Failures Cited in SEC Alert on Identity Theft

A recent Risk Alert (the “Alert”) issued by the SEC’s Division of Examinations (“EXAMS”) discusses how both investment advisers and broker-dealers are failing to meet the requirements under Reg S-ID regarding the prevention of identity theft. The Alert summarizes the various deficiencies found during examinations of broker-dealers and investment advisers. Although the Alert is quite general in its discussion, it provides insight into what the Staff is looking for in Reg S-ID Programs (the “Programs”) and their implementation.

A formal Reg S-ID Program is required for any broker-dealer or investment adviser firm that has “covered accounts,” which are defined as (1) accounts used primarily for personal, family, or household purposes and are designed for multiple payments and transactions, and (2) any account where there is a foreseeable risk from identity theft, including financial, operational, compliance, reputation, or litigation risks. Therefore, it is mostly retail firms that must comply with Reg S-ID.

EXAMS has found deficiencies in these Programs to include the following areas:

  • Identification of Covered Accounts – Some firms omitted accounts as covered accounts due to recent mergers or acquisitions that caused accounts to not be included; others failed to conduct regular assessments of covered accounts to ensure accounts were being properly identified, and certain firms had risk assessments that were non-existent or failed to consider changes to how accounts were opened or maintained (especially when switching from branch accounts to online accounts).
  • Creation of the Reg S-ID Program – Many firms used boiler plate templates for policy creation that did not fit the firm’s business model or missed specific requirements of the regulation due to the use of separate policies not incorporated in the Program.
  • Implementation of the Reg S-ID Program – The Staff found firms failed to detect and respond to Red Flags or used outdated or irrelevant policies that did not capture new customer risks, such as changes to the account opening or maintenance process.
  • Program Administration – Reg S-ID Programs require approval from the Board, a Board Committee or senior management. Many of the exams found Programs that did not provide adequate documentation and support to the Board or senior management in order to evaluate the Program. In addition, employee training was found to be lacking in the details needed to properly identify risks, and the service providers relied upon for oversight of covered accounts were not properly monitored.

Clearly, the examination staff is reviewing Reg S-ID Programs at registered firms with covered accounts.  Broker-dealers and investment advisers with covered accounts should keep this in mind when developing compliance testing for the coming year.

View Risk Alert, “Observations from Broker-Dealer and Investment Adviser Compliance Examinations related to Prevention of Identity Theft under Regulation S-ID,” December 5, 2022