The Office of Compliance Inspections and Examinations has issued a risk alert on Regulation S-P describing the most common deficiencies it has uncovered in recent examinations of both registered investment advisers and broker-dealers.
Regulation S-P is the primary Securities and Exchange Commission rule regarding privacy notices and safeguard policies of investment advisers and broker-dealers. “The information in this Risk Alert is intended to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P,” the OCIE said.
Regulation S-P requires registrants to provide a clear and conspicuous notice to their customers that accurately reflects their privacy policies and practices (1) generally no later than when they establish a customer relationship and (2) no less than annually during the continuation of the customer relationship. Registrants must also deliver a notice to their customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.
Regulation S-P’s Safeguards Rule requires registrants to adopt written policies and procedures for the protection of customer records and information. The most common deficiencies or weaknesses identified by OCIE staff in connection with the rule include:
Privacy and opt-out notices. Some registrants did not provide initial privacy notices, annual privacy notices, or opt-out notices to their customers. “When such notices were provided to customers, the notices did not accurately reflect firms’ policies and procedures,” OCIE said. “The staff also noted privacy notices that did not provide notice to customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties.”
Lack of policies and procedures. Some registrants did not have written policies and procedures as required under the Safeguards Rule. “For example, firms had documents that restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards,” the OCIE said. Additionally, some had written policies and procedures that contained numerous blank spaces designed to be filled in by registrants. Other firms’ policies addressed the delivery and content of a privacy notice but did not contain any written policies and procedures required by the Safeguards Rule.
Policies not implemented or not reasonably designed to safeguard customer records and information. Some registrants had written policies and procedures that did not appear to be implemented or reasonably designed to ensure the security and confidentiality of customer records and information; protect against anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.
Specifically, written policies were often found to lack oversight of the following areas:
- Personal devices;
- Electronic communications;
- Training and monitoring;
- Unsecure networks;
- Outside vendors;
- Personally identifiable information (PII) inventory;
- Incident response plans;
- Unsecure physical locations;
- Login credentials; and
- Terminated employees.
In the risk alert, OCIE said it “encourages registrants to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are compliant with Regulation S-P.”