Summary: For 85 years, the Securities and Exchange Commission – SEC has been at the forefront of protecting the American economy and customers. Their stance on protecting customers’ private information has been rather stringent, levying fines and penalties on organizations like fining many brokerage firms US $750,000 for failing to protect PII. This blog looks into SEC's role in defending customers’ rights and safeguarding their personal financial information.
The Securities and Exchange Commission (SEC) is responsible for safeguarding the personal financial information of US citizens. SEC does this by regulating the financial industry and enforcing laws that require companies to keep consumer information safe, like the Privacy of Consumer Financial Information regulation and the Disposal of Consumer Report Information. The recent fine imposed on Morgan Stanley highlighted the role of the SEC as an ombudsman.
What is SEC & Its Role in Protecting Financial Information?
SEC is an independent agency of the US federal government responsible for protecting investor rights and maintaining the integrity of the securities markets. One of the ways the SEC does this is by ensuring that companies and individuals registered with the SEC comply with federal securities laws. The SEC also regulates how securities are traded in the stock exchange market and can take enforcement action against companies or individuals who violate the securities laws. The scope of SEC powers is extensive, but this blog will focus only on its role in protecting financial information.
As per SEC Release 34-42974, Regulation S-P requires that licensed broker-dealers, investment firms, and investment advisors “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
SEC adopted section 504 of the Gramm-Leach-Bliley Act in the form of Privacy of Consumer Financial Information (Regulation S-P, Privacy Rules). According to Section GLBA Sec 504, the commission and other federal agencies must create regulations outlining the notice requirements and limitations on financial institutions’ ability to disclose non-public personal information (NPI) about customers. The regulation came into effect on 13th Nov 2000 and became a compliance requirement from 1st July 2001.
Furthermore, to ensure the Disposal of Consumer Report Information, the SEC amended Regulation S-P via Release 34-50781, which mandates that financial institutions develop policies and practices to protect customer information. The amendment implements requirements in Section 216 of the Fair and Accurate Credit Transactions Act of 2003. It states that anyone who maintains or owns consumer report information, or any compilation of consumer report information derived from a consumer report, for a business purpose is required to dispose of the information correctly. The amendments also require the policies and procedures adopted under the safeguard rule to be in writing. It came into effect on 11th Jan 2005 and became a compliance requirement from 1st July 2005.
What Does Privacy of Consumer Financial Information Mean?
The GLBA Subtitle A of Title V limits the circumstances in which a financial institution may disclose NPI about a consumer to unaffiliated third parties. It necessitates that a financial institution discloses to all its customers the institution’s privacy policies and practices concerning information sharing with affiliates and non-affiliates.
Let’s take a look at the various provisions of the regulation and what they mean:
- Subpart A (Sections 248.4 to 248.9)
“Privacy and Opt-Out Notices”
It covers the delivery of initial and annual notices about a financial institution’s privacy policies and practices. It also covers how customers can opt-out of their institution sharing their Non-public personal information (NPI) with third parties.
- Subpart B (Sections 248.10 to 248.12)
“Limits on Disclosure”
This subpart proposes restrictions on the disclosure of NPI to non-affiliated parties and re-disclosure or reuse of information that a financial institution distributes to third parties. It also restricts sharing of account number information for marketing reasons.
- Subpart C (Sections 248.13 to 248.15)
This subpart provides the exceptions that allow brokers, dealers, banks, etc., from the provisions of providing privacy and opt-out notices to customers. In addition, this exception allows disclosure of information to non-affiliated parties if it is required for handling or servicing the customer’s account or if required by applicable local, state, or federal laws.
- Subpart D (Sections 248.16 to 248.18)
“Relation to Other Laws; Effective Date”
This subpart includes clauses that describe how the rule interacts with specific other laws and provide an effective date and a compliance date to the regulation.
- Subpart E (Section 248.30)
“Procedures to safeguard customer information and records”
This part discusses ways to protect consumer records and information. It requires that proper standards be established for financial institutions regarding administrative, technical, and physical safeguards. Accordingly, the regulation requires every broker-dealer, fund, and registered adviser to devise & adopt policies and procedures to ensure they abide by the safeguards. Furthermore, it requires that the policy address the following areas as well:
(a) Protect against potential threats or hazards to customer records and information security or integrity.
(b) Ensure the security and confidentiality of customer records and information.
(c) Prevent unauthorized access to or use of customer records or information that could cause any customer significant harm or inconvenience.
What Does Disposal of Consumer Report Information Mean?
The Fair Credit Reporting Act (“FCRA”) was modified by Section 216 of the FACT Act, which added a new requirement for those who store or hold consumer information generated from consumer reports for commercial or business purposes. The entity should ensure the proper disposal of that information. This clause was implemented to safeguard consumers from the risks associated with unlawful access to their personal financial information in customer reports, frauds, identity thefts, etc. The amendment also requires that the policies should be “written.”
Let’s take a look at the various provisions of the amendment and what they mean:
“Disposal of consumer report information and records”
The rule requires that when disposing of information, it would be necessary for covered businesses to take reasonable precautions to prevent unlawful access to or use of the information. However, the interpretation of reasonable has been left to the organization considering the sensitivity of the consumer report data, the scope and scale of the operations, the advantages and disadvantages of various disposal strategies, and pertinent technological advancements.
“Procedures to safeguard customer records and information”
The amendment also envisioned updating the safeguard rules to mandate the writing of policies and procedures under the safeguard rule. As identifying these policies & procedures and checking for compliance with safeguard rules in the absence of reasonable documentation is challenging.
Regulation S-P provides an exhaustive framework that discusses in detail the background of the regulation, comments from customers and industry experts, section-by-section analysis, comparison charts, cost-benefit analysis, etc., that can be read here.
SEC: A Custodian for Safeguarding Customers’ Information
The disposal rule aims to lower the risk of fraud and related crimes, including identity theft, by preventing the unauthorized disclosure of information from consumer reports. It requires covered entities to take reasonable precautions to guard against unauthorized access to consumer reports during disposal else, the organization will bear the ramifications of huge penalties just like Morgan Stanley. The SEC has recently implemented its widely reported commitment to pursue laws with greater vigor, evident in the tough stance that SEC has taken against erring organizations. The message is clear organizations must ensure they follow and abide by the laws or be ready to face legal and financial ramifications.