SEC Settles Enforcement Actions with Broker-Dealers and Investment Advisors for Identity Protection Deficiencies

Alysa Austin, Katherine Doty Hanniford
Alston & Bird
Contact
LinkedIn
Facebook
X
Send
Embed

Alston & Bird

On July 27, 2022, the Securities and Exchange Commission (SEC) separately settled three enforcement actions with broker-dealers and investment advisers for alleged deficiencies relating to the prevention of customer identity theft, in violation of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID. Regulation S-ID requires registered financial institutions, broker dealers, and investment advisers that offer or maintain one or more covered accounts to maintain a written identify theft prevention program designed to detect, prevent, and mitigate identity theft pertaining to covered accounts.

Without admitting or denying the SEC’s findings, each firm agreed to pay penalties ranging between $425,000 to $1.2 million. The SEC’s orders found that, between at least January 2017 to October 2019, the firms’ identity theft prevention programs did not include reasonable policies and procedures to identify relevant red flags in connection with customer accounts or incorporate those red flags into their programs.

The SEC orders state that the firms’ programs further lacked reasonable policies and procedures to respond appropriately to detected identity theft red flags, or to ensure that such programs were updated periodically to reflect changes in identity theft risks to customers. In particular, the SEC faulted the firms variously for policies and procedures that (i) merely restated the wording of Reg S-ID without stating how the firm would actually identify or respond to red flags; (ii) were not sufficiently tailored to the firm and its covered accounts; and (iii) had not been updated to keep pace with the changing threat landscape. The SEC also took issue with certain of the firms’ training procedures and compliance reporting to senior management and the board of directors, finding these to be insufficient and not in compliance with Reg S-ID.

Importantly, the SEC’s orders suggest that there will be greater scrutiny around a company’s implementation of and overall compliance with Regulation S-ID. “Today’s actions are reminders that broker-dealers and investment advisers must design and operate identity theft prevention programs that are appropriately tailored to their businesses and update them in response to the increased threat and changing nature of identity theft,” said Carolyn M. Welshhans, Acting Chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit.

Companies looking to benchmark existing programs should consider the following from the SEC orders:

  • Develop and maintain reasonable policies and procedures to respond appropriately to detected identity theft red flags;
  • Update your customer identity program periodically to reflect changes in identity theft risks to customers;
  • Ensure there is board of directors’ oversight in the development, implementation, and administration of such program;
  • Exercise appropriate and effective oversight of all service provider arrangements; and
  • Ensure staff are effectively trained to implement the program.

We will continue to follow and report on these developments.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Alston & Bird
Contact
more
less

Alston & Bird on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide