
Client Confidentiality and Privacy

The “Focus on Ethics” article series takes a close look at topics important to understanding CFP Board's new Code of Ethics and Standards of Conduct.

October 18, 2018

CFP Board’s new Code of Ethics and Standards of Conduct (“Code and Standards”), which takes effect on October 1, 2019, includes a duty of Confidentiality and Privacy that identifies the specific circumstances when it would not be a violation of the Code and Standards to disclose a Client’s non-public personal information, limits a CFP® professional’s use of the information, requires a CFP® professional to take reasonable steps (directly or through the CFP® Professional’s Firm) to protect the security of the information, and requires a CFP® professional to adopt, implement, and provide notice to Clients of policies regarding the protection, handling, and sharing of the information.

The duty of Confidentiality and Privacy in the new Code and Standards requires that “A CFP® professional must keep confidential and may not disclose any non-public personal information about any prospective, current, or former Client,” subject to specific exceptions.

A CFP® professional may disclose information for ordinary business purposes:

  1. With the Client’s consent, so long as the Client has not withdrawn the consent;
  2. To a CFP® professional’s employer, partners, employees, or other persons with whom the CFP® professional is providing services to or for the Client, when necessary to perform those services;
  3. As necessary to provide information to the CFP® professional’s attorneys, accountants, and auditors; and
  4. To a person acting in a representative capacity on behalf of the Client. 

A CFP® professional may disclose information for legal and enforcement purposes:

  1. To law enforcement authorities concerning suspected unlawful activities, to the extent permitted by the law;
  2. As required to comply with federal, state, or local law;
  3. As required to comply with a properly authorized civil, criminal, or regulatory investigation or examination, or subpoena or summons, by a governmental authority;
  4. As necessary to defend against allegations of wrongdoing made by a governmental authority;
  5. As necessary to present a civil claim against, or defend against a civil claim raised by, a Client;
  6. As required to comply with a request from CFP Board concerning an investigation or adjudication; and
  7. As necessary to provide information to professional organizations that are assessing the CFP® professional’s compliance with professional standards.

The new Code and Standards prohibits a CFP® professional from using any non-public personal information about a Client for his or her direct or indirect personal benefit, whether or not it causes detriment to the Client, unless the Client consents.

The Confidentiality and Privacy standard also requires a CFP® professional to take reasonable steps to protect the security of non-public personal information about any Client, including the security of information stored physically or electronically, from unauthorized access that could result in harm or inconvenience to the Client. The standard requires adoption and implementation of policies regarding the protection, handling, and sharing of a Client’s non-public personal information and written notice to Clients of those policies. These steps and policies for protecting a Client’s non-public personal information may be implemented either directly by the CFP® professional or through the CFP® Professional’s Firm.

CFP Board intends for the Confidentiality and Privacy standard to be consistent with regulatory requirements that apply to a CFP® Professional’s Firm. The standard does not require the CFP® professional to disclose the information; rather, the standard identifies the information that a CFP® professional may disclose without violating CFP Board’s Code and Standards. CFP Board has adopted a safe harbor that states a CFP® professional shall be deemed to comply with this Section if the CFP® Professional’s Firm is subject to, and the CFP® Professional complies with, Regulation S-P under the federal securities laws or substantially equivalent federal or state laws or rules.

Access More Guidance Materials

This compliance resource is part of a full library of resources that CFP® professionals can use to comply with the Code and Standards. More guidance materials can be found in our Compliance Resources Library.
