FYI: OCIE (the SEC's Office of Compliance Inspections and Examinations) issued a Risk Alert listing examples of the most common deficiencies or weaknesses identified in investment adviser (IA) and broker-dealer (BD) examinations under the Reg. S-P privacy rules, more specifically the privacy notice requirements and the Safeguards Rule. The Safeguards Rule requires registrants to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
As has become an increasingly common feature of OCIE Risk Alerts, the deficiencies listed in the Alert cover almost every aspect of the relevant rule requirements. For example, firms were cited for:
• not providing required privacy and opt-out notices,
• not reflecting disclosed policies in actual practice,
• not having written policies and procedures addressing safeguards, or having policies and procedures but not reasonably designing them to prevent violations,
• not addressing personal devices under relevant policies,
• not addressing personal information in electronic communications,
• not providing adequate training and monitoring,
• not following the firm’s own policies and procedures,
• not requiring vendors to safeguard privacy,
• not inventorying all systems containing private information,
• not having adequate incident response plans,
• not storing private information in secure physical locations,
• not blocking terminated employees' access to private information.
The Alert encourages firms to review their systems and procedures in light of these findings in order to ensure their own compliance.
Reg. S-P Risk Alert: https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.
Separately, OCIE and FINRA have announced the 2019 Compliance Outreach Program for BDs scheduled for June 27, 2019, at the Federal Reserve Bank in Chicago. The agenda is TBA. The event will be webcast for those unable to attend in person. Announcement: https://www.sec.gov/info/complianceoutreach-bd.htm.
* * *