Quick Answer
Regulation S-P governs a firm's treatment of nonpublic personal information, requires privacy notices, limits disclosure to nonaffiliated third parties, and generally gives customers an opt-out choice when no exception applies. Firms also safeguard customer records and information from unauthorized access or use, including when information is shared outside the firm.
Regulation S-P and Nonpublic Personal Information
Regulation S-P addresses privacy of customer financial information and the safeguarding of personal information. Its central category is nonpublic personal information (NPI), customer financial information that is not publicly available.
The regulation requires a firm to:
- Provide customers with notice of its privacy policies and practices.
- Establish conditions before disclosing NPI to nonaffiliated third parties.
- Give customers an opportunity to opt out of most such disclosures, subject to exceptions.
- Protect customer records and information from unauthorized access or use.
Privacy notice -> informed customer -> controlled sharing and safeguarded information.
Customer-Facing Privacy Disclosures
Privacy disclosures explain the firm's:
- Privacy policies and practices
- Information-sharing practices
- Controls applicable when information is shared outside the firm
Outside-firm sharing does not end the firm's responsibility for privacy controls or applicable disclosure conditions.
| Situation | Core privacy result |
|---|---|
| Customer financial information is not publicly available | It is NPI and is subject to Regulation S-P treatment |
| NPI is disclosed to a nonaffiliated third party and no exception applies | Customer generally has an opportunity to opt out |
| Information is shared outside the firm | Privacy controls and disclosure conditions still apply |
Exam Tip: Gotchas
- For most disclosures of NPI to nonaffiliated third parties, the customer choice is opt out, not opt in, when no exception applies.
- Regulation S-P is broader than a disclosure form. It also requires safeguards against unauthorized access or use.
Think of it this way: A privacy notice explains the firm's information path, while the safeguards control who can get onto that path.