IARD Privacy Impact Assessment

Form ADV

OMB: 3235-0049

U.S. Securities and Exchange Commission

Investment Adviser Registration Depository (IARD)
PRIVACY IMPACT ASSESSMENT (PIA)

July 8, 2014

Privacy Impact Assessment
Investment Adviser Registration Depository (IARD)
(subsystem Private Fund Reporting Depository (PFRD))

General Information
1. Name of Project or System.
Investment Adviser Registration Depository (IARD)
2. Describe the project and its purpose or function in the SEC’s IT environment.
IARD is a web-based electronic registration depository of information filed on Form ADV
by investment advisers that eliminated the need for paper filings of Form ADV. IARD is
used to help the SEC staff process applications for registration or exemption and related
forms under the Investment Advisers Act of 1940 and to implement the Federal securities
laws and rules. Sections 203(c) and 204 of the Advisers Act [15 U.S.C. §§ 80b-3(c) and 80b-4]
authorize the SEC to collect the information required by Form ADV. The SEC collects
the information for regulatory purposes, such as deciding whether to grant registration.
Filing Form ADV is mandatory for advisers who are required to register with the SEC. The
SEC maintains the information submitted on this form and makes it publicly available.
The IARD serves as a readily accessible database to receive, and respond to, inquiries
regarding disciplinary actions, proceedings and public information about investment advisers
and persons associated with investment advisers. IARD collects only limited personally
identifiable information: (i) social security numbers (usually only for trusts) to identify legal
entities when no other identifiers are available; (ii) private addresses, if the advisory business is
run from a private address, since a business location is needed for OCIE inspections and
correspondence from the SEC; and (iii) CRD numbers, which are assigned by FINRA and
provided to individuals who need to list an identification number on Form ADV (the system
assigns this number automatically after an individual's social security number and birth date
are entered).
Any personal identifying information collected is required to positively identify the location,
person, or entity as part of the registration and examination of investment advisers as
provided under the Investment Advisers Act of 1940 and the rules the SEC has adopted
thereunder.
PFRD (Private Fund Reporting Depository) is an IARD sub-system of information filed on
Form PF by SEC-registered investment advisers that advise one or more private funds and
have at least $150 million in private fund assets under management. PFRD is used to collect
non-public information under the Investment Advisers Act of 1940 and to implement the
Federal securities laws and rules. Section 204(b) of the Advisers Act [15 U.S.C. §80b-4(b)]
authorizes the SEC to collect the information required by Form PF.
The information collected on Form PF is designed to facilitate the Financial Stability
Oversight Council's (FSOC) monitoring of systemic risk in the private fund industry and to
assist FSOC in determining whether and how to deploy its regulatory tools with respect to
nonbank financial companies. The SEC and CFTC may also use information collected on
Form PF in their regulatory programs, including examinations, investigations and investor
protection efforts relating to private fund advisers. Filing Form PF is mandatory for advisers
that satisfy the criteria described in Instruction 1 to the Form [17 C.F.R. §275.204(b)-1]. The
SEC does not intend to make public information reported on Form PF that is identifiable to
any particular adviser or private fund, although the SEC may use Form PF information in an
enforcement action. Only limited PII is collected on the signatory of the form, i.e. name,
title, email address, and telephone number, by Form PF or contained in PFRD.
IARD is a contractor system. Financial Industry Regulatory Authority (FINRA) Regulation,
Inc., a self-regulatory organization subject to SEC oversight, is the contractor.

3. Requested Operational Date? The IARD system has been operational since 2001. The PFRD
subsystem has been operational since 2012. The IARD PIA was last completed on July 11,
2011. This PIA is being updated to reflect the collection of Form PF in the PFRD, which is a
subsystem of the IARD system.
4. System of Records Notice (SORN) number? SEC-10, Correspondence File Pertaining to
Registered Investment Advisers, and SEC-50, Investment Adviser Records.
5. Is this an Exhibit 300 project or system?
No
Yes

6. What specific legal authorities, arrangements, and/or agreements allow the collection of this
information? Investment Advisers Act of 1940, section 204.
Specific Questions
SECTION I - Data in the System
1. What data about individuals could be collected, generated, or retained?
Form ADV and variant Form ADV data is collected. This includes name of investment
advisers (usually a firm name, but it could be the name of an individual if the adviser is
formed as a sole proprietorship), name of owners, birth date of individual owners (used
solely to create a CRD number for use on the Form ADV), social security number of
individual owners (used solely to create a CRD number for use on the Form ADV), social
security number of a trust, mailing address of advisory business, telephone number of
advisory business/Chief Compliance Officer/Contact employee, email address of Chief
Compliance Officer/Contact employee, fax number of advisory, CRD number, SEC number,
IRS tax number of owners (if no CRD number), Employer ID number of owners (if no CRD
number), criminal/civil judicial/regulatory disclosures required by Item 11 of Form ADV for
the advisory, employees, and certain affiliates of the adviser, year of birth/formal post high
school education/business background/material disciplinary information of supervised
employees providing investment advice (Form ADV Part 2B).
Form PF collects the adviser's full name (as filed on Form ADV) and SEC number, and the name,
email address, and contact number of the individual signing on behalf of the firm or related persons.
2. Does the project/system use or collect the social security number (SSN)? (This includes
truncated SSNs)
No.
Yes. If yes, provide the function of the SSN and the legal authority to collect.
Yes. Social security numbers are collected in order to (1) assign a CRD number for use on
the Form ADV by owners, (2) identify an owner that is a trust. The authority to collect the
SSN is the Investment Advisers Act of 1940.
3. What are the sources of the data?
Investment adviser businesses provide the information as part of a registration statement.
4. Why is the data being collected?
Any personal identifying information collected is required to positively identify the location,
person, or entity as part of the registration and examination of investment advisers as
provided under the Investment Advisers Act of 1940 and the rules the SEC has adopted
thereunder.
5. What technologies will be used to collect the data?
The data will be collected through a secure online web form (Form ADV and Form PF) or a
secure XML filing (Form PF) through the IARD system. The IARD system is based upon
the CRD (Central Registration Depository) system for broker-dealers owned and operated by
FINRA.
SECTION II - Attributes of the Data (use and accuracy)
1. Describe the uses of the data.
The information collected is used consistent with the routine uses outlined in SORNs SEC-10
and SEC-50. Any personally identifiable information collected is used for identification of
owners or the adviser in relation to reviewing the registration requests, conducting
inspections and examinations of the investment adviser, and enforcement actions against the
investment adviser.
2. Does the system analyze data to assist users in identifying previously unknown areas of note,
concern or pattern?
No
Yes If yes, please explain:
3. How will the data collected from individuals or derived by the system be checked for
accuracy?
IARD and PFRD are depositories of data from Form ADV and Form PF. The data collected
is that entered by the investment adviser. It would be fraudulent to file inaccurate
information on Form ADV and Form PF.
SECTION III - Sharing Practices
1. Will the data be shared with any internal organizations?
No
Yes If yes, please list organization(s): IARD data (except for social security
numbers, private residence addresses, and contact information for Chief Compliance
Officer/Contact employee) is publicly available through IAPD (investment adviser public
disclosure) website www.adviserinfo.sec.gov. All SEC divisions and offices may use IARD
data, but OCIE, IM, OIEA, and Enforcement are the primary users. Other government
agencies may access and use the data including State agencies, FBI, and the Department of
Labor. Investment Advisers Act of 1940, section 204 provides that the SEC shall have a
“readily accessible electronic or other process, to receive and promptly respond to inquiries
regarding registration information (including disciplinary actions, regulatory, judicial, and
arbitration proceedings, and other information required by law or rule to be reported)
involving investment advisers and persons associated with investment advisers.”
PFRD contains limited PII on the signatory page, i.e., name, email address, and telephone
number of the individual signing on behalf of the firm or related persons. Access to this data
is controlled by established policies and procedures for Form PF.
2. Will the data be shared with any external organizations?
No
Yes If yes, please list organization(s): External recipients including State
agencies, FBI, and the Department of Labor access the data via the IARD. PFRD data is
shared with other agencies, such as FSOC, under an MOU and a data sharing protocol.
How is the data transmitted or disclosed to external organization(s)? Data is obtained online
through IAPD using an Internet Web browser-based application or by logging into IARD
online via a secure Internet Web browser-based application. PFRD data is downloaded in a
secure, encrypted method.
3. How is the shared data secured by external recipients?
The IARD system has undergone a security assessment and authorization review, which
describes the IT security requirements and procedures required by federal law and policy to
ensure that the information is appropriately secured. Access to PFRD data is secured by
policies and procedures contained in an MOU and a data sharing protocol with FSOC. FSOC
has undergone a security assessment and authorization review by the SEC.
4. Does the project/system process or access PII in any other SEC system?
No
Yes. If yes, list system(s). The IARD system may share information with FINRA’s CRD
system when the adviser is also registered as a broker-dealer (dual registrant, registered on
CRD system and IARD system).

SECTION IV - Notice to Individuals to Decline/Consent Use
1. What privacy notice was provided to the different individuals prior to collection of data?
(Check all that apply)
Privacy Act Statement
System of Records Notice
Privacy Impact Assessment
Web Privacy Policy
Notice was not provided to individuals prior to collection
2. Do individuals have the opportunity and/or right to decline to provide data?
Yes
No
N/A
Please explain: No, the information is required by law or SEC rule to be provided.
3. Do individuals have the right to consent to particular uses of the data?
Yes
No
N/A
Please explain: No, the information is required by law or SEC rule to be provided and is
public information. The Form ADV contains a “Federal Information Law and Requirements”
section about the collection and use of the data and an “SEC’s Collection of Information”
section about the purpose and use of the information.
SECTION V - Access to Data (administrative and technological controls)
1. Has the retention schedule been established by the National Archives and Records
Administration (NARA)?
No If no, please explain:
Yes If yes, list retention period: Currently, all filings on the IARD system are active, none
are archived. These records will be maintained until they become inactive, at which time
they will be retired or destroyed in accordance with records schedules of the United States
Securities and Exchange Commission as approved by the National Archives and Records
Administration.
2. Describe the privacy training provided to users, either generally or specifically relevant to the
program or system.
All SEC staff and contractors receive annual privacy awareness training, which outlines their
roles and responsibilities for properly handling and protecting PII.
3. Has a system security plan been completed for the information system(s) supporting the
project?
Yes If yes, please provide date SA&A was completed:
No If the project does not trigger the SA&A requirement, state that along with an
explanation: The most recent Authority to Operate (ATO) for IARD was granted on
7/17/2013. PFRD was given a targeted SA&A in 2012 and a special PFRD ATO was issued
on 6/5/2012. However, since PFRD was included as a subsystem of IARD during the 2013
SA&A, the ATO for PFRD is also 7/17/2013.
4. Is the system exposed to the Internet without going through VPN?
No
Yes If yes, is secure authentication required? No Yes
Is the session encrypted? No Yes
5. Are there regular (i.e., periodic, recurring, etc.) PII data extractions from the system?
No
Yes If yes, please explain: SEC staff may occasionally extract data to generate reports.
These manual extracts are maintained in accordance with SEC’s policies and procedures for
securing PII data extractions, including securing the extracts in a designated file folder on the
office’s J drive, to which access is limited to SEC staff with a need to know. In addition, data
extracts are deleted or destroyed after 90 days, unless a business need (e.g., an ongoing
examination or investigation) warrants holding the data extract longer. Transmission of any
data extracts is done via a secure method or connection, e.g., the Outlook encryption tool or
SMAIL.

6. Which user group(s) will have access to the system?
All SEC divisions and offices may use IARD data, but OCIE, IM, OIEA, and Enforcement
are the primary users. Other government agencies may access and use the data including
State agencies, FBI, and the Department of Labor.
7. How is access to the data by a user determined? The types of access to IARD are: standard
regulator access (view-only access); work queue access (user can change the registration
status of an investment adviser, i.e., approved, revoked, etc.; SEC’s Branch of Registrations
and Examinations in OCIE uses this level of access); Form U6 filing access (user can file a
U6 if needed; SEC’s Office of the Secretary may use this access level); query access (view-only
access that cannot access aggregated reports of the data); and administrator access (user can
add, delete, or change a user's access rights). Access procedures are documented in
Attachment 5, “Management And Administration” of the IARD Contract SECHQ1-09-C-0114.
PFRD access has its own access level, and access to this data is controlled by PFRD
policies and procedures.
Are procedures documented?
Yes
No
8. How are the actual assignments of roles and rules verified?
Section 1.7 “Regulator Access” of the IARD Contract delineates the procedures for
assigning, terminating and verifying access to the IARD. Administrator access requires
supervisor approval and contractor review per the contract.
9. What auditing measures/controls and technical safeguards are in place to prevent misuse
(e.g., unauthorized browsing) of data? FINRA is responsible for implementing steps to
control access, use, disclosure, modification, and destruction of information. Such steps shall
include, at a minimum, identification and authentication of users and security controls that
detect unauthorized access attempts. FINRA is also required to establish an access control
policy, which includes features or procedures that enforce access control measures that
provide each user with access to the information to which they are entitled and no more.
Other specifics regarding technical safeguards are described in the SA&A documentation and
the IARD Contract SECHQ1-09-C-0114.

SECTION VI - Privacy Analysis
Given the amount and type of data being collected, discuss what privacy risks were identified
and how they were mitigated.
Social security numbers are the most sensitive personally identifiable information on IARD. These
numbers are redacted both on the internal IARD and on external, public IAPD systems. CRD
numbers are assigned to individuals for use on the Form ADV to add an extra layer of protection
to essentially remove social security numbers from appearing on the Form ADV. Special access
to review social security numbers is available and is provided on a need to know basis only.
Private residential addresses are redacted from the public site. These addresses may be
disclosed per a FOIA request as the adviser is conducting business from this location.

Since the data collected is public and disseminated publicly through the IAPD website, except
for social security numbers and private residence addresses, the larger focus on security was the
integrity of the data to eliminate the possibility of data corruption or deletion. A secure portal to
the webform is created each time a filer accesses IARD to view or file information. All data
collected through IARD by Form ADV and Form PF is approved by SEC rule.
