Name of Supervisor (“designated Principal”): CCO
Frequency of Review: In daily course of business
How Conducted: Privacy notice process; review RR activity/correspondence; customer file reviews; enforce information security procedures; train personnel in information protection
How Documented: Privacy notices, opt-out records; account information; records of monitoring and testing, if required, of internal systems; ensure and document third-party monitoring/testing of systems, if applicable. 3010 Checklist: SEC Regulation S-P, Notices 00-66, 05-49
Comments: Also reference the Business Continuity Plan for technical details on document back-up and the Company’s ID Theft Prevention Program, if applicable.
The Company has adopted the following supervisory procedures in order to comply with Regulation S-P and to protect the privacy of customer financial information.
The designated Principal shall ensure compliance with these procedures, and shall use the following text, in addition to other materials, such as technical manuals and office procedures instructions, in order to comprehensively train employees with regard to their obligations under the regulation. Employees are encouraged to review Regulation S-P and Notices 05-49 and 00-66 to augment their comprehension of privacy requirements.
Safeguarding Customer Records and Information
The Company and its employees are required to attempt to:
• Insure the security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
• Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The Company’s offices are locked when the business is closed; unauthorized access is prohibited. Customer records are maintained in locked cabinets and/or in electronic form that is protected by password entry, and only those employees who are authorized and have been registered may access such records. Unauthorized access is strictly prohibited. The Company’s computer system is protected by firewall and anti-virus software. As described herein, the Company’s IT staff or outside vendor will monitor changes in the technology used by Company personnel and will ensure that these changes do not result in gaps in information protection (“monitor, evaluate and adjust”); training of personnel is required when technologies change to ensure continued protection of customer information.
Personnel are required to comply with the Company’s information barriers, which are described elsewhere in this WSP Manual. Control of the flow of information between personnel, departments and outside vendors is an important tool in protecting non-public information.
Destruction of hard-copy confidential customer information is accomplished via a paper shredder. In the event the Company wishes to purge electronic records or dispose of computer equipment the hard drive will be removed or magnetically erased to ensure that no confidential company or customer information can be retrieved by unauthorized parties. Remote access to company computers will be strictly controlled and protected through passwords and encryption technology.
The Company shall also ensure that any information maintained by a third-party, including but not limited to their clearing firm, is protected and that destruction of confidential company or customer information is done in a manner so as to protect it from unauthorized access. The treatment of such confidential information by third-parties should be contained within the Company’s contract with these parties or in a separate confidentiality agreement signed by the vendor.
Monitoring/Testing of Controls: The Company will monitor the controls it uses to safeguard its customers’ personal information. Monitoring will be conducted to ensure the effectiveness of:
i. access controls on personal information systems,
ii. controls to detect, prevent and respond to unauthorized access to personal information, and
iii. employee training related to the Company’s information security procedures.
For (i) and (ii), monitoring will generally consist of designated IT personnel’s routine maintenance of IT and other systems (such as the OMS, electronic communications software, and database systems) and troubleshooting when required. Such maintenance may include, among other processes, ensuring that firewalls, anti-virus software, and encryption technology are in place and functioning, and that all data relay systems, such as those used to route orders to the clearing firm, are secure. In addition to maintenance and troubleshooting, IT personnel will respond to and correct any perceived failure of a system that could result (or has resulted) in a privacy breach. Noted deficiencies will be corrected immediately, and all such instances will be documented and reported to the CCO.
For (iii), the CCO is responsible for ensuring that employees are properly trained in the use of all systems so as to conform to the safeguards described herein and expected by regulators.
The Company makes use of outside vendors to provide and maintain its electronic systems that contain personal information. The CCO is responsible for ensuring that outside service providers are selected and retained based on their competence and ability to maintain safeguards over personal information as required and that they are obligated under contract to implement and maintain such safeguards. Outside vendors are expected to report to the Company their ongoing monitoring and/or testing of the systems provided; the Company may require independent evaluations of third-party systems in higher risk situations, or may require additional tests, evaluations and reports from a third party provider, should its security monitoring be considered inadequate or not specific enough to meet the Company’s needs. The CCO will determine if such additional monitoring, testing or reporting is required, and will oversee completion.
The monitoring and, if applicable, testing, described herein, whether conducted by the Company and/or its outside vendors will be supervised by the CCO and documented. Such records will be maintained for three years.
If any person associated with the Company detects or becomes aware of any breach of the Company’s electronic or paper records that could compromise confidential information, he or she must immediately notify the Executive Representative and/or CCO. The Executive Representative and/or CCO shall investigate any reported breach. If the breach compromised customer confidential information, the Executive Representative and/or CCO will immediately notify state or federal regulatory authorities, if applicable, take any necessary steps to secure the information from future breaches, and notify customers regarding the compromise and any remedies available to them to detect or prevent possible identity theft or other issues relating to the breach.
Potential threats to the security of customer information are also addressed in the Company’s Business Continuity Plan, as are the Company’s information back-up systems; please reference that document for details. For a discussion of permitted communications via electronic means and protection of information, see the sections called “Electronic Mail” and “Use of Electronic Media.” In addition, the Company’s Identity Theft Prevention Program addresses safeguards for preventing online account intrusion and subsequent compromise of customer information security, such as internet authentication methods. This Manual does not address those specific procedures: Company personnel should consult the ITPP for related procedures. The respective designated Principals shall be responsible for overseeing the strict adherence to these policies.
