The Office of Compliance Inspections and Examinations (“OCIE”) conducts the SEC’s National Exam Program with a mission to protect investors by improving compliance, preventing fraud, monitoring risk and informing policy. The results of OCIE’s examination are used by the SEC to inform rule-making initiatives, identify and monitor risks, improve industry practices and pursue misconduct. On April 16, 2019 OCIE provided a list of compliance issues related to Regulation S-P.
What is Regulation S-P?
Regulation S-P is the primary SEC rule which describes the information that must be included in Privacy Notices, including the categories of non-public personal information that the registrant collects and discloses. This notice should be provided when a customer relationship is established as well as on an annual basis during the continuation of the customer relationship. Additionally, the notice should accurately explain the right to opt-out of some disclosures of non-public personal information to non-affiliated third parties.
As part of Regulation S-P, registrants must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.
Frequent Regulation S-P Compliance Issues
Below are examples of the most common deficiencies or weaknesses identified by OCIE staff:
- Privacy and Opt-Out Notices: Failure to provide Initial, Annual and Opt-Out Notices.
- Lack of Policies and Procedures
- Policies were not implemented or reasonably designed to safeguard customer records and information.
- Personal Devices – Policies and procedures should address how these devices are to be properly configured to safeguard customer information.
- Electronic Communications – Policies and procedures should prevent employees from regularly sending unencrypted emails to customers containing personally identifiable information (“PII”).
- Training and Monitoring – Employees should be trained on how to encrypt, password-protect and transmit customer information.
- Unsecure Networks – Policies and procedures should prohibit employees from sending customer PII to unsecure locations outside of the registrants’ networks.
- Outside Vendors – Outside vendors should contractually keep customers’ PII confidential.
- PII Inventory – Maintain an inventory of systems that store PII to adequately safeguard customer information.
- Incident Response Plans – Plans should address role assignments for implementing the plan, actions required to address an incident and assessment of system vulnerabilities.
- Unsecure Physical Locations – Customer PII should be stored in locked file cabinets or locked offices.
- Login Credentials – Login credentials should only be disseminated to permitted employees.
- Departed Employees – Terminated employees access must be cut off immediately, so they can no longer access customer information.
Through sharing some of the Regulation S-P compliance issues it observed, the OCIE encourages registrants to review their written policies and procedures, including implementation of those policies and procedures, to ensure compliance with the relevant regulatory requirements.
Please refer to Regulation S-P: Risk Alert and contact an ARG analyst for any questions regarding this matter.