OCIE Issues Risk Alert Regarding Compliance With Regulation S-P’s Notice And Safeguard Policy Requirements

Fox Rothschild LLP

Fox Rothschild LLP

On April 16, the Securities and Exchange Commission (SEC)’s Office of Compliance Inspections and Examinations (OCIE) released a new Risk Alert that identifies common compliance issues facing investment advisers and broker-dealers with respect to the privacy notice and safeguard policy requirements of Regulation S-P. The Risk Alert aggregates common compliance issues identified by the OCIE during the course of administering its National Exam Program (NEP) in order to “assist investment advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records under Regulation S-P.”

Although the Risk Alert is specific to investment advisors and broker-dealers subject to Regulation S-P, it serves as a continuing reminder that mere paper privacy programs are insufficient to pass regulatory muster. Privacy programs must be thoughtfully designed, constructed, and implemented.  Key takeaways from the Risk Alert include:

  1. Where required by law, privacy notices and opt-outs must be provided to customers.
  2. All privacy notices and opt-outs must accurately reflect policies and procedures.
  3. Privacy policies and procedures must be reasonably designed and implemented to ensure the security and confidentiality of data; protect against anticipated threats to the security or integrity of data; and protect against unauthorized access to data.
  4. Privacy policies and procedures should address how data is safeguarded; the transmission of personally identifiable information or other sensitive data via email and to external recipients; and systems where personally identifiable information or other sensitive data is maintained.
  5. Employees should receive training on policies and procedures related to the protection of data. Organizations should also monitor employee compliance with policies and procedures that address privacy and data security.
  6. Access rights to sensitive data should be appropriately restricted. Access rights should also be routinely assessed and updated to reflect organizational changes (e.g., employee departures).
  7. Organizations should hold vendors and other third parties to the organization’s policies and procedures with respect to privacy and data security.

Read the Text of the Risk Alert Here

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.