Broker-dealer firms are well advised to review and update their privacy policies, in light of the Securities and Exchange Commission’s (“SEC”) recent enforcement and investigation activities arising from Regulation S-P.

According to trade press, the SEC recently informed one independent broker-dealer firm, Next Financial Group, Inc. of Houston, Texas, that it may file a “privacy” suit under Regulation S-P. The suit would be based on the practice, which Next maintains is common among independent broker-dealer firms, of requiring broker recruits from other firms to provide Next with customer information in anticipation of the move. According to the press, the SEC contends that before the brokers left their firms to join Next, they should have asked clients for their consent to use any information at the new firm. Alternatively, Next should have required brokers to provide this information only if the brokers’ prior firms had stated in their privacy policies that departing brokers may take certain customer information to competing firms (and the particular consumers had not opted out of this policy). The SEC is reportedly considering suing Next for violations of Regulation S-P, as well as for aiding and abetting the violations by the brokers it recruited.

Regulation S-P contains the privacy rules promulgated by the SEC under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers. Under the Gramm-Leach-Bliley Act, a financial institution must provide its customers with a notice of its privacy policies and practices, and must not disclose nonpublic personal information about a consumer to nonaffiliated third parties unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.

Regulation S-P requires brokers, dealers, and investment companies to provide “clear and conspicuous” notice to customers that accurately reflects their privacy policies and practices. The notices must be provided at the time a customer relationship is established, annually thereafter, and every time the privacy policy changes.

The privacy policy must state (among other things) the categories of: (1) nonpublic personal information that is collected and/or disclosed; (2) affiliates and nonaffiliated third parties to whom nonpublic personal information is disclosed; (3) nonpublic personal information about former customers that is disclosed; and (4) third parties to whom this information about former customers is disclosed.

The privacy notice must explain the procedures by which consumers may opt out of a company’s policy to disclose nonpublic personal information to nonaffiliated third parties. The privacy notice must also describe the policies and procedures used to protect the confidentiality and security of nonpublic personal information. A company can disclose nonpublic personal information to nonaffiliated third parties only if it complies with the privacy notice requirements and the consumer does not opt out of the privacy policy.

Regardless of the privacy policy, companies are prohibited from disclosing account numbers or similar forms of access numbers or access codes for consumers’ accounts to nonaffiliated third parties for use in telemarketing, direct mail marketing, or other marketing through electronic means.

You can find more on Regulation S-P on the SEC’s website.