On April 16, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) released a new Risk Alert that identifies common compliance issues facing investment advisers and broker-dealers with respect to the privacy notice and safeguard policy requirements of Regulation S-P. The Risk Alert aggregates common compliance issues identified by the OCIE during the course of administering its National Exam Program (NEP) in order to “assist investment advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records under Regulation S-P.”
Although the Risk Alert is specific to investment advisers and broker-dealers subject to Regulation S-P, it serves as a continuing reminder that a privacy program that exists only on paper is insufficient to pass regulatory muster. Privacy programs must be thoughtfully designed, constructed, and implemented. Key takeaways from the Risk Alert include:
- Where required by law, privacy notices and opt-outs must be provided to customers.
- All privacy notices and opt-outs must accurately reflect policies and procedures.
- Privacy policies and procedures must be reasonably designed and implemented to ensure the security and confidentiality of data; protect against anticipated threats to the security or integrity of data; and protect against unauthorized access to data.
- Privacy policies and procedures should address how data is safeguarded; the transmission of personally identifiable information or other sensitive data via email and to external recipients; and systems where personally identifiable information or other sensitive data is maintained.
- Employees should receive training on policies and procedures related to the protection of data. Organizations should also monitor employee compliance with policies and procedures that address privacy and data security.
- Access rights to sensitive data should be appropriately restricted. Access rights should also be routinely assessed and updated to reflect organizational changes (e.g., employee departures).
- Organizations should hold vendors and other third parties to the organization’s policies and procedures with respect to privacy and data security.