August 6, 2020

Volume X, Number 219


SEC Issues Risk Alert on Customer Privacy Safeguards

Earlier this month, the Securities and Exchange Commission (“SEC”) took a break from its recent focus on digital assets and the Best Interest fiduciary standard to publish a Risk Alert encouraging investment advisers and broker-dealers to revisit their policies and procedures relating to Regulation S-P (“Reg S-P”) (17 C.F.R. Part 248, Subpart A), which sets out requirements designed to protect customer information and records. The Alert highlights several key compliance issues identified by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) during exams completed in the past two years.

Reg S-P was adopted in 2000 to enhance financial privacy protections and stem the rising tide of unwanted solicitations. Among other things, Reg S-P requires investment firms to provide clear and conspicuous notice to customers regarding their privacy policies and practices when a customer relationship begins, and at least annually thereafter. It also mandates that firms deliver a clear and conspicuous notice to customers explaining the right to opt out of disclosures of non-public personal information to non-affiliated third parties. A 2005 amendment called for the implementation of written policies and procedures reasonably designed to safeguard customer records and information.

The recent Risk Alert focuses on three common areas of compliance shortcomings: (1) privacy and opt-out notices, (2) lack of policies and procedures, and (3) policies that were not implemented or reasonably designed to safeguard customer records and information. Most of the issues identified in connection with existing policies are technology-related. Curiously, the Risk Alert does not reveal how pervasive these shortcomings were.

First, OCIE staff found that firms either failed to provide the required privacy and opt-out notices altogether or provided notices that did not accurately reflect the firm’s policies and procedures or adequately explain the customer’s right to opt out of information sharing.

Second, examiners also found that firms lacked policies and procedures relating to administrative, technical, and physical safeguards, or had policies that were incomplete, containing blank spaces apparently left to be filled in at a later date.

Finally, OCIE staff observed that firms failed to implement, or failed to reasonably design, policies to safeguard customer records and information. The Alert highlights several areas where policies were altogether inadequate: securing personal laptops, encryption of emails containing customer information, transmission of sensitive information to external locations, vendor management, training, monitoring, cataloging of all systems containing customer information, incident response planning, physical storage, login credential management, and removal of system access for departed employees.

The issuance of the Risk Alert makes clear that the SEC still has its eye on this long-standing regulation, which has taken on renewed importance in a big-data, technology-driven world. More than a decade after the agency enacted these requirements, firms handling customer information are expected to have policies that comply with the regulation both on paper and in practice. Corporate counsel should draw on the Risk Alert, which reflects OCIE's cumulative industry-wide observations, in assessing their own firm's potential vulnerabilities, especially those presented by the changing use of technology in the workplace.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IX, Number 119

About this Author

Jeff Kern, Business Trial and White Collar Attorney, Sheppard Mullin, Special Counsel

Jeff Kern is a special counsel in the Government Contracts, Investigations, and International Trade Practice Group in the firm's New York and Los Angeles offices. He is admitted to practice in New York and Massachusetts.

Areas of Practice

Mr. Kern's practice encompasses securities regulation, compliance, and litigation as well as internal investigations and white collar defense. He represents broker-dealers and associated individuals who are the focus of SEC, FINRA and other regulatory investigations and provides guidance in the FINRA membership application...

212-634-3075

Christopher Bosch, Associate

Christopher Bosch is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's New York office. He graduated magna cum laude from Fordham Law School.

212-653-8185