
Alston & Bird Privacy, Cyber & Data Strategy Blog


SEC Settles Enforcement Actions with Broker-Dealers and Investment Advisors for Identity Protection Deficiencies

August 1, 2022 By Alysa Austin and Kate Hanniford

On July 27, 2022, the Securities and Exchange Commission (SEC) separately settled three enforcement actions with broker-dealers and investment advisers for alleged deficiencies relating to the prevention of customer identity theft, in violation of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID. Regulation S-ID requires registered financial institutions, broker-dealers, and investment advisers that offer or maintain one or more covered accounts to maintain a written identity theft prevention program designed to detect, prevent, and mitigate identity theft pertaining to covered accounts.

Without admitting or denying the SEC’s findings, each firm agreed to pay penalties ranging from $425,000 to $1.2 million. The SEC’s orders found that, from at least January 2017 to October 2019, the firms’ identity theft prevention programs did not include reasonable policies and procedures to identify relevant red flags in connection with customer accounts or incorporate those red flags into their programs.

The SEC orders state that the firms’ programs further lacked reasonable policies and procedures to respond appropriately to detected identity theft red flags, or to ensure that such programs were updated periodically to reflect changes in identity theft risks to customers. In particular, the SEC faulted the firms variously for policies and procedures that (i) merely restated the wording of Reg S-ID without stating how the firm would actually identify or respond to red flags; (ii) were not sufficiently tailored to the firm and its covered accounts; and (iii) had not been updated to keep pace with the changing threat landscape. The SEC also took issue with certain of the firms’ training procedures and compliance reporting to senior management and the board of directors, finding these to be insufficient and not in compliance with Reg S-ID. Notably absent was any allegation of customer harm.

Importantly, the SEC’s orders suggest that there will be greater scrutiny around a company’s implementation of and overall compliance with Regulation S-ID. “Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn M. Welshhans, Acting Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.

Companies looking to benchmark existing programs should consider the following from the SEC orders:

  • Develop and maintain reasonable policies and procedures to respond appropriately to detected identity theft red flags;
  • Update your customer identity program periodically to reflect changes in identity theft risks to customers;
  • Ensure there is board of directors’ oversight in the development, implementation, and administration of such program;
  • Exercise appropriate and effective oversight of all service provider arrangements; and
  • Ensure staff are effectively trained to implement the program.

We will continue to follow and report on these developments.

Filed Under: Cybersecurity, Data Protection, Financial Privacy Tagged With: cybersecurity, Data Protection, Identity Theft, Regulatory Enforcement, Securities and Exchange Commission

About Alysa Austin

Alysa Austin is an associate with Alston & Bird’s Privacy & Data Security Team and advises clients on cybersecurity compliance, breach investigations and response, online procedures and policies, and vendor contracts.


About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.
