By Cory Roberson, Principal at RIA Review and RIA Consults
Advisors,
The challenges of safeguarding client information affect businesses in all industries. Earlier this month, Facebook revealed that it inadvertently allowed an unauthorized third party, Cambridge Analytica, to access data from over 50 million of its users. This wide-sweeping data breach prompted an investigation from the Federal Trade Commission (“FTC”) that will likely result in heavy fines for the social media juggernaut.
On February 2, 2018, my blog on “Data Protection/laptop theft security” discussed the risks of data breaches for advisors who may work remotely in various settings, such as coffee shops. The financial industry, meanwhile, is under a heavy microscope from regulators.
The Securities and Exchange Commission (SEC) is conducting more examinations in the face of an increasing frequency of cyber threats and data hacks. Last May, the SEC Office of Compliance Inspections and Examinations (OCIE) issued a report on its cybersecurity examinations of some of its registrants in response to a global cybersecurity attack (“Ransomware”).
Even regulators are facing scrutiny of their own over data breaches. On March 27, 2018, Bloomberg uncovered a whistleblower’s complaint against self-regulatory organizations (“SROs”), such as the Financial Industry Regulatory Authority (FINRA) and the North American Securities Administrators Association (NASAA). The complaint, filed against the regulators who supervise broker-dealers and state-registered advisors respectively, alleges that the agencies failed to safeguard social security and brokerage account numbers.
Client protection rulemaking is not a new issue. In 2001, more than seventeen years ago, lawmakers created a broad, sweeping rule for financial firms to mitigate the challenges of data protection, known as Regulation S-P (Gramm-Leach-Bliley Act).
What is required to safeguard client information?
Rule 30 of Regulation S-P requires financial firms across multiple jurisdictions to include written policies and procedures in their operations (“Privacy Policy”). Generally, firms can create a sufficient privacy policy through the creation of a client disclosure document and a summary of internal office procedures.
Regulation S-P covers investment advisers, broker-dealers, banking institutions, lending institutions, and investment companies (“mutual funds”).
What types of client information should be protected?
Non-Public Information can include any of the following: customer financial data (income, tax status, assets held in other financial institutions), client names, addresses, dates of birth, social security numbers, tax identification numbers, bank account numbers, credit card information, and copies of driver’s licenses or passports.
How to create Policies and Procedures (“Privacy policy”)?
Step 1 – Maintenance of books and records
Firms should create procedures for handling both paper and electronic records that contain non-public or other sensitive customer information. The policy can include the purpose for using data and who has access to sensitive information.
Step 2 – Protection of books and records
The policy should include steps for protection methods such as shredding paperwork, IT security systems, testing for breaches, encryption technology, password storage, remote working protocols, business continuity plans, and/or deleting sensitive firm information.
Step 3 – Communication with authorities
Firms should maintain policies for sharing information with regulators, government officials, or local authorities (e.g., what is required to be shared and what is not).
Step 4 – Steps for employee training
The policy should include steps for informing employees of best practices for safeguarding client information.
Step 5 – Sharing information with third parties
Firms should include policies for sharing information with third parties, affiliates, or other outside individuals (e.g., account for situations where information may be shared with other groups for business purposes, and/or provide disclosures stating when information will never be shared).
Step 6 – Reporting Breaches
The policy should include steps for reporting any actual or possible breaches of customer information (e.g., procedures for informing clients, offering credit monitoring, or recompensing clients if a data breach results in a loss of securities or assets).
Step 7 – Updating Privacy Policy
The policy should be updated for any changes in firm policies, systems, or protection methods.
Q. How to disclose details to clients (investment advisors)?
A.
Offer Letter: Advisors are required to send an annual offer letter to clients within 120 days of the firm’s fiscal year end. At this time, firms should include an updated copy of the Privacy Policy in paper or electronic format (e.g., a link to the form online).
Website: Firms should place a copy of their privacy policy disclosure on their website (if applicable).
ADV: Firms can state that a copy of the privacy policy, code of ethics, and/or business continuity plan is available upon request. Advisors may also attach a copy of the privacy policy to their ADV (optional).
Summary: Overall, both state- and SEC-registered firms should adhere to Reg S-P guidelines for safeguarding client information.
Our Mission: “Serving the Investment Community to Make a Social Impact”
Cory Roberson is Principal of RIA Review, a compliance and document management portal (www.riareview.com) with 120+ users and growing. He is also Principal of RIA Consults (Roberson Consults Group), a consulting firm providing compliance, operations, and business development services for registered investment advisors and next-gen fintech entrepreneurs (www.riaconsults.com), serving more than 160 SEC- and state-registered advisor clients across the US (including a few in Europe). His third platform, RegTech Review, a FinTech compliance portal site (http://regtechreview.com), is currently in the prototype stage.
As a social entrepreneur, through his mission-driven arm SoCap Missions (http://SoCapmissions.com), he provides business support group sessions and has volunteered for more than 15 youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.