By Kristina Neff Burland

On April 16, the Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE) released a new Risk Alert that identifies common compliance issues facing investment advisers and broker-dealers with respect to the privacy notice and safeguard policy requirements of Regulation S-P. The Risk Alert aggregates common compliance issues identified by the OCIE during the course of administering its National Exam Program (NEP) in order to “assist investment advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records under Regulation S-P.”

Although the Risk Alert is specific to investment advisers and broker-dealers subject to Regulation S-P, it serves as a continuing reminder that mere paper privacy programs are insufficient to pass regulatory muster. Privacy programs must be thoughtfully designed, constructed, and implemented. Key takeaways from the Risk Alert include:

  1. Where required by law, privacy notices and opt-outs must be provided to customers.
  2. All privacy notices and opt-outs must accurately reflect policies and procedures.
  3. Privacy policies and procedures must be reasonably designed and implemented to ensure the security and confidentiality of data; protect against anticipated threats to the security or integrity of data; and protect against unauthorized access to data.
  4. Privacy policies and procedures should address how data is safeguarded; the transmission of personally identifiable information or other sensitive data via email and to external recipients; and systems where personally identifiable information or other sensitive data is maintained.
  5. Employees should receive training on policies and procedures related to the protection of data. Organizations should also monitor employee compliance with policies and procedures that address privacy and data security.
  6. Access rights to sensitive data should be appropriately restricted. Access rights should also be routinely assessed and updated to reflect organizational changes (e.g., employee departures).
  7. Organizations should hold vendors and other third parties to the organization’s policies and procedures with respect to privacy and data security.

Read the Text of the Risk Alert Here