Safety of Your Client’s Personal Information –
What You Need to Consider…

Contributed by: Beverly Fetcko

Because of the increasing number of information security breaches involving broker-dealers and investment advisory firms, the SEC has determined that there is a potential for identity theft and other misuse of personal financial information. It is concerned that firms are not regularly re-evaluating and updating their systems to keep pace with increasingly sophisticated modes of attack, such as “phishing” sites that target the financial sector.

As a result of these threats, the Securities and Exchange Commission (SEC) has proposed amendments to Regulation S-P that, if passed, will require broker-dealers and registered investment advisors to adopt a comprehensive information security program. A part of this proposed rule introduces mandatory recordkeeping requirements and limits the client information that registered representatives may take with them when moving from one brokerage or advisory institution to another.

These are still considered proposed amendments to Regulation S-P; however, we now also have the FACT Act. You may be familiar with the FACT Act (the Fair and Accurate Credit Transactions Act of 2003) as a banking regulation; however, legislation passed in 2008 broadened the definition of “financial institution.” This broadened definition could mean that some broker-dealers and registered investment advisors are now covered under the requirements of the Act, which would necessitate the implementation of a Written Identity Theft Program by May 1, 2009.

Chief compliance officers (CCOs) should first determine if the firm is considered a “financial institution” or a “creditor” under the Act’s definition. Firms that directly or indirectly hold transaction accounts belonging to a consumer meet the definition of financial institution. The inclusion of “indirectly” means that firms that introduce customers to a clearing firm, product sponsor or investment company that holds accounts would be considered a financial institution under this definition. (Keep in mind that the definition of “consumer” within the Act refers only to individuals, not institutions.) In addition, if your firm regularly extends, renews or continues credit, or regularly arranges for the extension, renewal or continuation of credit, you meet the definition of “creditor.” This includes introducing or clearing firms providing margin, or firms arranging loans to individuals and/or institutions. If your firm meets either of these definitions, a formal Written Identity Theft Program must be drafted.

Another consideration in protecting customer information is that 44 states have adopted, or are in the process of adopting in 2009, their own identity theft programs requiring, at a minimum, data encryption by any entities that own, license, store or maintain personal information about residents of their state. Personal information in most jurisdictions is defined as a resident’s first and last name, or first initial and last name, along with one of the following elements:

  • Social Security number
  • Driver’s license or resident ID number
  • Financial account, credit or debit account number, with or without security code or personal identification code.

Personal information that is publicly available is exempt. 

The following is a list of things firms should consider including in their Identity Theft Program to ensure compliance with state privacy requirements and the FACT Act, as well as SEC Reg S-P, when enacted.

  • If you use a wireless network, it needs to be encrypted.
  • Any personal data sent over the Internet or saved on laptops or flash drives should also be encrypted.
  • Ensure your firewall is supported and up-to-date with the latest firmware and security enhancements.
  • Make certain strong password policies are in place.
  • All backup and offsite data containing personal information needs to be encrypted and password protected.
  • Any information that is stored on a handheld device should be protected by a password, with the firm’s password policy enforced on the device.
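The two points above that most often need to be translated into working controls are the definition of “personal information” (a name plus one of the listed elements) and the requirement that such data be encrypted before it is saved to a laptop, flash drive or backup. The following Go program is an added example, not code from the newsletter or from Regulatory Compliance; it assumes a hypothetical `ClientRecord` type, a constructed passphrase standing in for a real key-management system, and sample client values that are made up. It classifies a record under the state definition and, when the record qualifies, seals it with AES-256-GCM so that the copy written to removable media is both confidential and tamper-evident.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ClientRecord is a hypothetical, simplified view of the fields a small
// broker-dealer might hold for an individual client.
type ClientRecord struct {
	FirstName  string `json:"first_name"`
	LastName   string `json:"last_name"`
	SSN        string `json:"ssn,omitempty"`
	DriversLic string `json:"drivers_license,omitempty"`
	AccountNum string `json:"account_number,omitempty"`
}

// IsPersonalInformation applies the state-law definition described in the
// newsletter: a name (first and last, or first initial and last) combined
// with at least one of SSN, driver's license / resident ID, or a financial
// account number. A name alone, or an identifier with no name, does not
// qualify. The public-availability exemption is not modeled here.
func IsPersonalInformation(r ClientRecord) bool {
	hasName := strings.TrimSpace(r.FirstName) != "" && strings.TrimSpace(r.LastName) != ""
	if !hasName {
		return false
	}
	hasSSN := strings.TrimSpace(r.SSN) != ""
	hasLic := strings.TrimSpace(r.DriversLic) != ""
	hasAcct := strings.TrimSpace(r.AccountNum) != ""
	return hasSSN || hasLic || hasAcct
}

// keyFromPassphrase derives a 256-bit AES key. Hashing a passphrase with
// SHA-256 keeps this example dependency-free; a real deployment would use a
// password KDF (PBKDF2, scrypt, Argon2) or a key from a managed key store.
func keyFromPassphrase(pass string) []byte {
	k := sha256.Sum256([]byte(pass))
	return k[:]
}

// Seal encrypts plaintext with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, so Open can recover the nonce and the
// authentication tag detects any modification of the stored file.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal and fails closed if the data was altered or the key is wrong.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ProtectRecord returns the bytes that may be written to a laptop, flash
// drive or backup. Records meeting the personal-information definition are
// always encrypted; the boolean tells the caller (and its audit log) whether
// encryption was applied.
func ProtectRecord(key []byte, r ClientRecord) ([]byte, bool, error) {
	raw, err := json.Marshal(r)
	if err != nil {
		return nil, false, err
	}
	if !IsPersonalInformation(r) {
		return raw, false, nil
	}
	sealed, err := Seal(key, raw)
	return sealed, true, err
}

func main() {
	key := keyFromPassphrase("constructed-example-passphrase") // placeholder, not a real secret
	rec := ClientRecord{FirstName: "Ann", LastName: "Doe", SSN: "123-45-6789"} // constructed sample
	out, encrypted, err := ProtectRecord(key, rec)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted=%v stored_bytes=%d\n", encrypted, len(out))
}
```

The classification step is kept separate from the encryption step on purpose: the firm’s policy (which fields trigger protection) can be reviewed and tested on its own, while the sealing routine stays a fixed, authenticated-encryption primitive. GCM was chosen over a plain block mode because a backup or flash drive can be altered as easily as read, and `Open` refusing tampered data is what makes the stored copy trustworthy when it is restored.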

Firms must also consider paper document storage and protection when developing their program. Things to consider in this area would include:

  • Ensure that documents containing private information are not left on a desk or in other areas where they are visible to persons who should not see them, such as cleaning crews and persons not affiliated with the broker-dealer;
  • Ensure that documents are not simply thrown in the trash but are disposed of in a manner that protects confidential information;
  • Only obtain the information necessary to achieve the intended purpose. If you don’t need to run a credit check or obtain confidential medical history, then don’t.

Regulatory Compliance is monitoring regulatory developments in this area and will provide more information on the amendments to Regulation S-P as they become available. For more guidance on the FACT Act or the proposed amendment to Regulation S-P or things to consider when constructing the firm’s Identity Theft Program, contact your Compliance Partners account manager at (603) 434-3594 or (888) 734-2667.

Copyright ©2009 - Regulatory Compliance, LLC. All Rights reserved