SEC Adopts Amendments to Regulation S-P
Introduction
The SEC adopted amendments to Regulation S-P that were first proposed on March 15th, 2023.
These amendments will apply to the following:
- Registered Investment Advisers (“RIAs”);
- Broker Dealers;
- Investment Companies; and
- Transfer Agents.
The goal of these amendments is to increase consumer financial information protection in our modern age. With the increased risk of harm to investors due to technological changes since the initial Regulation S-P in 2000, a minimum standard at the Federal level for institutions should help provide additional protection.
Rule Changes
- Covered institutions must adopt an Incident Response Program as part of their written policies and procedures under the Safeguards Rule.
  - The program must be reasonably designed to detect, respond to, and recover from unauthorized access of customer information.
  - The Incident Response Program must also establish, maintain, and enforce policies and procedures reasonably designed for oversight of service providers.
- Covered institutions must notify individuals who have had or may have had their information accessed or used without authorization.
  - The notice must be provided as soon as practical, but no later than 30 days.
  - The notice must include:
    - Details of the incident.
    - What data was breached.
    - How the individual can take steps to protect themselves.
- The Safeguards and Disposal Rules of S-P are expanded to cover both nonpublic personal information obtained by the Firm and similar information obtained by a different financial institution.
- Covered institutions, other than funding portals, must make and maintain documentation showing the steps taken to comply with the Safeguards and Disposal Rules.
- Transfer Agents registered with the Commission or another appropriate regulatory agency are now included in the Safeguards and Disposal Rules.
- Small entities will have a longer effective date; small entities are defined as:
  - Broker Dealers that had total capital of less than $500,000 on the date in their prior fiscal year as of which their audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of their prior fiscal year, and are not affiliated with any person that is not a small entity.
  - A Transfer Agent that:
    - Received less than 500 items for transfer and less than 500 items for processing during the preceding six months;
    - Transferred items only of issuers that are small entities;
    - Maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year; and
    - Is not affiliated with any person that is not a small entity.
  - An Investment Company that, together with other Funds in the same group of related Funds, had net assets of $50 million or less as of the end of its most recent fiscal year.
  - An RIA that:
    - Manages less than $25 million in assets;
    - Has total assets of less than $5 million on the last day of its most recent fiscal year; and
    - Does not control, is not controlled by, and is not under common control with another Investment Adviser that manages $25 million or more in assets, or any person that has had total assets of $5 million or more on the last day of the most recent fiscal year.
Vigilant’s Conclusion
With the requirement to adopt new policies and procedures (e.g., Incident Response Program), Firms should perform a Gap Analysis of their current policies and procedures to determine what steps need to be taken to comply with the new amendments.
Large entities will have 18 months after the date of publication to comply. Smaller entities will have 24 months after the date of publication.
It is vital that Firms document the steps they are taking and reach out to experienced compliance professionals to determine the next best steps.
Connect with Vigilant to help evaluate your compliance program and structure it for success in this turbulent regulatory climate.