U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Speech by SEC Staff:
Implementing the New Privacy Regulations

Luncheon Address by

John H. Walsh

Chief Counsel, Office of Compliance Inspections and Examinations

SIA Legal & Compliance Regional Conference
San Francisco
September 25, 2001

Thank you. I am very glad to be here.

Before I do anything else, let me remind you that the views I am about to express are my own, and not necessarily those of the Commission or my colleagues on the Commission's staff.

Today, I am going to talk about what we are doing in the examination program to oversee your implementation of Regulation S-P, the Commission's new privacy rule. But before I do, I think we should pause, for just a moment, to remember that the attack on the World Trade Center was only two weeks ago. These have been eventful weeks, but the attack remains fresh in our minds.

Anyone who has been around this business, for any length of time, understands that working in the securities industry, despite its size and diversity, is like working in a small town. Our own neighborhood, legal and compliance, is smaller still. Whether we practice in a street firm, a law firm, or a regulator, we work in a national community of friends, relatives, colleagues, former colleagues, and people whose paths meet ours, often again and again. A lot of our neighbors were in the World Trade Center. We are all in mourning, and in shock.

Nonetheless, I am glad this conference has gone forward. I believe, in going forward, in our own small way, we are showing that we will not be diverted from our goals.

Certainly, protecting in investors' financial privacy is an important regulatory goal. Indeed, it has become a significant issue on almost every level of policy and regulation.

Congress has played a leadership role. It established the basic framework for the regulatory regime in the Gramm-Leach-Bliley Act and continues to give this area a lot of attention. There are currently several dozen privacy bills circulating on Capitol Hill.

State legislatures are working on privacy bills. In one closely watched bill, California considered a standard that would have gone above and beyond federal law.

Other countries are also addressing these issues. For example, our European allies are implementing their own privacy standards. Discussions have been held about how the U.S. approach relates to theirs.

State insurance regulators are involved. Through the National Association of Insurance Commissioners, the NAIC, they have developed privacy standards and a supervisory program for insurance companies.

The Federal Trade Commission has issued regulations that could affect some members of the securities industry, specifically transfer agents and state registered investment advisers.

Bank regulators, including the Federal Reserve and the Comptroller of the Currency, have issued regulations and supervisory procedures.

And finally, last but not least, the Commission has issued Regulation S-P. From this point, I am going to focus on Regulation S-P. We should remember, however, that Regulation S-P is part of a much broader movement to protect and enhance financial privacy.

Everyone here should know that Regulation S-P is fundamentally a disclosure rule. You must disclose your privacy policies and procedures in a document called the Privacy Notice. This is the heart of the Rule. When it works as intended, investors will obtain the information they need to select among competing firms based on the level of privacy protection each provides.

Of course, Regulation S-P has other requirements as well. It has rules on minimum standards of delivery, how to distinguish between consumers and customers, how to treat joint accounts, and more. It requires firms that share confidential information with non-affiliates to offer consumers and customers the opportunity to opt out of the sharing, unless it is done pursuant to certain defined exceptions. Finally, it requires securities firms to establish policies and procedures to safeguard customer records and information.

In the examination program, we are giving Regulation S-P a lot of attention. As always, our work began after the Commission made its legal and policy decisions, and issued the Rule. Our mission is to foster your compliance, search out violators, and keep the Commission informed. We are doing all of this with Regulation S-P.

Specifically, what are we doing?

We started examining for compliance with Regulation S-P early this year - several months before the full compliance date of July 1.

It might seem odd that we were examining firms before they were required to be compliant. But we believe early examinations play an important preventive role. Getting out into the field, before a regulation is in force, gives us an opportunity to monitor the industry, and to warn laggards, before it is too late.

Our program had two tracks.

On the first, regional and district offices asked a series of general questions in the context of regular examinations. We asked how the firm was managing its privacy program, progressing on drafting its Notices, and various related questions. We conducted several hundred of these reviews.

At the same time, in a small sample of firms, teams from headquarters conducted in-depth reviews. Reviews on this second track lasted several days, and were focused exclusively on Regulation S-P.

We selected firms for this smaller sample on several grounds, including affiliations, business model, products offered, and others. When people discover they have been selected for a more searching review, I think it is natural to ask — "what have we done to deserve this?" The fact is you may have been selected for any number of reasons.

We believe the combination of these two types of reviews — wide and shallow, and narrow and deep - provides us with a higher quality perspective than any one type of review could provide on its own. For those of you who were around for the Y2K program, this should sound familiar. We used the same kind of approach back then as well. And, in fact, just like Y2K, we encountered firms, right up to the full compliance date, that said "Regulation What?" Luckily, they were mostly small outfits that could catch up quickly.

