SECURITIES CORNER

The SEC recently adopted amendments to Regulation S-P that will expand the scope of requirements applicable to domestic and foreign brokers, dealers, investment companies, and SEC-registered investment advisers. The purpose of the amendments is to increase the protection of nonpublic personal information and to ensure that customers are notified timely in the event of a security incident.

Regulation S-P was first adopted in 2000 in connection with the Gramm-Leach Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACT Act). Until these amendments, Regulation S-P imposed certain obligations on brokers and institutions, as well as regulated the treatment of nonpublic personal information without any policies or procedure requirements for responding to security incidents.

Generally, these amendments supplement Regulation S-P’s existing obligations but now enumerate certain obligations that must be complied with such as:

•  Incident Response Processes – When an incident occurs involving unauthorized access to or use of customer information brokers and institutions are required to undertake a reasonable investigation of the facts and circumstances and then take the appropriate steps to contain and control the incident.
• Incident Response Program – Brokers and institutions need to establish, maintain, and enforce an incident response program, which includes notifying affected individuals, oversight of service providers, and proper disposal of customer and consumer information.
• Notice to Affected Individuals – Under the new amendments, brokers and institutions need to notify affected person(s) as soon as reasonably practicable, but no later than 30 days, after becoming aware of the unauthorized access to or use of customer information.

These amendments aim to increase the compliance burden on brokers and institutions, specifically those who are not subject to the majority of Regulation S-P. Those that are or will be subject to these amendments should review their policies and procedures to ensure compliance with Regulation S-P as the deadline for compliance is June 3, 2026, for small institutions and December 3, 2025, for large institutions. 

Recently, the Division of Corporation Finance within the SEC issued three new Compliance and Disclosure Interpretations (C&DIs) related to the rules and forms adopted under Regulation AB, the Securities Act, and the Exchange Act with respect to asset-backed securities. While C&DIs would not be legally binding, they were issued to provide guidance to those responsible for compliance with federal securities laws.

1. C&DI 103.01 Securitization Participant – Information publicly available on EDGAR

The purpose of this C&DI focuses on affiliates and subsidiaries who may be considered “securitization participants” under Rule 192. Consistent with prior public statements, the SEC confirmed that merely having access to or receiving information that is publicly available on EDGAR, by itself, did not render an affiliate or a subsidiary a securitization participant.

2. C&DI 112.01 Form Eligibility for Public Utility Securitizations

This C&DI clarified the proper registration process for offering securities backed by securitization property. The SEC confirmed that:

(1) Form SF-1 would be the proper registration statement form; and

(2) Form 10-K, Form 8-K, and Form 10-D would be the proper forms for periodic reporting for public utility securitizations regardless of whether they are structured as stand-alone trusts or “series trusts.”

• The SEC also noted that since series trusts were Exchange Act ABS, these issuers should refrain from making statements in their filings that they were not asset-backed issuers. They should also abstain from stating that their securities were not asset-backed securities because such statements would be inaccurate.

3. C&DI 301.04 Item 1101(c) – Single Asset Securitizations

Lastly, this C&DI states that a security that is supported by the cash flow of a single asset satisfies the requirement in Item 1101(c)(1) of Regulation AB. The requirement provides that an asset-backed security be primarily serviced by the cash flows of a discrete “pool” of receivables or other financial assets. The SEC clarified that the term “pool” does not require more than one asset. Rather, it refers to the general absence of active pool management. Issuers should note that this C&DI did not change the requirements of other rules and regulations.