On December 4, 2015, President Obama signed a highway bill into law, which tacked on an exception to the annual privacy notice requirement for financial institutions that satisfy certain conditions. In legislation that can only be understood by Washington, D.C. insiders, the “Fixing America’s Surface Transportation Act,” better known as the FAST Act, contained amendments to two federal financial privacy laws.
In particular, the new law amends the Gramm-Leach-Bliley Act (“GLBA”). Pursuant to the new law, financial institutions that do not share customer information with nonaffiliated third parties will receive significant regulatory relief. The definition of “financial institution” in the GLBA includes Registered Investment Advisers (“RIAs”), as well as unregistered and private fund advisers. The definition also includes broker-dealers.
Section 75001 of the FAST Act creates an exception to the annual privacy notice delivery requirement for any financial institution that:
- Only shares nonpublic personal information in accordance with the GLBA without providing consumers with notice and opt-out rights; and
- Has not revised its policies and procedures with regard to disclosing nonpublic personal information since its last privacy notice was sent to consumers.
The GLBA exception is effective immediately.
Prior to this change, all RIAs were obligated to provide an annual privacy notice to clients of the firm. RIAs must still disclose their privacy policies to clients. However, the privacy notice no longer needs to be sent annually if an RIA meets the above conditions.
Cybersecurity is still on the SEC’s front burner
As GLBA compliance gets easier, firms’ cybersecurity obligations are ramping up. On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a Risk Alert announcing the Commission’s second round of cybersecurity sweep examinations. The purpose of the sweeps is to gather information regarding industry practices. A five-page sample document request letter accompanied the Risk Alert. OCIE has begun sending document requests to RIAs selected for inclusion in the sweep exam.
Even if firms are not targeted by the sweep, they can expect similar document requests during a routine compliance examination. Advisers will therefore benefit from reading the Risk Alert and the sample document request, which can be found here.
RIAs should consider incorporating a review of this Risk Alert, as well as the sample document request, as part of cybersecurity training sessions. It is also a good idea for firms to create an incident response plan that can be implemented if a cyber breach occurs.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Boca Raton, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.
RIA Compliance Group, LLC – 5301 North Federal Highway, Suite 380, Boca Raton, FL 33487 – Tel: 561-600-0564 – email@example.com