Financial Advisor’s Guide to Privacy and Data Security Laws


Complying with the patchwork of privacy and information security laws is an often daunting task for financial advisors. But beware: Doing so hastily or haphazardly can expose you to extensive confidentiality obligations, regulatory scrutiny and, in some cases, hefty fines.

Lisa Zivkovic, Morrison Foerster Privacy and Data Security Group.

Broadly speaking, advisors are required to adhere to certain confidentiality and security obligations with respect to clients’ personal information and to explain their information sharing practices to clients via privacy notices. Some laws also require advisors to provide clients with the ability to opt out of certain sharing of their personal information with third parties (other than vendors), while other laws go even further by requiring active consent before advisors can share personal information with third parties (not including vendors).

What confidentiality and security obligations apply to your practice? It depends on the state or country in which you operate and where your customers reside. In some cases, confidentiality obligations only apply where the clients are individuals investing for their personal benefit, as opposed to institutional investors.

Here’s the latest on the top laws, rules, and proposed rules advisers need to know.

Gramm-Leach-Bliley Act Privacy Notice
The Gramm-Leach-Bliley Act of 1999 requires financial institutions – defined as companies that offer financial products or services such as investment advice – to explain their information-sharing practices to customers and to protect sensitive client data.

Specifically, it requires SEC-registered financial advisers to provide individuals who invest for personal, family or household purposes with a GLBA-specific privacy notice. The notice should describe what nonpublic personal information is collected from customers, how it is used, and whether it is shared with affiliated third parties. In addition, the notice must specify whether the financial advisor engages in the restricted sharing of personal information with unaffiliated third parties and, if so, describe how clients can exercise their right to opt out of such sharing.

The law also prohibits financial advisors from sharing their clients’ non-public personal information with unaffiliated third parties, other than vendors, for joint marketing or other purposes, unless clients have been given the opportunity to refuse such sharing. Similar state laws in California, North Dakota and Vermont impose additional requirements, such as obtaining prior consent from customers in order to share their personal information with unaffiliated third parties. However, California and Vermont do not require advisors to obtain such prior consent if the sharing is for joint marketing purposes and if the advisors offer clients the option to opt out, among other requirements.

This GLBA-specific privacy notice is generally drafted from a model created by federal regulators which, used correctly, provides financial advisors with protection from liability under the law. Note that the information contained in such a notice must be updated annually.

SEC Proposed Cybersecurity Management Rules for RIAs and Funds
In March 2022, the SEC proposed cybersecurity rules for financial institutions, including investment advisers registered under the Investment Advisers Act of 1940. If adopted, the rules will establish explicit cybersecurity compliance and breach notification requirements, including:

· Cybersecurity policies and procedures, including periodic assessment of information systems, controls designed to minimize user risk, procedures for managing threats and vulnerabilities, and security incident response and recovery procedures

· Annual reviews of cybersecurity policies and procedures and written reports outlining the review and its findings

· A requirement to report material cybersecurity incidents to the SEC within 48 hours of determining that an incident has occurred

· Disclosure of cybersecurity risks and incidents to clients

· Record-keeping requirements requiring advisors to keep records of their cybersecurity programs for five years.

General Data Protection Regulation
The GDPR also imposes confidentiality obligations on advisers, including US advisers, who are established in the European Union or who offer investment opportunities to EU individuals.

Whether an advisor is “established” in the EU is a complex issue that needs to be assessed on a case-by-case basis. Such analysis will include whether the advisor has a physical presence in the EU or whether its data processing activities are inextricably linked to the activities, such as revenue collection, of a local EU establishment.

A GDPR-regulated advisor will need to have a GDPR privacy notice and adhere to several other privacy and cybersecurity requirements. For example, if an advisor is not established in the EU, they must appoint a local representative in the EU for clients with questions about their privacy rights. Also under the GDPR, customers have rights, including access to their personal information and the right to have it corrected or deleted upon request. Additionally, many jurisdictions, including the European Union, United Kingdom, Canada, Japan, and others, require financial advisers to post a privacy notice on their website that describes how they collect, use and share the personal information of users of the site.

The GDPR also imposes strict data protection requirements on a company – and the penalties for non-compliance can be high. Financial advisors should work closely with privacy and security advisors to mitigate this risk by developing and fully implementing the appropriate privacy notice and cybersecurity policies and procedures.
