EXAMS Publishes Risk Alert Regarding Regulation S-ID Compliance
Client memorandum | December 6, 2022
Authors: Joanna D. Rosenberg, Jessica Forbes, Philip Heimowitz, Mark Highman, Steven Lofchie, Nihal Patel
The Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (“SEC”) has published a risk alert (“Risk Alert”) identifying a number of practices by registered investment advisers and broker-dealers (together, “firms”) that EXAMS staff characterized as inconsistent with the objectives of Regulation S-ID[1] and that may leave retail customers vulnerable to identity theft and financial loss.[2] The Risk Alert outlines risks and practices falling into the following broad categories: (1) identification of covered accounts, (2) establishment of a written identity theft prevention program as required under Regulation S-ID (“Program”), (3) required elements of the Program, and (4) administration of the Program.
Regulation S-ID
Regulation S-ID applies to SEC-regulated entities including, among others, registered broker-dealers and registered investment advisers that maintain “covered accounts.”[3] Under Regulation S-ID, firms are required to periodically determine whether they offer or maintain covered accounts. If a firm offers or maintains covered accounts, Regulation S-ID requires the firm to develop and implement a Program to detect, prevent, and mitigate identity theft.[4]
Regulation S-ID requires each Program to include reasonable policies and procedures to identify relevant red flags[5] for the firm’s covered accounts, detect and respond appropriately to perceived red flags, and update the Program periodically to reflect any changes in risks to customers and to the safety and soundness of the firm from identity theft.[6] Regulation S-ID also requires firms to provide for the continued administration of the Program through various approvals, staff training, and oversight of service providers.[7]
Identification of Covered Accounts
EXAMS staff observed firms that failed to conduct: (i) an assessment of whether any of their accounts were covered accounts, and as a result, failed to implement a Program as required under Regulation S-ID; (ii) periodic assessments to identify new and additional covered accounts; and (iii) risk assessments in connection with the identification of covered accounts.
Establishment of the Program
EXAMS staff observed the following issues with respect to the establishment of written Programs: (i) firms that established a generic Program that was not tailored or appropriate for their business model (including firms that relied on a template with incomplete fill-in-the-blanks and firms that simply restated the requirements of Regulation S-ID without including processes for complying with those requirements) and (ii) Programs that did not cover all required elements of Regulation S-ID (including cases in which policies and procedures maintained outside of the written Program constituted the firm’s process for detecting, preventing, and mitigating identity theft).
Required Elements of the Program
EXAMS staff also observed Programs that lacked elements required by Regulation S-ID, including:
- Reasonable policies and procedures to identify, detect, and respond appropriately to any red flags. Specifically, EXAMS staff observed firms:
  - that failed to identify red flags specific to their covered accounts, such as firms with online accounts that listed red flags related to the physical appearance of a customer, and firms that included red flags related to consumer reports even though those firms did not obtain consumer reports;
  - that did not have a process or did not follow existing procedures to evaluate actual experiences with identity theft in order to determine if additional red flags should be added to their Program; and
  - that did not identify any red flags in their Program.
EXAMS staff also observed firms that inappropriately relied on existing policies and procedures (e.g., anti-money laundering procedures) to satisfy certain elements of a Program required by Regulation S-ID, and firms that claimed to have procedures for detecting and responding to specific red flags, when no such procedures existed.
- Reasonable policies and procedures to ensure that the Program is updated periodically to reflect changes in risks to customers and the firm from identity theft. Specifically, EXAMS staff observed firms that did not update their identified red flags after making significant changes to the ways in which their customers open and access accounts, and firms that had gone through business changes or reorganizations but failed to incorporate the new business lines into their existing Program or failed to approve a new Program for the new business lines.
Administration of the Program
EXAMS staff observed Programs that did not provide for continued administration of their Programs as required by Regulation S-ID. For example, EXAMS staff observed firms that did not provide sufficient information to allow for evaluation of the Program’s effectiveness, firms that did not have robust processes around employee training, and firms that relied on service providers but did not evaluate the service provider’s controls to monitor for identity theft.
EXAMS staff suggested that firms review their practices, policies and procedures with respect to their Programs, and consider whether any improvements are necessary.
Conclusion
The SEC has recently brought a number of significant enforcement actions against firms for violations of Regulation S-ID.[8] We encourage our clients to review their Programs for compliance with Regulation S-ID, with particular focus on the practices identified in the Risk Alert.
[1] 17 C.F.R. Part 248, Subpart C.
[2] Risk Alert, Observations from Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID (Dec. 5, 2022).
[3] A “covered account” is (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Rule 201(b)(3) of Regulation S-ID. Entities likely to be subject to Regulation S-ID include (a) most registered broker-dealers (e.g., broker-dealers offering margin or custodial accounts), (b) most registered investment companies (e.g., registered investment companies that allow individuals to make wire transfers to other parties or that offer check-writing privileges) and (c) some registered investment advisers (e.g., registered investment advisers that can direct transfers or payments from individual accounts to third parties based on the individual’s instructions or that act as agents on behalf of individuals).
[4] Rule 201(d)(1) of Regulation S-ID.
[5] “Red flag” is defined in Regulation S-ID to mean a pattern, practice, or specific activity that indicates the possible existence of identity theft. Rule 201(b)(10) of Regulation S-ID.
[6] See Rule 201(d)(2) of Regulation S-ID.
[7] See Rule 201(e) of Regulation S-ID.
[8] See Fried Frank Regulatory Intelligence, Three Broker-Dealers Settle SEC Charges for Identity Theft Prevention Deficiencies (July 28, 2022).
This communication is for general information only. It is not intended, nor should it be relied upon, as legal advice. In some jurisdictions, this may be considered attorney advertising. Please refer to the firm’s data policy page for further information.