Legal Opinion
"GLBA" Gramm Leach Bliley Act
On November 12, 1999, President Clinton signed into law the Gramm Leach Bliley Act (GLBA) (Public Law 106-102). Subtitle A of Title V of the Act, captioned "Disclosure of Nonpublic Personal Information" (NPI), limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose its privacy policies and practices with respect to information sharing.

  Note: For information regarding the rules as they relate to brokers or dealers, contact George Lavdas or Jerome Roche, Office of Chief Counsel, Division of Market Regulation, (202) 942-0073, or regarding the rules as they relate to investment companies or registered investment advisers, Penelope W. Saltzman or Hugh P. Lutz, Office of Regulatory Policy, (202) 942-0690, Division of Investment Management, Securities and Exchange Commission, 450 5th Street, N.W., Washington, D.C. 20549.
It is the policy of the Congress under GLBA that each financial institution shall have an affirmative and continuing obligation to:
  1. Insure the security and confidentiality of customer records and information
  2. Protect against any anticipated threats or hazards to the security of such records
  3. Protect against unauthorized access to, or use of, such records or information which could result in substantial harm or inconvenience to any customer
Whether or not an enterprise is operated by a single individual is not determinative as to whether the entity is a "financial institution." If an individual is in the "business of engaging in financial activities," that business is included in the definition of a "financial institution" even as an individual.

In order to implement Title V of GLBA, final regulations were passed in nearly identical form by all the financial institution regulatory agencies and the Federal Trade Commission.

  These rules were consistent and comparable with the proposals published by the Commission and appeared in the Federal Register at 65 FR 8770 (Feb. 22, 2000) (OCC, FRB, FDIC, and OTS jointly), 65 FR 10988 (Mar. 1, 2000) (NCUA), and 65 FR 12354 (Mar. 8, 2000) (SEC). The proposed regulations appeared at 64 FR 59918 (Nov. 3, 1999). This rule is effective November 13, 2000. Full compliance is required by July 1, 2001.


Who Applies GLBA Regulations:

  These agencies all adopted very similar guidelines to implement GLBA:
  • SEC - S-P (Securities and Exchange Commission)
  • FTC (Federal Trade Commission)
  • NASD (National Association of Securities Dealers)
  • OCC (Office of the Comptroller of the Currency)
  • NIST (National Institute of Standards and Technology)
  • FCRA (Fair Credit Reporting Act)
  Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("security guidelines"). See 66 Fed. Reg. 8616 (February 1, 2001).

  What are the Primary Steps:
  • Executive management involvement
  • Risk and vulnerability driven, based on regular ongoing risk assessments
  • Written information security plan that includes policies and procedures
  • Employee training and periodic testing with regulatory updates
  • Control of information to 3rd-parties

GLBA Overview

GLBA requires that you establish appropriate professional standards and safeguards to insure the security and confidentiality of customer information and to protect client records against anticipated threats and hazards or unauthorized access which could result in harm or inconvenience.
  • Financial Advisors are responsible for maintaining the security of their systems, workspaces and communications to protect the security and integrity of all places in which Customer Information is utilized.
  • Financial Advisors shall implement and maintain appropriate measures designed to comply with the Privacy Regulations and to meet the objectives for Safeguarding Customer Information, as amended from time to time.
  • Financial Advisors must establish and maintain adequate safeguards against any disaster, loss, or alteration of Information in the Financial Advisor's possession and, in no event, less than a professional standard of care.
The Steps:

Assess Risk:
  • Identify external and internal threats to customer information
  • Assess the likelihood of potential damages
  • Determine the adequacy of current controls
  • Create a written information security program and assign a manager
  • Management must oversee and remain accountable for program
Manage and Control Risk:
  • Design a comprehensive program appropriate for "size and scope of operations"
  • Provide ongoing training for employees
  • Regularly test key controls - Physical Access Controls
  • Encryption of customer data while in transit or in storage
  • Regular backup of critical data

Federal Trade Commission

The Federal Trade Commission (FTC) has adopted the "safeguards rule," which requires each financial institution or relevant individual to "develop, implement, and maintain a comprehensive information security program" that is written for easy reference and covers the three key areas in which a security "system" is to be addressed: administrative, technical and physical.

The term "system" is an umbrella term to include the hardware, software, physical, administrative, and organizational issues to be considered when addressing information security. FTC regulation can extend beyond existing laws. Under its authority to protect consumers, the FTC is in a position to adopt regulations which cross the boundaries of all industries.
Securities and Exchange Commission - SEC S-P Requirements

The Securities and Exchange Commission adopted Regulation S-P, the privacy rules promulgated under section 504 of the Gramm-Leach-Bliley Act. Section 504 requires the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information (NPI), and Regulation S-P includes requirements for registered advisers to adopt appropriate policies and procedures that address safeguards.

  The Commission is adopting Regulation S-P under the authority set forth in section 504 of the G-L-B Act [15 U.S.C. 6804], sections 17 and 23 of the Exchange Act [15 U.S.C. 78q, 78w], sections 31 and 38 of the Investment Company Act [15 U.S.C. 80a-30(a), 80a-37], and sections 204 and 211 of the Investment Advisers Act [15 U.S.C. 80b-4, 80b-11].

SEC Rule 206(4)-7

The SEC requires registered advisors to implement and maintain policies and procedures appropriate for their advisory business. If you are examined, the examiner will review such items as recordkeeping, client disclosures, and your security plan, which includes policies, procedures, and client disclosures.

A primary focus is the firm's compliance with rule 206(4)-7, requiring advisors to have internal programs to enhance compliance with the federal securities laws. The SEC has indicated that each advisor should first identify any conflicts and factors creating risks or exposure for the firm and its clients and design policies and procedures that address those risks.

The rule requires SEC-registered advisors to prevent violations of applicable securities laws, including the Investment Advisers Act of 1940. The examiner will review their policies and procedures for adequacy and effectiveness of implementation. Advisors must also designate a compliance person responsible for administering the policies and procedures, which must be designed to prevent violations from occurring, detect violations that have occurred, and promptly correct any violations that occur.

The SEC is currently issuing deficiencies to firms that fail to consider and account for emergency situations and their ability to service clients effectively during such situations.

Data Backup:

An SEC-registered advisor should be prepared to produce electronic correspondence during a regulatory examination. SEC-registered advisors must maintain electronic correspondence pursuant to recordkeeping rule 204-2. State-registered advisors have to comply with state recordkeeping rules.

SEC Rule 204-2(a)(7) requires advisors to keep records of any recommendation or advice given, any receipt, disbursement or delivery of securities, and any order for securities. Rule 204-2(g) states that records can be preserved on electronic media, but advisors must index the records to permit easy location and retrieval of any specific record and must establish procedures to reasonably safeguard records from loss, alteration or destruction.

As with all other correspondence and records covered by rule 204-2, electronic mail must be maintained for five years, except with respect to composite performance documentation that must be maintained for an extended period of time pursuant to rule 204-2(a)(16). The SEC may request electronic correspondence for specific clients or for a specific period of time.
Advisor Security Inc. © 2006 All Rights Reserved