On April 16, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert detailing compliance issues from recent examinations of investment advisers and broker-dealers pertaining to privacy regulations.
Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. It generally requires firms to:
- Provide an “Initial Privacy Notice” to customers regarding the firm’s privacy policies and practices, no later than when it begins a customer relationship.
- Provide an “Annual Privacy Notice” to customers reflecting the firm’s privacy policies and practices.
- Provide an “Opt-Out Notice” to customers enabling them to opt-out of some disclosures of non-public personal information to nonaffiliated third parties.
- Adopt written “Safeguard Rule” policies and procedures for the protection of customer information and records.
The OCIE Risk Alert details various deficiencies and weaknesses pertaining to privacy rules as applicable to investment advisers and broker-dealers:
- Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
- Failure of privacy notices to accurately reflect the firm’s existing policies and procedures.
- Failure to identify opt-out rights within privacy notices.
- Lack of or inadequate “Safeguard Rule” privacy-related written policies and procedures.
- Lack of implementation or insufficient design regarding safeguard policies and procedures, including:
- Insecure storage of customer data on personal devices
- Unencrypted email communication with personally identifiable information (PII)
- Lack of safeguards regarding placing private data on unsecure external networks
- Lack of data privacy training
- Failure to implement data privacy policies among third-party vendors
- Failure to maintain an inventory of systems housing PII
- Insufficient incident response plans
- Storage of PII in insecure physical locations
- Provision of customer login information to more employees than permitted
- Failure to remove login rights from departed employees
The OCIE strongly recommends that firms review and strengthen their data privacy policies, update their data privacy notification, and ensure adherence to SEC data privacy regulations.
ACA recommends taking the following actions regarding the compliance issues outlined in the OCIE’s Risk Alert:
- Thoroughly review and refresh existing data privacy policies and procedures.
- Update written data privacy policies, as reflected in information security programs, incident response plans, and other documentation.
- Update privacy notifications, including initial privacy notices, annual privacy notices, and opt-out notices, to ensure consistency with actual policy and adherence to SEC regulations.
- Design and provide training to all staff regarding data privacy regulations and related policies.
- Ensure third-party vendor data privacy policies are consistent with those implemented by your firm.
- Consider conducting a review of this area in preparation for a potential SEC examination.
How ACA Can Help
ACA offers the following solutions that can help your firm meet SEC regulatory requirements and prepare for an examination:
- Mock SEC exam services
- Mock regulatory cyber exams
- Data privacy compliance services
- GDPR awareness training
- Policies, procedures and governance
- Electronic communication reviews
If you have any questions, please contact your ACA consultant or email us at firstname.lastname@example.org.