May 8, 2019
The Office of Compliance Inspections and Examinations (the “OCIE”) issued a risk alert that provides guidance to broker-dealers and investment advisors for complying with the requirements of Regulation S-P on April 16, 2019. Regulation S-P is designed to provide safeguards for customer or client records and information collected by SEC-registered investment advisors and broker dealers (“Registrants” or “Firms”). This article summarizes the compliance-related issues identified by the OCIE in its recent examinations that Registrants should examine to ensure compliance with Regulation S-P.
Overview of Regulation S-P
Regulation S-P requires investment advisers and broker-dealers to adopt and enforce policies and procedures aimed at protecting the personal information of their “customers” (brokerage customers and advisory clients, as applicable). In particular, the “Safeguards Rule” of the regulation requires that a Firm adopt and enforce written policies outlining the administrative, technical, and physical procedures in place to protect a customer’s personal information. These required policies should be reasonably designed to secure the confidentiality of records and information, protect against anticipated hazards or threats to that information, and protect against any unauthorized access of that information that may cause a substantial harm or inconvenience to customers. In addition, Regulation S-P requires that Firms provide clear and conspicuous notice of these policies and procedures to customers (i) at the inception of the business relationship (the “Initial Privacy Notice”) and, in certain cases, (ii) at least annually during the continuation of the business relationship (the “Annual Notice”). In addition, the regulation requires Registrants to provide clear and conspicuous notice to investors of their right to opt out of certain disclosures of personal information that may otherwise be made by the Registrants to third parties (the “Opt Out Notice”, and together with the Initial Privacy Notice and the Annual Notice, the “Required Notices”). In addition to the Required Notices, Regulation S-P also outlines the type of information required in each notice and certain required disclosures regarding information collected by a Registrant about its customers.
Common Noncompliance Issues noted by the OCIE
In its risk alert, the OCIE identified a number of common ways that Firms failed to comply with the requirements of Regulation S-P. By surveying the below deficiencies, Registrants can better assess their current compliance and its deficiencies and use this information to try to avoid the common pitfalls of other firms in their own business practices.
Broker dealers and investment advisory firms must assess their written policies and procedures to ensure compliance with the Regulation S-P framework. An internal annual review of such policies can help identify deficiencies like the ones noted in the recent OCIE alert and allow Registrants to mitigate any issues that may be flagged by the OCIE.
 An adviser is not required to provide an annual privacy notice if it (i) does not share nonpublic personal information about the customer except for certain purposes that do not trigger the customer’s statutory right to opt out of such sharing and (ii) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in its most recent privacy notice.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.