The Securities and Exchange Commission (the “Commission”) yesterday voted unanimously to publish a release proposing for comment certain amendments to Regulation S-P, which governs the privacy of consumer financial information. The amendments would address the Regulation’s provisions relating to the safeguarding and disposal of financial information, and would specify information that may be transferred without customer consent when registered representatives and investment adviser representatives change firms. Reg S-P was adopted in June 2000, pursuant to Section 504 of the Gramm-Leach-Bliley Act.
In its March 4, 2008 press release, the Commission stated that the proposed amendments would provide “more detailed standards” for information security programs and would “help prevent and address security breaches at the institutions the Commission regulates.” In addition, the amendments would “provide a new exception to permit the disclosure of limited personal information when representatives move from one broker-dealer or registered investment adviser to another.” At the Commission’s open meeting, Erik Sirri, Director of the SEC’s Division of Trading and Markets, said that the proposed amendments “should help guard against growing problems such as identity theft and intrusions into online brokerage accounts.”
At the meeting, the SEC staff explained the six elements of the amendments as follows:
(1) Information Security: The proposed amendments would require broker-dealers, registered investment advisers, registered investment companies and registered transfer agents (“registrants”) to develop, implement, and maintain a comprehensive information security program appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any personal information they utilize. As part of this requirement, registrants would be required to: designate a person to coordinate the program; identify reasonably foreseeable risks; design, document, and implement information safeguards to control those risks; regularly test or otherwise monitor the effectiveness of the safeguards; train staff to implement the program; oversee service providers; and evaluate and adjust the program as needed.
(2) Unauthorized Access: The proposed amendments would require registrants to develop written policies and procedures for responding to unauthorized access to or use of personal information. Such policies and procedures would include notice to affected individuals if misuse is reasonably possible, as well as notice to the SEC or a broker-dealer’s designated examining authority if an affected individual has suffered substantial harm or inconvenience, or if an unauthorized person has intentionally obtained or used information.
(3) Coverage of Safeguard and Disposal Rules: The proposed amendments would extend the coverage of the safeguards and disposal rules to registered transfer agents, natural persons who are associated persons of a broker-dealer or registered transfer agent, and supervised persons of a registered investment adviser. These changes are to help ensure that personal information is disposed of properly by underscoring to employees the importance of following the institution’s policies.
(4) Application of Safeguard and Disposal Rules: The proposed amendments would extend the safeguards and disposal rules to protect personal information, which would encompass any record containing either nonpublic personal information or consumer report information. It also would include information identified with any consumer or with any employee, investor or security holder who is a natural person.
(5) Compliance: The proposed amendments would require registrants to document compliance with the proposed information security program requirements, and to maintain compliance records.
(6) Representatives Who Change Broker-Dealer or Investment Adviser Firms: The proposed amendments would contain a new exception to Reg S-P’s notice and opt-out requirements, which would permit limited disclosures to new firms of investor information when a representative of a broker-dealer or registered investment adviser moves from one firm to another. The information would include: (a) customer name; (b) customer contact information; (c) a general description of the type of account; and (d) a general description of the products held. Mr. Sirri said that the exception “should help give firms flexibility while facilitating the transfer of accounts, promoting investor choice, and providing firms with legal certainty.” (For more detailed information regarding the staff’s comments on this specific provision, please email Brian Rubin at [email protected])
The Commission’s proposed rule was posted today.