The Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (“SEC”) has published a risk alert (“Risk Alert”) identifying a number of practices by registered investment advisers and broker-dealers (together, “firms”) that EXAMS staff characterized as inconsistent with the objectives of Regulation S-ID[1] and that may leave retail customers vulnerable to identity theft and financial loss.[2] The Risk Alert outlines risks and practices falling into the following broad categories: (1) identification of covered accounts, (2) establishment of a written identity theft prevention program as required under Regulation S-ID (“Program”), (3) required elements of the Program, and (4) administration of the Program.

Regulation S-ID

Regulation S-ID applies to SEC-regulated entities including, among others, registered broker-dealers and registered investment advisers that maintain “covered accounts.”[3] Under Regulation S-ID, firms are required to periodically determine whether they offer or maintain covered accounts. If a firm offers or maintains covered accounts, Regulation S-ID requires the firm to develop and implement a Program to detect, prevent, and mitigate identity theft.[4]

Regulation S-ID requires each Program to include reasonable policies and procedures to identify relevant red flags[5] for the firm’s covered accounts, detect and respond appropriately to perceived red flags, and update the Program periodically to reflect any changes in risks to customers and to the safety and soundness of the firm from identity theft.[6] Regulation S-ID also requires firms to provide for the continued administration of the Program through various approvals, staff training, and oversight of service providers.[7]

Identification of Covered Accounts

EXAMS staff observed firms that failed to conduct: (i) an assessment of whether any of their accounts were covered accounts, and as a result, failed to implement a Program as required under Regulation S-ID; (ii) periodic assessments to identify new and additional covered accounts; and (iii) risk assessments in connection with the identification of covered accounts.

Establishment of the Program

EXAMS staff observed the following issues with respect to the establishment of written Programs: (i) firms that established a generic Program that was not tailored or appropriate for their business model (including firms that relied on a template with incomplete fill-in-the-blanks and firms that simply restated the requirements of Regulation S-ID without including processes for complying with those requirements) and (ii) Programs that did not cover all required elements of Regulation S-ID (including that policies and procedures maintained outside of the written Program constituted the firm’s process for detecting, preventing, and mitigating identity theft).

Required Elements of the Program

EXAMS staff also observed Programs that lacked elements required by Regulation S-ID, including:

  • Reasonable policies and procedures to identify, detect, and respond appropriately to any red flags. Specifically, EXAMS staff observed firms:
    • that failed to identify red flags specific to their covered accounts, such as firms with online accounts that listed red flags related to the physical appearance of a customer, and firms that included red flags related to consumer reports even though those firms did not obtain consumer reports;
    • that did not have a process or did not follow existing procedures to evaluate actual experiences with identity theft in order to determine if additional red flags should be added to their Program; and
    • that did not identify any red flags in their Program.

EXAMS staff also observed firms that inappropriately relied on existing policies and procedures (e.g., anti-money laundering procedures) to satisfy certain elements of a Program required by Regulation S-ID, and firms that claimed to have procedures for detecting and responding to specific red flags, when no such procedures existed.

  • Reasonable policies and procedures to ensure that the Program is updated periodically to reflect changes in risks to customers and the firm from identity theft. Specifically, EXAMS staff observed firms that did not update their identified red flags after making significant changes to the ways in which their customers open and access accounts, and firms that had gone through business changes or reorganizations but failed to incorporate the new business lines into their existing Program or failed to approve a new Program for the new business lines.

Administration of the Program

EXAMS staff observed Programs that did not provide for continued administration of their Programs as required by Regulation S-ID. For example, EXAMS staff observed firms that did not provide sufficient information to allow for evaluation of the Program’s effectiveness, firms that did not have robust processes around employee training, and firms that relied on service providers but did not evaluate the service provider’s controls to monitor for identity theft.

EXAMS staff suggested that firms review their practices, policies and procedures with respect to their Programs, and consider whether any improvements are necessary.

Conclusion

The SEC has recently brought a number of significant enforcement actions against firms for violations of Regulation S-ID.[8] We encourage our clients to review their Programs for compliance with Regulation S-ID, with particular focus on the practices identified in the Risk Alert.