7.10.1 Who is Protected?
The regulation protects only individuals; thus, trusts, partnerships and corporations are not protected. Beneficiaries of trusts, 401(k) participants, shareholders of corporations or partners of partnerships are not protected. IRA beneficiaries are protected since they are individuals.
Institutional investors are not covered by the regulation and no disclosures are required to be made to institutional customers.
7.10.2 What is Protected?
With certain exceptions set forth below, the Company is required to protect “Nonpublic Personal Information” (“NPI”) defined as “Personally Identifiable Financial Information” (“PIFI”) acquired from the customer PLUS any list, description or other grouping of customers derived from using any PIFI. In general, PIFI would include all information of a personal nature supplied on account applications, questionnaires and other information provided in order to obtain accounts, obtain credit, enter into advisory or other relationships, etc.
NPI does not include information that the Company has taken steps to verify and reasonably believes could lawfully be obtained from federal, state or local government records, widely distributed media (telephone book, television, website or radio program) or disclosures to the general public required to be made by federal, state or local law.
In addition, Regulation S-P protects account number information. The Regulation (with certain exceptions) prohibits the Company under any circumstances from disclosing to any non-related third party (“NTP”) other than a consumer reporting agency, a customer account number or similar form of access number or access code for a credit card account, deposit account or transaction account if such disclosure is for use in telemarketing, direct mail marketing or other electronic mail marketing. Regulation S-P also controls “re-disclosure and reuse” of any NPI. Regulation S-P specifically requires the Privacy Notice to state that the Company may disclose NPI about former customers as well as current ones. The Regulation does not require that a Privacy Notice be provided to any former customer.
THE COMPANY AS A POLICY DOES NOT DISCLOSE ANY CONSUMER OR CUSTOMER NON-PUBLIC INFORMATION TO NON-RELATED THIRD PARTIES OTHER THAN IN CONTROLLED CIRCUMSTANCES AS SPECIFICALLY ALLOWED BY REGULATION S-P.
7.10.3 How is it Protected?
With certain exceptions (consult Rule) the Company may not disclose NPI of any customer to any NTP without prior notice and consent by the customer. An NTP is any person, firm or corporation that is not controlled by, controlling or under common control with the Company. NOTE: if any other government regulator treats the Company as an “affiliate” of a company regulated by it, then the Company is also an “affiliate” of that company for purposes of regulation S-P and may disclose NPI to that company.
7.10.4 Notice Requirements
Initial Privacy Notice Requirement
The Regulation requires the Company to provide an Initial Privacy Notice to (a) every customer at all times and (b) every customer and “consumer” (see note below) where the Company intends to disclose that customer’s NPI to any NTP under any non-exempt circumstances. Each recipient must also be provided with a “reasonable” time to “opt out” or not.
NOTE: If the Company does not share NPI, it does not have to provide initial and annual notices or opt-out choices to each “consumer”, that is, an individual who obtains or has obtained a financial product or service from the Company that is to be used primarily for personal, family, or household purposes. Typically, a “consumer” has no further contact with the Company other than the one-time delivery of products or services (versus a customer, who has an on-going relationship with the Company). The designated Principal must ensure that this distinction is well understood and accurately applied.
The Initial Privacy Notice must be provided to the customer, with certain exceptions, AT OR BEFORE the time the Company establishes the customer relationship or BEFORE the Company makes any disclosures of that customer’s NPI to a NTP. The Initial Privacy Notice may be provided in written or electronic form (if the customer is able to acknowledge receipt electronically).
The exceptions are as follows: The Initial Privacy Notice may be provided at a “reasonable” later time where (a) the customer relationship has been established without the customer’s knowledge or consent (e.g., an ACATS transfer or SIPC trustee transfer); (b) providing the Notice would substantially delay the customer’s transaction and the customer has agreed to receive the Notice at a later date; or (c) the NTP establishes an account or purchases securities on behalf of the customer.
Once provided to a particular individual, the Initial Privacy Notice does not have to be provided again every time a new product or service is obtained by that individual, as long as the Initial Privacy Notice and any subsequent Annual Privacy Notices (see below) are current and accurate as to that product or service.
“Opt Out” Provision: Because the Company does not share NPI, it does not offer an opt-out provision in its Privacy Notice.
Annual Privacy Notice: Appointed personnel of the Company are required to provide an Annual Privacy Notice to each customer every 12 months as long as he/she remains a customer. Once he/she ceases to be a customer, no further Notice is required. Annual Privacy Notices are sent in March of each year to all covered persons. The Annual Privacy Notice may be delivered over the Company’s website.
7.10.5 Books and Records Requirement
The Company maintains records to evidence its delivery of Privacy Notices to customers. Copies of Notices are kept in the customer’s account records. The Company is committed to protecting the confidentiality, security and integrity of all its customers’ nonpublic personal information. Compliance with the procedures described herein is intended to ensure such protection.
7.10.6 Superseding Authorities/State Regulations
Regulation S-P does not modify, limit or supersede the Fair Credit Reporting Act (15 U.S.C. 1681), particularly Section 603 that allows companies to provide selected credit information to lenders. In addition, Regulation S-P does not supersede, alter or affect any state law or regulation that establishes and imposes different information protection standards. Accordingly, the Company should be aware of comparable provisions in states where it is doing business. For example, some jurisdictions, including Massachusetts and Nevada, have enacted legislation that establishes minimum standards to safeguard personal information in electronic records. These laws contain potential penalties against persons and entities for failures to adequately safeguard electronic information containing personal information. The CCO must attempt to conform to these State regulations when applicable.
7.11 Forwarding Material Information – Not Applicable