On December 5, 2022 the SEC’s Division of Examinations (DOE) issued a Risk Alert (see below for a link) describing its findings in evaluating Broker-Dealer (“BD”) and Investment Adviser (“RIA”) compliance with Regulation S-ID (or the “Red Flag” Rules), which requires BDs and RIAs to develop and implement an Identity Theft Prevention Program (“ITPP”).  DOE mentioned a common issue – BDs’ and RIAs’ use of written policies and procedures that are widely available standard forms, without revisions that consider each firm’s own business model, including operational procedures for account opening, management, review and recordkeeping.

Reg S-ID requires BDs and RIAs to develop, implement and update an ITPP for “covered accounts” – accounts that are used primarily for personal, family or household purposes that allow firms to act as agents for the account owners and make third-party payments based on instructions from the account owners.  With changes over time, including less personal contact, operational changes such as the acceptance of emailed instructions and the establishment of accounts online rather than in person, BDs and RIAs need to review and update their ITPPs, which were likely drafted and adopted when Reg S-ID was released, in 2013.  Ineffective ITPPs can leave individual retail clients of BDs and RIAs exposed to identity theft and the resulting losses in their accounts.

Specific deficiencies noted related to

  • Failure to identify covered accounts – some firms didn’t assess the applicability of adopting and implementing an ITPP based on the types of accounts held;

  • Failure to adopt policies and procedures (P&Ps) to identify additional covered accounts as firms added account types (such as online accounts or retirement accounts), new clients, or experienced organizational changes such as mergers with other firms; 

  • Failure to conduct Risk Assessments and periodically evaluate their existing ITPPs; and

  • Failure to consider previous experience with identity theft. 

DOE examined firms’ written programs and found that they were deficient –

  • Firms had programs that were not tailored to their business model and/or not updated to accommodate more recent operational changes; and

  • Firms had programs that were incomplete.

The DOE stated “firms relied on a template with fill-in-the-blanks that had not been completed.  Other firms adopted Programs that simply restated the requirements of the regulation without including processes for complying with the regulation.”

The Risk Alert continued to describe observations of the DOE that included the use of non-customized generic P&Ps, without a careful analysis of how to apply the requirements to their unique business model.  Further, the examined firms didn’t consider the effectiveness of their programs by reviewing identity theft events in their firm and adjusting their ITPPs accordingly.

In conducting an annual compliance review, firms should review their existing ITPPs to determine if they are adequately addressing the risk to their client accounts.  Effective ITPPs will include customized P&Ps for

  • Identification of Red Flags;

  • Detection and Response to Red Flags;

  • Periodic Program Updates, particularly in response to changes in account operations, or business reorganizations or mergers; and

  • Administration of the ITPP including providing information to the appropriate management team, training of staff, and evaluation of service providers.

The DOE’s comments about “fill-in-the-blanks” and generic programs are relevant to all compliance policies and procedures.  The SEC’s ongoing releases of new compliance rules and regulations and its increasing scrutiny of firms’ compliance policies require that firms adopt P&Ps specifically developed for their firm, and require ongoing analysis and revision that considers P&P effectiveness and the changes within each firm’s business organization.

Firms should undertake an annual compliance review and risk assessment, which would include diligent evaluation of all P&Ps, including ITPPs, personalized to each firm and its specific operations. 

Review the Risk Alert here:

https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf?utm_medium=email&utm_source=govdelivery


Lauri London is in private law practice with Cohen & Buckmann P.C. and advises corporate clients on investment adviser regulation and compliance, executive compensation, and employee benefits.  For more information about Lauri and her practice, visit https://cohenbuckmann.com/lauri-b-london.

This article is for general informational purposes only and does not constitute legal advice.  The information above is not a complete list of all regulatory and/or compliance requirements that apply to SEC-registered investment advisers.  For legal advice specific to your firm’s compliance issues, consult with counsel.