It’s time to review the Privacy Notice and policies and procedures surrounding Regulation S-P, including Safeguarding of Client Assets.
On April 16, 2019, the Office of Compliance Inspections and Examinations issued a Risk Alert describing compliance issues noted during examinations of Investment Advisers and Broker-Dealers over the last two years. The most frequent compliance issues include:
- Privacy and Opt-Out Notices. Initial, annual[1] and opt-out notices were not provided to customers, or, when they were, they did not accurately reflect firms’ policies and procedures. Staff also noted that Privacy Notices did not inform customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties.[2]
- Lack of policies and procedures. Registrants did not have written policies and procedures as required under the Safeguards Rule. For example, documents restated the Safeguards Rule but did not include the specifics related to administrative, technical and physical safeguards. Policies and procedures were observed that contained blank spaces for the registrants to complete. Staff also noted firms that had policies and procedures for the delivery and content of the Privacy Notice but not any written policies and procedures required by the Safeguards Rule.
- Policies not implemented or not reasonably designed to safeguard customer records and information. Policies and procedures did not appear to be implemented or reasonably designed to (1) ensure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers. For example:
- Personal devices – Registrants’ employees regularly stored and maintained customer information on personal laptops, but registrants’ policies and procedures did not address how these devices were to be properly configured to safeguard customer information.
- Electronic communications – Policies and procedures did not address the inclusion of customer personally identifiable information (“PII”) in electronic communications. For example, no policies and procedures were designed to prevent employees from sending unencrypted emails to customers containing PII.
- Training and monitoring – Even where registrants did have policies and procedures in place, employees were not trained on methods for encrypting or password protecting customer information. Firms also failed to monitor transmissions to determine whether employees were following the policies and procedures.
- Unsecure networks – Registrants did not have policies and procedures prohibiting employees from sending customer PII to unsecure locations outside of the registrants’ networks.
- Outside vendors – Registrants failed to have outside vendors contractually agree to keep customers’ PII confidential, despite registrants’ policies and procedures requiring it.
- PII inventory – Registrants’ policies and procedures did not identify all systems that maintained customer PII. Without such an inventory, registrants may be unaware of the categories of PII they maintain, which in turn could limit their ability to design policies and procedures that adequately safeguard client information.
- Incident response plans – plans did not include things such as role assignments for implementing the plan, actions required to address a cybersecurity incident and assessments of system vulnerabilities.
- Unsecure physical locations – PII was stored in unlocked file cabinets, for example.
- Login credentials – client login credentials were disseminated to more employees than were permitted under registrants’ policies and procedures.
- Departed employees – instances were found where former employees of firms retained access rights after leaving the firm and could therefore access restricted information.
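As an added illustration (not part of the Risk Alert or of this summary), the following Python script shows the kind of periodic reconciliation a firm could run to detect the last two findings above: it compares a constructed HR roster against a constructed access export to flag departed employees whose accounts are still active (and accounts with no owner in HR at all), and compares the holders of a shared client login against the employees permitted to hold it under the firm's procedures. The system names, record layouts and sample data are all assumptions made for the example.

```python
from datetime import date

# Constructed HR roster (assumption): employee id -> termination date, None = still employed.
HR_ROSTER = {
    "e101": None,
    "e102": date(2019, 1, 15),
    "e103": None,
    "e104": date(2018, 11, 30),
}

# Constructed access export (assumption) from hypothetical systems that hold client records.
ACCESS_EXPORT = [
    {"system": "portfolio-db", "employee_id": "e101", "account": "e101", "active": True},
    {"system": "portfolio-db", "employee_id": "e102", "account": "e102", "active": True},   # departed, still active
    {"system": "crm",          "employee_id": "e104", "account": "e104", "active": False},  # departed, disabled: fine
    {"system": "crm",          "employee_id": "e103", "account": "e103", "active": True},
    {"system": "file-share",   "employee_id": "e999", "account": "e999", "active": True},   # no HR record at all
]

# Constructed record (assumption) of who has been given a shared client login, e.g. a
# custodian portal, and who the firm's written procedures actually permit to hold it.
SHARED_CREDENTIAL_HOLDERS = {"custodian-portal": {"e101", "e102", "e103"}}
PERMITTED_HOLDERS = {"custodian-portal": {"e101"}}


def departed_with_active_access(roster, access, as_of):
    """Return active accounts whose owner left the firm on or before `as_of`,
    plus active accounts whose owner has no entry in the HR roster (orphans)."""
    findings = []
    for row in access:
        if not row["active"]:
            continue  # disabled accounts are not a finding
        owner = row["employee_id"]
        if owner not in roster:
            findings.append({"system": row["system"], "account": row["account"],
                             "reason": "owner not in HR roster"})
            continue
        term = roster[owner]
        if term is not None and term <= as_of:
            findings.append({"system": row["system"], "account": row["account"],
                             "reason": f"owner terminated {term.isoformat()}"})
    return findings


def over_disseminated_credentials(holders, permitted):
    """For each shared credential, list holders not on the permitted list."""
    findings = {}
    for cred, who in holders.items():
        extra = sorted(who - permitted.get(cred, set()))
        if extra:
            findings[cred] = extra
    return findings


if __name__ == "__main__":
    review_date = date(2019, 4, 16)
    for f in departed_with_active_access(HR_ROSTER, ACCESS_EXPORT, review_date):
        print(f"ACCESS: {f['system']}/{f['account']}: {f['reason']}")
    for cred, extra in over_disseminated_credentials(SHARED_CREDENTIAL_HOLDERS, PERMITTED_HOLDERS).items():
        print(f"CREDENTIAL: {cred} held by non-permitted employees {extra}")
```

Both checks are deliberately driven off the HR roster and the written permission list rather than off the systems themselves, so that a gap between what the procedures say and what the systems show surfaces as a finding; in practice the exports would come from the firm's directory, each application's user list and the HR system of record.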
[1] 17 CFR 248.5. Section 75001 of the Fixing America’s Surface Transportation Act, Pub. L. No. 114-94, 129 Stat. 1312 (2016) (“FAST Act”), amended the GLBA by adding subsection 503(f) to provide an exception to the Annual Privacy Notice requirement. Under this exception, a financial institution is not required to provide an Annual Privacy Notice if the financial institution (1) does not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent Privacy Notice.
[2] 17 CFR 248.7. Under the exceptions in 17 CFR 248.13, 248.14 and 248.15, however, an Opt-Out Notice is not required if the registrant shares nonpublic personal information with a nonaffiliated third party for certain purposes. These circumstances include sharing information with a nonaffiliate (i) as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, (ii) in connection with processing or servicing a financial product or service a consumer authorizes, and (iii) in connection with maintaining or servicing the consumer’s account with the institution.