On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert describing common compliance issues related to Regulation S-P – Privacy Notices and Safeguard Policies. In the Alert, OCIE describes common deficiencies in firms’ privacy policies and procedures found in recent OCIE examinations of both investment advisers and broker-dealers. As a reminder, Regulation S-P requires firms to, among other things, provide a clear and conspicuous notice that accurately describes the firm’s privacy policy and practices no later than when a customer relationship is established and not less than annually thereafter, and offer customers the right to opt out of some disclosures of non-public personal information (if applicable). Firms should pay special attention to the compliance issues noted in the SEC Risk Alert, including the following:
Privacy and opt-out notices: OCIE staff notes that many firms did not provide the initial and annual privacy and opt-out notices as required by Regulation S-P. In some cases, notices were provided to customers but the notices did not accurately reflect the firms’ actual policies and procedures. In other cases, notices did not allow customers to opt out of the sharing of their nonpublic information, as required by Regulation S-P.
Lack of policies and procedures: OCIE staff notes that many firms did not have adequate written policies and procedures as required under Regulation S-P. While some firms had procedures describing the firm’s policies for distributing Privacy Notices, the procedures did not describe the firm’s policies for safeguarding customer information. Policies may have stated that firms would safeguard customers’ nonpublic information, but the policies did not describe how firms would do this.
Policies not implemented or deficient: OCIE staff notes that while many firms had written policies and procedures describing their privacy practices, such procedures were not properly implemented or were deficient. Specifically, OCIE notes the following areas that were commonly deficient:
- Personal devices: many firms did not have procedures designed to safeguard nonpublic personal information stored and maintained on employees’ personal devices, such as personal laptops. OCIE notes that procedures did not address how such devices were properly configured to safeguard customer information.
- Electronic communications: many firms did not have procedures to address the inclusion of nonpublic personal information in electronic communications, such as email. For example, firms did not require the encryption of email containing private information.
- Training and monitoring: while firms may have had adequate policies and procedures to address privacy policies, many firms did not properly train employees on these policies and procedures and did not monitor whether firm policies were being followed.
- Unsecure networks: many firms did not have procedures to prevent employees from sending private information to unsecure locations outside of the firm’s secured network.
- Outside vendors: OCIE notes that many firms failed to follow their own policies and procedures related to outside vendors. While a firm’s policies and procedures may have required the firm to mandate that outside vendors protect nonpublic customer information, there was often no contractual obligation to require a vendor to do so.
- Inventory of information: OCIE identified deficient policies and procedures in that firms did not maintain inventories of the personally identifiable information (nonpublic information) maintained by the firm, and the devices/systems on which such information is stored. By not maintaining this type of inventory, firms were unable to adopt reasonable procedures to safeguard private customer information.
- Incident response plans: OCIE noted that firms did not have adequate incident response plans to address actions required in the event of a privacy breach. Such plans should include the identification of staff to implement the plan, as well as the actions required to assess vulnerabilities and address a privacy breach.
- Unsecure physical locations: in cases where nonpublic customer information is maintained in hard-copy format, many firms did not have secure locations to store that information. For example, information was stored in unlocked file cabinets or in open offices.
- Login credentials: OCIE notes that some firms disseminated customer login credentials to employees not permitted to have such information under a firm’s policies and procedures, potentially exposing nonpublic information to employees who did not have a business need to access such information.
- Departed employees: OCIE identified instances where terminated employees retained access to a firm’s systems and therefore could access nonpublic customer information.
With this Risk Alert, the SEC is reminding firms to review their policies and procedures related to Regulation S-P and Privacy. Ensure your firm’s policies address your firm’s actual practices for protecting personally identifiable information and ask yourself whether these policies are being properly implemented. If you have questions related to your firm’s privacy policies and procedures or about the issues noted by the SEC, feel free to reach out to your Foreside Consultant.