Regulation S-P – Compliance Building

Regulation S-P – Privacy Notices and Safeguard Policies

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.

Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.

The most frequent deficiencies and weaknesses:

Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
Lack of policies and procedures as required by Regulation S-P.
Lack of safeguards of customer data on personal devices
Sending unencrypted email communication with personally identifiable information (PII)
Lack of data privacy training
Sending PII to networks outside of the registrant’s network
Failure to follow privacy policies regarding outside vendors
Failure to maintain a PII inventory
Insufficient incident response plans
Storage of PII in insecure physical locations
Making customer login information available to more employees than permitted under the firm’s policies and procedures
Failure to remove login rights from departed employees

Sources:

Risk Alert: Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies

Feds Release Usable Model Consumer Privacy Notice

There was much cheering when federal regulators finally released their Final Model Privacy Notice Form back in November.

That was quickly followed by a gnashing of teeth when it turns out the regulators did not understand the concept of a form or how to use Adobe Acrobat. They merely created a static document that you would have to spend hours trying to recreate.

They finally released version of the model privacy notice that is a fillable form using adobe acrobat.

Instructions for using the Privacy Notice Online Form Builder
If you provide an opt out and you want to include affiliate marketing, use Form 1.
If you provide an opt out and you do not want to include affiliate marketing, use Form 2.
If you do not provide an opt out and you want to include affiliate marketing, use Form 3.
If you do not provide an opt out and you do not want to include affiliate marketing, use Form 4.

To obtain a legal “safe harbor” and so satisfy the Gramm-Leach-Bliley Act’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.

Sources:

Instructions for using the Privacy Notice Online Form Builder
SEC Press Release – Federal Regulators Release Model Consumer Privacy Notice Online Form Builder
Federal Regulators Issue Final Model Privacy Notice Form – prior post

Federal Regulators Issue Final Model Privacy Notice Form

Eight federal regulatory agencies today released the final model privacy notice form. It’s supposed to make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act, institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The two model form issued today can be used by financial institutions to comply with these requirements. One form allows consumers to opt out of sharing of personal information. The other form has no opt-out.

Back in April, the Securities and Exchange Commission reopened the period for public comment because they tested the model notices and found weaknesses with the current form.

The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. There is also a joint release of the rule that goes along with the Final Model Privacy Form under the Gramm-Leach-Bliley Act

References:

SEC Press Release: Federal Regulators Issue Final Model Privacy Notice Form
Final Rule SEC 17 CFR Part 248 [Release Nos. 34-61003, IA-2950, IC-28997; File No. S7-09-07] RIN 3235-AJO6
Model form with opt-out
Model form with no opt-out
Privacy Notices – Testing Effectiveness – prior post

Privacy Notices – Testing Effectiveness

privacy
Its great that regulators come up with privacy disclosure forms, but are they effective?

The Securities and Exchange Commission has reopened the period for public comment on proposed amendments to Regulation S-P, which implements the privacy provisions of the Gramm-Leach-Bliley Act. [15 U.S.C. §§6801 – 6809] They opened back up for comment because they tested the model notices and found weaknesses with the current form.

The proposed amendments were designed to create a safe harbor for a model form that financial institutions may use to provide disclosures in initial and annual privacy notices required under Regulation S-P. Based on the field research, it sounds like the model notice needs some more work.

See:

Gramm-Leach-Bliley Act 15 USC, Subchapter I, Sec. 6801-6809 Disclosure of Nonpublic Personal Information
Regulation S-P
Feud of the Forms — The Battle of The GLBA Notices by Brendon Tavelli for the Proskauer Privacy Blog
Consumer Comprehension of Financial Privacy Notice (.pdf) by Alan levy and Manoj Hastak (2008)
Mall Intercept Study of Consumer Understanding of Financial Privacy Notices: Methodological Report (.pdf) by Macro International
Evolution of a Prototype Financial Privacy Notice (.pdf) by Kleimann Communication Group, Inc. (2006)
Financial Privacy Rule: Interagency Notice Research Project by the FTC