SEC Uses Disposal Proposal to Require Written Reg. S-P Safeguard Procedures
Since 2001, SEC-registered advisers have been required to adopt procedures designed to safeguard customer information. However, those procedures were never required to be in writing.
Thatís about to change.
The SEC last week quietly posted proposed amendments to Reg. S-P designed to implement a provision of the Fair Credit Reporting Act (FCRA) dealing with the disposal of consumer report information (more on that below). Taking the "well, while weíre at it" approach to rulemaking, the SEC used the proposal to fix something that undoubtedly has been irking it since the ink dried on Reg. S-P back in 2001: the fact that the safeguard procedures required to be adopted under Reg. S-P have not been required to be in writing.
In the course of examining advisers, funds, and broker-dealers for compliance with the safeguard rule, said the SEC, "our staff has identified firms that lack written policies and procedures that address the safeguarding of customer information and records." The SEC said it was "taking this opportunity" to require those procedures to be in writing, something that the Commission said "would impose no significant burden on the firms subject to the safeguard rule because they have been required to have reasonable policies and procedures since 2001." The new amendment, they explained, "only requires them to document these policies and procedures."
The upshot: the amendment is likely going to be adopted. So, to save yourself a step down the line, make sure your compliance program includes written safeguard procedures (something the SEC has already suggested in the compliance program adopting release).
Turning to the main purpose of the SECís proposal: the rulemaking would amend Reg. S-P to require SEC-registered advisers that have consumer report information to adopt procedures reasonably designed to make sure the information doesnít fall into the wrong hands after it has been disposed by the firm. Registered and unregistered funds, most broker-dealers, and registered transfer agents also would be subject to this requirement. Firms that receive consumer report information for business purposes would have to "properly dispose" of it "by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
What, exactly, is a consumer report? And do advisers even get that sort of stuff?
FCRA generally defines a consumer report as any written or oral communication by a consumer reporting agency containing information bearing on an individualís "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living" used or collected for the purpose of establishing the consumerís eligibility for creditworthiness, employment, or a number of other business-related purposes.
Many advisers may find that they do not obtain information from consumer reporting agencies. However, advisers that run background checks on their employees or investors may find that they do have this information, and therefore would be required to adopt the new procedures.
Keep in mind that "consumer report information" is broader than the "customer information" covered in current Reg. S-P. Interestingly, the SEC said that it expects that an entity subject to Reg. S-Pís safeguard rule "would already have addressed the disposal of customer records and information as one part of its overall safeguard policies and procedures."
Helpfully, the SEC explained that the proposal would not require "perfect destruction" in "every instance." Instead, it would require reasonable steps to protect against unauthorized access, given factors such as the informationís sensitivity, the size of the adviser (or other disposing entity) and the complexity of its operations, and the costs and benefits of different disposal methods. The SEC provided some ideas as to what might be reasonable disposal methods. Among them: "burning, pulverizing, or shredding" papers and "destruction or erasure of electronic media" containing consumer report information.
Like the recent Reg. S-AM amendments, which also implemented a FCRA provision, the disposal proposal features a lightening-fast 30 day comment period.