In an era of increasing digital connectivity, financial firms have been charged with ensuring the protection and safeguarding of all customer information and privacy. In recognition of this responsibility, the Securities and Exchange Commission (SEC) has recently proposed amendments to Regulation S-P, aiming to enhance the safeguarding of customer data.
Regulation S-P currently requires covered institutions to create and maintain written policies and procedures designed to protect customer records and information. The proposed amendments would update these requirements to address the expanded use of technology and associated risks which have arisen since the regulation’s inception in 2000.
These proposed changes would close the gap in current regulations, requiring broker-dealers, investment companies, RIAs and transfer agents to provide notification to individuals affected by data breaches that may put them at risk of identity theft or other harm. As stated within the amendment, the notice would be required to be provided as soon as practicable, but no later than 30 days after becoming aware of the incident.
More specifically key changes to Regulation S-P would include:
- Broadening and aligning the scope of the safeguards rule and disposal rule.
The proposed amendments extend the safeguards and disposal rules’ protections to encompass nonpublic personal information collected by covered institutions about their own customers and received about customers of other financial institutions. By doing so, the amendments strengthen data protection across various data flows and sources.
2. Extending the safeguards rule and disposal rule to transfer agents.
To ensure comprehensive protection, the proposed amendments extend the safeguards rule to transfer agents registered with the SEC or other appropriate regulatory agencies. Additionally, the scope of the disposal rule expands to include transfer agents registered with other regulatory agencies, not just those registered with the SEC. These measures aim to enhance data security throughout the entire financial ecosystem.
3. Conforming existing provisions.
The proposed amendments also address the statutory exception created by Congress in 2015, bringing Regulation S-P’s existing provisions relating to the delivery of annual privacy notices in line with the exception. This step ensures consistency in privacy notice delivery while maintaining regulatory compliance.
These recently proposed changes have made Regulation S-P a topic of heightened interest again and have placed pressure on firms and their compliance programs to meet the current requirements of the regulation.
If you’re a compliance professional at an investment firm, brokerage firm or RIA firm use this blog post as a guide to ensure compliance with the current Regulation S-P requirements.
How your investment firm, brokerage firm or RIA firm can comply with Regulation S-P requirements
To meet the current SEC Regulation S-P requirements and prepare for potential amendments, investment firms, brokerage firms and RIA firms can take several proactive measures. Ensure the privacy of consumers’ financial information by taking the following steps:
- Review and update policies.
Evaluate existing policies and procedures at your firm to ensure that they detail how your firm will protect customer records and information. While Regulation S-P currently requires covered institutions to have written policies and procedures for protecting customer records and information, the proposed amendments would update these requirements to address the expanded use of technology and associated risks which have come about since the regulation’s inception in 2000. To best evaluate your firm’s policies and procedures, your firm might want to conduct a risk assessment to determine what areas to prioritize in updating policies.
2. Develop and implement an incident response program.
Develop a robust incident response program that addresses unauthorized access or use of customer information. Determine the personnel who should be a part of the program. The composition of the incident response team may vary across firms based on several factors such as size, but generally, these teams might include personnel from information technology (IT), compliance, human resources and executive management.
After that, it’s important to define clear protocols for detection, response, containment and recovery in the event of a breach.
3. Enhance data security measures.
Although this may mostly be a job for your firm’s IT department, members of other departments, including compliance, may play a role in ensuring that these measures are in place and are effective. Implement encryption, access controls, multi-factor authentication and regular security audits. Invest in secure storage and transmission mechanisms for sensitive customer information.
4. Conduct employee training and awareness programs.
Your firm should implement regular compliance training. Train employees on data protection best practices and their roles in safeguarding customer information. Foster a culture of security awareness throughout the organization and empower employees to report any concerns or risks they notice.
5. Establish due diligence procedures for third-party service providers.
Hiring third-party service providers is a common practice but can present a risk to protecting your customers’ financial information. Develop and implement procedures to evaluate the data security practices of third-party service providers. Ensure that the third-party service providers your firm hires adhere to the same high standards for data protection that your firm does.
6. Regularly monitor and audit your firm’s compliance program.
Regularly review and audit compliance with the SEC’s Regulation S-P requirements. Conduct internal assessments and engage external experts if necessary to identify and swiftly address any vulnerabilities or gaps.
The proposed amendments to Regulation S-P underscore the SEC’s commitment to protecting customer information in an ever-evolving digital landscape. By implementing these best practices, your firm can ensure compliance with the SEC’s Regulation S-P requirements, strengthen its compliance program and prepare for potential changes.
Need further assistance navigating the SEC’s Regulation S-P requirements? Contact us today!