Speech by SEC Staff:
Implementing the New Privacy Regulations
Luncheon Address by
John H. Walsh
Chief Counsel, Office of Compliance Inspections and Examinations
SIA Legal & Compliance Regional Conference
September 25, 2001
Thank you. I am very glad to be here.
Before I do anything else, let me remind you that the views I am about to express are my own,
and not necessarily those of the Commission or my colleagues on the Commission's staff.
Today, I am going to talk about what we are doing in the examination program to oversee your
implementation of Regulation S-P, the Commission's new privacy rule. But before I do, I think we
should pause, for just a moment, to remember that the attack on the World Trade Center was only two
weeks ago. These have been eventful weeks, but the attack remains fresh in our minds.
Anyone who has been around this business, for any length of time, understands that working in
the securities industry, despite its size and diversity, is like working in a small town. Our own
neighborhood, legal and compliance, is smaller still. Whether we practice in a street firm, a law
firm, or a regulator, we work in a national community of friends, relatives, colleagues, former
colleagues, and people whose paths meet ours, often again and again. A lot of our neighbors were in
the World Trade Center. We are all in mourning, and in shock.
Nonetheless, I am glad this conference has gone forward. I believe, in going forward, in our own
small way, we are showing that we will not be diverted from our goals.
Certainly, protecting in investors' financial privacy is an important regulatory goal. Indeed,
it has become a significant issue on almost every level of policy and regulation.
Congress has played a leadership role. It established the basic framework for the regulatory
regime in the Gramm-Leach-Bliley Act and continues to give this area a lot of attention. There are
currently several dozen privacy bills circulating on Capitol Hill.
State legislatures are working on privacy bills. In one closely watched bill, California
considered a standard that would have gone above and beyond federal law.
Other countries are also addressing these issues. For example, our European allies are
implementing their own privacy standards. Discussions have been held about how the U.S. approach
relates to theirs.
State insurance regulators are involved. Through the National Association of Insurance
Commissioners, the NAIC, they have developed privacy standards and a supervisory program for
The Federal Trade Commission has issued regulations that could affect some members of the
securities industry, specifically transfer agents and state registered investment advisers.
Bank regulators, including the Federal Reserve and the Comptroller of the Currency, have issued
regulations and supervisory procedures.
And finally, last but not least, the Commission has issued Regulation S-P. From this point, I am
going to focus on Regulation S-P. We should remember, however, that Regulation S-P is part of a
much broader movement to protect and enhance financial privacy.
Everyone here should know that Regulation S-P is fundamentally a disclosure rule. You must
disclose your privacy policies and procedures in a document called the Privacy Notice. This is the
heart of the Rule. When it works as intended, investors will obtain the information they need to
select among competing firms based on the level of privacy protection each provides.
Of course, Regulation S-P has other requirements as well. It has rules on minimum standards of
delivery, how to distinguish between consumers and customers, how to treat joint accounts, and
more. It requires firms that share confidential information with non-affiliates to offer consumers
and customers the opportunity to opt out of the sharing, unless it is done pursuant to certain
defined exceptions. Finally, it requires securities firms to establish policies and procedures to
safeguard customer records and information.
In the examination program, we are giving Regulation S-P a lot of attention. As always, our work
began after the Commission made its legal and policy decisions, and issued the Rule. Our mission is
to foster your compliance, search out violators, and keep the Commission informed. We are doing all
of this with Regulation S-P.
Specifically, what are we doing?
We started examining for compliance with Regulation S-P early this year - several months before
the full compliance date of July 1.
It might seem odd that we were examining firms before they were required to be compliant. But we
believe early examinations play an important preventive role. Getting out into the field, before a
regulation is in force, gives us an opportunity to monitor the industry, and to warn laggards,
before it is too late.
Our program had two tracks.
On the first, regional and district offices asked a series of general questions in the context
of regular examinations. We asked how the firm was managing its privacy program, progressing on
drafting its Notices, and various related questions. We conducted several hundred of these reviews.
At the same time, in a small sample of firms, teams from headquarters conducted in-depth
reviews. Reviews on this second track lasted several days, and were focused exclusively on
We selected firms for this smaller sample on several grounds, including affiliations, business
model, products offered, and others. When people discover they have been selected for a more
searching review, I think it is natural to ask "what have we done to deserve this?"
The fact is you may have been selected for any number of reasons.
We believe the combination of these two types of reviews wide and shallow, and narrow and
deep - provides us with a higher quality perspective than any one type of review could provide on
its own. For those of you who were around for the Y2K program, this should sound familiar. We used
the same kind of approach back then as well. And, in fact, just like Y2K, we encountered firms,
right up to the full compliance date, that said "Regulation What?" Luckily, they were
mostly small outfits that could catch up quickly.
