Briefing: Are you in breach of Regulation S-P?

OCIE’s most recent risk alert is about client data: find out what compliance issues they found and why private equity firms should pay attention.

On April 16 the Office of Compliance Inspections and Examinations released a risk alert listing the compliance issues related to Regulation S-P they came across when testing various investment advisors and broker-dealers. The list highlights a number of compliance issues that private equity firms should be aware of.

Remind me what Regulation S-P is…

Regulation S-P “requires a registrant to provide a clear and conspicuous” privacy notice to customers or clients when the initial customer relationship is established, annually, and opt-out privacy notices if a customer or client doesn’t want personal information shared with third parties. Registrants must also have adequate written policies and procedures that address “administrative, technical, and physical safeguards for the protection of customer records and information,” the alert states.

And does it apply to all private equity firms?

The regulation only applies to PE firms that have individual investors investing in their funds. “If they have institutions or businesses investing in their private equity fund, this would not apply to them,” Greg MacCordy, a director at Alaric Compliance Services, tells pfm. “What we’re really talking about is if we [a PE firm] gathered all of an individual’s private information [such as their name, home address, social security number, phone and other private information] obviously that can be misused.”

“Regulation S-P is also in place so firms properly safeguard personal information when using the services of a third party, such as a service provider that produces K-1s [the tax forms for investing in a PE firm or partnership]. That information like your social security number and your name would have to be sent to them.”

What did the OCIE find?

OCIE found that firms didn’t have proper written policies and procedures in place to comply with regulation S-P. “Firms had documents that restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards,” the risk alert states.

The OCIE staff also found written policies that contained blank spaces that were meant to be filled out.

“That usually happens when a firm gets a template [from an outside consultant] and doesn’t customize it. Also, often times when firms try to do their own policies and procedures they tend to just write about the rule and not what specific steps they take to implement the rule,” Tina Mitchell, a lead senior compliance consultant at Core Compliance & Legal tells pfm.

Firms generally failed to protect customer information and anticipate potential harmful situations. The staff found employees that regularly stored customer information on their personal laptops. Participants also failed to have rules in place to prevent employees from sending unencrypted emails to customers containing “personally identifiable information.”

“What if I had social security numbers stored in a personal laptop and accidentally left it at the airport? Especially with private equity funds where the business people travel regularly, you don’t want that information on personal devices,” MacCordy says.

Other compliance issues included a lack of training and monitoring of employees and simple things, such as having unlocked filing cabinets in open spaces which left sensitive information exposed.

“One thing that flips out the examiners when they come on site: they find unlocked file cabinets that are out in the hallway or other open space that anyone can open up and there’s all this account information on a client,” Guy Talarico, the CEO and founder of Alaric Compliance Services tells pfm.

Other issues included firms not having proper incident response plans in place in the case of a cybersecurity breach or firms not following up with outside vendors to make sure that their policies and procedures were being followed.

What should private equity firms do?

Now that the regulator has released this comprehensive risk alert there’s no excuse for private equity firms to not comply with regulation S-P. At the very least firms should create a checklist based on this alert to improve their compliance rules, Talarico says.

MacCordy who most recently spent four years at the Securities & Exchange Commission as an industry expert and specialized compliance examiner in the asset management unit (enforcement division) believes the agency will most likely be looking for these compliance issues following the risk alert: “Every OCIE team that is going out, even if they didn’t participate in this set of risk exams, will be looking for this in a firm’s policies and procedures.”