When an examination team visits an RIA, their first impression may be negative. As the team sits in the waiting area or in a conference room, they may overhear private conversations involving clients. The team might see client files lying around the office instead of being put away in cabinets, or walk by an unattended computer and notice that clients’ financial statements are in full view on the screen.
Both clients and regulators expect that financial information will be treated with the utmost confidence. Failure to do so can set the tone for a very unpleasant regulatory examination.
During on-site examinations, examiners will look at whether the firm and its supervised persons guard their clients’ privacy. Just as examiners will get a sense of whether a firm has built a culture of compliance, they will also notice whether employees take their clients’ privacy seriously.
Effective November 13, 2000, the SEC adopted Regulation S-P, the privacy rules promulgated under Section 504 of the Gramm-Leach-Bliley Act (GLBA). Section 504 of the GLBA required the SEC and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers. Under the GLBA, a financial institution must provide its customers with a notice of its privacy policies and practices. Furthermore, it must not disclose nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution provides certain information to the consumer and the consumer has not elected to opt out of the disclosure.
The Federal Trade Commission (FTC) has privacy jurisdiction over state-registered investment advisers. The FTC has stated that an RIA’s compliance with the sample clauses in the SEC rule will satisfy the FTC as well.
Regulation S-P permits financial institutions, in certain circumstances, to share nonpublic personal information about consumers and customers with nonaffiliated third parties without first giving them notice and the opportunity to opt out. Sharing with a nonaffiliated party is permitted in the following instances:
- As necessary to effect, administer, or enforce a transaction that a consumer requested or authorized
- In connection with processing or servicing a financial product or service authorized by a consumer
- In connection with maintaining or servicing a consumer’s account with the institution
Based on these exceptions, an RIA is not required to provide clients with the opportunity to opt out before sharing their nonpublic personal information with entities such as:
- a nonaffiliated broker-dealer in order to execute trades the customer has authorized;
- a nonaffiliated custodian holding securities on behalf of the customer; and
- certain service providers, provided the RIA has a contract that prohibits the provider from disclosing or using the information for any purpose other than the one for which it was disclosed.
An RIA may also share information with nonaffiliated third parties as permitted or required by law. For example, an RIA may provide clients’ information in response to a subpoena or a request from securities regulators.
Privacy Policies and Procedures
Regulation S-P is just one element of an RIA’s policies and procedures relating to privacy and confidentiality. Some firms incorporate Regulation S-P in the confidentiality and/or privacy sections of their compliance manuals. Regulation S-P protects the nonpublic personal information of individuals who obtain financial products or services for personal, family, or household purposes; it does not cover corporate entities or pension plans. Nevertheless, the duty to keep information private and confidential is owed to all clients, not just those who must receive notices pursuant to Regulation S-P.
Policies and procedures should ensure compliance with Regulation S-P, and reinforce an RIA’s duty to preserve clients’ privacy. During a regulatory exam, examiners will look at:
- whether clients were provided with a copy of the RIA’s privacy notice at the inception of their relationship with the firm;
- whether, and with whom, the RIA shares client information;
- whether clients may opt out of any information-sharing arrangements;
- whether the policy is thorough, accurate, and complete;
- whether the policy is effective in protecting clients’ privacy;
- whether there is evidence of the privacy notice being delivered to clients yearly; and
- whether the firm’s compliance officer keeps a log or other records to document delivery of the privacy notice at the inception of the relationship and annually thereafter.
If a firm’s privacy notice is sent electronically, an RIA should retain documentation, such as a read receipt, showing that clients received the information. Because a read receipt is returned only if the client’s mail software allows it, the firm should at a minimum also keep a record of the date each notice was sent, the address it was sent to, and any delivery failures. RIAs should also maintain documentation showing that clients consented to receiving important communications via electronic mail.
RIAs must be concerned about more than just federal regulations. Massachusetts enacted regulations (201 CMR 17.00) requiring any business that owns or licenses personal information about Massachusetts residents to protect it. These regulations apply to both SEC and state-registered RIAs with clients in Massachusetts. Even if an SEC-registered firm has only one client in Massachusetts, it is still required to comply, since the regulations contain no de minimis exception. The compliance deadline was originally set for May 1, 2009, and was extended several times; the regulations ultimately took effect on March 1, 2010.
