Key Takeaways
- Regulation S-P requires SEC-registered entities to deliver initial privacy notices at account opening and annual notices thereafter
- The Safeguards Rule mandates written information security programs with administrative, technical, and physical safeguards
- SEC's 2024 amendments to Regulation S-P require written incident response programs and customer notification no later than 30 days after the institution becomes aware of a breach
- The Red Flags Rule requires identity theft prevention programs to detect warning signs in account activity
Privacy and Confidentiality Requirements
For CFP professionals working with SEC-registered entities, Regulation S-P provides the specific rules implementing GLBA's privacy requirements. Major amendments adopted in May 2024 significantly strengthened safeguarding and breach notification obligations, with compliance deadlines in December 2025 (large entities) and June 2026 (smaller entities). Understanding these requirements is essential for both exam success and professional practice.
Regulation S-P: The SEC's Privacy Rule
The SEC adopted Regulation S-P in 2000 to implement GLBA's privacy requirements for entities under its jurisdiction. The regulation applies to:
- SEC-registered broker-dealers
- SEC-registered investment advisers
- Registered investment companies (mutual funds)
- Transfer agents registered with the SEC
Core Requirements of Regulation S-P:
| Requirement | Description |
|---|---|
| Privacy Notices | Initial and annual notices describing information practices |
| Opt-Out Rights | Opportunity to limit sharing with nonaffiliated third parties |
| Safeguards Rule | Policies and procedures to protect customer information |
| Disposal Rule | Proper disposal of consumer report information |
Privacy Notice Requirements Under Regulation S-P
Initial Privacy Notice:
Covered institutions must provide an initial privacy notice to each customer not later than the time the customer relationship is established. For investment advisers, this typically means before or at the time of entering into an advisory contract.
The initial notice must clearly and conspicuously disclose:
- Categories of nonpublic personal information collected
- Categories of information disclosed to affiliates and nonaffiliates
- Categories of third parties receiving information
- Disclosure policies for former customers
- How customer information is protected
- Opt-out rights and methods
Annual Privacy Notice:
Unless qualifying for the FAST Act exception, covered institutions must provide an annual privacy notice to customers with whom they have a continuing relationship. The annual notice must be delivered:
- At least once during any 12-month period
- In a form the customer can reasonably be expected to receive
Clear and Conspicuous Standard:
Privacy notices must be written in a manner that is clear and conspicuous, meaning:
- Reasonably understandable (plain language, logical organization)
- Designed to call attention to the nature and significance of the information
The Safeguards Rule: Protecting Customer Information
Regulation S-P requires covered institutions to adopt written policies and procedures that address administrative, technical, and physical safeguards for customer information. The goal is to protect against:
- Unauthorized access to customer records
- Anticipated threats to the security or integrity of records
- Potential hazards that could result in substantial harm or inconvenience
Required Safeguards Program Elements:
| Safeguard Type | Examples |
|---|---|
| Administrative | Employee training, access controls, vendor oversight |
| Technical | Encryption, firewalls, intrusion detection |
| Physical | Locked file cabinets, secure data centers, building access controls |
2024 Amendments to Regulation S-P: Major Changes
In May 2024, the SEC adopted significant amendments to Regulation S-P, representing the most substantial changes since the regulation's adoption. These amendments took effect in stages, with the first compliance deadline having passed:
Compliance Deadlines:
| Entity Size | Compliance Deadline | Status (as of Jan 2026) |
|---|---|---|
| Large entities (RIAs with $1.5B+ AUM, investment companies with $1B+ net assets, all broker-dealers except small entities) | December 3, 2025 | Now in effect |
| Smaller entities | June 3, 2026 | Upcoming |
Key New Requirements:
1. Written Incident Response Program:
Covered institutions must develop and maintain a written incident response program designed to:
- Detect unauthorized access to or use of customer information
- Respond to and recover from security incidents
- Assess the nature and scope of incidents
- Contain and control incidents to prevent further harm
2. Customer Notification Requirement:
When an institution becomes aware that unauthorized access to customer information has occurred or is reasonably likely to have occurred, it must provide written notice to affected customers:
- Timing: As soon as practicable, but not later than 30 days after becoming aware
- Content: Must describe the incident, types of information involved, and contact information for the institution
- Exceptions: Notification may be delayed if a law enforcement agency determines it would impede an investigation
3. Service Provider Oversight:
Institutions must require service providers to:
- Implement and maintain appropriate safeguards
- Notify the covered institution of security incidents involving customer information
- Provide notification within 72 hours of becoming aware of a breach
4. Expanded Scope:
The amendments extended safeguards and disposal requirements to transfer agents for the first time.
Exam Tip: The 30-day customer notification deadline and 72-hour service provider notification requirement are key testable concepts from the 2024 Regulation S-P amendments.
Definition of Sensitive Customer Information
The 2024 amendments introduced a definition of "sensitive customer information" for determining when notification is required:
Information is considered sensitive if unauthorized access could "create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information."
Examples of Sensitive Information:
- Social Security numbers (substantial risk by itself)
- Account numbers combined with access credentials
- Financial account information that could enable unauthorized transactions
- Username/password combinations
FTC Safeguards Rule for Non-SEC Entities
Financial institutions not registered with the SEC (such as state-registered investment advisers, tax preparers, and other non-bank financial institutions) are subject to the FTC's Safeguards Rule rather than Regulation S-P.
FTC Safeguards Rule Requirements:
| Requirement | Details |
|---|---|
| Designated Qualified Individual | Appoint someone responsible for the security program |
| Written Risk Assessment | Identify and assess risks to customer information |
| Safeguards Implementation | Implement safeguards based on risk assessment |
| Service Provider Oversight | Assess service provider security practices |
| Continuous Monitoring | Regularly test and adjust safeguards |
| Employee Training | Train personnel on security awareness |
| Incident Response Plan | Maintain a plan to respond to security events |
2024 FTC Amendment - Breach Notification:
Effective May 13, 2024, the FTC requires financial institutions under its jurisdiction to notify the FTC of security breaches affecting 500 or more consumers. Notification must occur:
- As soon as possible, but no later than 30 days after discovery
- Only for breaches involving unencrypted customer information
The Red Flags Rule: Identity Theft Prevention
The Red Flags Rule requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program. While primarily enforced by the FTC and banking regulators, CFP professionals should understand its requirements.
Program Requirements:
| Component | Description |
|---|---|
| Identify Red Flags | Recognize patterns, practices, or activities indicating identity theft |
| Detect Red Flags | Incorporate procedures to detect red flags in operations |
| Respond to Red Flags | Take appropriate actions when red flags are detected |
| Update the Program | Periodically review and update the program |
Examples of Red Flags:
- Alerts from consumer reporting agencies (fraud alerts, credit freezes)
- Suspicious documents (altered IDs, inconsistent information)
- Suspicious personal identifying information (addresses that don't match, inconsistent birth dates)
- Unusual account activity (sudden changes in patterns, mail returned as undeliverable)
- Notices from customers, law enforcement, or other sources indicating identity theft
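To make the "detect red flags" component concrete, the following Python script is an added illustration (not code from the original page or from any regulator) that screens a customer's recent account events for several of the red-flag categories listed above: a consumer reporting agency alert, identifying information that conflicts with the record on file, an address change closely followed by returned mail or an outbound wire, and a sudden jump in outbound activity against the prior baseline. The event kinds, field names, thresholds and the sample customer history are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccountEvent:
    when: datetime
    kind: str                       # constructed kinds: "fraud_alert", "info_update",
                                    # "address_change", "mail_returned", "wire_out"
    details: dict = field(default_factory=dict)


@dataclass
class Customer:
    customer_id: str
    birth_date: str                 # date of birth on file, "YYYY-MM-DD"
    events: list


def detect_red_flags(customer, now, lookback_days=30, baseline_days=90):
    """Return a sorted list of red-flag codes raised by the customer's recent events.

    The checks map onto categories the Red Flags Rule lists: alerts from consumer
    reporting agencies, inconsistent identifying information, and unusual account
    activity. The 14-day window, the 5x multiplier and the $10,000 floor are
    illustrative assumptions, not regulatory values.
    """
    flags = set()
    recent = [e for e in customer.events if 0 <= (now - e.when).days < lookback_days]
    baseline = [e for e in customer.events
                if lookback_days <= (now - e.when).days < lookback_days + baseline_days]

    # Alert from a consumer reporting agency (fraud alert or credit freeze)
    if any(e.kind == "fraud_alert" for e in recent):
        flags.add("CRA_ALERT")

    # Identifying information on a request that conflicts with the record on file
    for e in recent:
        dob = e.details.get("birth_date") if e.kind == "info_update" else None
        if dob is not None and dob != customer.birth_date:
            flags.add("PII_MISMATCH")

    # Address change closely followed by returned mail or an outbound wire
    for change in (e for e in recent if e.kind == "address_change"):
        window_end = change.when + timedelta(days=14)
        after = [e for e in recent if change.when < e.when <= window_end]
        if any(e.kind == "mail_returned" for e in after):
            flags.add("ADDRESS_CHANGE_RETURNED_MAIL")
        if any(e.kind == "wire_out" for e in after):
            flags.add("ADDRESS_CHANGE_THEN_WIRE")

    # Sudden change in pattern: outbound wires well above the prior monthly baseline
    recent_out = sum(e.details.get("amount", 0) for e in recent if e.kind == "wire_out")
    baseline_out = sum(e.details.get("amount", 0) for e in baseline if e.kind == "wire_out")
    baseline_monthly = baseline_out / (baseline_days / 30)
    if recent_out > 0 and recent_out > max(5 * baseline_monthly, 10_000):
        flags.add("UNUSUAL_OUTBOUND_VOLUME")

    return sorted(flags)


# Constructed sample history: two routine wires in prior months, then an address
# change, returned mail, a large outbound wire and a mismatched date of birth.
def sample_customer():
    return Customer("C-0001", "1975-02-03", [
        AccountEvent(datetime(2025, 10, 1), "wire_out", {"amount": 1000}),
        AccountEvent(datetime(2025, 11, 5), "wire_out", {"amount": 1200}),
        AccountEvent(datetime(2025, 12, 28), "address_change", {"new_zip": "00000"}),
        AccountEvent(datetime(2026, 1, 3), "mail_returned", {}),
        AccountEvent(datetime(2026, 1, 6), "wire_out", {"amount": 25000}),
        AccountEvent(datetime(2026, 1, 10), "info_update", {"birth_date": "1975-03-02"}),
    ])


def sample_clean_customer():
    """Constructed history with only routine prior-period wires and nothing recent."""
    return Customer("C-0002", "1980-06-15", [
        AccountEvent(datetime(2025, 10, 1), "wire_out", {"amount": 1000}),
        AccountEvent(datetime(2025, 11, 5), "wire_out", {"amount": 1100}),
    ])


def run_sample(now=datetime(2026, 1, 15)):
    return detect_red_flags(sample_customer(), now)


if __name__ == "__main__":
    for code in run_sample():
        print(code)
```

Each returned code is a prompt for the "respond" step of the program (for instance, verifying the address change with the customer through a previously known contact method before releasing the wire), which is a human decision the script deliberately does not automate.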
Disposal Rule
Both the SEC (Regulation S-P) and FTC require proper disposal of consumer report information derived from credit reports. Covered institutions must take reasonable measures to protect against unauthorized access during disposal, such as:
- Shredding physical documents
- Erasing or destroying electronic media
- Contracting with disposal companies that use appropriate methods
For CFP Professionals
Understanding privacy and confidentiality requirements helps CFP professionals:
- Deliver required disclosures at appropriate times (initial and annual notices)
- Implement appropriate safeguards to protect client information
- Respond to security incidents within required timeframes
- Oversee service providers who have access to client information
- Detect and respond to identity theft warning signs
- Maintain compliance with evolving regulatory requirements
Under the 2024 amendments to Regulation S-P, how quickly must a covered institution notify affected customers after becoming aware of a data breach involving sensitive customer information?
Which of the following is a component of a Red Flags Rule identity theft prevention program?
When must an SEC-registered investment adviser provide an initial privacy notice to a new client under Regulation S-P?