Most Recent Amendment Date : September 15, 2012
Registered Advisor with the U.S. Securities and Exchange Commission.
Licensed to conduct investment business by the Bermuda Monetary Authority.
Licensed by the Cayman Islands Monetary Authority to conduct investment business.
The SEC’s Regulation S-P (Privacy of Consumer Financial Information), which was adopted to comply with Section 504 of the Gramm-Leach-Bliley Act, requires registered investment advisers such as Bermuda Investment Advisory Services Limited (BIAS) to disclose to their clients who are Natural Persons their policies and procedures regarding the use and safekeeping of client records and information.
Information is collected from Clients at the inception of their accounts and occasionally thereafter, primarily to determine accounts’ investment objectives and financial goals and to assist in providing Clients with requested services. Information is also gathered to satisfy the licensing requirements of our governing jurisdiction as well as for Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) needs.
While BIAS strives to keep Clients’ information up to date, Clients are requested to monitor any information provided to them for errors.
Additionally, the SEC has adopted amendments to Rule 30 under Regulation S-P which require registered financial institutions such as BIAS to adopt written policies and procedures to properly dispose of sensitive consumer information. The amendments are designed to protect consumers against the risks associated with unauthorized access to information and mitigate the possibility of fraud and related crimes, including identity theft.
In developing this policy and procedures, BIAS considered the material risks associated with protecting Non-Public Personal Information. This analysis includes risks such as:
- Information about activities of BIAS and its Clients that is required to be maintained is not accurately recorded and stored and is not protected from unauthorized access, alteration, and destruction.
- Information about Clients is not maintained or used in ways that ensure such information is safe from unauthorized use.
- False or misleading disclosures are made to Clients about how their Non-Public Personal Information is used and protected from unauthorized use.
BIAS has established the following guidelines in an attempt to mitigate these risks.
BIAS will not disclose Client records and information including Non-Public Personal Information and Consumer Report Information (collectively, “Client Information”) to anyone unless such disclosure is permitted or required by law.
1 - BIAS shall not sell Client Information to anyone.
2 - BIAS will restrict access to Client Information to individuals within BIAS who require the information in the ordinary course of servicing Clients’ accounts. Client information is used only for business purposes.
3 - BIAS has developed procedures to safeguard Client records and information (See Attachment A).
4 - Client Information may only be given to third parties under the following circumstances:
- To broker/dealers to open brokerage accounts;
- To other firms as directed by Clients, such as accountants, lawyers, etc.;
- To specified family members (as authorized by law and/or the Client);
- To third parties as needed to provide requested services; and
- To regulators and others, when required by law.
6 - BIAS shall provide a Privacy Notice (See Attachment B) to Clients upon inception of the relationship and annually thereafter. The Privacy Notice shall be furnished to Clients in a written format and be lodged on the company’s websites (www.bias.bm and www.bias.ky), and BIAS will maintain a record of the dates when the Privacy Notice is provided to Clients.
9 - If an Employee receives a complaint regarding a potential identity theft issue (be it from a Client or other party), the Employee should immediately notify the CCO. The CCO will thoroughly investigate any valid complaint, and maintain a log of all complaints as well as the result of any investigations.
10 - In the event that unintended parties receive access to Client Information, BIAS will promptly notify those Clients of the privacy breach.
11 - Extraneous documents containing any Client Information or sensitive consumer information shall be burned, shredded or otherwise destroyed (this includes documents earmarked for recycling). In addition, any Client Information saved on a storage medium that is being sold or disposed of must be removed from the medium. In the event that BIAS maintains contracts with service providers for services involving the disposal or destruction of consumer report information, the contracts must explicitly require the “proper” disposal of documents containing Client Information.
Procedures to Safeguard Client Records and Non-Public Personal Information
BIAS shall strive to: (a) ensure the security and confidentiality of consumer, customer and former customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of consumer, customer and former customer records and information; and (c) protect against unauthorized access to or use of consumer or customer records or information that could result in substantial harm or inconvenience to any customer. Accordingly, the following procedures will be followed:
- Security and Protection of Customer Information
- Information Systems
- Access to Offices and Files
- Old Information
- Identity Theft
Only a limited number of authorized BIAS employees have access to customer information. All BIAS employees are trained to use extreme caution not to divulge, either verbally or in writing, any personal customer information to anyone unauthorized by the customer. All documents containing customer information must be stored in a secured site, whether physically or electronically, with access limited to employees or registered personnel only. Any documents containing customer information that are to be disposed of must be shredded. Under no circumstances are customer documents, such as duplicate statements, to be disposed of in any manner other than shredding.
If a client requests information by telephone, BIAS requires the client to provide account information verification before divulging any account information.
Access to personal computers and files containing customer information must be limited to employees or registered persons only.
BIAS limits access to client non-public personal information to those persons who need to know it or who are permitted by law to receive it. BIAS maintains physical, electronic and procedural safeguards to protect the confidentiality of all client information.
Employees shall maintain the confidentiality of information acquired in connection with their employment with BIAS, with particular care taken regarding Non-Public Personal Information. Employees shall not disclose Non-Public Personal Information, except to persons who have a bona-fide business need to know the information in order to serve the business purposes of BIAS and/or Clients. BIAS does not disclose, and no Employee may disclose, any Non-Public Personal Information about a Client or former Client other than in accordance with these procedures.
