Division of Examinations Risk Alert, December 5, 2022: Observations From Broker-Dealer and Investment Adviser Compliance Examinations Related to Prevention of Identity Theft Under Regulation S-ID

The SEC Division of Examinations issued a Risk Alert on December 5, 2022 detailing observations from examinations of investment advisers and broker-dealers related to compliance with Regulation S-ID. 

Summary of Regulation S-ID

Investment advisers that maintain “covered accounts” are required under Regulation S-ID to establish a Regulation S-ID compliance program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or an existing covered account.  For purposes of Regulation S-ID, a covered account means an account that a financial institution offers or maintains primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions.  An investment adviser that has the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who acts as agent on behalf of the individuals, would be determined to be holding covered accounts.  As an example, a client account over which the investment adviser is provided money movement authority pursuant to a client executed third party SLOA would be considered a covered account under Regulation S-ID. 

The compliance program implemented under Regulation S-ID must address/include the following:

• Periodic Identification of Covered Accounts
  • An investment adviser must periodically determine whether it offers covered accounts.  As part of this determination investment advisers must engage in a risk assessment, taking into consideration –
    • The methods the adviser provides to open accounts;
    • The methods the adviser provides to access its accounts; and
    • The adviser’s previous experiences with identity theft.

• Identifying Relevant Red Flags
  • Advisers must identify relevant Red Flags for the advisers’ covered accounts.

• Detecting Red Flags
  • Advisers must establish policies and procedures to address the detection of Red Flags in connection with opening covered accounts and existing covered accounts.

• Responding to Red Flags – Preventing and Mitigating Identity Theft
  • An adviser’s Regulation S-ID compliance program must provide for appropriate responses to the Red Flags detected by an adviser.

• Updating the Compliance Program
  • An adviser must update its Regulation S-ID compliance program periodically, including the Red Flags determined to be relevant, to reflect changes to clients or the safety and soundness of the adviser from identity theft.

• Administration and Oversight of the Compliance Program
  • For advisers required to implement a Regulation S-ID compliance program, the adviser must –
    • Obtain approval of the initial Regulation S-ID compliance program from the board of directors/managers or similar body of the adviser;
    • The board of directors/similar body must designate a senior level employee in the oversight, development, implementation and administration of the Regulation S-ID compliance program;
    • Train staff, as necessary, to effectively implement the Regulation S-ID compliance program; and
    • Exercise appropriate and effective oversight of service provider arrangements.
  • On at least an annual basis the adviser must report to the board of directors/similar body or the designated employee at the senior management level on compliance by the adviser with Regulation S-ID.  The report should address the following issues, as applicable –
    • The effectiveness of the Regulation S-ID compliance program;
    • Service provider arrangements;
    • Significant incidents involving identity theft and management’s responses; and
    • Recommendations for material changes to the advisers’ Regulation S-ID compliance program.

Division of Examinations Identified Compliance Issues Related to Regulation S-ID

The following is a summary of the compliance issues identified in the Risk Alert by the Division of Examinations:

Identification of Covered Accounts

The Division of Examinations observed firms that failed to conduct an assessment of whether any of their accounts were covered accounts.

Failure to Identify New and Additional Covered Accounts

The Division of Examinations noted firms that engaged in initial identification of covered accounts, but failed to conduct periodic assessments, or otherwise failed to identify all categories or new types of accounts that were covered accounts.

Failure to Conduct Risk Assessments

Firms were observed to have periodically identified covered accounts, but failed as part of that process to include a risk assessment taking into account the factors described above.

Establishment of the Regulation S-ID Compliance Program

The Division of Examinations notes in the Risk Alert firms failing to tailor their Regulation S-ID compliance programs to the business of the firm, as well as adopting Regulation S-ID compliance programs that do not address all of the required elements of Regulation S-ID.  The following are examples noted by the Division of Examinations of compliance deficiencies related to the required elements of a Regulation S-ID compliance program:

Identification of Red Flags

Regulation S-ID requires that advisers’ compliance programs include reasonable policies and procedures to identify relevant Red Flags for covered accounts offered by the adviser and incorporate those Red Flags into the compliance program.  The Division of Examinations observed firms that did not have reasonable policies and procedures to identify relevant Red Flags. 

Detect and Respond to Red Flags

The Division of Examinations observed firms that did not have reasonable policies and procedures to detect and respond to relevant Red Flags. 

Periodic Program Updates

The Division of Examinations observed firms that did not update their Red Flags after making significant changes to the ways in which their customers open and access accounts.  In addition, the Division of Examinations noted firms that had gone through business changes, such as mergers or acquisitions of other financial firms, but failed to incorporate these new business lines into their existing compliance program or to approve compliance program revisions for these new business lines.

Administration of the Program

The Division of Examinations highlights the following examples of firms failing to provide for the continued administration of their compliance programs as required by Regulation S-ID:

• Firms did not provide sufficient information to the board of designated senior management;
• Failure to have sufficient training for employees; and
• Failure to evaluate controls for service providers.

Here is the link to the SEC’s Alert:  https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf