The SEC recently approved a final revision to the data privacy rules governing many financial entities, contained in what is known as Regulation S-P.
The new requirements apply to Registered Investment Advisors (“RIA’s”), Broker-Dealers, investment companies, funding portals, and transfer agents. The final rule requires these entities to develop written protocols to protect clients’ confidential information, to have mechanisms in place to identify unauthorized access to such data, and to create an incident response plan which, along with containment and remediation measures, would require regulated entities to notify impacted customers of any breach within thirty days of its discovery. Additionally, the final rule mandates due diligence around a firm’s monitoring of its service providers, who themselves may experience a breach, and requires firms to deliver privacy notices to customers on an annual basis (unless there has been no change in policies and procedures year-over-year). These requirements will take effect on July 15, 2024.
SEC Chair Gary Gensler issued a statement praising the amendments to Regulation S-P. “These amendments will help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.” However, notably absent from the final rule are requirements on service providers themselves. While many of these businesses may be required under state law to disclose breaches, Regulation S-P’s provisions around data protection and incident response planning do not extend to those service providers. The lack of such a mandate heightens the importance of third-party risk management on the part of financial institutions and advisors.
Due to recent changes ranging from hybrid or remote work to developing technology, off-channel business communications continue to be a problem for firms in the financial services sector. Such communications often include the use of personal devices, forwarding of e-mails through personal e-mail addresses, conversations via text messages on a personal device, or the use of off-channel applications for business communications. Following an investigation, the Financial Industry Regulatory Authority (“FINRA”), an agency overseen by the SEC, released a report that found that businesses are succumbing to off-channel communications because of the information present on the firm’s representatives’ business cards and email signatures. The report also noted that representatives are forwarding communications through personal emails or referencing text message conversations in the bodies of emails.
Since the SEC and the U.S. Commodity Futures Trading Commission (“CFTC”) started their enforcement of recordkeeping violations involving the use of personal devices and off-channel apps for business communications, the two agencies' actions have yielded more than $2 billion in fines in recent years.
With the continued focus by the SEC and FTC, it is important for firms to clarify for their representatives what channels can be used for communication. Since it is inevitable that a representative will receive off-channel communication that was not initiated by them, it is important that the firm makes sure its policy on those situations is accessible to employees and that the staff have been trained to handle those matters.
| Director/Officer | Role | Company |
| --- | --- | --- |
| Robert Thompson | Founder | Financial Freedom Foundation d/b/a F3 Mastermind |
| Joseph James | CEO | Pison Stream Solutions, Inc. |
| Andrew Wiederhorn, Ron Roe & Rebecca Hershinger | Former CEO & Former CFOs | FAT Brands Inc. |
| Andreas Bechtolsheim | Founder | Arista Networks, Inc. |
| Jack B. Blount | CEO | Intrusion, Inc. |

| Director/Officer | Role | Company |
| --- | --- | --- |
| Robert Thompson | Founder | Financial Freedom Foundation d/b/a F3 Mastermind |
| Joseph James | CEO | Pison Stream Solutions, Inc. |
| Andrew Wiederhorn, Ron Roe & Rebecca Hershinger | Former CEO & Former CFOs | FAT Brands Inc. |
| Andreas Bechtolsheim | Founder | Arista Networks, Inc. |

| Amount | Director/Officer | Role | Company |
| --- | --- | --- | --- |
| $2,451,709.26 | Aleksandr Blyumkin | Officer | Petroteg Energy, Inc. |
| $74,399,704 | Sean Kelly | CEO | Red Rock Secured |
| $2,642,406.70 | Joshua Sason | Founder | Magna Group, LLC |
| $90,684.80 | Erik Deitsch | Former CEO | Nutra Pharma Corporation |

https://www.sec.gov/litigation/admin.htm