SEC risk alert notes compliance issues regarding ID theft rule

The risk alert, issued Monday, aims to help registered broker-dealers, investment firms, and certain investment advisers enact effective policies and procedures to comply with Regulation S-ID, which was implemented in 2013 by the SEC and Commodity Futures Trading Commission as part of the Dodd-Frank Act. The rule requires registered entities to develop and implement an identity theft prevention program for covered accounts that includes how a firm finds possible identity theft attempts and handles them.

“The risk alert makes it clear firms should review and update their policies and procedures when new business lines are acquired or when risk profiles change,” said Ignacio Sandoval, partner at Morgan Lewis and former special counsel within the SEC’s Division of Trading and Markets. “It’s a reminder to give this rule as much weight as you do to other risk monitoring rules.”

Of note, the SEC in June fined JPMorgan Securities, UBS Financial Services, and TradeStation Securities for violations of Regulation S-ID.

Sandoval said the risk alert also highlighted a compliance disconnect that can occur at firms, where what was written into policies and procedures doesn’t keep up with changes in the firm’s business.

“When what’s happening on the ground changes, that has to be reflected in your written program,” he said.

Through their reviews, SEC examiners identified noncompliant practices by registered entities that may leave retail customers “vulnerable to identity theft and financial loss,” the alert said. Examples included:

• Failing to identify covered accounts by not conducting an assessment on accounts, and as a result, failing to implement policies and procedures as required by Regulation S-ID.
• Failing to assess whether new and additional accounts were covered accounts, like when firms merged with other firms. Examples of accounts that should have been covered accounts but were not included online accounts, retirement accounts, and other special purpose accounts.
• Failing to conduct periodic risk assessments that would take into consideration “the methods provided to open, maintain, and closed accounts; methods to access different types of covered accounts; or previous experiences with identity theft.”
• Failing to tailor the program to the business, using a generic program or incomplete template. Some firms “adopted programs that simply restated the requirements of the regulation without including processes for complying with the regulation.”
• Failing to implement all the required elements of Regulation S-ID or noting “other policies and procedures outside of a written program constituted the firm’s process for detecting, preventing, and mitigating identity theft.”

Examiners also identified problems with firms’ identity theft red flag programs, including:

• Failing to have policies and procedures that identified red flags for identity theft and appropriate measures to respond to those findings.
• Failing to follow existing procedures to evaluate red flags.
• Failing to respond to actual experiences with identity theft and establishing a procedure for adding red flags to programs. The risk alert said several firms experienced ongoing account takeovers over several years but did not include additional red flags in their program.
• Policies and procedures that did not include any examples of actual red flags addressed by the firm.
• Failing to have reasonable policies and procedures to respond to red flags but instead repurposing anti-money laundering procedures that didn’t detect whether the fraud was related to identity theft, like the use of forged credentials.
• Failing to update identity theft red flag policies and procedures when making significant changes to the ways in which customers open and access their accounts.
• Failing to incorporate new business lines from mergers and acquisitions into the firm’s identity theft red flags program.

Examination staff also found firms failed to keep their board or senior management informed about the program by not submitting regular reports or submitting reports that did not contain sufficient information for senior management to evaluate the program. They also found firms offered inadequate training to staff about the program or did not identify which employees should receive more training. Further, firms failed to adequately monitor the controls used by service providers that performed activities in connection with covered accounts.