On April 16, 2019, the Office of Compliance Inspections and Examinations (“OCIE”) published a list of compliance issues in connection with Regulation S-P. Regulation S-P requires registered investment advisers, investment companies, and broker-dealers (“registrants”) to provide notice to customers and maintain written records of policies and procedures related to information privacy. Privacy notices must be made available upon beginning a client relationship and at least annually* thereafter. In addition, clients must receive notice that they may opt out of making certain personal information available to third parties.
OCIE recently examined a group of registrants to evaluate their compliance with Regulation S-P, identifying several common implementation issues. Many registrants failed to provide proper notices to clients, sent notices which contained misinformation, or neglected to distribute them altogether. Some of those examined did not have acceptable written policies and procedures in place or used documentation with major informational gaps.
The most alarming of OCIE’s findings is that many registrants were improperly implementing or poorly designing privacy measures meant to protect client information. In some cases, confidential customer information was made available to unauthorized vendors or to former employees. The lack of security on devices and networks was determined to be problematic as well. Some registrants’ employees were observed routinely accessing client information from personal devices without significant security measures in place. Employees were regularly sending unencrypted emails or accessing unsecured networks when handling client information. Other identified compliance issues included unlocked file cabinets, substandard login credentials, and poorly devised incident response plans.
WHAT DOES THIS MEAN FOR ME?
Regulation S-P is designed to protect investment companies, advisers, broker-dealers, and the clients working with them. OCIE urges registrants to review, revise, and properly implement the rules related to Regulation S-P. Fairview® is available, as needed, to assist clients in ensuring their privacy policies and procedures related to Regulation S-P are up-to-date and accurately reflect the firm’s practices. Please contact Fairview® if you are interested in additional support with penetration and full-service vendor management.
*An exception to the Annual Privacy Notice delivery obligation applies if the registrant (1) does not share a client’s nonpublic personal information in a way that would trigger the right to opt out and (2) has not changed any policies or practices that would affect the disclosure of nonpublic personal information since distribution of the most recent Privacy Notice.