Privacy Requirements (Regulation S-P)

Broker-dealers collect sensitive personal and financial information from their customers. Regulation S-P establishes the privacy framework that governs how this data is handled in the securities industry.


What You'll Learn

  • What nonpublic personal information (NPI) is and what it includes
  • The key privacy notices firms must provide
  • How the opt-out right works (and its default)
  • Exceptions that allow sharing without opt-out
  • What firms can never share, regardless of opt-out status

What Is Regulation S-P?

Regulation S-P (17 CFR Part 248) implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) for the securities industry. It applies to broker-dealers, registered investment advisers, and investment companies.

The regulation governs how firms collect, use, share, and protect nonpublic personal information (NPI) about their customers.


Nonpublic Personal Information (NPI)

NPI is personally identifiable financial information that a customer provides to the firm, that results from a transaction or service the firm performs for the customer, or that the firm otherwise obtains about the customer. Examples include:

  • Social Security number
  • Account numbers
  • Transaction history
  • Income and net worth
  • Account balances
  • Information obtained from transactions with the customer

Note: Publicly available information (such as court records or government filings) is generally not considered NPI.


Key Requirements

Requirement               What It Means
Initial privacy notice    Must be provided no later than when the customer relationship is first established
Annual privacy notice     Must be sent annually (or the firm must qualify for an exception)
Opt-out notice            Must inform customers of their right to opt out of sharing NPI with non-affiliated third parties, and how to exercise it
Safeguard requirements    Firms must adopt written policies and procedures reasonably designed to protect customer records and information from unauthorized access or use
Disposal rule             Consumer report information must be properly disposed of so that it cannot be read or reconstructed

Exam Tip: Gotchas

  • The initial privacy notice is delivered at the start of the customer relationship, not after the first transaction.
  • A firm may skip the annual privacy notice if it shares NPI only in ways that do not require opt-out and has not changed its privacy policies since the last notice.

The Opt-Out Right

The opt-out right is frequently tested on the SIE exam:

  • Customers have the right to opt out of having their NPI shared with non-affiliated third parties
  • If the customer does nothing (takes no action) after receiving the opt-out notice and a reasonable opportunity to respond, the firm CAN share their information with non-affiliates
  • Sharing with affiliates (companies in the same corporate family) does NOT require opt-out

Think of it this way: The default setting is "sharing ON." Unless a customer actively flips the switch to "sharing OFF," the firm is free to share their NPI with non-affiliated third parties.

Exam Tip: Gotchas

  • This is opt-out, NOT opt-in. The default is that firms CAN share information with non-affiliates unless the customer specifically says no.
  • Sharing with affiliates does not trigger opt-out rights. Only non-affiliated third parties require opt-out.

Exceptions: When Opt-Out Is Not Required

Firms may share NPI without providing an opt-out opportunity in certain situations:

  • To process or service transactions requested by the customer
  • To protect against fraud
  • With service providers who have confidentiality agreements
  • As required by law or regulatory request

What Firms Cannot Share

Regardless of the customer's opt-out status, firms may NOT disclose to a non-affiliated third party, for use in telemarketing, direct-mail marketing, or e-mail marketing:

  • Account numbers (or similar numbers) for a customer's credit card, deposit, or transaction account
  • Access codes (PINs, passwords) to those accounts

This is a flat prohibition that sits outside the opt-out framework: a customer who has not opted out has NOT authorized the firm to hand out account numbers for marketing. The rule has only narrow exceptions, such as giving the number to the firm's own agent or service provider solely to market the firm's own products, and an opt-out (or the lack of one) is never one of them.

Exam Tip: Gotchas

  • Account numbers cannot be shared for marketing purposes, even if the customer has not opted out. This is an absolute prohibition, not subject to the opt-out framework.