Risk Alert Warns RIAs and Broker-Dealers About Compliance Issues Involving Regulation S-P Privacy Notices and Safeguard Policies

Regulation S-P is the SEC’s primary rule pertaining to the privacy notices and safeguard policies of Registered Investment Advisors (“RIAs”) and broker-dealers. On April 16, 2019, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Regulation S-P Risk Alert, which summarized the findings of RIA and broker-dealer examinations during the previous two years. The Risk Alert discusses many of the deficiencies or weaknesses related to Regulation S-P that were identified by examiners.

 The purpose of the Risk Alert is to assist RIAs and broker-dealers with adopting and implementing effective policies and procedures for safeguarding customer records and information. The Risk Alert is also intended to help RIAs and broker-dealers distribute compliant privacy and opt-out notices. The Risk Alert is available at https://www.sec.gov/ocie/announcement/ocie-risk-alert-regulation-s-p.

Keys to providing compliant privacy and opt-out notices

To comply with Regulation S-P, firms must provide a clear and conspicuous notice to their customers, which accurately describes their privacy practices and policies. The notice must be provided before the customer relationship begins and at least once a year through the duration of the relationship.

In addition, firms must deliver a clear and conspicuous notice to their customers, which accurately advises how customers may opt out of certain disclosures of non-public personal information to nonaffiliated third parties. The notification to customers is known as an opt-out notice.

The Safeguards Rule of Regulation S-P requires companies to adopt written policies and procedures addressing administrative, technical and physical safeguards to protect customer records and information. These written policies and procedures must be reasonably designed to:

 Ensure the security and confidentiality of customer records and information;

• Protect against expected hazards or threats to the security or integrity of customer records and information; and
• Protect against unauthorized access to or use of records or information that could potentially result in substantial harm or inconvenience to a customer.

Firms should use this Risk Alert to improve their Regulation S-P policies and procedures.

Frequent Regulation S-P compliance issues identified by examiners

In the Risk Alert, examiners identified a number of deficiencies including the following:

Privacy and opt-out notices. Examiners encountered firms that failed to provide customers with initial privacy notices, annual privacy notices, and opt-out notices. Some of these firms never notified customers of their right to opt out of sharing their nonpublic information with nonaffiliated parties.

Lack of policies and procedures. Examiners observed that some firms had not complied with the Safeguards Rule policies and procedures requirement. They did not have policies and procedures addressing administrative, technical and physical safeguards. Certain firms did not fill in blank spaces in their policies and procedures.

Policies not implemented or reasonably designed to safeguard customer records and information. Even when firms did implement policies and procedures, examiners found that they were not designed to:

• Ensure the confidentiality of customers’ records and information;
• Protect against foreseeable threats or hazards to the security of customer information and records; and
• Guard against unauthorized access to – or use of – customer records and information.

The Risk Alert identified ten areas where examiners found deficient policies and procedures:

1. Examiners noted that policies and procedures failed to address how to safeguard customer information on personal devices, such as laptop computers. Firms’ policies and procedures did not articulate how to configure those devices in order to safeguard customer information.
2. Firms lacked policies and procedures designed to safeguard customers’ personally identifiable information (“PII”) in electronic communications. Policies and procedures did not prevent employees from sending unencrypted emails containing PII to customers.
3. Employees were not provided with adequate training on policies and procedures that required customer information to be encrypted, password-protected and transmitted. Firms also failed to monitor if policies and procedures were adhered to by employees.
4. Firms’ policies and procedures did not prohibit employees from sending customers’ PII to unsecure locations outside of their networks.
5. Firms did not abide by their own policies and procedures governing outside vendors. Certain firms’ contracts did not require outside vendors to keep customers’ PII confidential, even though their policies and procedures obligated them to insert that requirement in their agreements.
6. Examiners observed that policies and procedures did not always identify systems on which the firm maintained customer PII. Because they did not keep an inventory, firms were not able to adopt reasonably designed policies procedures and could not adequately safeguard customer information.
7. Firms lacked written incident response plans to address key areas, such as who should implement the plan. Incident response plans were deficient in that they failed to address how to handle a cybersecurity incident and how to assess system vulnerabilities.
8. Examiners were also troubled to learn that customer PII was stored in unsecure physical locations, such as unlocked file cabinets in open offices.
9. Customer login credentials were distributed to more employees than permitted in the firm’s policies and procedures.
10. In some cases, former employees retained access to customer information after leaving the firm.

OCIE’s Risk Alert pointed out that there were additional deficiencies or weaknesses identified, which were not discussed in the publication.

Conclusion

The SEC uses Risk Alerts to inform firms regarding their compliance responsibilities and to prevent them from repeating mistakes made by other RIAs and broker-dealers. After publishing a Risk Alert, the SEC expects firms to review their policies and procedures to ensure they are thorough and effective. A firm’s policies and procedures should be bolstered in response to a Risk Alert.

This particular Risk Alert sends the message that future examinations are likely to focus on Regulation S-P compliance issues. Aside from improving their Regulation S-P policies and procedures, firms should always make certain that employees are adhering to them.

This article is not a solicitation of any investment product or service to any person or entity. The content contained in this article is for informational use only and is not intended to be and is not a substitute for professional financial, tax or legal advice.