The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has issued a risk alert relating to Regulation S-P, which requires SEC-registered investment advisors to, among other things, provide privacy notices to their customers and adopt written policies and procedures to safeguard customer information.
In the risk alert, OCIE provided examples of the most common deficiencies or weaknesses identified by examination staff in connection with Regulation S-P. These examples include the following:
- Privacy and Opt-Out Notices – Deficiencies included not providing initial privacy notices, annual privacy notices and opt-out notices to customers. In addition, certain privacy notices did not provide notice to customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties.
- Lack of policies and procedures – Certain registrants did not have written policies and procedures as required under Regulation S-P. In addition, OCIE noted that some firms had documents that did not include policies and procedures related to administrative, technical, and physical safeguards.
- Policies not implemented or not reasonably designed – OCIE observed that some policies and procedures did not address the safeguarding of customer information with respect to personal devices, electronic communications, training and monitoring, unsecure networks, outside vendors, PII (personally identifiable information) inventory, incident response plans, unsecure physical locations, login credentials, and departed employees.
Please click here to view the entire risk alert from OCIE.
Here are some other important points to remember with respect to Regulation S-P and privacy notices:
- A financial institution is not required to provide an Annual Privacy Notice if the financial institution (1) does not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent Privacy Notice.
- An Opt-Out Notice is not required if the registrant shares nonpublic personal information with a non-affiliated third party for certain purposes.
- The SEC has adopted a model form to satisfy Privacy Notice disclosure requirements. Use of the form provides a “safe harbor” for the required disclosures under Regulation S-P. The model form can be found at the following address: https://www.sec.gov/rules/final/2009/34-61003_modelprivacyform.pdf
For more information about Regulation S-P and the requirements for investment advisors, please contact NCA Compliance.
Hayley Nelson is the President and Principal Consultant of NCA Compliance, Inc., a compliance consulting firm providing a wide range of customized compliance solutions for investment advisors. Ms. Nelson previously worked for the Securities and Exchange Commission and a large investment manager in New York.