By: Christopher Hufty, Compliance Consultant
In today’s electronically connected world, more and more exchanges are happening online, in terms of both sensitive information and currency. Be it communication through social media platforms, mobile applications, email, and text messages, or even the purchase and delivery of dinner and weekly groceries. As a society, we’ve entered the technological frontier of online exchange and transactions – and the financial services industry is no different.
But by opening the world to the extensive exchange of online information and instant communication, we also create an environment vulnerable to additional risks.
In December 2022, the SEC issued a Risk Alert, “Observations from Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention Of Identity Theft Under Regulation S-ID[1]” based on observations from recent examinations of both registered investment advisers and broker-dealers by the Division of Examinations (“EXAMS”). While Regulation S-ID was initially enacted in 2013, this Risk Alert is intended to assist firms as they develop, enhance, and implement an identity theft program in response to the increased threats of identity theft and the potential resulting financial loss by retail customers.
Regulation S-ID applies to entities that qualify as financial institutions or creditors under the Fair Credit Reporting Act (“FCRA”). It requires firms to determine whether they maintain or offer covered accounts. Typically, the regulation will apply to accounts that are primarily for personal, family, or household purposes. If a firm is deemed qualified under the FCRA, it must establish a written program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or the maintenance of an existing account.
In this month’s Risk Management update, we will unpack the four areas where deficiencies were most commonly found by the EXAMS Staff in connection with Regulation S-ID, including identification of covered accounts, establishment of an identity theft prevention program, missing or inadequate elements of the program, and overall administration and management of the program.
Identification of Covered Accounts
Regulation S-ID requires is that firms determine and periodically reassess whether they offer or maintain covered accounts[2]. In the Risk Alert, a best practice for firms to review such accounts is to conduct a risk assessment – paying close attention to their processes for opening and accessing client accounts, as well as considering any and all previous instances of identity theft.
While performing a risk assessment may be the initial solution, firms must also question whether their current program meets the criteria of the Regulation. Throughout their examination process, the Exams Staff found that several firms, not only, failed to assess whether any of their accounts were covered accounts, but that some firms were also failing to conduct subsequent periodic assessments, and/or did not properly identify all or new types of accounts that might be covered. In either scenario, these firms were found to lack an adequate identity theft prevention program, leaving them in violation of Regulation S-ID.
Another observation referenced in the Risk Alert, was that some firms, during their assessments and reassessments of covered accounts, omitted online, retirement, and other specialized accounts. The Staff also found that several firms failed to document their assessments. Although documentation is not required by the Regulation, it is invaluable in demonstrating to the regulators what steps the firm has taken to be compliant. This serves as a good reminder that any analysis and findings completed as part of a risk assessment, which are critical to any compliance program, should recorded as part of any firm’s books and records.
The failure to conduct risk assessments is preventing some firms from identifying certain covered accounts on an on-going basis, which in turn is limiting the firm’s ability to develop controls relevant to their red flags.
Establishment of the Program
Another key element under Regulation S-ID is the requirement that firms must develop and implement of an identity theft program that is appropriate for the firm’s size, activity and complexity.
Within the Risk Alert, the EXAMS Staff indicated that some firms failed to adequately tailor their program to their business model, often relying on generic or templated written programs. Another issue identified was in cases where firms included language from the Regulation within their program, but did not detail or create specific procedures and policies for their firm to implement and carry out.
The Staff also found firms that indicated they were doing certain things in the context of identity theft protection but did not document these activities in their written policies and procedures. Moreover, in many cases, the policies and procedures simply did not cover all the required elements of Regulation S-ID.
Required elements of the Program
A requirement of Regulation S-ID noted throughout the Risk Alert is that advisers and broker-dealers need to design and implement an identity theft program. Even for firms that did implement such a program, the Staff found that many of these programs did not address all of the required elements to be compliant with Regulation S-ID.
There are three primary components that firms must incorporate into their policies and procedures to be in compliance with Regulation S-ID. Each firm must include reasonable policies and procedures to identify red flags and incorporate them into their program, detect relevant red flags and promptly respond to mitigate any potential identity theft, and ensure the program is periodically reviewed and updated to reflect changes in risk to the customers and the firm.
| What is a red flag?
