SEC Risk Alert for Identity Theft Under Regulation S-ID
Brief Introduction
The SEC published a risk alert on December 5th related to Regulation S-ID, following recent Compliance Examinations of Investment Advisers and Broker-Dealers.
Regulation S-ID requires the development and implementation of an identity theft prevention program when covered accounts are offered or maintained.

4 Staff Observations During Examinations
- Proper Identification of Covered Accounts
  - Firms failed to conduct any assessments for “covered accounts”.
  - Other firms initially identified covered accounts but failed to conduct ongoing assessments.
    - New account categories were created that would be considered covered accounts, but were not identified.
    - Accounts were added when firms merged, but no assessment of the new accounts occurred.
  - Firms failed to conduct risk assessments of their methods to open, maintain, and close covered accounts in relation to identity theft.
- Proper Establishment of a Program
  - Generic Programs not tailored to the business model
    - Some firms had programs made from incomplete templates, while others created programs that acknowledged the requirements under S-ID without any indication of how they would comply.
  - Programs failed to fully comply with S-ID
    - Programs must include a process for detecting, preventing, and mitigating identity theft.
    - Firms implied that policies and procedures outside the program would meet the requirements, but upon examination they did not.
- Proper Elements Within the Program
  - Inadequate Identification of Red Flags
    - Programs must have written policies that describe red flags for identity theft that are relevant to the services provided.
    - Some firms used examples from Appendix A of Regulation S-ID without any examples relevant to the firm’s accounts.
    - Firms with only online accounts listed red flags related to the physical appearance of a customer.
    - Firms had no process for assessing whether their identified red flags needed to be adjusted based on security data.
  - Poor Detection of and Response to Red Flags
    - Policies and procedures must provide for the detection of and appropriate response to red flags, but many programs lacked both.
    - Firms used pre-existing procedures, such as anti-money laundering procedures, that were not designed to flag identity theft.
    - Programs had red flags identified without any process indicating how to handle the red flag.
  - No Relevant Program Updating
    - Firms failed to provide necessary updates to their programs.
    - Some firms did not adjust their program after significant changes were made to their account opening processes.
    - Firms merged with or acquired other firms and did not account for the new business lines in their program.
- Proper Administration of the Program
  - Inadequate Reporting to Senior Management
    - Firms did not provide periodic reports to senior management, or provided reports with inadequate information to evaluate the effectiveness of the program.
  - Inadequate Training of Staff
    - Firms had insufficient identity theft training, and failed to identify which employees required identity theft training.
    - In some situations, the training was a single sentence telling employees to be aware of identity theft.
  - Inadequate Evaluation of Service Providers
    - Service providers servicing covered accounts were not evaluated for proper identity theft programs.
Vigilant’s Final Conclusion
Registered Broker-Dealers and Investment Advisers are encouraged to review their policies and procedures related to their Programs required under Regulation S-ID.
Firms should consider a full evaluation of their Programs to examine if they are currently compliant and have the proper procedures for staying compliant.
Vigilant can provide a full evaluation of your Program through a Mock Exam, or provide ongoing and tailored Compliance Solutions to maintain your Compliance Program.