Pomegra Wiki

Regulation S-P Customer Privacy Notice Requirements

Under Regulation S-P, the SEC requires every broker-dealer and investment adviser to give customers a clear, written privacy notice that discloses what personal and financial information the firm collects, who it shares it with, and how it protects it. The regulation specifies when firms must deliver the initial notice, how often they must update it, and what opt-out rights customers have.

The scope of Regulation S-P

Regulation S-P applies to any firm engaged in the business of buying or selling securities, providing investment advice, or managing investment company portfolios. It covers large multinational banks with brokerage arms and independent financial advisers with a handful of clients. The rule does not apply to accountants, lawyers, or insurance agents (unless they are also acting as investment advisers or brokers).

The regulation has two core requirements: a Privacy Notice and a Security Notice.

The Privacy Notice must explain what information the firm collects, how it uses that information internally, and whether and to whom it discloses customer information. The Security Notice must describe the firm’s policies and procedures for safeguarding customer records and information from unauthorized access or use.

What must the Privacy Notice contain?

The Privacy Notice must be written in plain English, organized in a way that makes clear what each section covers, and be accurate and complete as of the date of delivery.

Categories of information collected: Firms must describe the categories of nonpublic personal information they collect. This includes:

  • Information from customers directly (name, address, account holdings, transaction history)
  • Information from third parties (credit bureaus, background checks, identity verification services)
  • Information from customer activity (trading patterns, cash positions, investment mix)

Use of information: Firms must disclose how they use customer information. Typical uses include:

  • Executing customer transactions
  • Maintaining accounts and customer service
  • Evaluating eligibility for products or services
  • Marketing purposes (if the firm intends to contact customers about new services)
  • Compliance with legal and regulatory obligations

Sharing of information: This is the section most relevant to customer opt-out rights. Firms must disclose:

  • Whether they share customer information with affiliates (related companies)
  • Whether they share customer information with nonaffiliates (unrelated third parties)
  • The purposes for which sharing occurs (e.g., to complete transactions, for regulatory compliance, for marketing)
  • Categories of nonaffiliates with whom information is shared (e.g., service providers, research firms, third-party advisers)

Protection of information: Firms must describe their policies and procedures for securing customer data:

  • Who has access to customer information within the firm
  • What safeguards are in place (encryption, firewalls, access controls)
  • How the firm disposes of customer records
  • Incident response and breach notification procedures

Timing: Initial and annual notices

The firm must provide the Privacy Notice:

  • Initially: Before or when the customer relationship begins. If the firm is sending the notice before the customer becomes a customer (e.g., to a prospective client), the notice must be accurate as of the time it is sent. If sent at the time of account opening, it must be accurate as of that date.
  • Annually: At least once per calendar year while the customer relationship continues. The firm may include the annual notice in a regular account statement or send it as a separate document.

If a firm materially revises its privacy practices, it must provide an updated notice to all customers no later than 30 days after the material change. A material change is one that affects how the firm uses or shares customer information, or that broadens the categories of nonaffiliates it discloses to.

The opt-out right: Scope and limits

Regulation S-P grants customers a limited opt-out right. A customer may opt out of the disclosure of nonpublic personal information to nonaffiliates, but only if the disclosure is not necessary to effect, administer, or enforce a transaction that the customer requests or authorizes.

This means:

  • If a customer asks the firm to buy shares on an exchange, the firm may disclose information to the exchange and clearinghouse as needed to execute the trade—and the customer cannot opt out of that.
  • If a customer asks the firm to check credit in order to open a margin account, the firm may disclose information to the credit bureau—and the customer cannot opt out of that.
  • But if the firm wants to share customer information with a marketing partner or third-party research firm, the customer can opt out.

How to opt out: Firms must provide customers with a clear and conspicuous method to opt out—either by telephone, mail, electronic mail, or in person. The firm must honor the opt-out within a reasonable time (generally 30 days). An opt-out applies to future disclosures only, not to information already disclosed.

The broker-dealer vs. investment adviser distinction

Both broker-dealers and investment advisers must comply with Regulation S-P. However, the practical focus differs slightly.

A broker-dealer often collects and shares customer information for account maintenance, order routing, settlement, and clearing. Its Privacy Notice emphasizes execution, clearance, and customer service. Many broker-dealers also share data with research providers or affiliated investment advisers.

An investment adviser typically collects customer information to understand the client’s financial situation, investment objectives, and risk tolerance. Its Privacy Notice emphasizes advisory services, portfolio management, and performance reporting. Investment advisers are less likely to share customer data with third parties, though some do share it with custodians, sub-advisers, or back-office service providers.

Examples of privacy practice disclosures

A typical Privacy Notice might say:

“We collect information about you from:

  • Information you provide to us (name, address, employment, investment objectives)
  • Information from your account activity (trading history, cash balance)
  • Information from third parties such as credit bureaus

We use this information to:

  • Execute your transactions
  • Manage your account
  • Evaluate your eligibility for accounts or services

We may share your information with:

  • Affiliates (ABC Brokerage Services Inc.)
  • Service providers (custodians, clearing firms, accountants)
  • Nonaffiliates, but only if you do not opt out

You may opt out of sharing with nonaffiliates by calling 1-800-555-1234 or visiting our website.”

A firm that engages in more extensive sharing (e.g., because it is part of a large diversified financial services conglomerate) must disclose this clearly and provide easy opt-out mechanisms.

Compliance and enforcement

The SEC and FINRA examine broker-dealers and investment advisers regularly for compliance with Regulation S-P. Common violations include:

  • Failure to provide initial or annual notices: A firm that opens accounts without delivering a Privacy Notice faces enforcement.
  • Materially inaccurate notices: If a firm’s actual practices deviate from what the notice says, this is a violation. For example, if the notice says the firm does not share information with nonaffiliates, but it does, the firm must be corrected.
  • Failure to honor opt-out requests: If a customer opts out and the firm continues to share information, it has violated the rule.
  • Inadequate safeguards: If a firm’s Security Notice promises encryption but does not provide it, and a breach occurs, the firm may face enforcement action.

Penalties can include cease-and-desist orders, civil fines, and requirements to notify affected customers and provide remedial training. Large firms have settled Regulation S-P cases for tens of millions of dollars when breaches exposed thousands of customers’ information.

Updates and evolving standards

Regulation S-P was adopted in 2000, well before widespread data breaches and modern privacy concerns became acute. The SEC has indicated interest in modernizing the rule to address data security more explicitly and to align with state privacy laws like California’s CCPA and GDPR-style transparency requirements. However, as of now, the rule remains in force as written.

A prudent firm reviews its Privacy and Security Notices regularly, updates them to reflect actual practices, and ensures that all customer-facing staff understand what the firm promises about information handling.

See also

  • SEC regulations for broker-dealers — broader registration and conduct rules
  • Investment adviser privacy and compliance — advice-specific privacy requirements
  • Data security and breach notification — safeguarding customer information
  • FINRA conduct and suitability rules — customer protection beyond privacy
  • Customer opt-out rights and disclosure — related privacy elections
  • Fair Credit Reporting Act and privacy — consumer privacy outside securities

Wider context

  • SEC enforcement and penalties — how regulators address compliance failures
  • State privacy laws and CCPA — broader privacy frameworks
  • Data breaches and incident response — managing security failures