Now that we have passed the full compliance date, the stakes are raised. We have to treat a
violation more seriously, and I expect we will issue more deficiency letters. But the basic
structure of our program remains in place.
Regional and district offices will continue to review firms' compliance in the context of
regular examinations. You should expect some level of review in most examinations. In addition,
using our risk-based approach, in selected examinations, the staff may conduct a more in-depth
review. Finally, the New York Stock Exchange and NASDR have also incorporated Regulation S-P into
their examination programs.
At the same time, we will continue to conduct stand-alone in-depth reviews of selected firms.
These will generally be directed toward a specific goal. For example, we are currently planning a
joint examination sweep with the NAIC. Our goal is to examine selected financial complexes that
include both an insurance company and a securities firm. Combined teams of SEC and state insurance
examiners will take a consolidated look at the complexes' privacy programs. This will be the first
time that SEC examiners and state insurance examiners have gone into the field together to conduct
a joint sweep.
When we conduct these examinations regional and district offices, headquarters, and
coordinated sweeps what are we looking for?
On one level, we are simply working our way through the many technical requirements of the Rule:
- Does your Notice contain all the required information?
- If you must offer opt outs, does your Opt Out Notice contain all the required information?
- Does your method of delivery comply with the Rule?
- Do you offer a reasonable method of opting out?
- Have you, in fact, established an internal system for implementing the opt outs you receive?
- If you share information with non-affiliates pursuant to an exception, does the sharing
actually comply with the terms of the exception?
This is a long and complex regulation. Just working through its technical requirements is a
Nonetheless, good compliance only begins with technical implementation. We are also interested
in the culture of compliance you have established. In particular, with our risk-based approach to
examinations, your culture of compliance will help us determine whether we need to conduct a
detailed review of your technical compliance.
What do we look for?
- Have you reduced your privacy policies and procedures to writing? I do not mean just the
summary contained in your Privacy Notice. Instead, do you have an internal working document that
can serve as a management tool, as a standard for internal accountability, and as an internal control?
- What role has senior management played in developing or approving your privacy program? Good
compliance always starts at the top. What has your senior management done to signal its attention
and interest, or lack thereof?
- How are you staffing the program? Have you gathered the expertise and sophistication you need
to handle your organization's level of complexity?
- Have you assessed your own strengths and weaknesses through internal audits or consultant
reviews? A number of firms are having this done, and have been willing to share the reports with us.
- What sort of training do you provide to your staff? This is critical. Your compliance
is only as good as its weakest link. If you have untrained employees talking to clients about
privacy, and that could be anyone who has client contact, you may be setting yourself up for future
In short, we are approaching Regulation S-P just like any other Commission rule. Ultimately, we
want to know if you are complying with its technical requirements. However, in regular
examinations, where we look, and how deeply we look, will be determined by our assessment of your
culture of compliance.
What have we seen in our examinations so far? Let me start with a few general observations.
First, we have seen substantial expenditures. At the high end, particularly for complexes
containing multiple types of financial firms, we have seen expenditures in the millions of dollars.
I don't care how big a business you work for; when a compliance project gets into the millions of
dollars, people start to notice. On the other hand, at the low end, smaller and simpler firms
appear to be spending much less.
Second, we are seeing real attention to competitive issues. We have seen a number of firms go
beyond the requirements of the Rule, such as by restricting information sharing with affiliates, or
offering opt outs where none was required. Generally, it appears firms are doing this because they
believe people care, and they have concluded that offering enhanced protection is good for business.
In this regard, firms also seem to be watching each other very carefully, and worrying that they
may lose customers to rivals offering better protection. We have seen firms suddenly change
policies in mid-course, including one that did so after it had begun mailing its Notices, because
of these concerns.
Finally, these competitive and business decisions can carry a serious price tag. We visited one
firm that considered two levels of privacy protection. I'll call them "basic" and
"enhanced." "Basic" would provide what the Rule requires. "Enhanced"
would provide additional voluntary protection, essentially, offering an opportunity to opt out when
none was required. I don't want to give actual dollar amounts, but the firm determined that the
"enhanced" option would cost ten times as much as the "basic."
The bottom line the privacy race, like the arms race, is not cheap. Firms are betting real
money on how their customers will respond to privacy issues.
I would like to conclude by raising a few questions that have come up in our examinations. You
may want to think about these as you work on your own internal best practices.
(1) Who conducted the due diligence for the disclosures in your Privacy Notice?
To put this another way: are you ready to live with the claims you made?
