SEC Issues Risk Alert on Privacy Compliance
The SEC's compliance wing released a risk alert related to Regulation S-P, the rule protecting consumer information and privacy for investment advisers.
The SEC’s Office of Compliance Inspections and Examinations has released a risk alert related to Regulation S-P, the primary SEC rule regarding the protection of consumer information and privacy for investment advisers.
Regulation S-P requires, among other things, investment advisers to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. The policies must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against anticipated threats and protect against the unauthorized access or use of the information in a way that could result in substantial customer harm or inconvenience. The definition of “customers” for purposes of Regulation S-P is limited to individuals.
The risk alert includes a list of key compliance deficiencies identified by SEC examiners during examinations of registered investment advisers and brokers and dealers over the past two years. Although not all of Regulation S-P is applicable for advisers to private funds, the Risk Alert does identify several issues that are relevant to SEC-registered private capital providers:
- Lack of Policies and Procedures – OCIE staff observed investment advisers that failed to have the required written policies and procedures
- Policies not implemented or fail to safeguard customer records and information – OCIE staff also observed advisers with policies that failed to meet the substantive requirements of Regulation S-P, that the policies be reasonably designed to (i) ensure the security and confidentiality of customer information, (ii) protect against anticipated threats, and (iii) protect against the unauthorized access or use of customer information.
In the Risk Alert, OCIE specifically encourages advisers to review their written policies and procedures, as well as the implementation of those policies and procedures, to ensure they are compliant with Regulation S-P.
You can find the full Risk Alert here.
If you have any feedback, please share with ACG’s public policy team at email@example.com.