Beyond the Privacy Notice - Safeguarding Confidential Client Information
This is the emerging expectation of state and federal securities regulators. For instance, the State of Massachusetts recently adopted a comprehensive and restrictive set of requirements to prevent client data security breaches, which must be met by any investment adviser with a client residing in Massachusetts. Under this new regulation, an investment adviser firm with a client residing in Massachusetts must develop, implement, maintain and monitor a comprehensive written information security program and ensure that confidential client information stored on portable devices is encrypted.
Likewise, the U.S. Securities and Exchange Commission ("SEC") has heightened its focus upon how investment adviser firms are safeguarding confidential client information. This increased attention upon the protection of confidential client data has manifested itself in an SEC enforcement action under Regulation S-P against a broker-dealer/investment adviser that was a victim of hacking and a proposal by the SEC to amend Regulation S-P with more specific safeguards for protecting confidential client information.
If you would like to learn more about the proposed and recently passed requirements for protecting confidential client data and best practices, please join us for our webinar, Beyond the Privacy Notice, on Thursday, April 15, 2010, from 12:00 - 1:00 p.m. Central. You can purchase your seat for $59.95 by clicking here.
posted by bhill at 10:44 AM
SEC Proposing to Permit the Release of Customer Contact Info. to Departing Reps
According to the text of the proposed amendments, this exception for releasing limited customer information to a departing representative is based upon the following conditions:
- The information is limited to a customer's name, a general description of the type of account and products held by the customer, and the customer’s contact information, including the customer’s address, telephone number, and email information;
- The information does not include any customer's account number, social security number, or security positions; and
- The departing representative must provide the departing investment adviser or broker-dealer, no later than the representative’s separation date from employment with the departing investment adviser or broker-dealer, a written record of the information that will be disclosed pursuant to this exception, and the departing investment adviser or broker-dealer must maintain and preserve such records.
In the proposing rule release, the SEC clarified that a representative could use this information to solicit only a departing firm's customers that were the representative’s clients. The SEC explained that "this condition recognizes that an investor might expect to be contacted by a representative with whom the investor has done business before, but not by another person at the representative’s new firm."
Finally, the SEC noted that a registered investment adviser or broker-dealer "may not require or expect a representative from another firm to bring more information than necessary for the representative to solicit former clients."
The SEC is seeking comments regarding the proposed rule. RIA Compliance Consultants will keep readers of our blog informed of the SEC's final action related to this amendment.
posted by bhill at 9:13 PM
Proposed Amendments to Reg S-P Permits Limited Transfer of Information When IARs Change Firms
Of particular interest to those investment adviser representatives and/or registered representatives that are considering the possibility of departing their existing registered investment adviser or broker-dealer and joining a new firm, the proposed amendments to Regulation S-P would apparently permit the transfer of limited information when such personnel change firms. Although the SEC has not issued the text of these proposed amendments, SEC Chairman Christopher Cox explained during the open meeting that "the proposed amendments would provide guidance on the responsibilities that a firm and its employees have to protect client privacy when employees move from one firm to another."
Upon the SEC's publication of the proposing release, RIA Compliance Consultants will provide a detailed summary of the proposed amendments to Regulation S-P to the readers of our blog.
posted by bhill at 7:52 PM
Amendments to Regulation S-P - What Information May an IA Employee Take?
According to the SEC, the amendments would specify under Regulation S-P what information may be transferred when employees of broker-dealers or investment advisers change firms.
Since the SEC's current interpretation of Regulation S-P, as evidenced by the SEC's enforcement action against Next Financial, has resulted in significant challenges to investment adviser representatives departing their previous registered investment adviser firms, it will be interesting to learn whether the SEC will raise the requirements or provide some type of safe harbor for departing investment adviser representatives under Regulation S-P.
Labels: Privacy
posted by bhill at 3:31 PM
SEC Initiates Cease-and-Desist Proceeding over Regulation S-P
The United States Securities and Exchange Commission (“SEC”) recently announced the issuance of an Order Instituting Administrative Cease-and-Desist Proceedings against Next Financial Group, Inc. (“Next”) for alleged violations of Regulation S-P (Privacy of Consumer Financial Information).
