The Office of Compliance Inspections and Examinations (the “OCIE”) issued a risk alert that provides guidance to broker-dealers and investment advisors for complying with the requirements of Regulation S-P on April 16, 2019. Regulation S-P is designed to provide safeguards for customer or client records and information collected by SEC-registered investment advisors and broker dealers (“Registrants” or “Firms”). This article summarizes the compliance-related issues identified by the OCIE in its recent examinations that Registrants should examine to ensure compliance with Regulation S-P.

Overview of Regulation S-P

Regulation S-P requires investment advisers and broker-dealers to adopt and enforce policies and procedures aimed at protecting the personal information of their “customers” (brokerage customers and advisory clients, as applicable). In particular, the “Safeguards Rule” of the regulation requires that a Firm adopt and enforce written policies outlining the administrative, technical, and physical procedures in place to protect a customer’s personal information. These required policies should be reasonably designed to secure the confidentiality of records and information, protect against anticipated hazards or threats to that information, and protect against any unauthorized access of that information that may cause a substantial harm or inconvenience to customers. In addition, Regulation S-P requires that Firms provide clear and conspicuous notice of these policies and procedures to customers (i) at the inception of the business relationship (the “Initial Privacy Notice”) and, in certain cases, (ii) at least annually during the continuation of the business relationship (the “Annual Notice”).[1] In addition, the regulation requires Registrants to provide clear and conspicuous notice to investors of their right to opt out of certain disclosures of personal information that may otherwise be made by the Registrants to third parties (the “Opt Out Notice”, and together with the Initial Privacy Notice and the Annual Notice, the “Required Notices”). In addition to the Required Notices, Regulation S-P also outlines the type of information required in each notice and certain required disclosures regarding information collected by a Registrant about its customers.

Common Noncompliance Issues noted by the OCIE

In its risk alert, the OCIE identified a number of common ways that Firms failed to comply with the requirements of Regulation S-P. By surveying the below deficiencies, Registrants can better assess their current compliance and its deficiencies and use this information to try to avoid the common pitfalls of other firms in their own business practices.

• Failure to provide Initial, Annual, and Opt Out Notices. OCIE staff cited firms’ failures to provide the Required Notices as a common mistake. In addition, providing an insufficient notice to customers or a notice of policies that failed to comply with the requirements of the Safeguards Rule were deemed deficient by the OCIE.
• Lack of Policies and Procedures relating to Data Security. The Safeguards Rule requires that firms outline a comprehensive procedure for protecting customer information. These written policies must detail the administrative, technical, and physical procedures followed by Firm employees to ensure the confidentiality and security of customer information in both electronic and in physical form (such as files stored in filing cabinets on site). 
• Insufficient Policies and Procedures. Even where Firms have written policies and procedures in place for the security of customer data, the policies must be sufficiently robust to satisfy the requirements under the Safeguards Rule. The OCIE noted written policies were insufficient where the policy did not:
  • Address the storage and access of customer data from employee mobile device,
  • Outline procedures for the encryption of emails containing personally identifiable information (“PPI”);
  • Mandate and schedule regular training for employees on compliance with the policies;
  • Prohibit employees from sending PPI to unsecure destinations outside of the Firm network;
  • Require outside vendors and third parties to comply with Firm policies, including failing to require outside vendors to contractually agree to keep customers’ PII confidential, even though such agreements were mandated by the Registrant’s policies and procedures;
  • Require the maintenance of a current inventory of Firm systems and controls that maintain customer PPI;
  • Include written response plans for cyber security incidents or other unauthorized accesses of customer PPI;
  • Require locks or sufficient security measures on cabinets and file storage for physical client records;
  • Prohibit the widespread dissemination of customer login credentials to employees; and
  • Immediately restrict terminated employees from accessing customer data.

Broker dealers and investment advisory firms must assess their written policies and procedures to ensure compliance with the Regulation S-P framework. An internal annual review of such policies can help identify deficiencies like the ones noted in the recent OCIE alert and allow Registrants to mitigate any issues that may be flagged by the OCIE.