
OCIE Offers Guidance on Complying with Regulation S-P

May 8, 2019

by Howard Haykin


The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently shared compliance issues its staff have observed pertaining to Regulation S-P, the primary SEC rule governing the privacy notices and safeguard policies of registered investment advisers (“RIAs”) and broker-dealers (“B/Ds”).
The OCIE Risk Alert is intended to assist RIAs and B/Ds in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information, as required under Regulation S-P.
Here are some of the most common deficiencies or weaknesses identified by the OCIE staff.



PRIVACY AND OPT-OUT NOTICES. Some registrants did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers.

  • When such notices were provided to customers, the notices didn’t accurately reflect the firms’ policies and procedures.
  • Some Privacy Notices didn’t inform customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties.



LACK OF POLICIES AND PROCEDURES. Some registrants did not have the required written policies and procedures.

  • Some documents restated the Safeguards Rule but didn’t include policies and procedures related to administrative, technical, and physical safeguards.
  • Some written policies and procedures contained numerous blank spaces designed to be filled in by registrants.
  • Some firms had policies that addressed the delivery and content of a Privacy Notice, but didn’t contain any of the written policies and procedures required by the Safeguards Rule.



POLICIES NOT IMPLEMENTED OR NOT REASONABLY DESIGNED TO SAFEGUARD CUSTOMER RECORDS AND INFORMATION. Some registrants did not appear to have implemented or reasonably designed their written policies and procedures so as to:

  • ensure the security and confidentiality of customer records and information;
  • protect against anticipated threats or hazards to the security or integrity of customer records and information; and
  • protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.

For example:

  • Personal devices. Some policies and procedures were not reasonably designed to safeguard customer information on personal devices.
  • Electronic communications. Some policies and procedures did not address the inclusion of customer personally identifiable information (“PII”) in electronic communications.
  • Training and monitoring. Certain policies and procedures that addressed privacy requirements were not reasonably designed because employees were not provided adequate training on them, and firms failed to monitor whether employees were following the policies.
  • Unsecure networks. Some policies and procedures did not prohibit employees from sending customer PII to unsecure locations outside of the registrants’ networks.
  • Outside vendors. Some registrants failed to follow their own policies and procedures regarding outside vendors.
  • PII inventory. Some policies and procedures did not identify all systems on which the registrant maintained customer PII.
  • Incident response plans. Written incident response plans did not address important areas, such as role assignments for implementing the plan, the actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
  • Unsecure physical locations. Customer PII was stored in unsecure physical locations, such as unlocked file cabinets in open offices.
  • Login credentials. Customer login credentials had been disseminated to more employees than permitted under the firms’ policies and procedures.
  • Departed employees. There were instances where former employees of firms retained access rights after their departure.