On 5 December 2022, the staff of the Division of Examinations (Staff) of the Securities and Exchange Commission (SEC) issued a risk alert identifying practices that are inconsistent with Regulation S-ID, thereby exposing retail customers to potential identity theft.
Regulation S-ID, which applies to SEC-regulated entities that are financial institutions or creditors under the Fair Credit Reporting Act (including most registered broker-dealers, registered investment companies and registered investment advisers), requires the establishment of programs designed to detect, prevent, and mitigate identity theft in connection with covered accounts (each, a Program). Programs must include reasonable policies and procedures to identify, detect, and respond to red flags relevant to identity theft.
The following are some of the most common deficiencies identified by the Staff:
- Failure to Identify Covered Accounts. Firms did not conduct initial or periodic assessments to identify covered accounts. Some firms did not conduct risk assessments, which impacted their ability to develop controls relevant to their red flags.
- Failure to Establish Tailored Programs and to Periodically Update. Firms relied on templates or generic Programs that (i) were not tailored to the firms’ particular business, (ii) did not cover all of the required elements of Regulation S-ID, and/or (iii) lacked actionable procedures. Firms also failed to modify Programs to incorporate significant account changes or new business lines.
- Failure to Identify, Detect and Respond to Red Flags. Firms did not identify red flags specific to covered accounts or, in some cases, did not identify any red flags. Some firms relied on pre-existing policies and procedures (e.g., anti-money laundering procedures) to satisfy this requirement, even though they were not designed to detect and respond to identity theft red flags. Firms also failed to evaluate actual experiences with identity theft and add red flags when appropriate.
- Lack of Program Administration. Firms did not (i) provide sufficient information to directors or senior management to enable them to evaluate their Programs’ effectiveness, (ii) hold robust training for employees, or (iii) exercise appropriate service provider oversight.