# Regulation S-P — Consumer Financial Privacy

## What It Is

Regulation S-P (17 CFR Part 248, Subpart A) implements the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) for SEC-regulated entities. It requires broker-dealers, investment companies, and SEC-registered investment advisers to protect consumer financial information and to provide privacy notices.

In May 2024, the SEC adopted amendments to Regulation S-P that significantly expand its requirements, including a mandatory incident response program, customer notification obligations, and written oversight of service providers.

## Who It Applies To

- SEC-registered investment advisers
- SEC-registered broker-dealers
- SEC-registered investment companies
- Transfer agents registered with the SEC or another appropriate regulatory agency (brought under the safeguards and disposal rules by the 2024 amendments)

### Exempt Reporting Advisers

ERAs are **not directly subject** to Regulation S-P. However:

- ERAs should follow Regulation S-P as a best practice
- State-registered advisers may be subject to similar state privacy rules
- The antifraud provisions of the Advisers Act apply regardless of registration status and call for reasonable protection of investor data

## Core Requirements

### 1. Privacy Notice (Initial and Annual)

Provide a clear and conspicuous privacy notice to investors that describes:

- Categories of nonpublic personal information (NPI) collected
- Categories of NPI disclosed to third parties
- Categories of third parties to whom NPI is disclosed
- Policies and practices for protecting the confidentiality and security of NPI
- The investor's right to opt out of certain disclosures

**Initial notice**: Delivered at or before the time the investor relationship is established.

**Annual notice**: Delivered at least once every 12 months during the relationship. (Exception: an annual notice is not required if the adviser discloses NPI only under exceptions that do not trigger opt-out rights and its privacy policies and practices have not changed since the last notice was delivered.)

### 2. Opt-Out Rights

Before disclosing NPI to nonaffiliated third parties (subject to certain exceptions), the adviser must:

- Provide notice of the right to opt out
- Give a reasonable opportunity to opt out
- Honor opt-out requests

**Exceptions** (no opt-out required):

- Disclosures to service providers under contract (administrators, auditors, custodians)
- Disclosures required by law or regulation
- Disclosures with the investor's consent
- Disclosures to protect against fraud

### 3. Safeguards Rule

Adopt written policies and procedures reasonably designed to protect customer records and information, including:

- Administrative safeguards (employee training, access controls)
- Technical safeguards (encryption, secure systems)
- Physical safeguards (locked files, secure offices)

### 4. Disposal Rule

Properly dispose of consumer information when it is no longer needed: shred physical documents and securely erase electronic records so they cannot be reconstructed.

### 5. Incident Response Program (2024 Amendments)

The SEC's 2024 amendments require:

- A written incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information
- Assessment of the nature and scope of any detected incident, and steps to contain and control it
- Notification to affected individuals if sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (unless a reasonable investigation determines that the information is not reasonably likely to be used in a way that would cause substantial harm or inconvenience)
- Notification as soon as practicable, but no later than 30 days after the firm becomes aware that unauthorized access or use has occurred or is reasonably likely to have occurred
- Written policies for overseeing service providers, including a requirement that a service provider notify the firm as soon as possible, and no later than 72 hours, after becoming aware of a breach affecting customer information it maintains
- Compliance deadlines: larger entities by December 3, 2025; smaller entities by June 3, 2026

## What Counts as Nonpublic Personal Information (NPI)

- Social security numbers, passport numbers, tax ID numbers
- Account numbers and balances
- Transaction history
- Income, net worth, and financial statements
- Any information collected through the investor relationship that is not publicly available

## How It Applies to Palace Fund

### Korean Investor Data

Palace Fund collects significant NPI from Korean investors:

- Korean passport numbers and national ID numbers
- Korean bank account information (for distributions)
- Financial statements and net worth declarations (for accredited investor verification)
- Wire transfer information
- Korean tax identification numbers

This data must be protected under Regulation S-P (if the fund's adviser is registered) and, in any case, as a matter of best practice and fiduciary duty.

### Practical Privacy Program for a Small Fund

1. **Privacy notice**: Draft and deliver a privacy notice to each investor at subscription. Include it in the subscription package.
2. **Data collection**: Collect only the information necessary for fund operations, regulatory compliance, and tax reporting.
3. **Storage**: Store investor data securely. Use encrypted storage for electronic records and lock physical files.
4. **Access controls**: Limit access to investor NPI to the fund manager and necessary service providers (administrator, auditor, legal counsel).
5. **Service provider contracts**: Ensure that service providers with access to investor data are contractually obligated to protect it and to report incidents promptly.
6. **Disposal**: When investor data is no longer needed (after retention periods expire), securely destroy it.

## Action Items

1. **Draft a privacy notice**: Include the categories of information collected, how it is used, who it is shared with, and the safeguards applied. Deliver it to investors at subscription.
2. **Create a written information security policy**: Document the administrative, technical, and physical safeguards for investor data.
3. **Implement data security measures**: Encrypted file storage, strong passwords, and two-factor authentication on every system that holds investor data.
4. **Service provider due diligence**: Confirm that the fund administrator, auditor, legal counsel, and custodian have adequate data protection practices, and include confidentiality and breach notification provisions in engagement agreements.
5. **Build an incident response plan**: Document procedures for detecting, investigating, containing, and responding to data breaches, including investor notification procedures and the 30-day notification deadline.
6. **Retain records**: Keep privacy notices and records of data handling for at least 5 years.
7. **Cross-reference Korean privacy law (PIPA)**: Korean investors' data may also be subject to Korean privacy requirements. Ensure practices satisfy both US and Korean standards.

## Key Takeaway

Regulation S-P applies directly only to SEC-registered firms, but any fund handling investor personal and financial data should follow its principles. For Palace Fund with Korean investors, protecting passport numbers, financial data, and banking information is both a legal obligation and a trust requirement. Draft a privacy notice, implement security safeguards, and ensure service providers protect the data as well.