found common deficiencies in firms’ compliance with Regulation S-P. The OCIE found that some firms did not provide customers with the initial and/or annual privacy policies and procedures. In other instances, the privacy policies and procedures were inadequate to satisfy the requirements under Regulation S-P. For example, the policies and procedures failed to identify the precautions taken to ensure the integrity of customers’ information.
Even when firms gave the required notices and had satisfactory written policies and procedures on the books, the OCIE often found that such policies and procedures were not actually being implemented and that firms’ practices diverged from the written policies and procedures. Customers’ personally identifiable information (“PII”) was sent via unencrypted emails and left in unsecured physical locations, firm employees kept customer information on unsecured personal devices, and outside vendors were not vetted on their cybersecurity and privacy practices.
These findings are unsurprising: when a new set of privacy or cybersecurity regulations is introduced, companies often invest an incredible amount of time and resources to develop policies and procedures that comply with the new requirements. Usually, most of this work is done by the COO or Chief Information Security Officer (“CISO”). However, it does not and cannot stop there, as most enforcement actions and customer actions are brought based on the firm’s failure to implement its policies and procedures.
To reduce the risk of enforcement and customer actions, firms must ensure that the policies and procedures in their books are put into practice. This requires buy-in from everyone at the executive level—from the CEO to the CMO—and cooperation from multiple departments in the firm that may not necessarily work closely with each other on a regular basis. In addition, firms should shift their perspective on compliance with Regulation S-P and other privacy or cybersecurity regulations. It is not a one-off event. Instead, it should be seen as an active and ongoing process that requires constant training and monitoring.
If you have any questions regarding your firm’s compliance with Regulation S-P or other privacy and cybersecurity regulations, please contact Jennifer Lee at jlee@fmglaw.com.