
Friday, April 26, 2019

SEC Risk Alert: Privacy Policy, Data Safeguards (Reg S-P)

By David McNeal, Contributor of My Compliance Blog 

April 25, 2019.  The SEC Office of Compliance Inspections and Examinations (OCIE) published a list of operational issues pertaining to Regulation S-P, the primary rule on privacy notices and safeguarding policies for investment advisers and broker-dealers.

The "Risk Alert" reflects the issues identified in broker-dealer and adviser evaluations conducted by the OCIE over the preceding two years.

This article aims to assist advisory and brokerage firms with:

Providing compliant privacy policies;
Providing opt-out notices; and
Implementing proper procedures for safeguarding customer data and records.

Privacy and Opt-Out Notices

Regulation S-P defines the information that must be included in Privacy Notices, including the categories of non-public personal information the registrant collects and discloses, and in Opt-Out Notices.

Reg S-P mandates firms to:

“provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices generally no later than when it establishes a customer relationship”

“provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship” (also ref. brochure rule 204-3).

Written Policies and Procedures to Safeguard Customer Information

Regulation S-P (“Safeguard Rule”) requires registrants to adopt written policies and procedures addressing administrative, technical and physical safeguards to protect customer records and information.

These written policies and procedures are required to be reasonably designed:

to guarantee the security and confidentiality of customer records and data;

to protect against any anticipated threats or dangers to customer records and data, and

to protect against unauthorized access to or use of customer records or data that could result in substantial harm or inconvenience to customers.

The OCIE Risk Alert identified the following as the most common deficiencies or weaknesses in compliance with the Safeguards Rule:

#1 – Insufficient Privacy and Opt-Out Notices
Registrants did not provide their customers with initial and/or annual privacy notices, and/or opt-out notices.

Notices did not accurately reflect the registrants' actual policies and procedures.

Privacy Notices did not inform customers of their right to opt out of the registrant's sharing of their non-public personal information with non-affiliated third parties.

#2 - A Lack of Privacy policies and procedures
Registrants did not have the written policies and procedures required under the Safeguards Rule. For example, firms had documents that restated the Safeguards Rule but did not include policies and procedures addressing administrative, technical, and physical safeguards.

Written policies and procedures that contained numerous blank spaces designed to be filled in by registrants.

Policies addressed the delivery and content of Privacy Notices but did not contain any of the written policies and procedures required by the Safeguards Rule.

#3 - Policies without safeguards for customer records and information
Registrants' written policies and procedures did not contain complete provisions designed to:

Ensure the security and confidentiality of customer records and information.

Protect against anticipated threats or hazards to the security or integrity of customer records and information (e.g. cybersecurity, testing, data protection, mitigation).

Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers. 

Observations relating to the Safeguards Rule:

Personal devices (e.g. laptops/cell phones)
Policies and procedures were not designed to protect customer information stored on employees' personal devices.

Examples: the staff observed registrants whose employees regularly stored and maintained customer information on their personal laptops, but the registrants' policies and procedures did not address how those devices should be configured to protect customer information.

Electronic communications
Policies and procedures did not address the inclusion of personally identifiable information ("PII") in electronic communications.

Examples: the staff observed registrants that appeared not to have policies or procedures reasonably designed to prevent employees from sending customers' private information in unsecured emails.

Training and monitoring
Policies and procedures requiring customer information to be encrypted and transmitted only by company-approved methods were not reasonably designed, because employees were not adequately trained on those methods and the company did not monitor whether employees followed the policies.

Unsecured networks
Policies and procedures did not prohibit employees from sending PII to any location outside the registrant's secure networks.

Outside vendors
Registrants failed to follow their own vendor policies and procedures. Examples: the staff observed registrants that did not require outside vendors to contractually agree to keep customers' PII confidential, although such agreements were mandated by the registrant's own policies and procedures.

Policies and procedures did not identify all systems used to maintain PII. Without an inventory of all such systems, registrants may be unaware of the categories of customer PII they hold, which limits their ability to adopt reasonably designed policies and procedures and to adequately safeguard customer information.

Incident response plans
Written incident response plans did not address important areas such as assigning roles for carrying out the plan, the actions to take in response to a cybersecurity incident, and assessments of system vulnerabilities.

Unsecured physical locations
Customer PII was stored in unsecured physical locations, e.g. unlocked file cabinets in open offices.

Login credentials
Customer login credentials were distributed to more employees than permitted under the company's policies and procedures.

Departed employees
Former employees retained their access rights after departure and could still reach restricted customer information.

Lastly, companies should write and review their notices, policies, and procedures (including a cybersecurity plan) so that employees can readily understand and implement them. This matters not only to avoid costly fees and penalties, but to protect business-critical data and information systems; safeguard client assets; create effective marketing materials; monitor client trading activities; respond to conflicts of interest; and address general risks to the company.

Full SEC “Risk Alert” listed here:

Compliance and Business Management

FIN Compliance ( is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019).  Access all services on one site:


FIN Missions ( provides business support group sessions for other entrepreneurs.  In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.


williamoliver172 said...

Gracefully written content on this blog is really useful for everyone, as I got to know. It is difficult to locate a relevant and useful informative blog to get more knowledge, but this is really a nice one. Conflict Minerals Compliance

Cory Roberson said...

Thanks for your feedback. Feel free to reach out again at any time.
