Earlier this month, the Securities and Exchange Commission (“SEC”) took a break from its recent focus on digital assets and the Best Interest fiduciary standard to publish a Risk Alert encouraging investment advisers and broker-dealers to revisit their policies and procedures relating to Regulation S-P (“Reg S-P”) (17 C.F.R. Part 248, Subpart A), which sets out requirements designed to protect customer information and records. The Alert highlights several key compliance issues identified by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) during exams completed in the past two years.
Reg S-P was adopted in 2000 to enhance financial privacy protections and stem the rising tide of unwanted solicitations. Among other things, Reg S-P requires investment firms to provide clear and conspicuous notice to customers regarding their privacy policies and practices when a customer relationship begins, and at least annually thereafter. It also mandates that firms deliver a clear and conspicuous notice to customers explaining the right to opt out of disclosures of non-public personal information to non-affiliated third parties. A 2005 amendment called for the implementation of written policies and procedures reasonably designed to safeguard customer records and information.
The recent Risk Alert focuses on three common areas of compliance shortcomings: (1) privacy and opt-out notices, (2) lack of policies and procedures, and (3) policies that were not implemented or reasonably designed to safeguard customer records and information. Most of the issues identified in connection with existing policies are technology-related. Curiously, the Risk Alert does not reveal how pervasive these shortcomings were.
First, OCIE staff found that firms either failed to provide the required privacy and opt-out notices altogether or provided notices that did not accurately reflect the firm’s policies and procedures or adequately explain the customer’s right to opt out of information sharing.
Second, examiners also found that firms lacked policies and procedures relating to administrative, technical, and physical safeguards, or had policies that were incomplete, containing blank spaces apparently left to be filled in at a later date.
Finally, OCIE staff observed firms failed to implement or reasonably design policies to safeguard customer records and information. The Alert highlights several areas where policies were altogether inadequate with regard to securing personal laptops, encryption of emails containing customer information, transmission of sensitive information to external locations, vendor management, training, monitoring, cataloging of all systems containing customer information, incident response planning, physical storage, login credential management, and system access by departed employees.
The issuance of the Risk Alert makes clear the SEC still has its eye on this tenured regulation, which has taken on renewed importance in a big data, tech-driven world. More than a decade after the agency enacted these requirements, firms handling customer information are expected to have policies that comply with the regulation both on paper and in practice. Corporate counsel should draw on the Risk Alert to leverage the OCIE’s cumulative industry-wide observations in assessing their firm’s own potential vulnerabilities, especially those presented by the dynamic use of technology in the workplace.