As we have previously discussed, Rule 30 of Regulation S-P (“Regulation S-P”) issued by the U.S. Securities and Exchange Commission (“SEC”) requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information. For state registered investment advisers, the Federal Trade Commission (“FTC”) has enacted Safeguard Rules, which are similar to Regulation S-P. Additionally, some states have enacted their own information security requirements that apply to SEC and state registered investment advisers.
In addition to these requirements of Regulation S-P and the FTC Safeguard Rules, each investment adviser must develop a privacy policy notice that must be provided to each client at the time of establishing a relationship with the client and not less than annually during the continuation of the relationship with the client. We typically recommend that the initial privacy policy notice be provided at the same time the investment adviser initially provides its Form ADV Part 2A Disclosure Brochure to the client. It is then recommended that the annual delivery of the privacy policy notice take place at the same time the investment adviser provides its annual offer or delivery of the Form ADV Part 2A. It is important to note, however, that the privacy policy notice must be delivered to clients annually and not simply offered.
At a minimum, an investment adviser’s privacy policy notice should include the following information:
- A general description of the investment adviser’s policies and procedures to protect the confidentiality, security and integrity of clients’ non-public personal information;
- Categories of clients’ non-public personal information collected by the investment adviser;
- Categories of clients’ non-public personal information disclosed by the investment adviser;
- If applicable, categories of all affiliates or non-affiliated third-parties of the investment adviser that may receive the information; and
- If applicable, an explanation of a client’s right to opt-out or opt-in to the investment adviser’s disclosures and the method used to exercise that right.
The SEC has created a safe-harbor model form that includes all of this information and satisfies the disclosure requirements under Regulation S-P.
RIA Compliance Consultants will be presenting a webinar, “Establishing Information Security Programs for Registered Investment Advisers”, on Thursday, September 13, 2012 at 12:00pm CDT to provide investment advisers guidance on the importance of establishing and implementing written information security programs designed to protect confidential client information. Click here to register for this event.
If your investment adviser needs assistance creating a privacy policy notice, developing a written information security plan or would like help reviewing an existing plan, RIA Compliance Consultants can assist you. If you are an existing client of RIA Compliance Consultants, contact your consultant to discuss your needs. If you have not previously worked with RIA Compliance Consultants, click here to schedule a time to speak with one of our compliance consultants.
Posted by Bryan Hill
Labels: Compliance Program, Information Security, Privacy Policy