Regulation S-P: keeping client data on the D-L

The direction of travel is towards greater scrutiny of how private information is stored and used. A recent risk alert gives a steer.

Data privacy is big news. And not just for Mark Zuckerberg.

A risk alert from the SEC’s Office of Compliance Inspections and Examinations has highlighted shortcomings among investment advisers when it comes to Regulation S-P, the rule that governs how managers look after client data and the disclosures they need to make.

To recap: the regulation “requires a registrant to provide a clear and conspicuous” privacy notice to customers or clients when the initial customer relationship is established and then annually thereafter. The registrant must offer opt-out privacy notices for clients who do not want their personal information shared with third parties. Managers must also have adequate written policies and procedures that address “administrative, technical, and physical safeguards for the protection of customer records and information”.

It is worth noting that this is only an issue for managers with individual investors in their funds.

In its risk alert, the OCIE noted that some firms had no written policies, or had template policies containing blank spaces that were meant to be filled out. Firms were lax about whether client data were being stored on personal devices, such as laptops. Firms were also letting staff send unencrypted emails containing clients’ “personally identifiable information”.

And as is often the case with issues around data or technology, security failings are often analogue in nature. An unlocked filing cabinet in an office hallway that contains client information is most likely a breach of Regulation S-P.

“Every OCIE team that is going out, even if they didn’t participate in this set of risk exams, will be looking for this in a firm’s policies and procedures,” says Greg MacCordy, a former SEC industry expert now with compliance consultant Alaric Compliance Services.

As Californians and Europeans will testify, the direction of travel is towards greater scrutiny of how private information is stored and used. This risk alert provides managers with a useful laundry list of compliance hotspots.

Managers who make sure they are compliant with Regulation S-P will not only stay on the right side of the SEC, they will be better prepped for privacy rules that are coming down the track.

Write to the authors: and