Now that we have passed the full compliance date, the stakes are raised. We have to treat a violation more seriously, and I expect we will issue more deficiency letters. But the basic structure of our program remains in place.

Regional and district offices will continue to review firms' compliance in the context of regular examinations. You should expect some level of review in most examinations. In addition, using our risk-based approach, in selected examinations, the staff may conduct a more in-depth review. Finally, the New York Stock Exchange and NASDR have also incorporated Regulation S-P into their examination programs.

At the same time, we will continue to conduct stand-alone in-depth reviews of selected firms. These will generally be directed toward a specific goal. For example, we are currently planning a joint examination sweep with the NAIC. Our goal is to examine selected financial complexes that include both an insurance company and a securities firm. Combined teams of SEC and state insurance examiners will take a consolidated look at the complexes' privacy programs. This will be the first time that SEC examiners and state insurance examiners have gone into the field together to conduct a joint sweep.

When we conduct these examinations — regional and district offices, headquarters, and coordinated sweeps — what are we looking for?

On one level, we are simply working our way through the many technical requirements of the Rule:

  • Does your Notice contain all the required information?
  • If you must offer opt outs, does your Opt Out Notice contain all the required information?
  • Does your method of delivery comply with the Rule?
  • Do you offer a reasonable method of opting out?
  • Have you, in fact, established an internal system for implementing the opt outs you receive?
  • If you share information with non-affiliates pursuant to an exception, does the sharing actually comply with the terms of the exception?

This is a long and complex regulation. Just working through its technical requirements is a demanding job.

Nonetheless, good compliance only begins with technical implementation. We are also interested in the culture of compliance you have established. In particular, with our risk-based approach to examinations, your culture of compliance will help us determine whether we need to conduct a detailed review of your technical compliance.

What do we look for?

  • Have you reduced your privacy policies and procedures to writing? I do not mean just the summary contained in your Privacy Notice. Instead, do you have an internal working document that can serve as a management tool, as a standard for internal accountability, and as an internal control?
  • What role has senior management played in developing or approving your privacy program? Good compliance always starts at the top. What has your senior management done to signal its attention and interest, or lack thereof?
  • How are you staffing the program? Have you gathered the expertise and sophistication you need to handle your organization's level of complexity?
  • Have you assessed your own strengths and weaknesses through internal audits or consultant reviews? A number of firms are having this done, and have been willing to share the reports with us.
  • What sort of training do you provide to your staff? This is critical. Your compliance is only as good as its weakest link. If you have untrained employees talking to clients about privacy, and that could be anyone who has client contact, you may be setting yourself up for future problems.

In short, we are approaching Regulation S-P just like any other Commission rule. Ultimately, we want to know if you are complying with its technical requirements. However, in regular examinations, where we look, and how deeply we look, will be determined by our assessment of your culture of compliance.

What have we seen in our examinations so far? Let me start with a few general observations.

First, we have seen substantial expenditures. At the high end, particularly for complexes containing multiple types of financial firms, we have seen expenditures in the millions of dollars. I don't care how big a business you work for; when a compliance project gets into the millions of dollars, people start to notice. On the other hand, at the low end, smaller and simpler firms appear to be spending much less.

Second, we are seeing real attention to competitive issues. We have seen a number of firms go beyond the requirements of the Rule, such as by restricting information sharing with affiliates, or offering opt outs where none was required. Generally, it appears firms are doing this because they believe people care, and they have concluded that offering enhanced protection is good for business.

In this regard, firms also seem to be watching each other very carefully, and worrying that they may lose customers to rivals offering better protection. We have seen firms suddenly change policies in mid-course, including one that did so after it had begun mailing its Notices, because of these concerns.

Finally, these competitive and business decisions can carry a serious price tag. We visited one firm that considered two levels of privacy protection. I'll call them "basic" and "enhanced." "Basic" would provide what the Rule requires. "Enhanced" would provide additional voluntary protection, essentially, offering an opportunity to opt out when none was required. I don't want to give actual dollar amounts, but the firm determined that the "enhanced" option would cost ten times as much as the "basic."

The bottom line — the privacy race, like the arms race, is not cheap. Firms are betting real money on how their customers will respond to privacy issues.

I would like to conclude by raising a few questions that have come up in our examinations. You may want to think about these as you work on your own internal best practices.

(1) Who conducted the due diligence for the disclosures in your Privacy Notice?

To put this another way: are you ready to live with the claims you made?

