On December 5, 2022, the Division of Examinations of the Securities and Exchange Commission (SEC) released a Risk Alert discussing its observations on Regulation S-ID (Reg. S-ID) from recent examinations of SEC-registered investment advisers and broker-dealers. Reg. S-ID, the SEC’s implementation of the identity theft red flags rule, requires SEC-regulated financial institutions and creditors to develop and implement an identity theft prevention program (Program) with written policies and procedures that are updated periodically. The requirements for the Program are outlined in the text of Reg. S-ID, and there are guidelines in Appendix A to assist firms in creating and maintaining a compliant Program. As Reg. S-ID applies to both SEC and Commodity Futures Trading Commission-regulated entities, financial institutions and creditors should consider their compliance programs accordingly.
The SEC’s attention to Reg. S-ID is not new. The SEC’s Risk Alert follows recent increased enforcement attention, including scrutiny of governance, training and third party oversight. In sum, this Risk Alert identifies several important areas for focus:
- The identification of covered accounts. The SEC staff observed that firms failed to conduct an assessment to identify covered accounts, identify new and additional covered accounts, and conduct risk assessments.
- Establishment and Operation of a Program. The SEC staff observed that Programs were not tailored to the business of the firm and did not cover all required elements of Reg. S-ID.
- Administration of the Program. The SEC staff observed that firms did not provide sufficient information to the board or designated senior management, conducted inadequate training, and failed to evaluate controls of service providers.
The Risk Alert provides useful insight into key areas of compliance for registered investment advisers and broker-dealers. Specifically, firms subject to Reg. S-ID should consider the following:
- Policies and Procedures: The SEC noted that some firms did not have policies and procedures that adequately covered all of the required elements of a written Program and were not appropriately tailored to the firm’s business model. A Program’s policies and procedures should provide, among other things, detailed information on how to detect and respond to potential and actual incidents of identity theft. The SEC staff acknowledged that Appendix A of Reg. S-ID provides illustrative examples of red flags firms can consider but it is important for firms to tailor their policies and procedures to the nature of their business. Additionally, firms should periodically update their policies and procedures, particularly after undergoing significant changes related to how customers open and access their accounts, or when going through business changes or reorganizations.
- Board of Directors Involvement: Ensure that the board of directors, an appropriate committee, or a senior management employee approve the initial written Program. In addition, the board or senior management should be involved in the oversight and administration of the Program. Specifically, they should receive sufficient information through periodic reports that evaluate the effectiveness of the Program.
- Documentation: The Risk Alert recommends firms maintain documentation concerning their Programs and analysis of covered accounts. While not expressly required by Reg. S-ID, the SEC staff states that such documentation can help identify to auditors and regulators how the firm assessed which accounts are covered accounts. Additionally, firms should create and maintain a process for identifying which accounts are “covered accounts.” This involves conducting periodic risk assessments or evaluations to determine the types of covered accounts that are offered, and using this information to identify relevant red flags. If a firm merges with another entity, it is important to reassess whether any new accounts should be included in the Program.
- Periodically Review and Update Programs: Companies should consider periodic reviews of their Programs and update Programs based on factors such as: (a) the firm’s experiences with identity theft; (b) changes in methods of identity theft; (c) changes in methods to detect, prevent or mitigate identity theft; (d) changes in the types of accounts offered or maintained; and (e) changes in the firm’s structure or service provider arrangements.
- Monitor Controls of Service Providers: Firms relying on service providers to perform activities in connection with covered accounts should evaluate the service provider’s controls for identity theft. This assessment may include, among other things, reviewing the language in their contracts to ensure that the service provider is required to report red flags to the firm and to take action to respond to the red flags itself.
- Training: Implement a training program and assess which employees should be trained. Note that the SEC has deemed some firms’ training processes insufficient when the training was limited to a single sentence telling employees to be aware of identity theft.
The Risk Alert encourages firms to review their Programs and consider whether any improvements are necessary. The SEC may ask firms about the topics discussed in the Risk Alert during future exams, and the SEC’s Division of Examinations may provide additional guidance on compliance with Regulation S-ID when it publishes its list of priorities for 2023. Additionally, the FTC red flags rule may apply to certain customer accounts of non-registered investment advisers and funds (as well as to certain other financial institutions and creditors).
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.