June 28, 2023

SEC Proposes Changes to Regulation S-P to Enhance Protection of Customer Information



On March 15, 2023, the SEC announced proposed changes to Regulation S-P, with a comment period to remain open for 60 days and a compliance date of one year from publication. As we monitor the progress of this proposal, we would like to provide you with some critical information on the current rule and this proposal.

Regulation S-P Background:

Since its original adoption in 2000, Regulation S-P has been intended to protect the privacy of consumer financial information, but with changing technology and industry changes, including remote work, the SEC believes the regulation is in need of updates. Currently, Regulation S-P requires Advisors to notify clients affected by certain types of data breaches that could put clients at risk for identity theft, to implement policies and procedures to protect client data and records, and to appropriately dispose of consumer report information.


The New Proposal Enhancements:

Customer Notification: Creating a minimum standard for Advisors to provide data breach notifications - as soon as reasonably possible, but no later than 30 days. 

All affected individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization would need to be notified. 

Incident Response Program: Requiring Advisors to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. 

The program would need to be reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, with applicable controls in place. These requirements may also be placed on an Advisor’s relationships with third-party service providers.

Enhanced Safeguards and Disposal Rule: Creating a consistent definition of “customer information” across the Safeguards and Disposal rules.

Customer information would now refer to a record containing “nonpublic personal information” about “a customer of a financial institution,” whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf. This definition would cover nonpublic personal information that a covered institution collects about its own customers and nonpublic personal information it receives from a third-party financial institution about customers of that financial institution.

Exemption to the Annual Privacy Delivery: Offering an exemption for Advisors if the firm satisfies two conditions. 

First, the Advisor can only provide nonpublic personal information to nonaffiliated third parties in accordance with the exceptions set forth in Regulation S-P, and

Second, the Advisor cannot have changed its policies and practices with regard to disclosing nonpublic personal information from the most recent delivery of its privacy notice.

Should the proposed rule be adopted by the SEC, Advisors will have a period of time to comply with the rule. AdvisorAssist will work with you to customize your policies as needed to ensure they address the final rule.


