Copyright © 2021 by the Investment Company Institute. All rights reserved. The content contained in this document is proprietary property of ICI and should not be reproduced or disseminated without ICI’s prior consent. The information contained in this document should be used solely for purposes of assisting firms in making independent and unilateral decisions relevant to their respective business operations. It is not intended to be, and should not be construed as, legal advice.

Protecting Nonpublic Personal Information in a Data-Driven Distribution Model

Contents

The Risk of NPPI Data Breach
Scope and Methodology
Common Definition of Nonpublic Personal Information
Figure 1: Elements of Nonpublic Personal Information
High-Level Information Flow
Figure 2: Potential NPPI Data Flows in Mutual Fund Back-Office Operations
File and Report Inventory
Figure 3: Distribution-Related Files/Reports Used by Mutual Fund Back-Office Operations
Figure 4: Use Case Source Data
Figure 5: Use Case Supporting Data Points
Questions and Considerations
Business Process and NPPI Inventory
Business Process and NPPI Analysis and Action
Oversight, Governance, and Risk Management
Summary and Conclusion

Introduction

Distribution of mutual funds depends more on intermediaries today than ever before.[1] Intermediary distribution strategies often require the exchange of nonpublic personal information (NPPI)[2] between counterparties to meet important regulatory, compliance, oversight, and distribution needs—especially for mutual fund asset managers and their funds’ boards of directors. Exchanging NPPI introduces numerous risks for all parties, including the shareholder or intermediary whose information is being shared, the counterparties that send and receive the data, and any entities serving as conduits for information exchange.
Risks include unlawful or unnecessary cyber or employee access, constantly shifting regulation regarding NPPI management, and the legal and financial liabilities that could result from an NPPI data breach.

The Investment Company Institute’s Broker-Dealer Advisory Committee (ICI BDAC) is committed to improving mutual fund distribution, operational processing, servicing, and support. ICI BDAC created its Data Strategy Task Force to understand how NPPI is shared between and used by mutual fund companies and counterparties such as intermediaries and service providers to support current distribution, shareholder servicing, and recordkeeping activities. This paper describes common practices and offers context and considerations for asset managers, intermediaries, and service providers regarding use and management of NPPI to support business activities such as regulatory and compliance management, intermediary oversight, distribution, and reporting.

The task force considered the following key questions to identify business use cases and practices using NPPI. The questions may be helpful to an organization as it evaluates its ongoing use and management of NPPI:

» What NPPI does your organization send to or receive from intermediaries and service providers?
» How and for what purpose is NPPI used?
» Are the uses and benefits of NPPI appropriate or necessary relative to the risks of transmitting, receiving, and/or storing such information?
» Can the business processes be supported through alternate means without NPPI, or through a lesser volume of NPPI?
» If NPPI is required, what action steps does/should your organization take to safeguard and protect NPPI while in transit or at rest within your organization, or while in the possession of your distribution partners and service providers?
» Are the safeguards and controls such as user provisioning, storage, retention, and destruction appropriate relative to regulations and the risk related to the NPPI data points?
» Considering your business model and shareholder base, what effect will/does regulation—including state consumer privacy laws such as the California Consumer Privacy Act (CCPA) or the European Union’s General Data Protection Regulation (GDPR)—have on your use of NPPI?

Asset managers, intermediary partners, and service providers are encouraged to use this document as one resource to assess the extent to which NPPI is appropriately transmitted, received, stored, used, and disposed of. Each organization will separately determine its internal information security policies and procedures, as well as applicable compliance and regulatory requirements. When possible, all parties are encouraged to remove unnecessary NPPI from their processes and environment, and to reduce and protect required NPPI received from or provided to counterparties.

Background

Decades of growth in defined contribution retirement plans,[3] mutual fund supermarkets,[4] clearing arrangements,[5] managed account platforms,[6] and omnibus and super-omnibus models[7] have caused asset managers to become increasingly intermediated from the end investor. This shift h