March 28, 2013

The AdvisorAssist CCO Series: Privacy & Information Security

A central element of your RIA firm’s fiduciary duty is the protection of clients’ confidential information. These responsibilities are laid out in your firm’s Privacy Policy.

A topic that is closely related to your duty of privacy and confidentiality is information security. Formal information security policy manuals for RIAs, a proposed (but not yet codified) regulatory requirement, offer many best practices that help advisors demonstrate their commitment to protecting client information.

The RIA Firm's Privacy & Information Security Responsibilities In a Nutshell

Supervised Persons of an RIA firm must keep confidential at all times any nonpublic information that they obtain during the course of carrying out their advisory responsibilities.

This includes client or prospective client identities, their identifying information (e.g. addresses, dates of birth, Social Security numbers), their investments and their account activity. (Some states maintain distinct definitions of identifying information that must be protected, such as zip codes in MA.)

As a policy, Supervised Persons must not release confidential or nonpublic information without consulting the Chief Compliance Officer (“CCO”) in advance. When disclosure is necessary to conduct business for a client, nonpublic personal information should be limited to the extent necessary or appropriate.

At least annually, RIA firms must provide notice to clients describing the firm’s privacy policies, to the extent required by law. This can be accomplished by delivering a copy of the firm’s Privacy Policy.

Your firm’s Privacy Policy should contain the following:
  1. What information you collect from clients
  2. What sources you collect information from, over and above information provided by the client
  3. Your firm’s basis for sharing this information
  4. Any state-specific privacy regulations (Currently CA, MA and VT have specific privacy laws that extend beyond federally-mandated rules.)
Advisors must also ensure that appropriate safeguards are in place to protect client information (i.e. information security practices).

Through the Regulator's Eyes

In 2000, the SEC adopted Regulation S-P, which covers the rules related to Privacy of Customer Financial Information. In the hyper-networked, digital world we live in, regulators obviously want to continue to assure the general public that their private information is adequately safeguarded. Regulation S-P requires advisors to adopt and maintain written supervisory procedures to protect the privacy of customer data.

There is a proposed amendment to Reg S-P that would (if adopted) require advisors to have an “Information Security Program” in place to ensure the security and confidentiality of personal information, protect against any anticipated threats or hazards to the security or integrity of personal information, and protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any client.

Again, while not currently a requirement, advisors should review this proposed amendment and begin to adopt certain best practices that it contains.

CCO Best Practices for Privacy

  • Provide a copy of your firm’s Privacy Policy to new clients along with your investment advisory agreement.
  • Deliver a copy of your Privacy Policy to all clients at least annually. This is most easily accomplished by including it with your annual ADV delivery in April (October for RIA firms with 6/30 fiscal year ends).
  • Confirm that your investment advisory agreements contain an acknowledgement of receipt of the privacy notice, if required.

CCO Best Practices for Information Security

  • Identify any reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of personal information and personal information systems. Consider potential options to mitigate or eliminate these risks.
  • Adopt written policies that address the proper disposal of personal information that is not required to be maintained for Books and Records purposes.
  • Be judicious about the amount of personal information that you collect and limit it to what is necessary to perform your duties.
  • Adopt a “clear desk” policy (so that employees don’t leave sensitive information out in the open) and ensure that physical client files are locked when not in use.
  • Limit systems access to active users (Supervised Persons) only and delete access credentials for departed staff.
  • Ensure that work computers are set up to require periodic updates of strong passwords. Here’s a great tool to test exactly how strong your passwords are: HowSecureisMyPassword.net.
  • Encrypt and password protect all portable electronic devices.
  • Use encryption when sending data electronically.
  • Secure and password protect wireless networks.
  • Install (and update!) firewalls and anti-virus protection for all computers that are used to access client data (including personal computers if employees do work from home).
  • Monitor and limit the information that is brought into your firm by new employees and ensure that this information is in accordance with the privacy policies of their prior employer and does not breach confidentiality agreements.
  • Take reasonable steps to select and retain service providers that maintain appropriate safeguards for the personal information at issue. Request copies of your service providers’ information security protocols.
  • Include information security training as part of your annual CCO meeting with Supervised Persons.

The AdvisorAssist CCO Series is a collection of blog posts that cover each of the elements of your RIA's compliance program. Each post will provide an overview of one compliance topic, including our insights on how regulators view each topic as well as some practical steps to help Chief Compliance Officers address this topic. As always, we would welcome your comments and thoughts.
Brian Lauzon

Image by David Goehring