Regulation S-P: Possible Compliance Weaknesses

SEC Risk Alerts are helpful tools that notify broker-dealers and investment advisers of trends identified during recent examinations. A Risk Alert released last year provides insight to assist firms with staying in compliance, highlighting trends related to Regulation S-P.

What is Regulation S-P?

The SEC’s rule on the Privacy of Client Information (Regulation S-P) requires a registrant to provide an initial privacy policies and practices notice when it establishes a customer relationship and to provide a notice annually thereafter. The Regulation also requires opt-out processes and specific information that must be included in the privacy notice.

Trends in Regulation S-P Compliance Weaknesses

  1. In some cases, initial and annual notices were not provided to clients. In other cases, delivered notices did not reflect the firm’s policies and procedures. Where surveys were provided, the clients did not receive notice of their right to opt out of sharing their nonpublic personal information with non-affiliated third parties.
  2. Registrants may have had the “Safeguard Rule” within the manual; however, the actual implementation of the rule in terms of administrative, technical, and physical safeguards was not included. In some cases, the procedures contained blank spaces for registrants to insert custom content, which firms failed to insert.
  3. A procedure is only half the picture; the execution of the program is where many registrants fall apart. Examples included the following:
    • Use of personal devices by employees without a clear policy on safeguarding and configuring information kept on these devices;
    • Unencrypted emails sent by employees with personally identifiable information and lacking policies to prevent this occurrence;
    • Not providing training to employees on the foundations of safeguarding information through encrypted, password-protected, and approved channels, and having no method of testing in place to monitor compliance with the policy;
    • Failure to have procedures covering the sending of personal information over unsecured networks and the storing of information in unsecured locations (e.g., unlocked file cabinets, open offices);
    • Failure to require confidentiality agreements when using outside vendors, even where such agreements were part of the program;
    • Not maintaining an inventory of all systems where personal information may be maintained;
    • Lackluster incident response plans that did not address important areas, roles, and required actions to address a cyber incident;
    • Multiple employees using the same login, a practice the firm’s policies and procedures prohibit; and
    • Incidents where former employees continued to have access rights to personal customer information even after their termination.

Conclusion and Takeaways

Overall, the Risk Alert provides a starting point to help registrants assess their current programs and systems. Following this assessment, firms should make necessary changes to the program to strengthen such systems. The notice does not encompass a complete list of possible weaknesses related to Regulation S-P. Compliance professionals can use the trends highlighted in the alert to help start productive conversations within their firm.

Contact us today to see how our team of experienced consultants can help your firm in this area.