On December 5, 2022, the Division of Examinations (Division) published a Risk Alert that reported observations from recent examinations of SEC-registered investment advisers (RIAs) and broker-dealers related to their compliance with Regulation S-ID. The goal of the Risk Alert was to help RIAs and broker-dealers that offer or maintain covered accounts develop and implement an identity theft prevention program.

The Risk Alert defined a “covered account” as follows:

A “covered account” is (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

The Division’s examiners found that certain firms:

  • Failed to identify covered accounts;
  • Did not implement written identity theft programs;
  • Did not include mandatory elements of Regulation S-ID in their programs; and
  • Improperly administered their Regulation S-ID programs.

The Risk Alert provided the following observations related to Regulation S-ID.

Failure to identify covered accounts

Certain firms neglected to identify all of their covered accounts. Some firms correctly identified covered accounts initially but failed to conduct periodic assessments. In certain cases, examiners discovered that firms omitted online accounts, retirement accounts, and other special purpose accounts. There were instances where firms merged with other entities but never conducted a reevaluation to determine if any new accounts should be included in the program.

Establishment of a written identity theft program

Regulation S-ID requires firms to develop and implement a written program that is appropriate for the size and complexity of the firm, as well as the nature and scope of their activities. Examiners observed the following issues:

  • Firms’ identity theft programs were not tailored to their businesses; and
  • Firms’ programs did not cover all of Regulation S-ID’s required elements.

Generic programs with boilerplate language will not cut it with examiners. In some instances, firms used a template with fill-in-the-blanks that had not been completed.

Mandatory elements of a Regulation S-ID program

Programs must establish reasonable policies and procedures to identify, detect, and respond to identity theft red flags. In addition, programs must incorporate reasonable policies and procedures to ensure that they are updated periodically to reflect changes in identity theft risks faced by customers.

Firms’ programs lacked the required elements, such as procedures to identify red flags showing the possible existence of identity theft. Certain firms implemented inappropriate red flags. For example, some firms that only offered online accounts incorporated red flags related to the customer’s appearance. Some firms’ programs required them to obtain consumer reports for customers but this did not always occur. Certain firms did not include any specific identity theft red flags in their program and only used generic language for identifying, detecting, and responding to them. Examiners criticized those programs as being mere policy statements without any actionable procedures.

Administration of Regulation S-ID’s required elements

Firms must ensure that their programs will be administered on an ongoing basis by:

  • Obtaining approval of the initial written program from either their board of directors, an appropriate committee of the board of directors, or a designated senior management employee in cases where firms do not have a board;
  • Involving the board or senior management in the oversight and administration of the program;
  • Training employees; and
  • Exercising appropriate oversight of service provider arrangements.

Firms should not put their Regulation S-ID identity theft program on auto-pilot. They need to continue evaluating their program’s effectiveness and should provide ongoing training on Regulation S-ID. If they rely on a service provider, they must evaluate the service provider’s efforts to prevent identity theft.

The Risk Alert is available here.

Takeaways

When the SEC publishes a Risk Alert, RIAs should take immediate steps to review, and if needed, revamp their policies and procedures to address examiners’ concerns. RIAs should use the guidance in a Risk Alert to strengthen their policies and procedures.

Violating Regulation S-ID can result in more than just critical comments from examiners. On July 27, 2022, three firms were sanctioned for violating Regulation S-ID. Although these firms were not RIAs, compliance with the regulation is just as important for investment advisers.

The SEC found that these three firms violated Rule 201 of Regulation S-ID. In addition to stiff fines ranging from $425,000 to $1.2 million, each firm agreed to cease and desist from future violations and to be censured. The press release for the SEC’s enforcement actions is available here.


About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.
