On April 16, the Office of Compliance Inspections and Examinations (OCIE) at the U.S. Securities and Exchange Commission (SEC) issued a risk alert (Alert) regarding compliance issues it had identified recently with respect to broker-dealers’ and investment advisers’ privacy notices and policies and procedures for safeguarding customer information.  Although the Alert will be of most relevance to SEC-regulated firms, cyber-security and data privacy are of equal concern to regulators north of the border and therefore, we think our clients will find these recent findings from OCIE’s compliance exams of interest.

OCIE observed the following common deficiencies:

  • relationship (Initial Notices) and/or on an annual basis (Annual Notices), and some firms did not provide the required notices explaining how customers could opt out of some disclosures of non-public personal information to unaffiliated third parties (Opt-Out Notices and, collectively with the Initial notices and Annual Notices, the Required Notices).
  • In some cases, the Required Notices did not accurately reflect the firms’ policies and procedures.
  • Some firms’ policies and procedures for safeguarding customer information were incomplete (e.g., they described the safeguard requirements in the SEC rule but did not set out the firms’ policies and procedures for administrative, technical and physical safeguards).
  • Some firms’ policies and procedures were inadequate to safeguard customer records and information. For example, OCIE staff observed the following:
    • Employees routinely storing customer information on personal laptops without having policies and procedures to address how the laptops were configured to protect such information.
    • Some firms lacked policies and procedures to prohibit employees from sending unencrypted emails containing personally identifiable information (PII) to customers or from using unsecure networks to send PII.
    • Some firms failed to require outside vendors to agree to keep customer PII confidential, despite having policies and procedures requiring the firm to obtain such agreements.
    • Customer PII was stored in insecure physical locations, such as unlocked file cabinets.