Financial Data Protection Laws Advisors Need to Know

Financial data protection laws exist to regulate the way that consumers’ information is managed and shared. Some of these laws are applied at the federal level, while others are state-specific. Advisors who offer services abroad may also be subject to financial privacy laws passed by other countries. It’s critical to know which laws you must observe in handling client data.

Understanding Financial Privacy Laws

Financial privacy laws, also called data protection laws, are designed to protect consumers’ sensitive information. Federal privacy laws can apply to a variety of financial institutions and entities, including:

In short, if you’re a financial advisor, you’re subject to federal rules. Whether you’re also required to adhere to state-mandated privacy rules or privacy laws passed by foreign governments depends on where you operate and advertise your business.

Financial Data Protection Laws for Advisors

Sifting through legal regulations can be time-consuming, and as an advisor, you only have so many hours in the day. To save time, we’ve highlighted some of the most relevant financial privacy laws to be aware of.

Gramm-Leach-Bliley Act (Privacy Rule)

The Gramm-Leach-Bliley Act of 1999 applies to financial institutions, which are defined as “companies that offer consumers financial products or services like loans, financial or investment advice, or insurance.” Under the Act, financial advisors must do two things:

  • Clearly explain how they share information
  • Protect clients’ sensitive information

Financial services providers, including advisors, must publish privacy notices explaining their information-sharing policies. When sharing these notices with clients, you must give them an opportunity to opt out.

This is outlined under the Act’s Privacy Rule, and it pertains to your clients’ nonpublic personal information (NPI). Nonpublic personal information is any personally identifiable financial information that financial institutions collect, excluding publicly available information.

Examples of NPI include:

  • Any information clients share to access financial services or products you offer, including their name, address, Social Security number and income
  • Information you get about a client from a transaction that involves your financial products or services, such as a credit card number they used for payment
  • Data you collect about a client in the course of providing financial services or products, such as credit report information

Publicly available information is any information you have reason to believe is readily available or widely distributed in the public space. For example, information about property a client owns that’s on file with the county register of deeds would be considered public record.

RIAs must provide clients with a privacy notice describing which nonpublic personal information they collect, how it’s used and whether it’s shared with any affiliated third parties. If you engage in restricted sharing of personal information with unaffiliated third parties, you must disclose that in the notice and tell your clients how they can opt out.

You must publish your notice in a clear, conspicuous place and update it annually. The simplest way to do that may be to publish the notice on a dedicated page of your website. You can also deliver privacy notices electronically to subscribers who have given consent to be added to your email list.

Gramm-Leach-Bliley Act (Safeguards Rule)

The Safeguards Rule requires financial institutions to “develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect consumer information.”

In other words, advisors must have a written plan for managing client data security. The plan must be suitable for the size and scope of your business and protect consumers’ nonpublic personal information.

According to the Federal Trade Commission, the objectives of such a security program should be to:

  • Ensure security and confidentiality of client information
  • Protect against anticipated security threats or hazards
  • Bar unauthorized access to information that could result in harm or inconvenience to your clients

You’re also required to designate an individual within your firm who’s responsible for implementing and supervising your security program. This might be something your chief compliance officer (CCO) handles, but the FTC does not require you to use someone in-house for this task. The person you choose must report to your firm’s board of directors.

The FTC has a checklist advisors and other financial institutions are expected to follow to adhere to the Safeguards Rule. You must:

  • Conduct a risk assessment to identify potential security threats
  • Periodically review who has access to client information
  • Create a data inventory that notes where information is collected, stored and transmitted
  • Encrypt client information, or otherwise secure it using an approved method
  • Evaluate the security of any apps or online tools your firm develops
  • Implement multi-factor authentication for accessing client information
  • Dispose of client information securely
  • Anticipate and evaluate changes to your information system or network
  • Maintain a log of authorized users’ activity and monitor for unauthorized access

You must also routinely stress-test your system to make sure the safeguards you’ve implemented are effective and train your staff to recognize and report risks or security threats. You’ll need to keep your security program up to date, monitor your service providers, and develop an emergency response plan if a security breach occurs.

