Regulation S-P – Privacy Notices and Safeguard Policies

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.

Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.

The most frequent deficiencies and weaknesses:

  • Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
  • Lack of policies and procedures as required by Regulation S-P.
  • Lack of safeguards of customer data on personal devices.
  • Sending unencrypted email communication with personally identifiable information (PII).
  • Lack of data privacy training.
  • Sending PII to networks outside of the registrant’s network.
  • Failure to follow privacy policies regarding outside vendors.
  • Failure to maintain a PII inventory.
  • Insufficient incident response plans.
  • Storage of PII in insecure physical locations.
  • Making customer login information available to more employees than permitted under the firm’s policies and procedures.
  • Failure to remove login rights from departed employees.

Feds Release Usable Model Consumer Privacy Notice

There was much cheering when federal regulators finally released their Final Model Privacy Notice Form back in November.

That was quickly followed by a gnashing of teeth when it turned out the regulators did not understand the concept of a form or how to use Adobe Acrobat. They merely created a static document that you would have had to spend hours trying to recreate.

They have finally released a version of the model privacy notice that is a fillable form using Adobe Acrobat.

To obtain a legal “safe harbor” and so satisfy the Gramm-Leach-Bliley Act’s disclosure requirements, institutions must follow the instructions in the model form regulation when using the Online Form Builder.

Federal Regulators Issue Final Model Privacy Notice Form

Eight federal regulatory agencies today released the final model privacy notice form. It’s supposed to make it easier for consumers to understand how financial institutions collect and share information about consumers. Under the Gramm-Leach-Bliley Act, institutions must notify consumers of their information-sharing practices and inform consumers of their right to opt out of certain sharing practices. The two model forms issued today can be used by financial institutions to comply with these requirements. One form allows consumers to opt out of sharing of personal information. The other form has no opt-out.

Back in April, the Securities and Exchange Commission reopened the period for public comment because they tested the model notices and found weaknesses with the current form.

The final model privacy form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. There is also a joint release of the rule that goes along with the Final Model Privacy Form under the Gramm-Leach-Bliley Act.

Privacy Notices – Testing Effectiveness

It’s great that regulators come up with privacy disclosure forms, but are they effective?

The Securities and Exchange Commission has reopened the period for public comment on proposed amendments to Regulation S-P, which implements the privacy provisions of the Gramm-Leach-Bliley Act. [15 U.S.C. §§6801 – 6809] They opened back up for comment because they tested the model notices and found weaknesses with the current form.

The proposed amendments were designed to create a safe harbor for a model form that financial institutions may use to provide disclosures in initial and annual privacy notices required under Regulation S-P. Based on the field research, it sounds like the model notice needs some more work.
