Ep. 104: Industry Impacts of Regulation S-ID

On Episode 104 of the CCO Buzz podcast, Compliance Consultants Suzette Hagan and Christopher Hufty take a look at the impacts of Regulation S-ID on the industry.


CCO Buzz: Hello and welcome back to the CCO Buzz! We all know that you’re in the middle of your Annual Updating Amendments, as are we with our clients- so thank you for finding a moment to share with us at the CCO Buzz. Our episodes are designed to be brief, so listeners can easily add us to their day, be it when they’re making their morning coffee, on your drive into the office, or simply just to take a quick five minutes for themselves. No matter the scenario – thank you. Thank you for making us part of your day.

Today we’re in for a treat, as we have two guests with us, Compliance Consultants Suzette Hagan and Christopher Hufty, who’ve recently coauthored an article titled “Risk Alert Review: Elements of Regulation S-ID and the Impact to the Industry.” In the piece, they discuss key factors of the SEC’s recent risk alert regarding identity theft and Regulation S-ID.

With that, let’s begin!

First off, Suzette, welcome to the CCO Buzz and thank you for joining us today. Listeners, Suzette joined Core Compliance early last year – and we finally got her on the podcast – so welcome! In your article, you make this great connection to society and the industry’s dependence on technological advancements as they dictate service demands. Can you share a bit about how exactly they relate to compliance?

Suzette Hagan: Yes. Before I dive in – Hi listeners! Thank you for having me. I’m so excited to be here on the podcast. Working on the Core Team has been great so far – I really enjoy being a solution provider to our clients.

But back to the question. So, listeners right now you’re probably [listening on] your cell phone or on a mobile device, and that mobile device probably has a fair amount of downloaded apps. Be it Twitter, LinkedIn, Uber, their bank, or even email. That – all of that – that’s a form of online exchange and interaction. That instant, real-time gratification is the one era that the financial industry is starting to enter – to be able to meet demands at the touch of a finger. Because hey, if I can order lunch to be here in 30 minutes from a nearby restaurant – I should be able to communicate or transact my investments with the same ease, right?

But as firms join and onboard platforms to meet these new service expectations – they open themselves up to additional risk. Understanding this, Regulation S-ID was created to give some sort of semblance of consumer protection. This recent Risk Alert we wrote about just shines a little light on deficiency areas throughout the industry that they’ve identified in their examinations.

CCO Buzz: Wow, I never thought about how trusting I was until you said that right now. I guess my growing dependency on technology has made me oblivious to how much I actually share and permit access to on my devices – let me just go chuck my phone out the window, right about now – just kidding. So for those of us that haven’t dove into the Risk Alert, what areas or deficiencies were identified?

Chris Hufty: If you had to guess, how many did you think there was?

CCO Buzz: Hmm, I like this. Well, three would be an easy guess, but four is my favorite number – so four?

Chris Hufty: Ironically, there were four areas – that were actually surprising, yet not surprising when you read the Alert, including identification of covered accounts, establishment of an identity theft prevention program, missing or inadequate elements of the program, and overall administration and management of the program.

CCO Buzz: I’m sorry, I’m a little lost here – could you elaborate on how the SEC found and defined some of these deficiencies?

Suzette Hagan: Of course, we go into depth a bit more in our article, but I’m sure Chris and I could skim the surface for listeners. If they want more, they’ll just have to check out our article.

As listeners may know, Regulation S-ID requires firms determine and periodically reassess whether they offer or maintain covered accounts.  In the Risk Alert, a best practice for compliance is for firms to conduct a risk assessment – paying close attention to their processes for opening and accessing client accounts, as well as considering any and all previous instances of identity theft.

Within the Alert, SEC Staff noted that in examinations they found that some firms failed to conduct risk assessments, which prevented them from identifying certain covered accounts on an on-going basis, which in turn is limiting the firm’s ability to develop controls relevant to their red flags.

CCO Buzz: Ok, conduct a Risk Assessment to identify accounts – check. What’s next?

