Speak To A Live Person:
888.302.4594

Red Oak Blog

News that affects your business and ours.
 
Wednesday, July 13 2011

Consumer Privacy

Financial markets and the financial services industry in general operate on some of the most sophisticated technology currently available. Technology has allowed greater transparency, lower costs, increased client access and greater efficiencies; however, with greater use of technology comes the possibility of its misuse. With the advent of the internet, information, both public and private, can be quickly collected and disseminated; information, especially accurate consumer information, is a highly prized commodity for producers as well as consumers.

July marks a decade since the SEC required financial institutions to comply with Regulation S-P, section 504 of the Gramm-Leach-Bliley Act (“GLB”). The past decade also demonstrates marked growth in identity theft and theft of other personal information stored electronically by companies, corporations and government and educational institutions that provide products and services to clientele and the general public. Theft of client and consumer information damages not only the reputation of those consumers whose information is misused but also the reputation of those entities that have the responsibility and obligation to protect their clients’ personal information. Identity theft is one of the fastest growing crimes in North America, Europe and Asia and one of the most difficult to prosecute.

The portion of GLB that covers privacy utilizes three key concepts: the Financial Privacy Rule, the Safeguards Rule and Pretexting Protection. Each of these concepts is outlined as follows and codified at 15 U.S.C. §§ 6801-6809 and 15 U.S.C. §§ 6821-6827:

  • The Financial Privacy Rule requires financial institutions to provide each client with a privacy notice at the time the relationship is established and annually thereafter. The privacy notice should explain the information collected about the client, where that information is shared, how that information is used, and how that information is protected. The notice must also identify a client’s right to opt out of the information being shared with third parties pursuant to the provisions of the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the client should be notified again for acceptance. Each time the privacy notice is reestablished, the client has the right to opt out again. The third parties receiving the personal information are held to the acceptance terms of the client under the original relationship agreement.
  • The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ personal information. The Safeguards Rule applies to information of any clients past or present of the financial institution’s products or services. This plan must include:
    • The appointment of an employee or employees to manage safeguards
    • The implementation of a risk management process applied to each department handling personal information
    • Development, monitoring and testing of programs to secure personal information
    • Update safeguards as needed with the changes in how information is collected, stored, and used.
  • Pretexting is the act of attempting to gain access to personal information without the proper authority to do so; the most common acts of pretexting include impersonation of clients and phishing, where unsuspecting consumers provide personal information to bogus websites or email addresses. In the United States, pretexting is punishable as a common law crime of False Pretenses and under GLB, financial institutions must create and implement safeguards to protect against pretexting activities.

For investment advisers, their clients’ trust is of the utmost importance for a successful relationship. A key part of engendering that trust is to have a well-developed program to secure clients’ personal information and to have a sound privacy policy that clearly communicates the importance an adviser places on protecting its clientele and their critical personal financial information. Failing to have adequate safeguards and policies can place an adviser’s clients at undue risk and ultimately imperil an adviser’s most important asset: its reputation.