Compliance and Regulatory Alerts | 12-16-22
SEC Exams Division Warns Firms Against Lax Compliance on Rules to Prevent Identity Theft
The SEC Division of Examinations (“Division”) issued a risk alert for registered broker-dealers and investment advisers that offer or maintain “covered accounts,” in order to better protect retail customers from identity theft. The alert was issued because recent firm examinations revealed practices “inconsistent” with Regulation S-ID (the “Identity Theft Red Flag Rules”), which could subject retail investors to identity theft and financial loss. Several weeks earlier, the SEC Office of Investor Education and Advocacy (“Office”) issued a risk alert to inform investors how to handle investment accounts if they become victims of identity theft or a data breach. Here’s an overview.
Deficiencies in Regulation S-ID Compliance
Under the SEC rule, if a firm holds a covered account (i.e., an account that a financial institution maintains primarily for personal, family, or household purposes), it must have a compliance program that can “detect, prevent, and mitigate identity theft.” The rule also provides guidelines to assist entities in forming the programs necessary to satisfy this obligation.
These guidelines require firms to first assess whether the rule applies by determining whether the firm offers or maintains covered accounts. If it does, the firm must have a written program tailored to its size and the scope of its activities. The firm must have policies and procedures, updated periodically, that are reasonably capable of identifying, detecting, and responding to known red flags concerning identity theft. Finally, firms must administer and oversee the program elements to ensure the protection of investors’ personal information. Such administration must include Board participation, Board and senior management supervision, adequate training, and oversight of related third-party service providers.
In its examinations, the Division observed numerous deficiencies in implementing each of these requirements. The Division cited examples where firms failed to identify covered accounts (including online accounts), failed to adequately assess risks related to covered accounts or failed to document those assessments, and failed to periodically update these accounts, all of which affected the firm’s ability to develop red-flag controls.
In addition, the Division found compliance programs that were not appropriately tailored to the firm’s business or were missing essential program elements. These program deficiencies included failures to identify red flags, failures to detect and respond to red flags, and failures to update identified red flags (in one case, after the firm changed its methods for opening and accessing accounts). Another specific case involved a firm that had undergone a business reorganization but had failed to incorporate the resulting new covered accounts into its existing compliance program. On matters of governance and program administration, the Division cited multiple types of reporting failures to the Board and senior management, inadequate training, and failures to monitor and control third-party service providers with respect to identity theft.
Investor Instructions after Identity Theft or Data Breach
The Investor Office alert was an update to a July 2021 publication on ways to safeguard personal financial information. Information at risk included social security numbers, account numbers, phone numbers, and account passwords. The alert focused on what to do after such private data was compromised.
The Office recommended several immediate steps for investors to take, including contacting the financial institution, changing online account passwords, closing compromised accounts, activating multi-factor authentication (if available), and monitoring investment accounts for suspicious activity. The Office also recommended placing a credit freeze or fraud alert with the national credit bureaus and considering creating an identity theft report, which could help with debt collectors and business accounts. The Office described the process for submitting a theft report, which involves filling out an FTC online complaint form, drafting an FTC identity theft affidavit, and then contacting local authorities with the affidavit.
At year’s end, the SEC Divisions are accumulating data from their exams and reports and sharing their findings and assorted guidance. These alerts highlight areas that broker-dealers and investment advisers should note, given the likelihood these topics will be targeted in an examination. Combatting identity theft remains a high priority. Bates will keep you apprised.
How Bates Helps:
Bates supports firms navigating compliance with SEC rules. Our compliance team includes senior compliance staff and former regulators with expertise in the development of policies, procedures, supervisory and compliance processes, and best practices to enhance compliance and supervisory systems.