On April 16, 2019, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert following OCIE’s examinations of investment advisers and broker-dealers. The Risk Alert identified some of the key compliance issues in the recent examinations related to Regulation S-P, which is the SEC’s principle rule covering privacy notices and policies and practices required to safeguard customer records and information. 

Regulatory Requirements 

Regulation S-P requires investment advisers and broker-dealers to provide a number of notices regarding privacy policies and practices.  An initial notice detailing policies and practices must be sent by the time a customer relationship exists and investment advisers and broker-dealers must continue to send notices at least once annually for as long as the customer relationship exists.  Additionally, investment advisers and broker-dealers must send an opt-out notice to customers that explains a customer’s right to opt-out of some disclosures of non-public personal information that the investment advisers and broker-dealers might otherwise make to nonaffiliated third parties.

The SEC also requires investment advisers and broker-dealers to adopt written policies and procedures covering administrative, technical, and physical safeguards for the protection of customer records and information.  Regulation S-P requires that these policies and procedures be reasonably designed to (1) protect the security and confidentiality of records and information; (2) protect against anticipated threats or hazards to the security or integrity of records and information; and (3) protect against unauthorized access to or use of records or information that could result in harm or inconvenience to a customer.

Key Issues Uncovered During OCIE Examinations 

The Risk Alert detailed a number of common deficiencies or weaknesses observed by OCIE staff in their examinations of investment advisers and broker-dealers. 

In connection with privacy notices, OCIE staff found numerous situations where the required notices (initial, annual, and opt-out) were not sent at all.  The staff also found that even when notices were sent, they did not always accurately reflect current policies and practices or advise customers of their right to opt-out of some disclosures to nonaffiliated third parties.

OCIE staff also noted numerous situations where investment advisers and broker-dealers did not have written policies and procedures that complied with the Regulation S-P requirements.  Even where an investment adviser or broker-dealer had policies or procedures, OCIE staff noted numerous areas where it observed either deficiencies in the content of the policies or procedures or weaknesses in the implementation of the policies or procedures.  Some of the more common observations included:

Conclusion 

Protection of sensitive customer records and information is, and will almost certainly remain, one of the biggest challenges facing all types of companies.  The compliance issues discussed in this SEC Risk Alert will continue to be a focus of the SEC in examinations and investigations.  It is incumbent upon companies to engage in a thorough review of the existence, implementation, and operation of practices, procedures, and policies to ensure compliance with regulatory requirements.