
The SEC's Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on April 16, 2019, which provided a list of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers.

Regulation S-P was adopted by the SEC to implement the privacy rules promulgated under Section 504 of the Gramm-Leach-Bliley Act. Among other things, Regulation S-P requires a registrant to:

  • provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices generally no later than when it establishes a customer relationship (Initial Privacy Notice);1

  • provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship (Annual Privacy Notice,2 and together with the Initial Privacy Notice, "Privacy Notices");

  • deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties (Opt-Out Notice);3 and

  • adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information (the "Safeguards Rule").5

Regulation S-P also describes the information that must be included in Privacy Notices, including the categories of nonpublic personal information that the registrant collects and discloses, and in Opt-Out Notices.4

The Risk Alert listed the following examples of the most common deficiencies or weaknesses identified by OCIE staff to assist advisers and broker-dealers in providing compliant Privacy and Opt-Out Notices and in adopting and implementing effective policies and procedures for safeguarding customer records and information under Regulation S-P:

  1. Privacy and Opt-Out Notices – The registrants did not provide Initial Privacy Notices, Annual Privacy Notices, or Opt-Out Notices to their customers, or the notices provided did not accurately reflect the firms' policies and procedures.

  2. Lack of policies and procedures – The registrants did not have written policies and procedures as required under the Safeguards Rule.

  3. Policies not implemented or not reasonably designed to safeguard customer records and information – For example, policies and procedures failed to safeguard customer information on personal devices; address the inclusion of customer personally identifiable information (PII) in electronic communications; provide adequate training and monitoring to employees in connection with transmitting encrypted, password-protected information; prohibit employees from sending customer PII to unsecure locations outside of the registrants' networks; and identify all systems on which the registrant maintained customer PII. Registrants failed to follow their own policies and procedures regarding outside vendors. Written incident response plans failed to address important areas, such as role assignments for implementing plans, actions required to address a cybersecurity incident, and assessments of system vulnerabilities. Customer PII was stored in unsecure physical locations. Customer login credentials had been disseminated to more employees than permitted under firms' policies and procedures. And former employees of firms retained access rights after their departure and therefore could access restricted customer information.


[1] 17 CFR 248.4.
[2] 17 CFR 248.5.
[3] 17 CFR 248.7.
[4] 17 CFR 248.6, 248.7.
[5] 17 CFR 248.30(a).

Copyright © 2019 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.