Identity theft red flags are suspicious patterns and activities that may indicate a risk of identity theft. According to Supplement A to Regulation S-ID’s Appendix A, examples of red flags that firms should consider are: alerts, notifications or warnings from a consumer reporting agency; suspicious documents; suspicious personal identifying information; unusual use of, or suspicious activity related to, the covered account; and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution. |
During recent examinations, the EXAMS Staff noted multiple issues regarding the identification of red flags. One issue was that some firms failed to identify red flags that were specific to the covered accounts maintained by the firm and simply listed examples from Appendix A. The Staff also found that some firms, while only offering online accounts, identified red flags associated with physically meeting the customers and other firms that relied on policies and procedures that were already in place but were not developed to detect and respond to identity theft red flags. The SEC has made it clear that Regulation S-ID policies and procedures must be tailored to the firm and not be a generic policy statement with no actionable procedures.
Within the Risk Alert, the Staff found that firms were dependent on other policies within their existing policies and procedures to fulfill identity theft Program requirements, but in retrospect those policies and procedures were not intended to meet the specific requirements of Regulation S-ID. In a nutshell, such policies and procedures were not reasonably designed to detect and respond to identify theft red flags.
A key element of any effective identity theft program is the periodic review and update of the policies and procedures to ensure any changes to the customers’ or the firm’s risks from identity theft are addressed. The EXAMS Staff found that multiple firms did not update their programs after implementing significant changes to their businesses. Some firms went through mergers or acquisitions and failed to develop procedures addressing the new business structure. In other instances, some firms changed the way their customers gain access to their accounts yet did not make the necessary update to their programs to incorporate the possibility of additional identity theft red flags.
Administration of the Program
Administering the Regulation S-ID program effectively is just as important as having the proper policies and procedures in place. Under the rule, firms are not only required to have the program, but the program must be maintained with the appropriate governance throughout the structure of the organization. Meaning, the Program should: (1) be approved and by a governing body or board, such as a Board of Directors or designated Senior Management and documented; (2) involve the governing body in the implementation and management of the Program; (3) the incorporation of adequate training with staff; and (4) the application of continued oversight, including third-party vendors.
Throughout its examinations, the Staff observed failures in meeting these standards in various ways, leaving firms vulnerable to potential risk. Some firms did not provide adequate information to the board or senior management, while others provided insufficient training to their staff, and/or failed to provide proper oversight of third-party service providers with respect to their activities in connection with covered accounts. Collectively, all of these areas are instrumental to the successful implementation and administration of an identity theft prevention program and should be a major focus for all firms when reviewing their policies and procedures.
Conclusion
There are numerous ways firms can mitigate identity theft risks for their customers while simultaneously reducing the risk of any SEC examination findings or enforcement actions related to Regulation S-ID. Firms should maintain current policies and procedures tailored to their specific business practices, consistently train staff to identify red flags associated with identity theft and include the board or senior management to ensure adequate oversight of the program. These are just a few examples of different avenues firms can take to implement a successful identity theft prevention program. The SEC has made identity theft a major focus and it is recommended that all financial institutions assess their current policies and procedures and, if necessary, update their existing programs.
Once an adviser or broker dealer has its program in place, maintaining compliance then relies on the testing, retesting, and an overall commitment to further establishing compliance throughout the organization and maintaining components of a compliance calendar, such as their annual review and risk assessment. While daunting, firms are encouraged to leverage third parties – such as Core Compliance & Legal Services, Inc. (“Core Compliance”) – to assess the strength and adequacy of their compliance programs.
To find out more about how Core Compliance can assist with the implementation and administration of Regulation S-ID identity theft prevention programs, risk assessments, or enhancing your overall compliance program, please contact us at info@corecls.com or by phone at (619) 278-0020.
Author: Christoher Hufty, Compliance Consultant, Core Compliance & Legal Services, Inc. Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf
[2] 17 CFR 248.201(c)