(Article from Registered Funds Regulatory Update, January 2023)
For more information, please visit the Registered Funds Resource Center.
On December 5, 2022, the SEC’s Division of Examinations issued a Risk Alert highlighting the most frequently observed Regulation S-ID compliance issues from recent examinations of SEC-registered investment advisers and broker-dealers (collectively, “firms”). Regulation S-ID requires firms that offer or maintain certain covered accounts to identify these accounts and develop and implement an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in the identified accounts. Generally, Regulation S-ID covers accounts that are used primarily for personal, family, or household purposes that are designed to permit multiple payments or transactions, or any other account for which there is a reasonably foreseeable risk to customers from identity theft. The Staff noted that such personal, family, or household accounts could include registered investment companies that allow wire transfers or check writing privileges or individual accounts at registered investment advisers when the adviser can direct transfers or payments to third parties.
The Staff observed that firms failed to identify covered accounts by not:
- conducting an assessment of whether any of their accounts were “covered accounts;”
- reassessing and identifying new covered accounts over time (such as after a merger with another firm);
- identifying new types of accounts that were covered accounts, such as online accounts or retirement accounts.
Regulation S-ID requires an Identity Theft Program to be appropriate given the size and complexity of the firm and the nature and scope of its activities. The Staff noted several common deficiencies that were observed during recent examinations, including:
- failing to tailor the Identity Theft Program to the business model, such as by using a generic Program or merely restating the requirements of Regulation S-ID;
- failing to cover all the required elements of Regulation S-ID;
- relying on pre-existing policies and procedures, such as anti-money laundering procedures, that were not designed to detect and respond to identity theft concerns;
- failing to reconcile identified procedures for detecting and responding to specific red flags with actual procedures; and
- failing to conduct a risk assessment of the methods of opening, closing, and accessing different types of accounts, such as online accounts.
The Staff also described common deficiencies with respect to firms’ identification of “Red Flags.” Under Regulation S-ID, Red Flags are patterns, practices, or specific activities that indicate the possible existence of identity theft. Like other aspects of the Identity Theft Program, the identification and detection of Red Flags must be relevant to each firm’s business model and its actual experience with identity theft.
The Risk Alert also noted several deficiencies related to inadequate Identity Theft Program implementation and administration. Specifically, the Staff noted firms failing to:
- provide sufficient information to senior management designated to oversee the Identify Theft Program;
- sufficiently train employees on the requirements of Regulation S-ID; and
- evaluate the controls in place for service providers who perform activities in connection with covered accounts.
Observations From Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID, SEC Division of Examinations Risk Alert (Dec. 5, 2022), available at: https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf.