Weekly RoundUp
March 23, 2023

SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information

In this Weekly Roundup Issue. The Securities and Exchange Commission (SEC) proposed changes to Reg S-P to enhance protection of customer information, and reopened the comment period on proposed cybersecurity rules and amendments. These and other developments are discussed in more detail below.

Regulatory Developments

SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information

On March 15, the SEC proposed amendments to Regulation S-P that would enhance the protection of customer information by requiring broker-dealers, investment companies, registered investment advisers, and transfer agents to provide notice to individuals affected by certain types of data breaches that may put them at risk of identity theft or other harm, among other methods. Currently, Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to adopt written policies and procedures for the protection of customer records and information. Regulation S-P also requires the proper disposal of consumer report information. 

If this updated version Regulation S-P is adopted, it would change the rule’s requirements to address the expanded use of technology and corresponding risks since the Commission originally adopted Regulation S-P in 2000. The SEC’s proposal would require broker-dealers, investment companies, registered investment advisers, and transfer agents (collectively, covered institutions) to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The proposed amendments would also require, with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization. The proposal would require a covered institution to provide this notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The proposing release will be published in the Federal Register and the public comment period will remain open until 60 days after the date of publication.

“Though Regulation S-P currently requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches. I think we should close this gap. Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves.” 

– SEC Chair Gary Gensler

SEC Reopens Comment Period for Proposed Cybersecurity Rules and Amendments

On March 15, the SEC reopened the comment period on proposed rules and amendments regarding cybersecurity and risk management for registered investment advisers, registered investment companies and business development companies, which were initially proposed in February 2022 (the Cyber Proposal). The initial comment period ended nearly a year ago, in April 2022. In the SEC’s press release, they make clear that the comment period for the Cyber Proposal is being reopened to allow those interested additional time to analyze the issues given recent regulatory developments that may have bearing on the Cyber Proposal. 

The Cyber Proposal, involving amendments to both the Investment Advisers Act of 1940 and the Investment Company Act of 1940, is aimed at enhancing cybersecurity preparedness and improve cyber resilience. The Goodwin client alert on the subject from February 2022 can be found here.

The FCA’s 2023/24 Priorities for UK Payments: Firms and Investors, Take Note

On March 16, the UK Financial Conduct Authority (FCA) published its letter Portfolio Letter: FCA priorities for payments firms to the CEOs of UK Payment Institutions (PIs), Electronic Money Institutions (EMIs), and Registered Account Information Service Providers, all of whom it regulates. The Letter is relevant both to those managing the firms and those looking to establish or invest in them, highlighting areas of regulatory risk that not only a business but any due diligence report will need to address.    

Read more in a recent client alert.


Check Out Goodwin’s Latest Industry Insights

2022 Consumer Financial Services Year in Review
This in-depth report summarizes major regulatory, litigation, and enforcement activity that impacted the consumer financial industry in 2022, and identifies the key trends for 2023.

Consumer Finance Insights (CFI) Blog
The latest on consumer finance regulation, litigation, and enforcement.

FinReg + Policy Watch Blog
Stay on top of developments affecting the financial services community. 

Digital Currency + Blockchain Perspectives Blog
Stay on top of digital currency industry news, regulatory developments and issues.

Samantha M. Kirby
William McCurdy

Serene Qandil