Privacy of Consumer Financial Information
Once firms collect sensitive client information through account openings, transactions, and advisory relationships, they have an obligation to protect it. Regulation S-P establishes the privacy framework for broker-dealers, investment advisers, and investment companies.
Who Is Covered
| Regulation | Covers |
|---|---|
| Securities and Exchange Commission (SEC) Regulation S-P | SEC-registered broker-dealers, SEC-registered investment advisers, registered investment companies (mutual funds) |
| North American Securities Administrators Association (NASAA) IA Privacy Rule | State-registered investment advisers |
Privacy Notice Requirements
Firms must provide privacy notices at specific times to inform customers how their information is collected, used, and shared.
| Notice Type | When Required | Content |
|---|---|---|
| Initial privacy notice | At the beginning of the customer relationship (when the account is opened) | How nonpublic personal information is collected, used, and shared |
| Annual privacy notice | Annually thereafter | Same content as the initial notice; reminder of opt-out rights |
| Opt-out notice | Before sharing nonpublic personal information (NPI) with nonaffiliated third parties | Clear description of the consumer's right to opt out and the method for doing so |
Annual Notice Exception
A firm is exempt from providing annual privacy notices if it:
- Shares NPI with nonaffiliated third parties only when an exception applies, AND
- Has not changed its privacy policies since the last notice sent
Exam Tip: Gotchas
- Initial notice = account opening. Annual notice = every year thereafter. Firms that share NPI with nonaffiliated third parties only under an exception and never change their privacy policies may skip the annual notice entirely.
Nonpublic Personal Information (NPI)
NPI includes personally identifiable financial information provided by the consumer, resulting from a transaction, or obtained through providing financial services.
What Counts as NPI
- Social Security numbers
- Account balances
- Transaction history
- Income information
- Tax returns
What Is NOT NPI
- Publicly available information (e.g., publicly filed court records, publicly listed phone numbers)
Opt-Out Requirements
Consumers must be given a reasonable opportunity to opt out before the firm shares their NPI with nonaffiliated third parties.
- The opt-out method must be clear and conspicuous (for example, a mail-in form, a toll-free phone number, or a website)
Exceptions Where No Opt-Out Is Required
| Exception | Example |
|---|---|
| Service providers who need information to process transactions | Clearing firms |
| Required by law | Responding to subpoenas, regulatory inquiries |
| Fraud prevention | Sharing data to detect or prevent fraud |
| Affiliates (related companies under common control) | Parent company and subsidiary |
Exam Tip: Gotchas
Sharing with affiliates does NOT require an opt-out. Sharing with nonaffiliated third parties DOES require an opt-out. The exam tests this distinction directly. Remember: affiliates = no opt-out needed; nonaffiliated third parties = opt-out required.
Safeguarding Requirements
Broker-dealers and advisers must adopt written policies and procedures reasonably designed to:
- Ensure the security and confidentiality of customer records and information
- Protect against anticipated threats to the security or integrity of records
- Protect against unauthorized access that could result in substantial harm or inconvenience to any customer
Firms must also designate a person responsible for information security.
NASAA IA Privacy Rule (State-Registered Advisers)
State-registered investment advisers have additional privacy obligations under the NASAA Investment Adviser Information Security and Privacy Rule:
- Deliver a privacy policy to clients upon initial engagement
- Deliver the privacy policy annually thereafter
- Adopt physical security and cybersecurity policies and procedures
- Maintain copies of privacy and security policies separate from the adviser's primary systems (backup requirement)