Takeaways and Tips Related to SEC Risk Alert on Regulation S-P

On April 16, 2019, the SEC released a Risk Alert providing a list of compliance issues related to Regulation S-P, the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. As with other risk alerts, these were deficiencies noted by OCIE in regulatory examinations. Though the deficiencies were fairly common sense, the release of the risk alert should be used by compliance professionals to reevaluate current practices in place and whether now is the time to make enhancements.

Regulation S-P, among other things, requires a registrant to: (1) provide a notice to its customers that accurately reflects its privacy policies and practices no later than when it establishes a customer relationship, (2) provide a privacy notice to its customers not less than annually during the continuation of the customer relationship and (3) deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties (“Opt-Out Notice”).

Additionally, the Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

So, what deficiencies did the SEC find? We highlight the key items and remind you to analyze your own practices and privacy protocols to ensure you are in compliance:

  • Not providing the initial, annual or opt-out notices. In addition, Registrants not doing what they say they are doing within those notices!
  • Not providing an opt-out provision to the sharing of their nonpublic personal information with nonaffiliated third parties
  • Lack of policies and procedures to comply Regulation S-P
  • Not having reasonably designed policies to safeguard customer records and information. Here the SEC highlighted some additional matters with respect to safeguarding data:
    • Personal devices – Not having policies to address client data stored on employee’s laptops, mobile devices, etc.
    • Electronic communications – Not having policies that address protection of personally identifiable information (“PII”) in emails.
    • Lack of training on the firm’s policies and practices.
    • Unsecure Networks – Not having policies that prohibit employees from sending customer PII to unsecure locations outside firm’s networks.
    • Outside vendors – Failure to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the registrant’s policies and procedures.
    • PII Inventory – Not maintaining an inventory of where PII is stored and steps to protect them.
    • Incident response plans – Not addressing role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
    • Unsecured physical locations – Lack of protection of documents maintained in unsecure locations, such as unlocked file cabinets.
    • Login credentials – No controls over who can access the client’s login credentials and not following the policies about access controls.
    • Departed employees – Not terminating access rights of employees who have departed the firm.

Here are a few key takeaways to help you ensure you have addressed these matters and strengthen your compliance program:

  • Remember the importance of advising your customers of their opt-out rights.
  • Ensure you implement and memorialize your policies and procedures related to administrative, technical, and physical safeguards. Reevaluate what your present policies are to ensure they are being carried out. Don’t just say you do things – DO THEM.
  • Encryption, encryption, encryption! Retrain your staff on the importance of encrypting email communications when it contains PII.
  • Perform surveillance of email to ensure the last bullet is being implemented.
  • Have a plan and stick to it – Ensure you maintain an incident management plan, have roles assigned and ensure you are sticking to that plan in the event of a breach.
  • Determine if you have client login credentials on file. If so, ensure there are controls and policies in place as to who can access this information and how it is securely maintained on your networks.
  • Maintain an employee “off-boarding” checklist – When an employee departs, memorialize all the access controls that have been removed and the date it was removed.

Post written by Korrine Kohm

Related Content

Latest Content

How to Be a Wildly Effective Compliance Officer

Being a Compliance Officer is no easy task. Administering a compliance program, implementing controls to help protect clients and the firm, and staying on top of new regulations is only part of the job. Compliance Officers are also expected to be flexible and pro-business. So how do you do it all? How can you be … Continued

Mitigating the Risk of Insider Trading

One of the biggest risks affecting investment advisers is the potential that material non-public information (“MNPI”) may be misused, leading to a charge of insider trading. Advisers should implement controls to mitigate these risks. Steven Stone of Morgan, Lewis & Bockius, LLP, Salvatore Cincinelli of the FBI and David Chaves of Tone at the Top … Continued

Compliance 2.0 – Being a Strategic Partner in Your Firm

Compliance as a profession continues to evolve. With Enron, Bernie Madoff and numerous other failures paving the way for rulemaking across industries and nations, the days of drawing a short straw, getting drafted into a compliance role and operating in isolation outside of the business are – or should be – ancient history. Since the … Continued

Big Data Part III: Preparing for the Future of Global Regulatory Governance

United States and European Union reporting requirements imposed on investment managers have exploded since the Global Financial Crisis and, with the imminent arrival of SFTR in Europe, it seems poised to expand again. The challenge of reporting trades, transactions and contracts in multiple jurisdictions requires firms to embrace technology as regulators continue to look to … Continued

Custody Concerns Continue

You timely filed your Form ADV within 90 days of fiscal year end, but did you properly answer all the questions related to custody? Not surprisingly, the Form remains confusing for many advisers, as does application of the Custody Rule itself. The SEC has issued guidance, letters to the industry, alerts and FAQs, but things … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.