April 25, 2019. The SEC Office of Compliance Inspections and Examinations (OCIE) published a list of operational issues pertaining to Regulation S-P, the primary rule on privacy notices and safeguarding policies for investment advisers and broker-dealers. The "Risk Alert" reflects the issues identified in broker-dealer and adviser examinations conducted by the OCIE over the preceding two years.
This article aims to assist advisory and brokerage firms with:
Providing compliant privacy notices and policies;
Providing opt-out notices; and
Adopting proper procedures for safeguarding customer data and records.
Privacy and Opt-Out Notices
Regulation S-P defines the information that must be included in Privacy Notices, including the categories of non-public personal information the registrant collects and discloses, and the information that must be included in Opt-Out Notices.
Reg S-P mandates that firms:
"provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices generally no later than when it establishes a customer relationship"; and
"provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship" (also ref. brochure rule 204-3).
Written Policies and Procedures to Safeguard Customer Information
Regulation S-P (the "Safeguards Rule") requires registrants to adopt written policies and procedures addressing administrative, technical and physical safeguards to protect customer records and information.
These written policies and procedures must be reasonably designed:
to ensure the security and confidentiality of customer records and information;
to protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
to protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The OCIE Risk Alert identified the following as the most common deficiencies or weaknesses under the Safeguards Rule:
#1 - Insufficient Privacy and Opt-Out Notices
Registrants did not provide their customers with initial and/or annual privacy notices, and/or opt-out notices.
Notices did not accurately reflect the firms' policies and procedures.
Privacy Notices did not notify customers of their right to opt out of the registrant sharing their non-public personal information with non-affiliated third parties.
#2 - A Lack of Privacy Policies and Procedures
Registrants did not have written policies and procedures as required under the Safeguards Rule. For example, firms had documents that restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards.
Written policies and procedures contained numerous blank spaces designed to be filled in by registrants.
Policies addressed the delivery and content of a Privacy Notice but did not contain any of the written policies and procedures required by the Safeguards Rule.
#3 - Policies without Safeguards for Customer Records and Information
Registrants' written policies and procedures did not contain complete information designed to:
Ensure the security and confidentiality of customer records and information.
Protect against anticipated threats or hazards to the security or integrity of customer records and information (e.g. cybersecurity, testing, data protection, mitigation).
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.
Observations relating to the Safeguards Rule:
Personal devices (e.g. laptops/cell phones)
Policies and procedures were not designed to protect customer information stored on personal devices. Examples: the staff observed registrants whose employees regularly stored and maintained customer information on their personal laptops, but the registrants' policies and procedures did not address how those devices should be configured to protect customer information.
Electronic communications
Policies and procedures did not address the inclusion of personally identifiable information ("PII") in electronic communications. Examples: the staff observed registrants who appeared not to have policies or procedures reasonably designed to prevent employees from sending customers' private information in unsecured emails.
Training and monitoring
Policies and procedures requiring customer information to be encrypted and transmitted only by company-approved methods were not reasonably designed, because employees were not adequately trained on these methods and the company failed to monitor whether employees followed the policies.
Unsecured networks
Policies and procedures did not prohibit employees from sending PII to any location outside the registrants' secure networks.
Outside vendors
Registrants failed to follow their own vendor policies and procedures. Examples: the staff observed registrants who did not require outside vendors to contractually agree to keep customers' PII confidential, although such agreements were mandated by the registrant's policies and procedures.
Policies and procedures did not identify all systems used for maintaining PII. Without an inventory of all such systems, registrants may be unaware of the categories of customer PII they maintain, which may limit their ability to adopt reasonably designed policies and procedures and adequately safeguard customer information.
Incident response plans
Written incident response plans did not address important areas such as assigning roles for implementing the incident response plan, actions to address a cybersecurity incident, and system vulnerability assessments.
Unsecured physical locations
Customer PII was stored in unsecured physical locations, e.g. unlocked file cabinets in open office areas.
Login credentials
Customer login credentials were distributed to more employees than allowed under the company's policies and procedures.
Departed employees
Instances where former employees retained access rights after departure and could still access restricted customer information.
Conclusion
Lastly, companies should write and review their notices, policies, and procedures (including a cybersecurity plan) so that employees can easily understand and implement them properly, not only to avoid costly fees and penalties, but to protect business-critical data and information systems; safeguard client assets; create effective marketing materials; monitor client trading activities; respond to conflicts of interest; and address general risks to the company.
Full SEC "Risk Alert" listed here:
Compliance and Business Management
FIN Compliance (FINCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site: FINCompliance.io.
Impact
FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.
2 comments:
Gracefully written content on this blog is really useful for everyone, as I got to know. It is difficult to locate a relevant and useful informative blog, but I found this one to get more knowledge, and it is really a nice one. Conflict Minerals Compliance
Thanks for your feedback. Feel free to reach out again at any time.