May 13, 2008
It is a commendable effort to streamline the information security and privacy aspects of this business via regulation. In addition to the generic principles and guidelines, I would also suggest offering a model / guideline controls framework that can be adapted according to the size and risk profile of the business.
Something similar to AAF 01/06. The framework will also be useful for SAS70 purposes, as in most cases it will tread into the service organisations' territory; otherwise it will be left to the auditor's and client's discretion to curtail the attestable controls.
Re broker-dealers and investment advisers, the final decision should rest with the investor/client, and the firm should provide the leaver's contact information only upon request of the investor/client. Direct solicitation of the client by the leaver should be disallowed for a certain period of time to protect both the client and the firm's business.