What You Need to Know
The fourth most common compliance deficiency for RIA firms involves the creation, delivery and enforcement of the firm’s privacy policy.
All RIAs must have a privacy policy in place that outlines how they protect their clients’ confidential information. Advisors are expected to include the following in their privacy policy:
This privacy policy must be distributed to all new clients, as well as to all ongoing clients on an annual basis. Any subsequent change to the privacy policy necessitates an additional delivery to clients as well.
Why You Should Care
Identity theft, cyber fraud and high-profile security breaches have become common occurrences. The media attention they receive has undoubtedly heightened your clients' sensitivity to protecting their personal information.
Your privacy policy can become a very compelling relationship management tool, as it serves as a proof statement to clients that you respect and guard their information. Likewise, it should be used internally to lay out for your employees some simple protocols to guide their decisions when handling confidential client information.
As a general policy, supervised persons should not release confidential client information without first consulting with the CCO. This mitigates your regulatory risk by ensuring that nonpublic information is disclosed only to the extent it is needed to conduct business for that client.
Our Recommendations
To ensure that your firm is keeping up with regulatory requirements and industry best practices in this area: