Information Security and Privacy: SEC Regulation S-P

Quick Answer

SEC Regulation S-P implements the Gramm-Leach-Bliley Act for broker-dealers, investment advisers, and registered investment companies. It protects nonpublic personal information (NPI) through three required notices (initial, opt-out, annual), the Safeguards Rule, which requires written security policies and procedures, and the Disposal Rule, which governs secure destruction of consumer report information. Disclosures that fall under an exception do not trigger the opt-out right.

Once the firm has collected a customer's identifying information, tax status, and investment history, it holds data the customer never intended to share with the outside world. SEC Regulation S-P (17 CFR Part 248) sets the federal rules for how broker-dealers (BDs), investment advisers, and registered investment companies handle that nonpublic personal information (NPI).

Reg S-P implements Title V of the Gramm-Leach-Bliley Act (GLBA) for SEC registrants.


Who and what does SEC Regulation S-P cover?

Subject Firms

  • SEC-registered broker-dealers
  • SEC-registered investment advisers
  • Registered investment companies

Subject Information: Nonpublic Personal Information (NPI)

NPI includes:

  • Information the customer provides: name, address, SSN, income, account balances
  • Information derived from the customer relationship: transaction history, recommendations, holdings
  • Any publicly unavailable financial information linked to the customer

Who Is Protected

Status: Definition

Consumer: An individual who obtains a financial product or service for personal, family, or household purposes (even a one-off inquiry may create consumer status)

Customer: A consumer with an ongoing (continuing) relationship with the firm (for example, an account)

Exam Tip: Gotchas

  • Reg S-P protects consumers AND customers, but the timing of notices differs. Every customer is a consumer; not every consumer is a customer. A person who asks for a quote and walks away is a consumer; a person who opens an account is a customer.

What are the three notices required under Regulation S-P?

Reg S-P requires three distinct notices.

1. Initial Privacy Notice

  • Delivered to a customer before establishing the customer relationship (at or before account opening)
  • Delivered to a non-customer consumer before disclosing NPI to a nonaffiliated third party, unless the disclosure falls under one of the Reg S-P exceptions

The initial notice must describe:

  • Categories of NPI collected
  • Categories of NPI disclosed and the categories of affiliates and nonaffiliated third parties to whom it is disclosed
  • Categories of NPI disclosed about former customers
  • The opt-out right and a reasonable means to opt out
  • Policies and practices for protecting the confidentiality and security of NPI

2. Opt-Out Notice

Before disclosing NPI to a nonaffiliated third party, the firm must:

  • Provide a clear and conspicuous opt-out notice (may be combined with the initial notice)
  • Give the consumer a reasonable opportunity to opt out
  • Provide a reasonable means to opt out (toll-free number, reply form, electronic opt-out process)

Key features:

  • Reasonable opportunity is typically satisfied by giving the consumer 30 days from delivery of the notice
  • Partial opt-out is allowed: the consumer may opt out as to certain information or certain third parties
  • Opt-out direction remains in effect until the consumer revokes it in writing (or electronically, if the consumer agrees); when a customer relationship ends, the direction continues to apply to NPI collected during that relationship

3. Annual Privacy Notice

  • Firm must deliver a clear and conspicuous annual notice of its privacy policies at least once in any period of 12 consecutive months for the duration of the customer relationship
  • Exception: No annual notice is required if both are true:
    • The firm shares NPI only under Reg S-P exceptions (so the opt-out right does not apply)
    • The firm has not changed its policies since the most recent notice

Exam Tip: Gotchas

  • Reg S-P requires three notices: initial + opt-out + annual. A question asking which notice comes first is testing the initial notice, which must reach the customer before the relationship is established.

Which Regulation S-P disclosures bypass the opt-out right?

Certain disclosures do not require an opt-out notice. For disclosures made under the transaction-processing and legal/regulatory exceptions, the firm is not required to list those exceptions in the initial or annual notices; it need only state that it makes disclosures to other nonaffiliated third parties as permitted by law. Disclosures to service providers and joint marketers must still be described in the notices.

Common exceptions include disclosures:

  • With the consumer's consent (not yet revoked)
  • To service providers and for joint marketing (subject to confidentiality and use restrictions)
  • To process, service, or enforce the customer's transaction
  • For institutional risk control, fraud prevention, resolving consumer disputes, or investigating illegal activities
  • To comply with federal, state, or local laws, subpoenas, or SRO requests
  • To consumer reporting agencies per the Fair Credit Reporting Act (FCRA)

Exam Tip: Gotchas

  • The opt-out right applies to NPI shared with nonaffiliated third parties for marketing or other non-exception purposes. Customers cannot opt out of disclosures that fall under an exception (service providers, law-enforcement compliance, transaction processing, and so on).

What does the Regulation S-P Safeguards Rule require?

The Safeguards Rule requires firms to adopt written policies and procedures that address administrative, technical, and physical safeguards and are reasonably designed to:

  • Insure the security and confidentiality of customer records and information (the rule's own wording)
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer

Safeguards cover:

Safeguard Category: Examples

Physical: Locked cabinets, restricted office access, shredders

Administrative: Written policies, employee training, access controls, incident-response plans

Technical: Encryption, firewalls, secure email, multi-factor authentication

What does the Regulation S-P Disposal Rule require?

When disposing of consumer report information (or any record derived from it), the firm must take reasonable measures to protect against unauthorized access. Examples:

  • Shredding or burning paper records
  • Wiping or physically destroying electronic media (hard drives, USB drives)
  • Using licensed third-party disposal vendors (after due diligence on the vendor)

Think of it this way: Reg S-P does not stop caring about a record when it leaves the filing cabinet or the production server. A discarded statement that can still be read, or a retired drive that can still be imaged, is recoverable data, and recoverable data is a breach waiting to happen. The Safeguards Rule guards the front door while the record is in use; the Disposal Rule guards the back door when it leaves.


What are the most tested Regulation S-P privacy rules?

Exam Tip: Gotchas

  • Three notices: initial (before relationship), opt-out (before sharing with nonaffiliates), annual (at least every 12 months).
  • Annual notice exception: no annual notice if the firm shares NPI only under exceptions and policies are unchanged.
  • No opt-out for excepted disclosures: service providers, law enforcement, transaction processing, and similar categories are carve-outs.
  • Reasonable opportunity to opt out is commonly 30 days from notice delivery.
  • Partial opt-out is allowed: a customer may opt out as to some third parties and not others.