Information Security and Privacy Regulations
Customer screening generates a large amount of sensitive personal data. Regulation S-P governs how broker-dealers collect, use, disclose, and protect this nonpublic personal information (NPI).
What You'll Learn
- How Regulation S-P protects customer data
- Privacy notice requirements (initial and annual)
- When customers can opt out of information sharing
- Exceptions that allow sharing without opt-out
- Safeguarding obligations for firms
Regulation S-P Overview
- Adopted under the Gramm-Leach-Bliley Act (GLBA)
- Applies to broker-dealers, investment companies, and registered investment advisers
- Governs the collection, use, and disclosure of nonpublic personal information (NPI) about consumers
- NPI includes any personally identifiable financial information that is not publicly available (e.g., account numbers, balances, transaction history, SSN)
Think of it this way: NPI is anything a stranger could not find out about you through public records. Your name might be public, but your account balance and trading history are not.
Privacy Notice Requirements
Initial Privacy Notice
Must be delivered to customers at the time of establishing the customer relationship. It must describe:
- Categories of NPI the firm collects
- Categories of NPI the firm discloses
- Categories of affiliates and nonaffiliated third parties to whom disclosures are made
- Policies for protecting the confidentiality and security of NPI
Annual Privacy Notice
- Firms must provide an annual privacy notice to customers describing current policies
- Exception: if the firm's privacy policies have not changed and it only shares NPI under the standard exceptions (below), the annual notice requirement is waived
Exam Tip: Gotchas
- The initial privacy notice is delivered at account opening, not before. The customer relationship must already be established.
- Annual notice is waived if policies have not changed AND the firm only shares under standard exceptions. Both conditions must be met for the waiver to apply.
Opt-Out Rights
Before sharing NPI with nonaffiliated third parties, the firm must:
- Provide an opt-out notice clearly explaining the customer's right to prevent disclosure
- Give the customer a reasonable opportunity to opt out before sharing
- Ensure the opt-out notice is clear and conspicuous
Exam Tip: Gotchas
- Opt-out applies only to nonaffiliated third parties under Reg S-P. Sharing with affiliates is governed by Regulation S-AM (not S-P) and follows different rules. A customer generally cannot opt out of affiliate sharing under Reg S-P.
- "Clear and conspicuous" is required. Burying the opt-out notice in fine print does not satisfy the requirement.
Exceptions to the Opt-Out Requirement
Even without providing an opt-out notice and opportunity, firms may share NPI in these situations:
| Exception | Description |
|---|---|
| Service providers | NPI shared with nonaffiliated third parties performing services for the firm, provided a contractual agreement prohibits further use |
| Joint marketing | NPI shared with financial institutions in a written joint marketing agreement |
| Processing transactions | NPI shared as necessary to effect, administer, or enforce a customer-requested transaction |
| Legal/regulatory | Disclosures required by law, regulation, or legal process |
Exam Tip: Gotchas
- Service providers can receive NPI without opt-out, but only with a contractual agreement limiting further use. Without the contract, the exception does not apply.
- Reg S-P vs. Reg S-AM: S-P governs sharing with nonaffiliated third parties; S-AM governs marketing based on affiliate-shared information. The exam tests this distinction.
Safeguarding Requirements
- Firms must adopt written policies and procedures to safeguard customer records and information
- Must protect against unauthorized access to or use of customer information
- Must protect against anticipated threats to the security or integrity of customer records
- This is sometimes called the Safeguards Rule under GLBA