If you think investors will be interested in your Privacy Notices, you can bet we will be interested too. If your Marketing Department is sensitive to privacy issues, that is great. On the other hand, you may want to keep a careful eye on what is being done to "jazz-up" the Notice. Too much, and you may be getting tough questions from an SEC examiner about how you can support your claims.

Fundamentally, have you read your Privacy Notice? Have you gone through it line-by-line and asked yourself; are we ready to substantiate each one of these assertions? Are we ready to deliver on each of these promises?

(2) Is your Notice clear and conspicuous?

This is an issue that is receiving a lot of attention.

Some observers have opined that the current round of Privacy Notices are neither clear nor conspicuous. At the same time, others have indicated that it is not always easy to determine, in the abstract, what is clear and what is conspicuous.

To address these concerns, the examination program and the Commission's Office of Investor Education and Assistance are setting up a Privacy Complaint Form on the SEC's Internet Web Site. Our goal is to avoid having SEC examiners make subjective judgments about your disclosure. Instead, we are going to the best source for information on whether investors are experiencing problems, investors themselves.

The potential areas of concern identified on the form are probably what you would expect. Investors can tell us that:

  • They did not receive a privacy notice.
  • The privacy notice was too long, too complex, or too difficult to read.
  • The privacy notice contained typeface that was too small for them to read.
  • They were discouraged from opting out by a representative of the company, or by the language of the privacy notice or opt out notice.
  • The opt out procedure was very complex or difficult to understand.
  • When they tried to opt out, they were unable to do so.
  • Even though they opted out, they believe the company has improperly shared their personal financial information.
  • And finally, they believe the company has allowed someone to gain unauthorized access to their personal financial information.

You can expect us to be mindful of any complaints we receive. In addition, in examinations, you can expect us to review any complaints that went directly to you.

(3) Do you have a reasonable system of privacy management?

The larger and more complex your organization, the more you need to get your privacy program under management control.

When we arrive in a shop and the privacy management team gives us a professional briefing, it is a good experience for everyone. On the other hand, when we witness arguments, on the registrant's side of the table, over who is responsible for what, it does not fill us with confidence.

Also, this is an ongoing enterprise. You need to stay on top of changes in how your organization uses customer information. You need to manage privacy for the long haul.

(4) Are you paying attention to restrictions on the information coming into your firm?

We have seen lots of attention given to how nonpublic personal information leaves an organization. Unfortunately, we have seen less attention given to possible restrictions attached to the information when it enters the organization. Do not forget the restrictions on reuse and redisclosure.

(5) How are you treating Joint Account Holders?

Remember — the Rule specifically states that if you allow joint account holders to opt out separately, you must also allow each one to opt out for all. We have seen problems in this regard with Voice Response Units and training for call center operators. You may want to double-check your scripts and training materials.

In sum, we are looking very carefully at Regulation S-P. It should have your attention as well. But I am confident that the securities industry will be ready, because protecting customers' financial privacy is not a new issue. Securities firms have routinely gathered and protected confidential client information for many years. You gather it, because you need it to provide your services. You protect it, not least because you want to keep it out of the hands of your competitors.

Indeed, some of you might say that your most common problem arises when employees guard information too zealously. When registered representatives slowly and patiently build up a "book" of confidential client information, they are loath to share it with anyone, including, on occasion, supervisors, employers, and regulators.

I have seen this myself. There is one examination in particular that I often think of in this context. It took place several years before the Commission adopted Regulation S-P.

When I started to interview a local manager about his client files, he insisted that I describe, in detail, how the Commission protects the confidentiality of examination information. Then, even after he was willing to go forward, he repeatedly interrupted me to remind me that I was asking for confidential information and to engage me in further dialogue. It was not an easy interview.

At first I thought he was trying to obstruct the interview. But, when he finally started to provide answers, his information checked out. Eventually, I started to think, each time the dialogue resumed, perhaps he means what he says. What he said was that his clients trusted him, and to vindicate their trust, he believed he must protect their confidences.

And just in case you're wondering, his clients were not celebrities, or the rich and famous. He had a fairly ordinary book of business in a small city.

By the end of the interview, I was impressed, and I told him so. I told him that I respected his sense of duty to his clients.

And I continue to believe that his spirit — defending client confidences as a matter of trust — will carry us through the implementation of Regulation S-P.

Moreover, as I look at the wider world, and the stressful events in it, I suspect that the same spirit of duty, and the same vigor in protecting those who trust us, will carry us through a lot more than Regulation S-P.

Thank you very much.



Modified: 11/14/2001