Oct. 30, 2023
Dear Securities and Exchange Commission, I am writing to voice my concerns regarding the proposed rule on Safeguarding Advisory Client Assets. While I understand the SEC's intent to enhance investor protections and address gaps in the custody rule, I believe the current proposal lacks consideration for privacy and security concerns, particularly when it comes to handling digital assets. One prominent issue that the proposed regulations fail to adequately address is the risk of identity theft. As the rule aims to expand the coverage of investments held in a client's account, it also inadvertently forces many participants in decentralized finance (DeFi) to collect user information as part of their compliance requirements. This creates an alarming situation where sensitive taxpayer information could be stored without the necessary safeguards, making it easier for malicious actors to exploit vulnerabilities and commit identity theft. By imposing reporting obligations that encompass personal and financial data, the proposed rule inadvertently becomes a potential breeding ground for cyber attacks and increases the likelihood of security breaches. Rather than enhancing investor protection, this framework encourages the creation of substantial databases for identity thieves to target, posing a severe risk to individuals who place their trust in advisory firms to safeguard their assets. Moreover, the requirement to collect and store user information under the guise of tax reporting also creates the unintended consequence of forming attractive "honey pots" for identity theft. Despite the SEC's commitment to improved investor protection, the proposed rule may inadvertently promote the creation of vulnerable repositories of personal data, facilitating a favorable environment for digital criminals. To address these concerns, the SEC should prioritize developing robust guidelines and standards for the proper handling and storage of client information. By developing comprehensive privacy and security protocols, advisory firms can mitigate the risks associated with identity theft, ensuring that investor assets remain secure from potential vulnerabilities. In addition to identity theft concerns, it is crucial to recognize the unique challenges presented by digital assets. The proposed rule lacks appropriate guidance and clarification on safeguarding crypto assets, which have become an increasingly prevalent investment category. The absence of a comprehensive framework specific to digital assets increases the vulnerability of these assets to theft and loss. To bridge this regulatory gap, the SEC should work towards establishing a clear and robust framework specifically tailored to digital assets. Such a framework should address issues such as exclusive control, multi-signature arrangements, and external audits to provide the necessary protection for clients holding these assets. Only by acknowledging the uniqueness of digital assets and their associated risks can the SEC provide strong safeguard measures that align with regulation and market realities. Furthermore, it is imperative that the SEC gives careful consideration to the cybersecurity practices of qualified custodians and imposes stricter requirements on custodial arrangements. By fostering a culture of due diligence and accountability among qualified custodians, investors will have greater peace of mind knowing that their digital assets and personal data are effectively protected. In conclusion, I urge the SEC to reconsider certain aspects of the proposed rule on Safeguarding Advisory Client Assets and provide clearer guidance that addresses the privacy and security concerns associated with digital assets. The suggested changes must prioritize protecting client assets and maintaining robust privacy and security standards to reduce the risk of identity theft and cyber attacks. By doing so, the SEC can reinforce investor confidence and ensure that the advisory industry operates in a manner consistent with both the protection of client assets and the privacy and security needs of investors. Thank you for considering my comments, and I trust that you will give them due consideration as you continue to refine the proposed rule. Sincerely, Marius Johnsen