Suzette Hagan: Another key element under Regulation S-ID is the requirement that firms must develop and implement an identity theft program that is appropriate for the firm’s size, activity, and complexity.

Within the Risk Alert, the EXAMS Staff indicated that some firms failed to adequately tailor their program to their business model, often relying on generic or templated written programs. Another issue identified was in cases where firms included language from the Regulation within their program but did not detail or create specific procedures and policies for their firm to implement and carry out.

CCO Buzz: Got it, have a program and make sure it’s custom to my business and that the policies and procedures are specific to my firm, as well as carried out accordingly.

Chris Hufty: Next is the elements of the program.

Under Regulation S-ID, advisers and broker-dealers need to design and implement an identity theft program. But within the Risk Alert, even for firms that did implement such a program, the Staff found that many of these programs did not address all of the required elements to be compliant with Regulation S-ID.

CCO Buzz: Ok, you know I’m going to ask – what are these elements?

Chris Hufty: Well, there are three primary components firms must incorporate into their policies and procedures, which include…

  • Reasonable policies and procedures to identify red flags and incorporate them into their program;
  • Methods to detect relevant red flags and promptly respond to mitigate any potential identity theft, and
  • To ensure the program is periodically reviewed and updated to reflect changes in risk to customers and the firm.

CCO Buzz: That doesn’t sound too difficult. But can I ask a silly question here… what is a red flag exactly?

Chris Hufty: That is not a stilly question at all, we often find ourselves defining that with our clients. Simply put, a red flag in this sense is a suspicious pattern or activity that may indicate a risk of identity theft. Within Appendix A of Regulation S-ID there are a handful of examples, including notifications or warnings from a consumer reporting agency; suspicious documents; suspicious personal identifying information – just to name a few.

CCO Buzz: Ok, so we have one more left after the components of the program – what is number four?

Chris Hufty: The Administering of the Program. You see, under the requirements of Regulation S-ID, firms are not only required to have the program, but the program must be maintained with the appropriate governance throughout the structure of the organization. The components of the program cannot be upheld by one person or department of a firm – it has to be a collective understanding and effort – build a culture around the needs of the program.

Under the rule, the Program should:

  • be approved by a governing body or board, such as a Board of Directors or designated Senior Management and documented;
  • It should also involve the governing body in the implementation and management of the Program;
  • And incorporate adequate training with staff; as well as
  • the application of continued oversight, including third-party vendors.

Having these elements establishes the responsibility of everyone, top down – to the program requirements, as well as the firm’s established policies and procedures.

CCO Buzz: Ok, so in a sense, it builds a culture of compliance and a tone from the top?

Chris Hufty: Exactly. I think that is what this Risk Alert was really trying to establish because while the deficiencies may have seemed pretty self-explanatory, understanding how to address and find custom methods that speak to your individual firm [and its] business model, is where firms will create their compliance culture.

CCO Buzz: Wow, I think I finally get it. Thank you so much for enlightening me and listeners. I can’t wait to check out the rest of the article on the Core Compliance website. Before we go, would like to add anything else?

Suzette Hagan:  Yes. There’s numerous ways firms can mitigate identity theft risks for their customers while simultaneously reducing the risk of any SEC examination findings or enforcement actions related to Regulation S-ID. Firms should maintain current policies and procedures tailored to their specific business practices, consistently train staff to identify red flags associated with identity theft and include the board or senior management to ensure adequate oversight of the program. Our article just provides  a few examples of different avenues firms can take to implement a successful identity theft prevention program.

Chris Hufty: For more information or to find out how Core Compliance can assist with the implementation and administration of Regulation S-ID identity theft prevention programs, risk assessments, or enhancing your overall compliance program, please contact us at info@corecls.com or by phone at (619) 278-0020.

CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn, or Twitter @CoreCls. Thank you, and we hope you tune-in to next week’s episode of the CCO Buzz.



Leave a Reply

Your email address will not be published. Required fields are marked *