Pursuant to that regulation, RIAs must develop and implement a “comprehensive, written information security program.” At a minimum, the program must:
- designate an employee or employees to maintain and supervise the program’s implementation;
- identify records, systems and media containing personal information;
- assess risks and safeguards;
- implement ongoing employee training programs;
- institute security policies;
- review security measures at least annually; and
- document the actions taken in response to any security breach, along with the post-incident review of those actions.
The regulations also mandate certain computer system security requirements, to the extent technically feasible, including secure user authentication and access controls, encryption of personal information transmitted over public networks or stored on laptops and other portable devices, monitoring of systems for unauthorized access, current security patches and malware protection, and employee training on the security program. Other states may pass similar regulations.
Mistakes that Demonstrate a Lack of Concern for Client Privacy
Many major corporations have had their computer systems breached, exposing their customers’ personal information. Once that information is out, the risk of identity theft remains significant even if the company and the affected individuals act quickly and decisively. Because RIAs owe a fiduciary obligation to protect their clients’ privacy, the failure to do so is a very serious violation.
Examiners may observe activity that causes them concern about clients’ confidentiality such as:
- client files being left in open areas where anyone, including visitors, might see them;
- employees leaving their computers unlocked when they step away, and changing their passwords infrequently;
- employees having access to all client files, not just the ones they are responsible for handling, with no attempt to restrict private information to individuals who need to know it;
- conversations regarding clients being held within earshot of other employees and/or visitors to the office; and
- file cabinets and file rooms being left unlocked.
In addition, examiners will be very concerned if documents containing clients’ personal information are discarded without being shredded. Computers, diskettes, and hard drives that are being disposed of should have their data securely erased, or the media should be physically destroyed; simply deleting files or reformatting a drive leaves the data recoverable. Policies and procedures should therefore cover the disposal of sensitive information in every form, paper and electronic.
Preventing Misuse of Nonpublic Information
It is vital that RIAs do everything within their power to prevent misuse of nonpublic information. The language used in Section 204A of the Investment Advisers Act can be found in Figure 27-1.
Figure 27-1. Section 204A. Prevention of Misuse of Nonpublic Information
“Every investment adviser subject to section 204 shall establish, maintain, and enforce written policies and procedures reasonably designed, taking into consideration the nature of such investment adviser’s business, to prevent the misuse in violation of this Act or the Securities Exchange Act of 1934, or the rules or regulations thereunder, of material, nonpublic information by such investment adviser or any person associated with such investment adviser. The Commission, as it deems necessary or appropriate in the public interest or for the protection of investors, shall adopt rules or regulations to require specific policies or procedures reasonably designed to prevent misuse in violation of this Act or the Securities Exchange Act of 1934 (or the rules or regulations thereunder) of material, nonpublic information.”
*Used with permission from National Compliance Services, Inc.
An RIA might never recover if an employee is caught using inside information to make profitable trades. Even the employees who knew nothing about the individual’s misconduct will be adversely affected by the scandal.
The Big Picture
Whether an RIA is SEC or state-registered, the firm must have policies and procedures in effect designed to protect its clients’ privacy. Policies and procedures should explicitly require the RIA to send out its privacy notice each year. An RIA is not required to send clients the firm’s full privacy policies and procedures, only the privacy notice describing them. RIAs should keep a copy of the cover letter, the notice, and a list of the clients to whom it was sent.
Clients should acknowledge receipt of the privacy notice at the inception of the agreement, and an RIA must also document that it sent out the firm’s privacy notice annually. We will look more closely at the records retention requirements for privacy notice acknowledgements and other documents in the chapter on the Books and Records Rule.
An RIA’s fiduciary obligations do not end when it is time to destroy documents that are beyond the required retention period. RIAs should use extreme care, ensuring that these records are destroyed in a manner consistent with the firm’s policies and procedures and that each client’s private information is protected. Throwing files in a dumpster without shredding them is unlikely to satisfy an RIA’s fiduciary obligation. If an RIA uses a shredding service, that company should sign a confidentiality agreement, since it will have access to nonpublic information. The shredding company should also be bonded.
Supervised persons often follow the lead of the firm’s management. If the head of the firm gossips or speaks freely about a client’s financial situation, supervised persons may do the same. Ultimately, a client’s privacy might be compromised.