Regulation S-P

Adopted in 2000, Regulation S-P implements the Gramm-Leach-Bliley Act. It was updated in 2024 to reflect evolving technology and cybersecurity threats. Under the updated guidelines, financial advisors and other financial institutions must serve notice to clients if they become aware that their information has been compromised. The notice must be sent within 30 days of learning of a data breach and specify:

  • The nature of the incident and when it occurred, including details of the information believed to have been compromised
  • Instructions for how to contact the advisory firm for more information
  • A recommendation to review account statements and report suspicious activity
  • Instructions on how to obtain a copy of credit reports and place a fraud alert
  • Information on identity theft resources

Notice is not required if you can determine after a reasonable investigation that any compromised information is not likely to be used in a way that would result in substantial harm or inconvenience to your client.

SEC Cybersecurity Rule

In 2023, the SEC formally adopted rules for RIAs requiring them to make certain disclosures regarding cybersecurity incidents and risk management. This rule requires registered advisors to:

  • Report material cybersecurity events on Form 8-K
  • Describe their firm’s security processes for assessing, identifying and managing material cybersecurity risks on Form S-K

If a cybersecurity event occurs, advisors must report it within four business days of determining that it’s material. Exceptions are only allowed in situations where the U.S. Attorney General determines that immediate reporting would pose a threat to national security or public safety. Reports must describe the nature of the event, its scope and timing, and any anticipated material impact on your firm.

Form S-K must outline your cybersecurity processes: how you identify threats, what you do to manage risks and the potential impacts of a cybersecurity incident. This information must be disclosed to the SEC annually.

Foreign private issuers are also subject to the SEC’s cybersecurity rule. They must use Form 6-K to report material cybersecurity events and Form 20-F to disclose their cybersecurity risk management, strategy and governance procedures.

General Data Protection Regulation (GDPR)

General Data Protection Regulation rules were established in 2018 by the European Union. The law is designed to allow individuals in the EU to control how their data is collected, stored and used.

Territorially speaking, the GDPR applies to:

  • EU-based advisors
  • U.S.-based advisors that have a physical presence and/or employees in the EU
  • U.S.-based advisors that have EU individuals as clients or investors in the funds they manage

If your firm has a professional financial advisor website or email newsletter, it’s important to be cognizant of what the GDPR requires. Here are the key takeaways:

  • Clients (and prospects) have the right to ask you to delete any personal data you’ve obtained, including their name, email address and location.
  • At the request of the client, you must provide them with all the data you’ve collected on them.
  • If you’re using email marketing to generate leads, you must first obtain consent before adding someone to your email list.
  • You must include a cookie consent notice on your website that lets visitors allow or deny the use of cookies to collect their data.

If you’re working with any third-party service to process client data, that entity must also adhere to GDPR rules.

Frequently Asked Questions (FAQs)

Do Financial Advisors Need a Privacy Notice?

Federal regulations require financial advisors to have a privacy notice and update it annually. This notice must be clear and conspicuous and use plain, uncomplicated language to explain how client information is collected and shared, and how clients can opt out of sharing.

What Is Personally Identifiable Information?

Personally identifiable information is any data that can be used to identify someone, either directly or indirectly. Examples of personally identifiable information include someone’s name, date of birth, Social Security number, address, driver’s license number or bank account number.

What Is a Financial Data Breach?

A financial data breach occurs when an individual or organization uses criminal methods to steal individuals’ financial information. Financial institutions, including brokerages and advisory firms, are obvious targets for a data breach, but cyberthieves can target any organization that collects or stores financial information.

Bottom Line

Cybersecurity is a growing area of concern for financial advisors and the financial services industry as a whole. Familiarizing yourself with financial data protection laws can help you take the necessary steps to keep your clients’ information safe.

Tips for Growing Your Advisory Business

  • Marketing is another area where it’s important to pay attention to compliance. Outsourcing some of your lead generation efforts to an advisor marketing platform can make managing compliance requirements easier. With SmartAsset AMP, you can target leads for your business and get the tools you need to follow up quickly and compliantly. Schedule a demo to learn how you can leverage it to grow your business.
  • Choosing the right customer relationship management (CRM) software can make collecting, organizing and storing prospect data easier. It also helps with streamlining the client onboarding process and creating a more user-friendly experience.

Photo credit: ©iStock.com/Liubomyr Vorona, ©iStock.com/shapecharge, ©iStock.com/David Gyung