According to SEC Release No. 56316 (August 24, 2007), the SEC alleges that Next violated Regulation S-P by allowing its “registered representatives to take customer nonpublic personal information with them when leaving Next’s employment” without allowing the customer to opt out of such disclosure. Moreover, the SEC alleges that Next aided and abetted the violation of the privacy policies of other firms by encouraging registered representatives leaving other broker-dealers and joining Next to bring nonpublic, personal customer information without proper notice to the client and a reasonable opportunity to opt out of such a disclosure.
In light of this cease-and-desist proceeding, the following precautions are worthy of consideration by a registered representative planning to depart from his or her broker-dealer. (Since registered investment advisers are subject to Regulation S-P, the following suggestions may also be applicable to an investment adviser representative in similar circumstances.)
- Prior to any intentions to depart, a registered representative of an independent broker-dealer (“IBD”) or investment adviser representative (“IAR”) of an investment adviser firm should urge his or her IBD or investment adviser to amend its privacy policy so as to allow a departing registered representative or IAR to take nonpublic, personal customer information unless the client opts out.
- Similarly, a registered representative of an IBD, who also operates or serves as an IAR of an independent investment adviser firm unaffiliated with the IBD, should urge the IBD to amend its privacy policy in order to permit the sharing of nonpublic, personal customer information with the registered representative’s independent investment adviser firm unless the client exercises the right to opt out of a disclosure.
- In the event that a registered representative’s broker-dealer or IAR of an investment adviser firm has not amended its privacy policy as described above, a registered representative or IAR will need to either obtain authorization from each customer to take such nonpublic, personal customer information, or refrain from taking or utilizing any nonpublic, personal customer information when departing his or her current broker-dealer or preparing the paperwork necessary to transfer his or her accounts.
With respect to broker-dealers and investment adviser firms, the following are a few of the strategies that should be considered in the context of this cease-and-desist proceeding involving Regulation S-P:
- Include a covenant within the agreement between registered representative or IAR and the new broker-dealer or investment adviser firm whereby the registered representative or IAR represents that he or she has not and will not in the future utilize nonpublic, personal customer information in violation of the privacy policy of his or her previous firm while transferring accounts to the new broker-dealer or investment adviser firm.
- Establish a written policy prohibiting registered representatives or IARs from taking or utilizing nonpublic, personal customer information in violation of a previous firm’s privacy policy.
- Train recruiters, transition specialists and operations support staff on the broker-dealer or investment adviser firm’s policy prohibiting such use as described above.
- Instruct incoming registered representatives or IARs on the new firm’s policy. This training should be documented by the broker-dealer or investment adviser firm in a contemporaneous note or checklist.
- Refrain from taking electronic files with customer data and populating new account paperwork on behalf of a new registered representative or IAR unless the firm has reasonable assurances that such information wasn’t obtained in violation of a previous firm’s privacy policy.
- Amend its privacy policy to allow, after an opportunity for the client to opt out, a departing registered representative to take nonpublic, personal customer information and/or disclose such information to an unaffiliated investment adviser firm operated by a registered representative of the broker-dealer.
Finally, it’s important to recognize that trade secrets, confidentiality obligations and non-solicit restrictions also should be factored in establishing a policy for the broker-dealer or investment adviser firm or determining the permissible activities for a departing registered representative or IAR.
If you or your firm needs assistance analyzing, preparing or amending your firm’s privacy policy, please call RIA Compliance Consultants at 877-345-4034.
Labels: Enforcement, Privacy
posted by bhill at 4:01 PM
Has Your Firm Safeguarded Customer Information?
While your firm may have prepared a written privacy policy, have you designed safeguards within your firm to protect client information? Since the introduction of Regulation S-P, the SEC has emphasized the significance of protecting client information by developing and implementing safeguards to secure client information.
Some of the suggestions that have been provided by regulators include keeping client files in locked rooms or locked cabinets. The files should only be accessible to those individuals within the firm that need the information to perform their jobs. Does your firm shred old documents and files, or are they simply thrown in the waste basket? Measures should be taken to ensure that client information is regularly shredded prior to discarding. Other suggestions include making sure all computers are password protected and screen savers are automatically set to display after inactivity.
Another important component of a privacy policy is conducting tests to ensure its viability. This could include retaining an information technology consultant to try to break through your network's firewall, or testing employee passwords to determine if they can be easily guessed. Ultimately, the key to any good policy is testing the procedures that have been designed around the policy.
If you have any questions concerning the privacy obligations of an investment advisor, please give us a call.
Labels: Privacy
posted by bhill at 9:29 PM





