On July 27, 2022, the Securities and Exchange Commission (SEC) separately settled three enforcement actions with broker-dealers and investment advisers for alleged deficiencies relating to the prevention of customer identity theft, in violation of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID. Regulation S-ID requires registered financial institutions, broker-dealers, and investment advisers that offer or maintain one or more covered accounts to maintain a written identity theft prevention program designed to detect, prevent, and mitigate identity theft pertaining to covered accounts.
Without admitting or denying the SEC’s findings, each firm agreed to pay penalties ranging from $425,000 to $1.2 million. The SEC’s orders found that, between at least January 2017 and October 2019, the firms’ identity theft prevention programs did not include reasonable policies and procedures to identify relevant red flags in connection with customer accounts or to incorporate those red flags into their programs.
The SEC orders state that the firms’ programs further lacked reasonable policies and procedures to respond appropriately to detected identity theft red flags, or to ensure that such programs were updated periodically to reflect changes in identity theft risks to customers. In particular, the SEC faulted the firms variously for policies and procedures that (i) merely restated the wording of Reg S-ID without stating how the firm would actually identify or respond to red flags; (ii) were not sufficiently tailored to the firm and its covered accounts; and (iii) had not been updated to keep pace with the changing threat landscape. The SEC also took issue with certain of the firms’ training procedures and compliance reporting to senior management and the board of directors, finding these to be insufficient and not in compliance with Reg S-ID. Notably absent was any allegation of customer harm.
Importantly, the SEC’s orders suggest that there will be greater scrutiny around a company’s implementation of and overall compliance with Regulation S-ID. “Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn M. Welshhans, Acting Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.
Companies looking to benchmark existing programs should consider the following from the SEC orders:
- Develop and maintain reasonable policies and procedures to respond appropriately to detected identity theft red flags;
- Update your customer identity program periodically to reflect changes in identity theft risks to customers;
- Ensure there is board of directors’ oversight in the development, implementation, and administration of such program;
- Exercise appropriate and effective oversight of all service provider arrangements; and
- Ensure staff are effectively trained to implement the program.
We will continue to follow and report on these developments.