SEC Regulation S-P - Privacy of Consumer Financial Information

Shifting from what firms communicate to investors, let's look at what firms do with information about investors. SEC Regulation S-P governs the privacy of consumer financial information.


Overview and Scope

SEC Regulation S-P (17 CFR Part 248, Subpart A) implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) for SEC-regulated entities.

Applies to:

  • Broker-dealers
  • Registered investment companies
  • Registered investment advisers
  • Transfer agents (brought within the safeguards and disposal provisions by the SEC's 2024 amendments to Regulation S-P)

Key Definitions

Term: Definition

Consumer: An individual who obtains a financial product or service primarily for personal, family, or household purposes (broader than "customer")

Customer: A consumer who has a continuing, ongoing relationship with the financial institution

Nonpublic personal information (NPI): Personally identifiable financial information provided by a consumer, resulting from a transaction, or otherwise obtained by the institution. Publicly available information is not NPI.

Key distinction: All customers are consumers, but not all consumers are customers. A consumer becomes a customer when they establish an ongoing relationship (e.g., opening an account).

Exam Tip: Gotchas

  • "Consumer" is broader than "customer." Someone who inquires about a product but never opens an account is a consumer, not a customer. Privacy notice requirements differ between the two.

Privacy Notice Requirements

Financial institutions must provide a clear and conspicuous privacy notice to customers that describes:

  • The institution's policies and practices for collecting NPI
  • The categories of NPI the institution collects
  • The categories of NPI the institution discloses (and to whom)
  • The categories of affiliates and nonaffiliated third parties to whom disclosures are made
  • The institution's policies for protecting the confidentiality and security of NPI

Timing of Privacy Notices

  • Initial notice: Must be provided no later than the time the customer relationship is established (e.g., when the account is opened). A consumer who never becomes a customer must receive a notice only before the institution discloses their NPI to a nonaffiliated third party outside the exceptions.
  • Annual notice: Must be provided at least once in any period of 12 consecutive months for as long as the customer relationship continues

Annual Notice Exception

The annual notice is not required if the institution (1) shares NPI with nonaffiliated third parties only under the exceptions for which no opt-out is required (service providers and joint marketing, transaction processing, legal compliance, and the other exceptions listed below) and (2) has not changed its privacy policies and practices since the last notice was delivered. If either condition stops being true, the institution must resume providing the annual notice.

Exam Tip: Gotchas

  • The annual privacy notice has an exception, but both conditions must be met: limited sharing (opt-out exceptions only) and no policy changes since the last notice.

Opt-Out Rights

Before disclosing NPI to a nonaffiliated third party, the institution must:

  1. Provide a clear and conspicuous opt-out notice describing the right to opt out
  2. Give the consumer a reasonable opportunity to opt out before the disclosure
  3. Provide a reasonable method to exercise the opt-out (toll-free number, reply form, etc.)

The consumer must be given a reasonable period (typically 30 days) to respond before NPI is shared.

Exam Tip: Gotchas

  • Regulation S-P requires opt-out, not opt-in. The consumer must affirmatively choose to opt out. If the consumer does nothing after the reasonable period has passed, the institution may share the information. The exam tests whether consumers must opt in or opt out.
  • The opt-out right applies only to disclosures to nonaffiliated third parties. Regulation S-P does not give consumers an opt-out for sharing NPI with the institution's affiliates.

Exceptions to the Opt-Out Requirement

No opt-out is required when sharing NPI:

  • With service providers and joint marketing partners (under contractual restrictions)
  • To process or service a transaction requested by the consumer
  • To protect against fraud or unauthorized transactions
  • To comply with legal requirements (subpoenas, law enforcement requests)
  • For required consumer reporting (credit bureaus)
  • With the consumer's consent

Exam Tip: Gotchas

  • Service providers and joint marketing partners do not require an opt-out, but the institution must still provide the initial privacy notice and have a contract in place that prohibits the third party from disclosing or using the NPI for any purpose other than the one for which it was shared. This is a commonly tested exception.

The Safeguards Rule

Regulation S-P requires firms to adopt written policies and procedures addressing three types of safeguards:

Safeguard Type: Examples

Administrative: Employee training, written access-control policies, background checks

Technical: Encryption, firewalls, intrusion detection, authentication and access controls on systems

Physical: Locked files, secure disposal of records, restricted facility access

The safeguards must be reasonably designed to protect the security and confidentiality of customer records and information, to protect against anticipated threats to that information, and to protect against unauthorized access that could result in substantial harm or inconvenience to a customer. Under the 2024 amendments, firms must also maintain a written incident response program that detects, responds to, and recovers from unauthorized access to or use of customer information, and must notify affected individuals as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of sensitive customer information has occurred or is reasonably likely to have occurred.

Exam Tip: Gotchas

  • Three types of safeguards: administrative, technical, and physical. All three are required, not just technical controls like encryption.