EXAMS Publishes Risk Alert Regarding Regulation S-ID Compliance
Client memorandum | December 6, 2022
Authors: Joanna D. Rosenberg, Jessica Forbes, Philip Heimowitz, Mark Highman, Steven Lofchie, Nihal Patel
The Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (“SEC”) has published a risk alert (“Risk Alert”) identifying a number of practices by registered investment advisers and broker-dealers (together, “firms”) that EXAMS staff characterized as inconsistent with the objectives of Regulation S-ID and that may leave retail customers vulnerable to identity theft and financial loss. The Risk Alert outlines risks and practices falling into the following broad categories: (1) identification of covered accounts, (2) establishment of a written identity theft prevention program as required under Regulation S-ID (“Program”), (3) required elements of the Program, and (4) administration of the Program.
Regulation S-ID applies to SEC-regulated entities including, among others, registered broker-dealers and registered investment advisers that maintain “covered accounts.” Under Regulation S-ID, firms are required to periodically determine whether they offer or maintain covered accounts. If a firm offers or maintains covered accounts, Regulation S-ID requires the firm to develop and implement a Program to detect, prevent, and mitigate identity theft.
Regulation S-ID requires each Program to include reasonable policies and procedures to identify relevant red flags for the firm’s covered accounts, detect and respond appropriately to perceived red flags, and update the Program periodically to reflect any changes in risks to customers and to the safety and soundness of the firm from identity theft. Regulation S-ID also requires firms to provide for the continued administration of the Program through various approvals, staff training, and oversight of service providers.
Identification of Covered Accounts
EXAMS staff observed firms that failed to conduct: (i) an assessment of whether any of their accounts were covered accounts, and as a result, failed to implement a Program as required under Regulation S-ID; (ii) periodic assessments to identify new and additional covered accounts; and (iii) risk assessments in connection with the identification of covered accounts.
Establishment of the Program
EXAMS staff observed the following issues with respect to the establishment of written Programs: (i) firms that established a generic Program that was not tailored or appropriate for their business model (including firms that relied on a template with incomplete fill-in-the-blanks and firms that simply restated the requirements of Regulation S-ID without including processes for complying with those requirements) and (ii) Programs that did not cover all required elements of Regulation S-ID (including that policies and procedures maintained outside of the written Program constituted the firm’s process for detecting, preventing, and mitigating identity theft).
Required Elements of the Program
EXAMS staff also observed Programs that lacked elements required by Regulation S-ID, including:
- Reasonable policies and procedures to identify, detect, and respond appropriately to any red flags. Specifically, EXAMS staff observed firms:
- that failed to identify red flags specific to their covered accounts, such as firms with online accounts that listed red flags related to the physical appearance of a customer, and firms that included red flags related to consumer reports even though those firms did not obtain consumer reports;
- that did not have a process or did not follow existing procedures to evaluate actual experiences with identity theft in order to determine if additional red flags should be added to their Program; and
- that did not identify any red flags in their Program.
EXAMS staff also observed firms that inappropriately relied on existing policies and procedures (e.g., anti-money laundering procedures) to satisfy certain elements of a Program required by Regulation S-ID, and firms that claimed to have procedures for detecting and responding to specific red flags, when no such procedures existed.
- Reasonable policies and procedures to ensure that the Program is updated periodically to reflect changes in risks to customers and the firm from identity theft. Specifically, EXAMS staff observed firms that did not update their identified red flags after making significant changes to the ways in which their customers open and access accounts, and firms that had gone through business changes or reorganizations but failed to incorporate the new business lines into their existing Program or failed to approve a new Program for the new business lines.
Administration of the Program
EXAMS staff observed Programs that did not provide for continued administration of their Programs as required by Regulation S-ID. For example, EXAMS staff observed firms that did not provide sufficient information to allow for evaluation of the Program’s effectiveness, firms that did not have robust processes around employee training, and firms that relied on service providers but did not evaluate the service provider’s controls to monitor for identity theft.
EXAMS staff suggested that firms review their practices, policies and procedures with respect to their Programs, and consider whether any improvements are necessary.
The SEC has recently brought a number of significant enforcement actions against firms for violations of Regulation S-ID. We encourage our clients to review their Programs for compliance with Regulation S-ID, with particular focus on the practices identified in the Risk Alert.
 17 C.F.R. Part 248, Subpart C.
 Risk Alert, Observations from Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022).
 A “covered account” is (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Rule 201(b)(3) of Regulation S-ID. Entities likely to be subject to Regulation S-ID include (a) most registered broker-dealers (e.g., broker-dealers offering margin or custodial accounts), (b) most registered investment companies (e.g., registered investment companies that allow individuals to wire transfers to other parties or that offer check writing privileges) and (c) some registered investment advisers (e.g., registered investment advisers that can direct transfers or payments from individual accounts to third parties based on the individual’s instructions or that act as agents on behalf of individuals).
 Rule 201(d)(1) of Regulation S-ID.
 “Red flag” is defined in Regulation S-ID to mean a pattern, practice, or specific activity that indicates the possible existence of identity theft. Rule 201(b)(10) of Regulation S-ID.
 See Rule 201(d)(2) of Regulation S-ID.
 See Rule 201(e) of Regulation S-ID.
 See Fried Frank Regulatory Intelligence, Three Broker-Dealers Settle SEC Charges for Identity Theft Prevention Deficiencies (July 28, 2022).
This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.