C. Information Systems
BIAS has established and maintains its information systems, including hardware, software and network components and design, in order to protect and preserve Non-Public Personal Information.
Passwords and Access.
Employees use passwords for computer access, as well as for access to specific programs and files. Non-Public Personal Information shall be maintained, to the extent possible, in computer files that are protected by means of a password system secured against unauthorized access.
Access to specific BIAS databases and files shall be given only to Employees who have a bona fide business need to access such information. Passwords shall be kept confidential and shall not be shared except as necessary to achieve such business purpose. User identifications and passwords shall not be stored on computers without access controls, written down, or stored in locations where unauthorized persons may discover them. Passwords shall be changed if there is reason to believe the password has been compromised and, in any event, changed periodically to maximize the security of Non-Public Personal Information. All access and permissions for terminated Employees shall be removed from the network system promptly upon notification of the termination.
To avoid unauthorized access, Employees shall close out programs and shut down their computers when they leave the office for an extended period of time and overnight. Terminals shall be shut down when not in use during the day and laptops shall be secured when leaving BIAS’s premises. Confidentiality shall be maintained when accessing the BIAS network remotely through the implementation of appropriate firewalls and encrypted transmissions.
BIAS will maintain appropriate programs and controls (which may include anti-virus protection and firewalls) to detect, prevent and respond to attacks, intrusions or other systems failures.
As a rule, Employees shall treat e-mail in the same manner as other written communications. However, Employees shall assume that e-mail sent from non-BIAS computers is not secure and shall avoid sending e-mails that include Non-Public Personal Information to the extent practicable. E-mails that contain Non-Public Personal Information (whether sent within or outside BIAS) shall have the smallest possible distribution in light of the nature of the request made.
Electronic media, on which Non-Public Personal Information is stored, shall be formatted and restored to initial settings prior to any sale, donation, or transfer of such equipment.
Employees shall avoid placing documents containing Non-Public Personal Information in office areas where they could be read by unauthorized persons, such as photocopying areas or conference rooms. Documents that are being printed, copied or faxed shall be attended to by appropriate Employees. Documents containing Non-Public Personal Information which are sent by mail, courier, messenger or fax shall be handled with appropriate care. Employees may only remove documents containing Non-Public Personal Information from the premises for bona fide work purposes. Any Non-Public Personal Information that is removed from the premises must be handled with appropriate care and returned to the premises as soon as practicable.
Employees shall avoid discussing Non-Public Personal Information with, or in the presence of, persons who have no need to know the information. Employees shall not discuss Non-Public Personal Information in public locations, such as elevators, hallways, public transportation or restaurants. As a specific condition of employment, all employees sign an acknowledgement to the effect that any breach of this policy is grounds for immediate dismissal.
F. Access to Offices and Files
Access to offices, files or other areas where Non-Public Personal Information may be discussed or maintained is limited, and Employees shall enter such locations for valid business purposes only. Meetings with Clients shall take place in conference rooms or other locations where Non-Public Personal Information will not be generally available or audible to others. Visitors shall generally not be allowed in the office unattended.
G. Old Information
Disposal Policy. Rule 30(a) of Regulation S-P requires advisers to have their safeguard policies and procedures in writing, including disposal policies. Non-Public Personal Information that is no longer required to be maintained shall be destroyed and disposed of in an appropriate manner.
BIAS owns an on-site commercial-grade shredder that destroys unwanted confidential documents on the premises into 5/8-inch pieces of paper, which are then baled and recycled.
H. Identity Theft
An identity thief can obtain a victim’s personal information through a variety of methods. Therefore, Employees shall take the following actions to prevent identity theft:
- When providing copies of information to others, Employees shall make sure that non-essential information is removed and that Non-Public Personal Information which is not relevant to the transaction is either removed or redacted.
- The practice of dumpster diving provides access for a would-be thief to a victim’s personal information. Therefore, when disposing of paper documents, paperwork containing Non-Public Personal Information shall be shredded, burned or otherwise destroyed.
- To avoid a fraudulent address change, requests must be verified before they are implemented and confirmation notices of such address changes shall be sent to both the new address and the old address of record.
- Employees may be deceived by pretext calling, whereby an “information broker” or “identity thief” posing as a Client provides portions of the Client’s Non-Public Personal Information (e.g., Social Security Number) in an attempt to convince an Employee to provide additional information over the phone, which can then be used for fraudulent purposes. Employees shall take every reasonable precaution to confirm the identity of the Client on the phone before divulging Non-Public Personal Information.
- BIAS prohibits the display of Client identification numbers (such as Social Security or Passport Numbers) on any documents that are generally available or widely disseminated (e.g., mailing lists, quarterly reports, etc.).
Employees could also be responsible for identity theft through more direct means. Insider access to information could permit a dishonest Employee to sell Clients’ Non-Public Personal Information or to use it for fraudulent purposes. Such action is cause for disciplinary action at BIAS’s discretion, up to and including termination of employment as well as referral to the appropriate civil and/or criminal legal authorities.