A new Risk Alert (“the Alert”) focused on branch office supervision and customer data safekeeping has been issued by the Division of Examinations (“EXAMS”). This is the third Alert of 2023, and it discusses Staff findings from examinations conducted on both registered investment advisers and broker-dealers. The SEC discovered issues during these examinations in relation to Reg S-P and customer data. Most weaknesses found were in relation to vendor and technology systems that have access to or maintain customer personal information.
Historically, the regulatory issues surrounding branch offices have been primarily considered a broker-dealer concern as opposed to an advisory one since there are specific FINRA rules regarding branch office supervision (FINRA Rule 3110). Reg S-P, however, covers both broker-dealers and RIAs, and all customer data regardless of the location of that data is covered under the regulation.
The Staff found that branch office governance was lacking in many cases, especially in the following areas:
- Vendor Management
- Email Configuration
- Data Classification
- Access Management
- Technology Risk
All of the areas listed above showed weaknesses when they were managed at the branch office level rather than at the home/main office level. In short, deficiencies were found where branches were allowed to own and manage their own vendors, email accounts, data security, access rights, and other technology usage separately from the home/main office.
Findings by EXAMS at branch offices included:
- Off-policy activities, or branch policies that were insufficient to detect and prevent data loss or possible breaches involving customer data
- Inadequate vendor due diligence
- Using email vendors that cannot adhere to Exchange Act Rule 17a-4
- Branch office data not being included in overall firm data policies and oversight
- Password controls being inconsistent among branch offices, creating weak system access points
- System management weaknesses regarding patch management and the use of outdated, end-of-life systems
Investment advisers with multiple offices should consider the Alert in relation to their overall compliance program oversight activities. Although FINRA Rule 3110 is intended for broker-dealers and no advisory firm is obligated to comply with it, the Rule provides useful guidance for any firm with branch offices. There is currently no specific rule governing registered investment adviser branch offices.
Reg S-P policies should be written so that they cover all customer-level data, regardless of where it is located. Communication with branch offices regarding Reg S-P data protection policies and practices should be conducted and documented through periodic training and during scheduled branch office audits.