SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Specifically, the amendments would require covered entities, such as brokers, dealers and investment advisers and companies, to adopt more detailed policies for safeguarding and disposing clients’ confidential personal information. The proposed rules also would require regulated businesses to establish standards for responding to data breaches. However, the new regulations would ease existing restrictions on firms recruiting registered representatives by allowing representatives who switch firms to disclose certain client information without having to comply with the usual notice and opt-out rules under Regulation S-P. 

Safeguards and Disposal Rule Expanded To Require Comprehensive Information Security Program

The SEC’s proposed amendments to Regulation S-P develop and broaden the existing safeguards rule. Under the current rule, broker-dealers, registered advisers and investment companies must adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments build upon the existing rule by requiring each business subject to the safeguards rule to develop, implement, and maintain a comprehensive “information security program.” Such a program must be designed to:

(i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.

Companies also would need to preserve written records of the information security program, as well as written records that they have met the requirements of developing, maintaining and implementing the program. 

Moreover, the amendments would broaden the type of information covered under the safeguards and disposal rules. According to the SEC, the current rules do not adequately define the scope of personal information subject to Regulation S-P, and thus, the new rules would define personal information broadly “to encompass any record containing either ‘nonpublic personal information’ or ‘consumer report information.’” Consumer report information is defined in the Fair Credit Reporting Act as any information from a consumer reporting agency related to a consumer’s creditworthiness, credit standing, credit capacity, character, or general reputation.

Responding to Data Breaches

Firms also would be required under the proposed amendments to implement policies and procedures to respond to data breaches. The proposed regulations compel companies experiencing incidents of unauthorized access to personal information to promptly notify affected customers “if misuse of sensitive personal information has occurred or is reasonably possible.” Companies also would have to notify the SEC of a data breach if “an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.”

Recruiting Registered Representatives

According to the proposed amendments, registered representatives seeking to join a new firm could bring with them certain personal information related to their clients without violating Regulation S-P’s notice and opt-out requirements, which require that a consumer give consent, either express or implied, before a company may disclose the consumer’s personal information to a non-affiliated third party. In particular, a migratory representative may bring to his or her new firm “a customer’s name, a general description of the type of account and products held by the customer, and the customer’s home address, telephone, and email information.”

Under the current standards, before a representative joins a new firm, the representative and the new firm must obtain consent from clients if they intend to use client information. This policy sparked considerable controversy in 2007 when the SEC initiated an administrative proceeding against NEXT Financial Group, Inc., a registered broker-dealer, claiming that NEXT allowed registered representatives to take nonpublic client information without client consent when they left NEXT for other firms. The SEC also alleged that NEXT aided and abetted violations of Regulation S-P by requiring its recruited representatives to provide NEXT with the client information from the representative’s previous firm. For more on NEXT Financial, see our post of last year here.

Companies and commentators argued that the position the SEC took with NEXT interferes with the broker-client relationship, causes substantial delays in the account transfer process, and creates a “blackout period” in which clients cannot place trades because receipt of notice and consent are still pending. The proposed amendment to Regulation S-P would reduce the burdens on representatives by permitting them to use certain information to solicit clients for their new firm.

The proposed rule to amend Regulation S-P can be found here. The SEC is accepting comments on the proposed amendments until May 12, 2008.

SEC Ratchets Up Privacy Enforcement Under Regulation S-P

Broker-dealer firms are well advised to review and update their privacy policies, in light of the Securities and Exchange Commission’s (“SEC”) recent enforcement and investigation activities arising from Regulation S-P.

According to trade press, the SEC recently informed one independent broker-dealer firm, Next Financial Group, Inc. of Houston, Texas, that it may file a “privacy” suit under Regulation S-P. The suit would be based on the practice, which Next maintains is common among independent broker-dealer firms, of requiring broker recruits from other firms to provide Next with customer information in anticipation of the move. According to the press, the SEC contends that before the brokers left their firms to join Next, they should have asked clients for their consent to use any information at the new firm. Alternatively, Next should have only required brokers to provide this information if the brokers’ prior firms had stated in their privacy policies that departing brokers may take certain customer information to competing firms (and the particular consumers had not opted out of this policy). The SEC is reportedly considering suing Next for violations of Regulation S-P, as well as for aiding and abetting the violations by the brokers it recruited.

Regulation S-P contains the privacy rules promulgated by the SEC under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose non-public personal information about consumers. Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.

Regulation S-P requires brokers, dealers, and investment companies to provide “clear and conspicuous” notice to customers that accurately reflects their privacy policies and practices. The notices must be provided at the time a customer relationship is established, annually thereafter, and every time the privacy policy changes.

The privacy policy must state (among other things) the categories of: (1) nonpublic personal information that are collected and/or disclosed; (2) affiliates and nonaffiliated third parties to whom nonpublic personal information is disclosed; (3) nonpublic personal information about former customers that are disclosed; and (4) third parties to whom this information about former customers is disclosed. 

The privacy notice must explain the procedures by which consumers may opt out of a company’s policy to disclose nonpublic personal information to nonaffiliated third parties. The privacy notice must also describe the policies and procedures used to protect the confidentiality and security of nonpublic personal information. A company can disclose non-public personal information to nonaffiliated third parties only if it complies with the privacy notice requirements and the consumer does not opt out of the privacy policy.

Regardless of the privacy policy, companies are prohibited from disclosing account numbers or similar forms of access numbers or access codes for consumers’ accounts to non-affiliated third parties for use in telemarketing, direct mail marketing, or other marketing through electronic means.

You can find more on Regulation S-P on the SEC’s website here.