The SEC Division of Examinations recently published a risk alert summarizing observations from exams of registered investment advisers and broker-dealers related to compliance with Reg. S-ID, which is generally designed to protect retail customers from identity theft and financial loss. Reg. S-ID requires certain registered investment advisers and broker-dealers (as well as certain investments) to establish and implement a written program designed to detect, prevent, and mitigate identity theft for covered accounts offered and maintained primarily for personal, family, or household purposes that involve, or are designed to permit, multiple payments or transactions. Covered accounts also include any other accounts that pose a reasonably foreseeable risk of identity theft to customers.
The risk alert follows several recent enforcement actions in which financial institutions were charged with violating Rule 201 of Reg. S-ID. The deficiencies identified by the SEC in those enforcement actions are echoed in this alert, including failure to exercise appropriate and effective oversight of service provider arrangements; failure to adequately involve boards of directors in the oversight, development, implementation, and administration of identity theft prevention programs; and failure to train employees to effectively implement identity theft prevention programs.
Through the risk alert, SEC staff aims to help firms that offer or maintain covered accounts to implement their identity theft prevention programs. One key takeaway is that the staff believes each firm must treat its written program as a living document and appropriately tailor it to the firm’s business. Firms must also periodically revisit the program to address evolving risks to their customers and the safety and soundness of the firm from identity theft.
Identification of Covered Accounts
Firms are required to ascertain whether they offer or maintain covered accounts and to reevaluate this determination on a periodic basis. The staff noted that firms failed to identify covered accounts, in part because firms did not perform initial and/or periodic assessments to determine whether they had covered accounts, or did not identify all categories of covered accounts (e.g., online accounts and retirement accounts). Notably, while not required under Reg. S-ID, the staff found that firms did not keep records of their assessment of covered accounts. The staff also observed that, even where firms identified covered accounts, their identification processes did not necessarily include a risk assessment (e.g., taking into consideration the methods provided to open, maintain, and close accounts; the methods used to access different types of covered accounts; or previous experiences with identity theft).
Establishment of an Identity Theft Prevention Program
Reg. S-ID requires that firms tailor their identity theft prevention programs to be “appropriate to the size and complexity of the firm and the nature and scope of its activities.” The staff observed programs that were not tailored to firm business models and did not contain all the elements mandated under Rule 201. In certain instances, firms were observed using incomplete templates and adopting programs that simply repeated the requirements of Rule 201 without adopting processes to comply with it.
Required Elements of an Identity Theft Prevention Program
Reg. S-ID also stipulates that written identity theft prevention programs must include reasonable policies and procedures that not only identify, detect, and respond to red flags relevant to identity theft, but also provide for periodic updates that reflect changes in risks to customers and to the safety and soundness of the firm from identity theft. The staff observed circumstances where firms did not have these policies and procedures. And, as obvious as it may seem, the staff imparts through its observations that (i) these policies and procedures and red flags must be relevant and adapted to a firm’s business and the type of accounts offered; (ii) simply listing the examples of red flags included in Appendix A of Reg. S-ID is not sufficient; and (iii) policies and procedures should include red flags and not merely a list of “policy statements without any actionable procedures.” Firms are also reminded to learn from, and adopt procedures in response to, their experiences with identity theft.
Administration of an Identity Theft Prevention Program
Firms have ongoing obligations under Reg. S-ID, including administering the identity theft prevention program, which involves obtaining approval of the initial written program, engaging the board or senior management in oversight, training staff, and overseeing arrangements with service providers. Through staff observations, firms are reminded to provide the board or designated senior management with adequate information to assess the efficacy of the firm’s program, to establish processes to determine the population of employees to train, and to assess the controls implemented by their service providers to monitor for identity theft.
Firms are encouraged by the SEC to review their identity theft prevention programs in light of these observations and consider whether enhancements to their programs are needed. Firms can expect to see questions related to these deficiencies in future exams, and may gain additional insight related to Reg. S-ID compliance when the SEC’s Division of Examinations publishes its list of priorities for 2023. We will keep an eye out for this in the coming months.
Nicholas J. Losurdo, Partner
Lauren A. Schwartz, Associate