Memo #33829

Protecting Nonpublic Personal Information in a Data-Driven Distribution Model

October 18, 2021

TO: ICI Members
Investment Company Directors
Bank, Trust and Retirement Advisory Committee
Broker/Dealer Advisory Committee
Operations Committee
Small Funds Committee
Transfer Agent Advisory Committee

SUBJECTS: Cybersecurity
Distribution
Operations
Privacy
Recordkeeping
Technology & Business Continuity
Transfer Agency

RE: Protecting Nonpublic Personal Information in a Data-Driven Distribution Model

 

We are pleased to announce the publication of a new white paper, Protecting Nonpublic Personal Information in a Data-Driven Distribution Model.

Distribution of mutual funds depends more on intermediaries today than ever before.[1] Intermediary distribution strategies often require the exchange of nonpublic personal information (NPPI)[2] between counterparties to meet important regulatory, compliance, oversight, and distribution needs—especially for mutual fund asset managers and their funds' boards of directors. Exchanging NPPI introduces numerous risks for all parties, including the shareholder or intermediary whose information is being shared, the counterparties that send and receive the data, and any entities serving as conduits for information exchange. Risks include unlawful or unnecessary cyber or employee access, constantly shifting regulation regarding NPPI management, and the legal and financial liabilities that could result from an NPPI data breach.

The Investment Company Institute's Broker-Dealer Advisory Committee's Data Strategy Task Force undertook an initiative to identify current business use cases in fund distribution, shareholder servicing, and recordkeeping, and to understand how NPPI is shared between and used by mutual fund companies, intermediaries, and service providers. The white paper describes common practices and offers context and considerations for all parties regarding use and management of NPPI to support business activities. The paper can be considered as one resource in conjunction with an organization's information security policies to assess the extent to which NPPI is appropriately transmitted, received, stored, used, and disposed of.

The white paper may be accessed on the ICI website here.

Questions or comments on the white paper may be directed to the undersigned (jeff.naylor@ici.org; 202-326-5844). We hope the paper will assist the industry as it strives to achieve the best possible outcomes for fund shareholders and other stakeholders regarding the use and management of NPPI.

 

Jeff Naylor
Director, Operations and Distribution

 

endnotes

[1] Examples of intermediaries include broker-dealers; registered investment advisers (RIAs); bank/trust companies, including private wealth management organizations; recordkeepers for retirement plans, health savings accounts, and 529 qualified tuition plans; and insurance companies.

[2] The paper identifies 11 data points that may be considered NPPI. In some instances, any one data point may not, in and of itself, constitute NPPI; rather, it is the combination of data points available while in transit or at rest that can create NPPI. Page 4 of the paper describes how NPPI is identified.
