The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission has issued a risk alert concerning privacy notices and protections under Regulation S-P, 17 CFR §248, Subpart A and related regulatory releases, in order to assist advisers and broker-dealers in adopting and implementing effective policies and procedures to safeguard customer records and information.
As described in the Risk Alert, Regulation S-P requires registrants to provide timely, clear and conspicuous notice to their customers that accurately reflects the privacy policy and practices of the registrant (1) when the registrant-customer relationship is first established; (2) annually thereafter; and (3) that accurately explains the customer's right to opt out of certain disclosures of non-public personal information to nonaffiliated third parties. The Regulation also requires registrants to adopt written policies and procedures that address the protection of customer information.
The Risk Alert sets out common Regulation S-P compliance issues observed by OCIE staff. These include:
- Failure to provide privacy and opt-out notices, and inadequate explanation of the registrant’s policies and procedures;
- Lack of written policies and procedures;
- Policies not reasonably designed to safeguard customer information, or inadequately implemented.
The OCIE staff found that some registrants’ employees maintained customer information on their personal laptops, although no policies and procedures were in place to safeguard that information. The Risk Alert also points to deficiencies in safeguarding personally identifiable information communicated electronically; the use of unsecured networks, and storage in unsecured locations; failure to require outside vendors to keep customer information confidential, in violation of the registrants’ information security policies and procedures; inadequate training for registrants’ employees on encryption, password protection and other methods of safeguarding customer information; failure to maintain an inventory of all systems on which a registrant maintains customer information; the dissemination of customer login credentials more broadly than authorized by the registrants’ policies; failure to devise adequate incident response plans; and failure to curtail access for employees who had left the firm.