
SEC Staff Risk Alert Highlights Common Deficiencies in Identity Theft Prevention Programs

December 6, 2022

The SEC’s examination staff is sharing common compliance issues observed in recent exams of investment advisers and broker-dealers under Regulation S-ID (the Identity Theft Red Flags Rule). The rule requires firms that offer or maintain “covered accounts” to have an identity theft prevention program that is designed to detect, prevent, and mitigate identity theft.

The Division of Examinations Risk Alert highlights the following issues involving (i) the identification of covered accounts, (ii) the establishment and administration of identity theft prevention programs, and (iii) policies and procedures:

Identification of Covered Accounts

  • Failure to identify covered accounts and, as a result, failure to implement any program as required under Regulation S-ID.
  • Failure to identify new and additional covered accounts. Although some firms initially identify covered accounts, they then fail to periodically assess whether new or other categories of accounts are covered accounts, omit online accounts and retirement accounts, do not reassess accounts acquired in a merger, and do not maintain documentation of the firm’s analysis.
  • Failure to conduct risk assessments based on the methods used to open, maintain, and close accounts; methods to access different types of accounts; or previous experiences with identity theft.

Establishment of the Program

  • Generic programs or templates that are not tailored to the firm’s business or programs that merely restate the rule.
  • Programs that do not cover all required elements of Regulation S-ID, or that rely on other policies and procedures without incorporating them, directly or by reference, into the firm’s identity theft prevention program.

Required Elements

  • Identification of red flags. Some firms fail to identify red flags specific to their covered accounts and instead list examples regardless of their relevance. Others do not add red flags to their programs following actual experiences with identity theft (e.g., account takeovers). In addition, certain firms include only generic language for identifying, detecting, responding to, and updating red flags without identifying any actual red flags or establishing actionable procedures to address compliance with the rule.
  • Detection of and response to red flags. Some firms rely on existing policies and procedures (e.g., anti-money laundering procedures) that are not designed to detect and respond to identity theft red flags. Other firms document procedures for detecting and responding to specific red flags that do not exist in practice or are not relevant to the firm.
  • Periodic program updates. Some firms do not update their red flags after significantly changing the ways clients open and access their accounts, such as by offering online portals, or after adding new business lines.

Administration of the Program

  • Failure to provide sufficient information to the board or senior management. Certain firms either submit no reports or submit reports that do not contain sufficient information to evaluate the effectiveness of the program.
  • Inadequate employee training and failure to evaluate service providers’ controls.

The Risk Alert, Observations From Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022), is available from the SEC’s Division of Examinations. Separately, Regulation S-ID is currently under review pursuant to the Regulatory Flexibility Act for its impact on small entities.
