On Dec. 5, 2022, the Securities and Exchange Commission (SEC) issued a risk alert regarding Regulation S-ID, which requires qualified firms to create identity theft protection programs. Qualified firms include broker-dealers, investment companies and some investment advisers.
According to the SEC, “Through its examinations, EXAMS staff identified practices that are inconsistent with the objectives of Regulation S-ID, which may leave retail customers vulnerable to identity theft and financial loss. Below are examples of the most common deficiencies identified by EXAMS staff in connection with the elements of Regulation S-ID.”
Common failures found through these exams included:
- Failure to identify covered accounts: Firms failed to initially identify covered accounts or failed to periodically assess their accounts to determine any new covered accounts. Additionally, firms failed to conduct risk assessments of said covered accounts, which resulted in a failure to properly identify red flags.
- Establishment of the Program: Firms either failed to create a tailored Program that accounted for firm-specific needs, or their Program did not meet all requirements under Regulation S-ID.
- Required elements of the Program: Firms failed to identify, detect and respond to red flags, putting clients at risk of possible identity theft. Firms also failed to periodically update the Program to address additional risks and red flags based on the market.
- Administration of the Program: Firms failed to provide sufficient information to the board or senior management, a requirement under Regulation S-ID to ensure proper administration of the Program. Additionally, firms failed to adequately train staff and failed to ensure that any service providers instituted proper control measures to safeguard against identity theft.
Overall, the SEC advises firms “to review their practices, policies and procedures with respect to their Programs and to consider whether any improvements are necessary.”