Memo #14162

PRIVACY EXAMINATIONS BY THE SEC

November 19, 2001

TO: PRIVACY ISSUES WORKING GROUP No. 5-01
    COMPLIANCE ADVISORY COMMITTEE No. 58-01

RE: PRIVACY EXAMINATIONS BY THE SEC

In a recent speech before broker-dealers, the Chief Counsel of the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission provided some insight as to the process the Commission staff is using to examine for compliance with Regulation S-P. According to the Chief Counsel, OCIE is “giving Regulation S-P a lot of attention.” He noted that firms should expect some level of review of compliance with the regulation in most examinations by the SEC and by self-regulatory organizations. He also noted that from the examinations conducted to date, OCIE has seen “substantial expenditures” by firms in complying with Reg. S-P and that firms have seen privacy as a competitive issue – i.e., “offering enhanced protection is good for business.”

Although the speech was directed to an audience of broker-dealers, it should provide insight to investment companies and investment advisers about what to expect in connection with a privacy examination.

With respect to what the staff is looking for in these examinations, he highlighted the following:

• Does the firm’s notice contain all the required information?
• If the firm must offer an opt-out, does the opt-out include all required information, is the method of opting out reasonable, and does the firm have an internal system for implementing opt-out requests?
• Does the firm’s method of delivery comply with the regulation?
• If information is shared with non-affiliates pursuant to an exception, does the sharing comply with the terms of the exception?
• Has the firm reduced its privacy policies and procedures to writing – i.e., does it have an internal working document that can serve as a management tool, as a standard for internal accountability, and as an internal control?
• What role has senior management played in developing or approving the privacy program and in signaling its attention, or lack thereof, to the firm’s privacy program?
• How is the firm staffing its privacy program?
• Has the firm conducted internal audits or reviews to assess its strengths and weaknesses?
• What sort of training is provided to staff relating to privacy compliance?

In addition to highlighting these areas of review, the Chief Counsel discussed the following questions that have arisen in OCIE’s examinations:

• Who conducted the due diligence for the disclosures in the privacy notice? He noted that firms “may be getting tough questions from an SEC examiner about how [the firm] can support its claims.”
• Is the firm’s notice clear and conspicuous? The Chief Counsel noted that, rather than having SEC examiners make subjective judgments about a firm’s disclosure, the SEC is setting up a Privacy Complaint Form on its website so investors can report the following information to the SEC relating to privacy: they did not receive a privacy notice; the notice was too long, too complicated, or too difficult to read; the notice contained typeface that was too small to read; they were discouraged from opting out by a representative of the company or by the language of the notice; the opt-out procedure was very complex or difficult to understand; when they tried to opt out they were unable to do so; they believed the company improperly shared information after the customer opted out; and they believe the company has allowed someone unauthorized access to their personal financial information.
• Do you have a reasonable system of privacy management? The Chief Counsel noted that the larger and more complex the organization, the greater the need to get its privacy program under management control.
• Are you paying attention to restrictions on the information coming in to the firm? While the SEC has seen “lots of attention” given to how nonpublic personal information leaves an organization, it has seen less attention given to possible restrictions attached to the information as it enters the organization. The Chief Counsel cautioned firms not to forget the restrictions on reuse and redisclosure of such information.
• How are you treating joint account holders? The Chief Counsel noted that Reg. S-P specifically requires that if a firm allows joint account holders to opt out separately, it must also allow each one to opt out for all. He noted that the SEC has seen problems in this regard with voice response units and training for call center operators. He recommends that firms double check their scripts and training materials to address this issue.

A copy of the Chief Counsel’s speech is attached.

Tamara K. Reed
Associate Counsel

Attachment
