Regulation S-P: Broker-Dealer Customer Data Privacy Rules
The SEC’s Regulation S-P sets the baseline privacy rules for broker-dealers and investment advisers: firms must issue a privacy notice to customers, safeguard nonpublic personal financial information, and limit the circumstances under which they can share that information with affiliates, vendors, and third parties. While not as strict as regulations in some other industries, Reg S-P creates a floor of protection and transparency for customer data in the securities world.
What Regulation S-P Covers
Regulation S-P applies to any firm that is registered as a broker-dealer with the SEC or as an investment adviser. This includes:
- Traditional stock and bond brokers
- Online brokers and robo-advisers
- Registered investment advisers (RIAs)
- Certain mutual fund distributors and transfer agents
The rule governs nonpublic personal financial information, which includes any information about a customer that is not publicly available and either identifies the customer or could be used to identify them. Examples include:
- Account balances and transaction history
- Social Security numbers, addresses, phone numbers
- Banking information and payment methods
- Information on assets, income, or creditworthiness
- Trading activity and investment preferences
The rule does not regulate purely commercial or business information (e.g., details about a firm’s operations) or information that is already public.
Privacy Notice Requirement
Every broker-dealer and adviser must provide customers with a written privacy notice at or before the time they open an account, and annually thereafter. The notice must disclose:
What information is collected. The firm must explain the kinds of nonpublic information it gathers (from application forms, account statements, transactions, credit reports, etc.).
How information is used. The notice must describe the purposes for which the firm uses the data: providing services, maintaining accounts, processing trades, complying with law, and marketing.
Categories of parties with whom information may be shared. The firm must identify the types of entities it may share information with: service providers, affiliates, joint marketers, or others.
Customer rights. The notice must explain the customer’s ability to opt out of certain sharing and how to exercise that right.
Safeguards. The firm must describe the administrative, technical, and physical measures it takes to protect nonpublic information.
The notice must be clear and conspicuous. Burying it in fine print or embedding it in other disclosures does not satisfy the rule. Many firms now provide a standalone privacy policy as a PDF or web page.
Information Sharing and Opt-Out Rights
Regulation S-P sets a tiered framework for disclosing nonpublic information.
Sharing without restriction: A firm can share nonpublic information with its own employees and affiliates to conduct business and comply with law. It can also share information with service providers (like clearing brokers, custodians, or IT vendors) who need the data to perform services for the firm. However, the firm must require these service providers to maintain confidentiality.
Sharing with customer consent: A firm can share nonpublic information with other entities (including nonaffiliated financial institutions or marketers) if the customer explicitly consents in writing. The consent must be affirmative—the customer must opt in.
Sharing with the ability to opt out: For certain purposes—particularly marketing by nonaffiliated third parties or joint marketers—a firm may share nonpublic information unless the customer opts out. The firm must provide a clear opt-out notice and a simple mechanism (like a phone number or web link) for the customer to exercise the right. The customer must have a reasonable opportunity to opt out before information is shared.
Required sharing: Firms must disclose information when required by law (e.g., a subpoena or court order) or to defend against legal claims.
The 2021 Update: Enhanced Safeguards
In February 2021, the SEC modernized Regulation S-P to address the reality of digital account access and increased cyber risk. The updated rule requires:
Cybersecurity program: Firms must establish, implement, and maintain a comprehensive information security program designed to protect the confidentiality, integrity, and availability of customer information systems. This includes:
- Assessing and managing information security risks
- Implementing technical and operational safeguards
- Designing systems to protect against unauthorized access
- Monitoring and testing security controls
Incident notification: If a firm experiences a breach or reasonably believes that nonpublic information has been compromised, it must notify affected customers and the SEC without unreasonable delay. The SEC must be notified if the breach affects more than 500 customers.
Third-party risk management: Firms must assess the data security practices of service providers that have access to nonpublic customer information and ensure they maintain appropriate safeguards.
Access controls and authentication: Firms must employ reasonable measures to authenticate customer identity before allowing access to accounts.
The 2021 amendments reflected the SEC’s view that privacy rules had become outdated as firms increasingly offered online account access, mobile apps, and digital services. Hackers had demonstrated that simple passwords were insufficient, prompting the SEC to mandate stronger controls like multi-factor authentication.
Comparison with Other Privacy Rules
Regulation S-P is often compared to the privacy rules governing banks and insurance companies under the Gramm-Leach-Bliley Act (GLBA). The core concepts are similar—notice, safeguards, opt-out rights—but the details differ.
For example, under GLBA, banks must allow customers to opt out of sharing nonpublic information with nonaffiliated third parties for any purpose. Regulation S-P is somewhat narrower: it primarily restricts sharing for marketing purposes. A firm can still share information with service providers and, in some cases, with other financial institutions for joint marketing without explicit opt-out rights.
The EU’s General Data Protection Regulation (GDPR) is significantly stricter. It requires explicit customer consent for most data processing and grants customers rights to access, correct, and delete their data. Regulation S-P has no blanket right to deletion; instead, it focuses on limiting secondary use and maintaining accurate records.
Practical Impact for Customers
For retail investors, Regulation S-P creates a few tangible protections:
Transparency. You should receive a privacy notice before you open a brokerage or advisory account. Reading it tells you what data the firm collects, what it does with it, and who it shares it with. If something alarms you—say, the firm plans to share your data with many nonaffiliated marketers—you can opt out.
Opt-out ability. If you do not want your information shared with outside marketers or joint marketing partners, you have the right to say no. You should not be pressured to share your contact information or financial details beyond what’s needed to maintain your account.
Breach notification. If the firm experiences a data breach, it must tell you. This gives you a window to monitor your credit, change passwords, or take other protective steps.
Limited recourse. If a firm violates Regulation S-P, you can file a complaint with the SEC or bring a private lawsuit to recover damages. However, the bar for private damages under Reg S-P is high (the firm must have acted with negligence or intent), so many customers pursue claims under state privacy or data breach laws instead.
Enforcement and Penalties
The SEC enforces Regulation S-P through its Office of Compliance Inspections and Examinations (OCIE). Examiners review whether firms have proper notice policies, safeguards, and opt-out procedures.
Violations can result in:
- Cease-and-desist orders
- Fines (sometimes in the millions for large breaches)
- Mandatory remediation (e.g., hiring a security consultant)
- Public censure
- Referral to law enforcement (if criminal activity is suspected)
Some of the largest OCIE settlements have involved firms that failed to detect breaches, delayed notifying customers, or had inadequate internal controls. For example, firms have been fined for storing passwords in plain text, failing to encrypt sensitive data, or lacking basic network monitoring.
See also
Closely related
- Broker — the primary regulated entity under Reg S-P
- Dodd-Frank Act — related SEC regulatory framework
- Securities and Exchange Commission — the regulator
- Gramm-Leach-Bliley Act — comparable privacy rule for banks
- Data Breach — the outcome Reg S-P tries to prevent
- Compliance — broader context for securities regulation
Wider context
- Investment Adviser — a key category of firm covered by Reg S-P
- Cybersecurity and Financial Regulation — the modern regulatory focus on digital security
- Customer Trust and Financial Services — the market incentive behind privacy rules
- Federal Regulation of Securities — the broader regulatory landscape