Regulation S-P – Privacy Notices and Safeguard Policies

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.

Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.

The most frequent deficiencies and weaknesses:

  • Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices
  • Lack of policies and procedures as required by Regulation S-P
  • Lack of safeguards for customer data on personal devices
  • Sending unencrypted email communications containing personally identifiable information (PII)
  • Lack of data privacy training
  • Sending PII to networks outside of the registrant’s network
  • Failure to follow privacy policies regarding outside vendors
  • Failure to maintain a PII inventory
  • Insufficient incident response plans
  • Storage of PII in insecure physical locations
  • Making customer login information available to more employees than permitted under the firm’s policies and procedures
  • Failure to remove login rights from departed employees

Sources:

Author: Doug Cornelius
