On July 27, 2022, the SEC charged three broker-dealers with violations of the Identity Theft Red Flags Rule (also known as “Regulation S-ID”), with penalties ranging from $425,000 to $1,200,000.[1] The regulation requires that certain financial institutions, including broker-dealers, investment advisers, and investment companies, implement and administer a written Identity Theft Prevention Program (“ITPP” or “Program”) that is “designed to detect, prevent and mitigate identity theft” in connection with the opening of a “covered account” or any existing “covered account.”[2] None of the orders stemmed from actual identity theft incidents or stated customer harm; each was instead based on alleged deficiencies in the firm’s Program. The release of all three settlements on a single day parallels last year’s SEC multi-matter settlement concerning Regulation S-P and may signal a trend of increased scrutiny.
The settlements, which come four years after the SEC’s lone prior Regulation S-ID enforcement action (where actual customer harm was alleged),[3] shed additional light on the features of an adequate ITPP. They also underscore the need for firms to review their ITPPs for compliance gaps, since lacking an adequate ITPP and its associated policies and procedures can lead to enforcement action even in the absence of specific instances of identity theft.
Key compliance takeaways from these settlements include:
- Reasonable policies and procedures to identify, detect and respond appropriately to relevant red flags[4]
  - Reasonable policies and procedures to identify, detect, and respond to relevant red flags should specifically identify red flags tailored to the firm’s business and the nature and scope of its brokerage and/or advisory activities, and should include specific steps to respond. Regulators expect more than broad generalizations without further detail (such as listing “additional due diligence” as a response) or a restatement of the regulation that lists every example provided in Appendix A to Regulation S-ID.
  - An ITPP should describe the firm’s practices with respect to identity theft identification, prevention, and response. In addition to taking steps to prevent identity theft, a firm should document those steps as part of its written ITPP (either explicitly or by reference).
- Periodic updates to the Program[5]
  - An ITPP should include reasonable policies or procedures providing for periodic updates to the Program, including a process to incorporate any necessary updates that reflect the firm’s experiences with identity theft or changes in business practices, such as the manner in which covered accounts may be opened.
  - An ITPP should be updated, and material changes may be warranted, when there are significant changes in business practices and offerings or in external cybersecurity risks related to identity theft.
- Periodic identification of covered accounts[6]
  - An ITPP should provide policies or procedures for periodically identifying covered accounts, including new types of accounts offered, via risk assessment. Characterizing all accounts as covered accounts may be insufficient if the firm does not conduct risk assessments or other evaluations to determine the types of covered accounts it offers or maintains and to identify the applicable red flags.
- Annual reports to the board or senior management[7]
  - Annual reports to the board or senior management, which are a necessary component of oversight of the ITPP, should include sufficient information addressing the Program’s effectiveness. Such information can include detail about significant identity theft-related incidents and management responses (whether at the firm itself or at other firms, as publicly reported) and metrics related to identity theft, so that the board or senior management can be sufficiently involved in the oversight, implementation, and administration of the ITPP.
- Training as necessary[8]
  - Training provided to staff must be ITPP-specific and should cover how to identify, detect, monitor, and respond to red flags involving identity theft.
- Oversight of service provider arrangements[9]
  - The regulation requires firms to monitor third-party service providers that perform activities in connection with covered accounts, and firms “should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.”[10] A firm’s failure to comply with its own policies and procedures regarding service provider monitoring may itself constitute a failure to provide effective oversight. Thus, if a firm over-includes service providers in its ITPP, it must monitor that larger set of service providers or risk being found in violation of Regulation S-ID.
Firms should review their ITPPs, placing particular emphasis on identifying red flags tailored to their business and on conducting regular compliance reviews to update those red flags and related policies and procedures to reflect changes in business practices and risk.
Notes

[1] The press release with links to the orders is available here.
[2] 17 C.F.R. § 248.201(d)(1). A “covered account” is an account offered or maintained primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions. See id. at § 248.201(b)(3).
[3] See In the Matter of Voya Financial Advisors, Inc., Admin. Proc. No. 3-18840 (Sept. 26, 2018).
[4] See § 248.201(d)(2)(i)-(iii).
[5] See § 248.201(d)(2)(iv).
[6] See § 248.201(c).
[8] See § 248.201(e)(3).
[10] 17 C.F.R. § 248.201, Appendix A, Section VI(c).