SEC Staff Risk Alert Highlights Common Deficiencies in Identity Theft Prevention Programs
December 6, 2022
The SEC’s examination staff is sharing common compliance issues observed in recent exams of investment advisers and broker-dealers under Regulation S-ID (the Identity Theft Red Flags Rule). The rule requires firms that offer or maintain “covered accounts” to have an identity theft prevention program that is designed to detect, prevent, and mitigate identity theft.
The Division of Examinations Risk Alert highlights the following issues involving (i) the identification of covered accounts, (ii) the establishment and administration of identity theft prevention programs, and (iii) policies and procedures:
Identification of Covered Accounts
- Failure to identify covered accounts and, as a result, failure to implement a program as required under Regulation S-ID.
- Failure to identify new and additional covered accounts. Although some firms initially identify covered accounts, issues include failure to periodically assess whether new or other categories of accounts are covered accounts, omitting online accounts and retirement accounts, not reassessing new accounts after a merger, and not maintaining documentation showing the firm’s analysis.
- Failure to conduct risk assessments based on the methods used to open, maintain, and close accounts; methods to access different types of accounts; or previous experiences with identity theft.
Establishment of the Program
- Generic programs or templates that are not tailored to the firm’s business or programs that merely restate the rule.
- Programs that do not cover all required elements of Regulation S-ID, or that rely on other policies and procedures without incorporating them directly or by reference into the firm’s identity theft prevention program.
Required Elements
- Identification of red flags. Some firms fail to identify red flags specific to their covered accounts, and instead list examples regardless of their relevance. Others do not add red flags to their programs following actual experiences with identity theft (e.g., account takeovers). In addition, certain firms include only generic language for identifying, detecting, responding to, and updating red flags without identifying any actual red flags or establishing actionable procedures to address compliance with the rule.
- Detect and respond to red flags. Some firms rely on existing policies and procedures (e.g., anti-money laundering procedures) that are not designed to detect and respond to identity theft red flags. Also, firms identify procedures for detecting and responding to specific red flags that do not exist in practice or are not relevant.
- Periodic Program Updates. Some firms do not update their red flags after significantly changing the ways clients open and access their accounts – such as by offering online portals – or after adding new business lines.
Administration
- Insufficient reporting to the board or senior management. Certain firms either fail to submit any reports or submit reports that do not contain enough information to evaluate the effectiveness of the program. Other issues are inadequate employee training and failure to evaluate service providers’ controls.
The Risk Alert, Observations From Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022), is available at https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf. Regulation S-ID is currently under review pursuant to the Regulatory Flexibility Act for its impact on small entities.