The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert on compliance issues related to privacy regulations. The alert comes from recent examinations of broker-dealers and registered investment advisers.
Regulation S-P is the primary SEC rule regarding privacy notices and safeguards. The Risk Alert doesn’t cover all of the requirements of Reg S-P or all of the problems OCIE found regarding Reg S-P over the last two years.
The most frequent deficiencies and weaknesses:
- Failure to provide notification, including initial privacy notices, annual privacy notices, and opt-out notices.
- Lack of policies and procedures as required by Regulation S-P.
- Lack of safeguards of customer data on personal devices
- Sending unencrypted email communication with personally identifiable information (PII)
- Lack of data privacy training
- Sending PII to networks outside of the registrant’s network
- Failure to follow privacy policies regarding outside vendors
- Failure to maintain a PII inventory
- Insufficient incident response plans
- Storage of PII in insecure physical locations
- Making customer login information available to more employees than permitted under the firm’s policies and procedures
- Failure to remove login rights from departed employees
Sources:
