OCIE Offers Guidance on Complying with Regulation S-P
by Howard Haykin
PRIVACY AND OPT-OUT NOTICES. Some registrants did not provide Initial Privacy Notices, Annual Privacy Notices and Opt-Out Notices to their customers.
- When such notices were provided to customers, the notices didn't accurately reflect firms' policies and procedures.
- Some Privacy Notices didn't inform customers of their right to opt out of the registrant sharing their nonpublic personal information with nonaffiliated third parties.
LACK OF POLICIES AND PROCEDURES. Some registrants did not have the required written policies and procedures.
- Some documents restated the Safeguards Rule but didn't include policies and procedures related to administrative, technical, and physical safeguards.
- Some written policies and procedures contained numerous blank spaces designed to be filled in by registrants.
- Some firms had policies that addressed the delivery and content of a Privacy Notice, but didn't contain any of the written policies and procedures required by the Safeguards Rule.
POLICIES NOT IMPLEMENTED OR NOT REASONABLY DESIGNED TO SAFEGUARD CUSTOMER RECORDS AND INFORMATION. Some registrants did not appear to have implemented or reasonably designed their written policies and procedures so as to:
- ensure the security and confidentiality of customer records and information;
- protect against anticipated threats or hazards to the security or integrity of customer records and information; and
- protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to customers.
For example:
- Personal devices. Some policies and procedures were not reasonably designed to safeguard customer information on personal devices.
- Electronic communications. Some policies and procedures did not address the inclusion of customer personally identifiable information ("PII") in electronic communications.
- Training and monitoring. Certain policies and procedures that addressed privacy requirements were not reasonably designed because employees were not given adequate training on them and firms failed to monitor whether employees were following the policies.
- Unsecure networks. Some policies and procedures did not prohibit employees from sending customer PII to unsecure locations outside the registrants' networks.
- Outside vendors. Some registrants failed to follow their own policies and procedures regarding outside vendors.
- PII inventory. Some policies and procedures did not identify all systems on which the registrant maintained customer PII.
- Incident response plans. Written incident response plans did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.
- Unsecure physical locations. Customer PII was stored in unsecure physical locations, such as unlocked file cabinets in open offices.
- Login credentials. Customer login credentials had been disseminated to more employees than permitted under firms' policies and procedures.
- Departed employees. There were instances where former employees of firms retained access rights after their departure.