Customer Privacy Rules and Disclosures

Quick Answer

Regulation S-P governs a firm's treatment of nonpublic personal information, requires privacy notices, limits disclosure to nonaffiliated third parties, and generally gives customers an opt-out choice when no exception applies. Firms also safeguard customer records and information from unauthorized access or use, including when information is shared outside the firm.

Regulation S-P and Nonpublic Personal Information

Regulation S-P addresses privacy of customer financial information and the safeguarding of personal information. Its central category is nonpublic personal information (NPI), customer financial information that is not publicly available.

The regulation requires a firm to:

  • Provide customers with notice of its privacy policies and practices.
  • Establish conditions before disclosing NPI to nonaffiliated third parties.
  • Give customers an opportunity to opt out of most such disclosures, subject to exceptions.
  • Protect customer records and information from unauthorized access or use.

Privacy notice -> informed customer -> controlled sharing and safeguarded information.

Customer-Facing Privacy Disclosures

Privacy disclosures explain the firm's:

  • Privacy policies and practices
  • Information-sharing practices
  • Controls applicable when information is shared outside the firm

Outside-firm sharing does not end the firm's responsibility for privacy controls or applicable disclosure conditions.

SituationCore privacy result
Customer financial information is not publicly availableIt is NPI and is subject to Regulation S-P treatment
NPI is disclosed to a nonaffiliated third party and no exception appliesCustomer generally has an opportunity to opt out
Information is shared outside the firmPrivacy controls and disclosure conditions still apply

Exam Tip: Gotchas

  • For most disclosures of NPI to nonaffiliated third parties, the customer choice is opt out, not opt in, when no exception applies.
  • Regulation S-P is broader than a disclosure form. It also requires safeguards against unauthorized access or use.

Think of it this way: A privacy notice explains the firm's information path, while the safeguards control who can get onto that path.