Community banks often hold physical securities certificates for customers as a matter of ordinary business practice for a number of reasons. For example, banks may accept physical certificates as collateral for loans. Regardless of the reason, banks that hold physical securities certificates are required by Rule 17f-1 to register with the U.S. Securities and Exchange Commission’s (the “Commission”) Lost & Stolen Securities Program (the “Program”). Community banks need to be aware that failure to register may constitute a violation of federal law and, if discovered by a bank examiner or auditor, could lead to a negative compliance criticism. Violations of Rule 17f-1 can also result in enforcement action by the Commission that could include monetary fines, cease and desist orders and other terms. The purpose of this article is to provide a high-level summary of the Program’s mechanics and registration requirements.

The Program and the Securities Information Center

The Commission established the Program in 1977 to reduce trafficking in lost, stolen, missing, and counterfeit securities. The Program is, in essence, a database of securities reported to the Commission as required under Rule 17f-1.[1] The database can be accessed by banks, brokers, transfer agents and other reporting institutions who may run inquiries to determine if the securities that have come into their possession – whether by pledge, transfer or otherwise – have been listed as lost, stolen or counterfeit.

The Commission itself does not run the Program. Instead, the Commission has designated the Securities Information Center (the “SIC”) to manage and maintain the database that underpins the Program.[2] The SIC is a division of Refinitiv, the former financial and risk business of Thomson Reuters. As such, the Program represents a novel private-public partnership for administering a government-mandated securities compliance program.

Registration with the SIC

If an entity is a “reporting institution” as defined by Rule 17f-1, it is required to register with the SIC. The term “reporting institution” includes national securities exchanges (and their members), registered securities associations, brokers, dealers, municipal securities dealers, government securities brokers, government securities dealers, registered transfer agents and registered clearing agencies (and their participants).[3] Most importantly for community banks, the term also includes every “member of the Federal Reserve System and bank whose deposits are insured by the Federal Deposit Insurance Corporation.”[4] Accordingly, all banks – whether a state member bank, a non-member bank or a national bank – are deemed to be “reporting institutions” and required to register unless exempt from registration.

Registration Exemptions

Even though registration with the SIC is mandatory for banks, Rule 17f-1 does provide a few exemptions. Community banks may qualify for the exemptions applicable to:

  • a reporting institution that, within the last six months, has limited its securities activities exclusively to uncertificated securities, global securities issues or any securities issue for which neither record nor beneficial owners can obtain a negotiable securities certificate; or
  • a reporting institution whose business activities, within the last six months, did not involve the handling of securities certificates.[5]

In order to be exempt from registration, a bank must be able to document that it has refrained from activities involving physical securities certificates for a period of six months prior to asserting an exemption’s applicability. The SIC considers newly chartered banks that do not handle physical securities certificates to be automatically exempt.[6] As such, de novo banks do not need to register with the SIC unless they intend to handle physical securities for customers.

For registered banks, once the exemption requirements are satisfied, the bank must send a notice letter to the SIC on bank letterhead with original signatures stating that (i) it does not handle physical securities certificates and (ii) it is formally requesting an exemption.[7] Ideally, the notice should be sent to the SIC at least 60 days prior to the next billing cycle to avoid semi-annual registration and usage fees (see below).

Required Inquiries and Access to the SIC

Unless a reporting institution is exempt (as described above), Rule 17f-1 mandates certain required inquiries with respect to every physical securities certificate that comes into a bank’s possession or keeping, whether by pledge, transfer or otherwise.[8] The purpose of such required inquiries is to determine whether the securities certificate has been reported as missing, lost, counterfeit or stolen. For example, if a bank accepts physical securities certificates as collateral for a loan or for deposit into its vault for safekeeping, the bank is required to make an inquiry on the SIC database by the end of the fifth business day after the certificate comes into its possession.[9] A further inquiry must also be made before the certificate is sold or sent to another reporting institution.[10] Note that a bank need not file a suspicious activity report for lost, missing, counterfeit, or stolen securities if it files a report with the SIC pursuant to the reporting requirements of Rule 17f-1.[11]

In addition to the registration exemptions available to reporting institutions, there are certain exemptions that may eliminate the need for Rule 17f-1’s required inquiries with respect to a given transaction. For example, if a bank receives a physical securities certificate directly from an issuer at the time of issuance or in connection with a transaction with an aggregate value of $10,000 or less, the bank need not run an inquiry against the SIC database to determine whether the securities are lost, stolen, counterfeit or missing.[12]

There are two levels of access to the SIC’s database: (i) direct access and (ii) indirect access. Both levels of access require registration with the SIC, but a direct access reporting institution makes its required inquiries differently from an indirect access reporting institution. Direct access reporting institutions report missing, lost, stolen, and counterfeit securities directly to the SIC and make the required inquiries directly against the SIC’s database on their own. By contrast, indirect access reporting institutions may make reports directly to the SIC but must have an agreement with a registered third-party direct access inquirer who will make the required inquiries on their behalf.[13] Indirect access reporting institutions should be aware that the third party making inquiries on their behalf (e.g., transfer agents or similar vendors) might assess costs and service charges on a different basis than that used by the SIC.

Registration and Fees

Registration materials and other helpful information are available on the SIC website. Before registering with the SIC, a bank must have received a financial industry numbering standard (“FINS”) number from the Depository Trust and Clearing Corporation (“DTCC”). If a bank is uncertain as to whether it already has a FINS number, that information can be requested from DTCC via email at [email protected]. Non-exempt banks that have never registered or have a lapsed indirect access relationship with a third party will want to reach out to DTCC first to obtain or confirm their FINS number and then contact the SIC customer service center help line at (877) 300-2578 to discuss next steps.

Reporting institutions pay a semi-annual $25 registration fee and semi-annual usage fees to support the cost of the Program. The usage fees are determined by the SIC based on the size and type of the reporting institution. For larger banks and brokerage institutions with high activity rates, usage fees may be many thousands of dollars annually. However, even small community banks can find that their usage fees may amount to several thousand dollars per year. As such, it is important for community banks to determine whether they must register or, alternatively, are eligible for an exemption.