On April 16, 2019, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert reminding registered investment adviser (“RIA”) firms of their obligations related to Regulation S-P privacy notices and safeguard policies. According to OCIE, the risk alert “is intended to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.” The OCIE staff shares its recent observations to urge “registrants to review their written policies and procedures, including implementation of those policies and procedures, to ensure that they are compliant with the relevant regulatory requirements.”
Privacy and Opt-Out Notices
SEC OCIE staff notes that some of the Regulation S-P requirements for RIA firms include:
- provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies generally no later than when it establishes a customer relationship (“Initial Privacy Notice”),
- provide a clear and conspicuous notice to its customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship (“Annual Privacy Notice” and together with the Initial Privacy Notice, “Privacy Notices”), and
- deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of nonpublic personal information (“Opt-Out Notice”); the Privacy Notices and Opt-Out Notices must include the categories of nonpublic personal information that the registrant collects and discloses.
SEC OCIE staff notes that a number of investment advisory firms “did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers.” In other instances, when notices were provided to clients, they often did not correspond to the firm’s policies and procedures or failed to “provide notice to customers of their right to opt out” from the RIA firm “sharing their nonpublic personal information with nonaffiliated third parties.” These observations mirror those of state regulatory examiners, who have also highlighted an RIA firm’s failure to deliver the privacy policy on an annual basis as the most common privacy-related regulatory compliance deficiency.
Written Safeguarding Policies and Procedures to Safeguard Customer Information
In the risk alert, SEC OCIE staff highlights:
- The Safeguards Rule of Regulation S-P requires registrants to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
SEC OCIE staff further notes that a number of investment advisers failed to create written policies and procedures, or, where policies were created, failed to implement them properly or adopted policies that were “not reasonably designed to safeguard customer records and information.” Some issues flagged include:
- Policies and procedures that simply restated the Safeguards Rule in the firm’s compliance manual but failed to establish any administrative, technical, or physical safeguards
- Policies and procedures that contained blank spaces and were incomplete
- Policies and procedures that addressed the delivery and content requirements of the Privacy Notice but failed to include any written policies and procedures as mandated by the Safeguards Rule
In particular, the staff also noted that RIA firms had written policies and procedures that were not implemented or were not reasonably designed to:
- ensure the security and confidentiality of customer records and information,
- protect against anticipated threats or hazards to the security or integrity of customer records and information, and
- protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.
Some specific examples cited by OCIE staff include:
- Personal devices
- Electronic communications
- Training and monitoring
- Unsecure networks
- Outside vendors
- PII Inventory
- Incident response plans
- Login credentials
- Departed employees
While cybersecurity may not be the specific focus of this risk alert, it’s important to note that each of the nine specific examples cited above directly relates to common cybersecurity-related issues. Furthermore, in recent cybersecurity-related investment adviser SEC enforcement actions, violation of the Safeguards Rule has been specifically cited. As such, we highly recommend that the Chief Compliance Officer (“CCO”) and all advisory firm principals carefully review this latest SEC RIA compliance risk alert. Failure to address privacy notice issues and to establish and implement proper policies and procedures related to Regulation S-P and information security concerns can lead to serious compliance issues. This latest risk alert also makes it clear that simply having written policies and procedures isn’t enough; RIA firms need to ensure that the policies and procedures have been reasonably designed and fully implemented, with proper staff training and monitoring.