I am hardly saying that SEC Regulation S-P is the sexiest of regulations. I mean, has any customer in history actually read one of those exciting statement stuffers that discloses in some dense font a BD’s privacy policy? Likely not, but, nevertheless, it remains that in this day and age, with hacking and phishing and cybersecurity a part of the everyday vernacular, Reg S-P is something that BDs cannot afford to be even slightly unfamiliar with.
Helpfully, last week the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert “providing a list of compliance issues related to Regulation S-P,” which it described as “the primary SEC rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers.” It is short, a mere four pages, and it is easy to read and digest, so I heartily recommend it to everyone. But, since it is my job to make your lives easier, let me provide a thumbnail of its contents.
What OCIE did was review the results of exams that it conducted of BDs and IAs to identify the typical Reg S-P related deficiencies its staff uncovered. And before you say “who cares,” consider that both the SEC and FINRA have brought a bunch of Enforcement actions based on Reg S-P violations. That includes a settlement with Voya Financial Advisors in September last year that resulted in a $1 million civil penalty, and another $1 million civil penalty in a 2016 settlement with Morgan Stanley. And if that’s not scary enough, then think about the fact that the SEC has demonstrated a willingness to name individuals for Reg S-P violations when appropriate. See this and this, for example.
Anyway, the exam deficiencies fall into a couple of broad categories. The first involves the obligations to provide Privacy and Opt-Out Notices. As I assume you know, Reg S-P requires that BDs provide an “Initial Privacy Notice” at the outset of a customer relationship that describes, clearly and conspicuously, the firm’s privacy policies and practices, plus an “Annual Privacy Notice,” which repeats what was said in the Initial Notice, plus an “Opt-Out Notice,” which provides customers the right “to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.” According to OCIE, the problems observed include some that are really basic and obvious, such as not providing the Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to customers at all, or providing notices that “did not accurately reflect firms’ policies and procedures.”
The next category involves the failure to maintain appropriate or reasonable policies and procedures to ensure compliance with Reg S-P. The biggest problem that the OCIE staff observed concerned policies that were not reasonably designed to safeguard customer records and information. This is the kind of thing you read about all the time, and you likely get emails from your IT Department reminding you of your obligations to keep customer information confidential.
With regard to this last point, OCIE provided some specific and helpful observations about common deficiencies in policies and procedures regarding the confidentiality of customer personally identifiable information (“PII”):
- Failure to safeguard customer information on personal devices, such as where employees regularly stored and maintained PII on their personal laptops;
- Failure to address the inclusion of customer PII in electronic communications, such as employees who send unencrypted emails to customers containing PII;
- Policies and procedures that appropriately required customer information to be encrypted, password-protected, and transmitted using only registrant-approved methods, but which, in practice, were ineffective because employees were not provided adequate training;
- Failure to prohibit employees from sending customer PII to unsecure locations outside of the firm’s networks;
- Failure to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by policies and procedures;
- Failure to identify all systems on which customer PII was maintained (which can cause a firm to be unaware of the categories of customer PII being maintained);
- Inadequate written incident response plans that did not address who was responsible for implementing the plan, the actions required to address a cybersecurity incident, and assessments of system vulnerabilities;
- Unsecure physical locations for the storage of customer PII, such as unlocked file cabinets in open offices;
- The dissemination of customer login credentials to more employees than permitted under firms’ policies and procedures; and
- Allowing former employees to retain access rights after their departure, thereby potentially providing continuing access to restricted customer information.
According to the SEC, the “key takeaway” from the Risk Alert is this: “Through sharing some of the Regulation S-P compliance issues it observed, OCIE encourages registrants to review their written policies and procedures, including implementation of those policies and procedures, to ensure compliance with the relevant regulatory requirements.” I couldn’t have said it better. This is a wake-up call. Hit snooze at your own peril.