Regulation S-ID, commonly known as the Identity Theft Red Flags Rule, is designed to help protect investors from the risks of identity theft. Red flags are defined as a pattern, practice, or specific activity indicating the possible existence of identity theft.
Registered Investment Advisers (RIAs) and broker-dealers are required to design and operate identity theft prevention programs that are appropriately tailored to their businesses. Firms are also expected to update their programs in response to the increased threat and changing nature of identity theft.
Regulation S-ID requires an identity theft prevention program to include policies and procedures that provide for appropriate responses to detected red flags. Those policies and procedures must be commensurate with the degree of risk posed. To formulate an appropriate response, a firm should consider aggravating factors that may increase the risk of identity theft. For example, one factor might be a data security incident that results in unauthorized access to a customer’s account records. Another factor could be a notification that a customer has given account information to someone under false pretenses.
SEC takes action against three firms for violating Regulation S-ID
On July 27, 2022, three firms paid a steep price for violating the Identity Theft Red Flags Rule. The actions taken against these firms offer valuable lessons for RIAs, since they are subject to the same rule.
The SEC alleged that from at least January 2017 to October 2019, the firms’ identity theft prevention programs did not incorporate reasonable policies and procedures to identify pertinent red flags related to their customers’ accounts. The SEC also concluded that the firms’ programs did not include reasonable policies and procedures for responding appropriately when identity theft was detected. Furthermore, the firms did not ensure that their programs were updated periodically to address identity theft risks faced by customers.
Among the specific allegations made by the SEC, one firm failed to exercise appropriate and effective oversight over all its service provider arrangements. The firm also failed to train members of its staff on how to implement one of its identity theft prevention programs. The firm is a broker-dealer and an investment adviser registered with the SEC.
According to the SEC, the second firm failed to conduct periodic reviews of new or existing types of customer accounts to determine whether and how its identity theft prevention program should apply to them. The firm also failed to involve its board of directors in the oversight, development, implementation, and administration of the program. In addition, the firm failed to train its employees so that they could effectively implement the program. The firm is a dual-registered broker-dealer and investment adviser.
The third firm failed to involve its board of directors in the oversight, development, implementation, and administration of its identity theft prevention program. It also failed to exercise appropriate and effective oversight of service provider arrangements. The firm is an SEC-registered broker-dealer.
The SEC found that each of these three firms violated Rule 201 of Regulation S-ID. In addition to stiff fines ranging from $425,000 to $1.2 million, each firm agreed to cease and desist from future violations of the Identity Theft Red Flags Rule and to be censured. The press release for the SEC’s enforcement actions is located at https://www.sec.gov/news/press-release/2022-131.
Although many RIAs do not have boards of directors, they might still find themselves in the SEC’s crosshairs if they fail to comply with the Identity Theft Red Flags Rule. It is not enough for RIAs to implement identity theft prevention programs. They must also review new or existing client relationships periodically to ensure that their identity theft prevention program will be effective in dealing with these different types of accounts. In addition, RIAs must conduct training sessions so that their employees fully understand the firm’s identity theft prevention program and are able to help implement it effectively.
It is imperative that firms design, implement, and enforce policies and procedures that are intended to ensure compliance with Regulation S-ID. RIAs’ policies and procedures should also ensure compliance with Rule 30(a) of Regulation S-P, better known as the Safeguards Rule. The Safeguards Rule requires firms to adopt written policies and procedures to address the administrative, technical, and physical safeguards that are necessary to protect customers’ records and information.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers comply with the myriad state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real-world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.