Identity Theft and Privacy Notice

As you know I'm not happy about the ID Theft/Red Flags rules for introducing firms that offer margin accounts through their clearing firms. Doesn't make sense that these firms are considered 'creditors.' But don't get me started on bad rules that require time, money and effort for the sake of token compliance. Yuk. But a trusted informant from another consulting firm told me that FINRA is obsessing about compliance with these new rules--even though they don't take effect until June 1 and even though FINRA does not have authority to enforce the rules (FTC does). So gear up. Read this Notice Red Flags Rule and Template Procedures and customize the template FINRA provides.

On Privacy (wait, why is this separate from ID theft: isn't protecting customer information all under the same umbrella? Ugh. Whatever.): I came across this, about changes to Reg. S-P: eCFR Link to S-P Amendment. The Reg change eliminates the 'sample clauses' that most of you are using in your Privacy Notices right now. After this year, you won't be able to use those clauses to meet the disclosure requirements under Reg. S-P. Rather, there is a new 'model privacy form.' As of 2011, firms must either use the model form or be sure that their custom privacy notices meet all Reg. S-P criteria. You don't have to wait until 2011--the model form may be used now, and will give you the comfort of knowing your notice meets federal requirements (i.e., it is a safe harbor). You may want to begin the process of switching over from your currently-used notice.

There are two versions of the new model form: Notice with Opt-Out and Notice without Opt-Out. You'll want to decide which is right for your firm and then customize it. Remember, Privacy Notices are NOT required for institutional customers; for individuals, you must deliver the Notice at account opening and yearly thereafter.

Now go forth and confidently protect the privacy and identies of your customers. And do it in a well-documented fashion. Or else.