Warning to RIAs: Don’t Let Your Privacy Policy Stay Private


On November 17, 2009, an act of God occurred: eight federal agencies agreed on something. That something was a set of four model privacy notice forms that could be delivered to consumers (including investment advisory clients) to satisfy the information disclosure requirements of the Gramm-Leach-Bliley Act (GLB). Said another way, use of a model privacy notice allows registered investment advisors to dock their boats in a regulatory ‘safe harbor,’ protected from the storms of GLB and Regulation S-P enforcement.

Regulation S-P is what the SEC adopted in response to the passage of GLB, and it requires an RIA to disclose its privacy and information-sharing practices to its clients at the beginning of the advisory relationship and annually thereafter (or if such practices have changed). An RIA may effect delivery of its privacy notice electronically, so long as the client has consented to such electronic delivery. Use of a model form is entirely optional, but regulators intended the models to serve as an easy, simple way for clients to compare the various information gathering and sharing practices of financial institutions.

So what are the pros and the cons of using one of the model forms? For starters, it’s hard to pass on the opportunity to take advantage of a regulatory safe harbor, as they are few and far between. Even though the failure to deliver a passable privacy notice may appear to be a trivial regulatory violation in comparison to fraud or fiduciary blunders, it is an easily-identifiable deficiency that may ultimately contribute to a weak overall compliance program in the eyes of examiners.

The model privacy forms are also fairly short (one double-sided page in the shortest available option), succinct (no superfluous disclosures) and easy to read. If you want to check out each of the four model forms themselves, start on page 87 of the official release here. RIAs can even build the form online here if they don’t want to pull their hair out trying to duplicate the form manually in a software program. The online form-builder is somewhat awkward, however, so don’t be surprised if certain typed-in text doesn’t fit or creates funky spacing.

There are a few potential downsides to consider as well. The content, layout, typeface, dimension and orientation requirements are extremely strict and must be followed exactly in order to qualify for the safe harbor. Permitted additions or modifications to the model form's appearance are very limited, and are explained further in the SEC’s Small Firm Compliance Guide.

Some RIAs may prefer to add more of a marketing twist to their privacy notices, as there are no layout or standardized language requirements for privacy notices that fall outside of the model forms. Others may want to combine their privacy notice language with other unrelated regulatory disclosure language, which is not permitted in the model forms. Lastly, the model forms do not allow for much elaboration, clarification or tailoring to an RIA’s specific practices, which may prompt a firm to shoehorn the square peg of its practices into the round hole of the model form.

The initial and annual privacy policy notice delivery requirements are imposed upon RIAs of all sizes, so it’s important to fulfill this obligation even as a small or solo practice. Eight federal agencies haven’t agreed on much of anything since that historic November in 2009, but one thing is certain: I don’t think we’ll be receiving a model privacy notice from the NSA anytime soon.

* * *
This article originally appeared on October 24, 2013 in ThinkAdvisor.