If you think investors will be interested in your Privacy Notices, you can bet we will be
interested too. If your Marketing Department is sensitive to privacy issues, that is great. On the
other hand, you may want to keep a careful eye on what is being done to "jazz-up" the
Notice. Too much, and you may be getting tough questions from an SEC examiner about how you can
support your claims.
Fundamentally, have you read your Privacy Notice? Have you gone through it line-by-line and
asked yourself; are we ready to substantiate each one of these assertions? Are we ready to deliver
on each of these promises?
(2) Is your Notice clear and conspicuous?
This is an issue that is receiving a lot of attention.
Some observers have opined that the current round of Privacy Notices are neither clear nor
conspicuous. At the same time, others have indicated that it is not always easy to determine, in
the abstract, what is clear and what is conspicuous.
To address these concerns, the examination program and the Commission's Office of Investor
Education and Assistance are setting up a Privacy Complaint Form on the SEC's Internet Web
Site. Our goal is to avoid having SEC examiners make subjective judgments about your disclosure.
Instead, we are going to the best source for information on whether investors are experiencing
problems, investors themselves.
The potential areas of concern identified on the form are probably what you would expect.
Investors can tell us that:
- They did not receive a privacy notice.
- The privacy notice was too long, too complex, or too difficult to read.
- The privacy notice contained typeface that was too small for them to read.
- They were discouraged from opting out by a representative of the company, or by the language
of the privacy notice or opt out notice.
- The opt out procedure was very complex or difficult to understand.
- When they tried to opt out, they were unable to do so.
- Even though they opted out, they believe the company has improperly shared their personal
- And finally, they believe the company has allowed someone to gain unauthorized access to
their personal financial information.
You can expect us to be mindful of any complaints we receive. In addition, in examinations, you
can expect us to review any complaints that went directly to you.
(3) Do you have a reasonable system of privacy management?
The larger and more complex your organization, the more you need to get your privacy program
under management control.
When we arrive in a shop and the privacy management team gives us a professional briefing, it is
a good experience for everyone. On the other hand, when we witness arguments, on the registrant's
side of the table, over who is responsible for what, it does not fill us with confidence.
Also, this is an ongoing enterprise. You need to stay on top of changes in how your
organization uses customer information. You need to manage privacy for the long haul.
(4) Are you paying attention to restrictions on the information coming into your firm?
We have seen lots of attention given to how nonpublic personal information leaves an
organization. Unfortunately, we have seen less attention given to possible restrictions attached to
the information when it enters the organization. Do not forget the restrictions on reuse and redisclosure.
(5) How are you treating Joint Account Holders?
Remember the Rule specifically states that if you allow joint account holders to opt out
separately, you must also allow each one to opt out for all. We have seen problems in this regard
with Voice Response Units and training for call center operators. You may want to double-check your
scripts and training materials.
In sum, we are looking very carefully at Regulation S-P. It should have your attention as well.
But I am confident that the securities industry will be ready, because protecting customers'
financial privacy is not a new issue. Securities firms have routinely gathered and protected
confidential client information for many years. You gather it, because you need it to provide your
services. You protect it, not least because you want to keep it out of the hands of your competitors.
Indeed, some of you might say that your most common problem arises when employees guard
information too zealously. When registered representatives slowly and patiently build up a
"book" of confidential client information, they are loath to share it with anyone,
including, on occasion, supervisors, employers, and regulators.
I have seen this myself. There is one examination in particular that I often think of in this
context. It took place several years before the Commission adopted Regulation S-P.
When I started to interview a local manager about his client files, he insisted that I describe,
in detail, how the Commission protects the confidentiality of examination information. Then, even
after he was willing to go forward, he repeatedly interrupted me to remind me that I was asking for
confidential information and to engage me in further dialogue. It was not an easy interview.
At first I thought he was trying to obstruct the interview. But, when he finally started to
provide answers, his information checked out. Eventually, I started to think, each time the
dialogue resumed, perhaps he means what he says. What he said was that his clients trusted him, and
to vindicate their trust, he believed he must protect their confidences.
And just in case you're wondering, his clients were not celebrities, or the rich and famous. He
had a fairly ordinary book of business in a small city.
By the end of the interview, I was impressed, and I told him so. I told him that I respected his
sense of duty to his clients.
And I continue to believe that his spirit defending client confidences as a matter of trust
will carry us through the implementation of Regulation S-P.
Moreover, as I look at the wider world, and the stressful events in it, I suspect that the same
spirit of duty, and the same vigor in protecting those who trust us, will carry us through a lot
more than Regulation S-P.
Thank you very much.