What Every Investment Adviser Should Know About Privacy Laws and Rules

The Gramm-Leach-Bliley Act of 2001 ("GLBA") imposes restrictions and obligations on financial institutions -- including registered investment advisers ("RIAs") -- with respect to the disclosure of nonpublic personal information of customers and non-customers. Generally, GLBA requires all RIAs:

  1. to adopt a privacy policy consistent with GLBA;
  2. to provide notice of that policy to customers, and in some cases non-customers; and
  3. to give all consumers, including both customers and non-customers, the right to refuse permission for certain types of disclosures by "opting out."

These requirements are further clarified through Rule 313 of the Federal Trade Commission ("FTC"), applicable to state-registered RIAs, and through Regulation S-P for SEC-registered RIAs. This article discusses the details of the requirements of GLBA and FTC Rule 313.

At the outset, it is important to note that the Rule makes a distinction between "customers" and "consumers." It is easy to get confused if you are not familiar with legal principles of statutory and rule interpretation. The Rule says, by way of relevant example, "An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer, regardless of whether you establish a continuing advisory relationship." Suffice it to say that all customers are consumers but not all consumers are customers.

A clear, conspicuous and accurate description of the RIA's privacy policies must be delivered in a notice to each customer at the time of formation of the customer relationship. Usually, this will mean at the time the client signs the advisory agreement. A good practice is to review the terms of the privacy notice when reviewing the client advisory agreement and enclose a copy with the materials given to the client for their personal files. The Rule also requires the RIA to provide a copy or description of the privacy policy once annually to each customer.

The privacy notice adopted by the RIA must describe the types of nonpublic personal information collected by the RIA from customers and noncustomers.

Generally, this will include such details as a person's date of birth, social security number, financial account numbers, account balances, sources and amounts of income, credit card numbers, and sometimes telephone numbers.

Telephone numbers and other information that are readily available from public sources are not, by definition, "nonpublic." The notice must also identify the categories of nonpublic personal information the RIA discloses, the categories of affiliates and nonaffiliates to whom the RIA discloses such information, and an explanation of the right to opt out, among other things.

Non-customer consumers do not have to be provided such initial or annual notices if the RIA does not disclose such information to non-affiliated third parties.

Similarly, there are a number of "exceptions" to the notice and opt-out requirements that apply in slightly different ways to customers and non-customer consumers. If the RIA only discloses such information under any of these limited exceptions, then the notice requirement is not triggered as to non-customer consumers, and the opt-out requirement is not triggered as to any consumer (i.e., neither customers nor non-customers).

Those exceptions include:

  1. to process, service, effect, or enforce a transaction requested by the consumer;
  2. to protect the confidentiality or security of the RIA's records;
  3. to protect against fraud, unauthorized transactions, or other liability;
  4. to resolve consumer disputes or inquiries;
  5. to respond to regulators or law enforcement officers as permitted by other law, or to comply with subpoenas or other legal process;
  6. to a consumer reporting agency as permitted by the Fair Credit Reporting Act;
  7. in connection with a merger, sale, or transfer of the business; and
  8. with the client's express consent, provided it has not been revoked.

The opt-out notice must be clear and conspicuous, must state that the RIA discloses or reserves the right to disclose nonpublic personal information about consumers to nonaffiliated third parties, and must explain and provide a reasonable means to opt out of such disclosures. What constitutes reasonable means varies with the circumstances, but there is a "safe-harbor" provision that expressly identifies as reasonable providing a form with a check-off box in a prominent position sent contemporaneously with the opt-out notice, or providing an electronic means or a toll-free telephone number as a means to opt out. It is unreasonable to require the consumer to write his or her own letter, or to use a previously sent check-off form.