On March 4, 2008, the SEC announced significant proposed changes to Regulation S-P (see Release No. 34-57427 available at http://sec.gov/rules/proposed/2008/34-57427.pdf). The proposed changes, aimed at enhancing the security of customers’ nonpublic personal information, create significant added administrative and financial burdens for securities firms. The proposed changes also allow registered representatives and advisors to retain certain limited customer information when moving firms. This last proposal comes on the heels of the SEC’s enforcement action last summer against NEXT Financial Group, Inc., alleging violations of Regulation S-P relating to customer information allegedly disclosed in connection with broker transfers.
OVERVIEW OF CURRENT REGULATION S-P
Regulation S-P was adopted in 2000 to implement certain provisions of the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. It requires firms regulated by the SEC to adopt security measures to protect nonpublic personal information about customers and to inform customers about the firms’ privacy policies and practices. It also limits when firms may disclose nonpublic personal information to any nonaffiliated third party without first giving the customer an opportunity to opt out of the disclosure.
SUMMARY OF PROPOSED CHANGES
The SEC is proposing four changes that would:
1. Set more specific and extensive standards for firms’ information security programs for protecting and disposing of customer information, including requiring procedures for responding to data security breaches. Significant new requirements include:
- “designating an employee to oversee the security program, identifying risks in advance and designing policies and measures to prevent those risks, training, monitoring, evaluating and adjusting the information security program”; and
- notifying customers “if misuse of sensitive personal information has occurred or is reasonably possible” and the SEC if a customer might suffer “substantial harm or inconvenience” or when “an unauthorized person has intentionally obtained access to or used sensitive personal information.”
2. Expand the scope of the information protected (to include, for example, employee passwords and user names, and personal information about investors or security holders) and extend coverage to persons associated with firms, making them directly responsible for properly disposing of personal information.
3. Require firms to keep records of their policies and procedures for safeguarding and disposing of nonpublic customer information, and of their compliance with those policies and procedures.
4. Add a new exception to Regulation S-P allowing limited disclosure of investor information when a registered rep or advisor moves to a new firm. This proposal appears tailored to match the broker protocol that a number of broker-dealers have entered into relating to broker transfers. A firm would be allowed to let its departing reps take a list of the customers serviced by the rep, including a general description of the customers’ accounts and products and contact information. The disclosing firm would also have to keep a copy of the information disclosed.
THE SEC ESTIMATES A SIZEABLE BURDEN TO COMPLY WITH THE PROPOSED CHANGES
The proposed changes will create significant burdens for firms. The SEC estimates smaller institutions would have to spend 2 to 80 hours (or, on average, $18,560) initially to adopt the enhanced procedures. Smaller firms are estimated to spend 12 to 40 hours annually for ongoing compliance, at an estimated average annual cost of $10,764. Larger firms are expected to spend between 40 and 400 hours (or, on average, $172,732) to adopt and implement the new procedures. Going forward, such firms are expected to need 32 to 100 hours for compliance annually, at an estimated average yearly cost of $51,084.
OPPORTUNITY TO COMMENT
Firms and other interested persons may comment on the proposed changes to Regulation S-P. Release No. 34-57427 gives instructions on submitting comments and provides topics on which the SEC is seeking guidance. There currently is no end date for the comment period, but it will likely be set for 60 days after the proposed changes are published in the Federal Register.