EXAMS Risk Alert Warns Advisers and Broker-Dealers to Beef Up Identity-Theft Practices


Jaqueline M. Hummel


Compliance Alert


  • Compliance
  • SEC

The SEC’s Division of Examinations (“EXAMS”) published its sixth Risk Alert for 2022, titled Observations from Broker-Dealer And Investment Adviser Compliance Examinations Related To Prevention Of Identity Theft Under Regulation S-ID. As the title suggests, EXAMS issued the Risk Alert to let advisers and broker-dealers know how firms are failing to meet their obligations under Regulation S-ID. 

The SEC enacted Regulation S-ID, the “Identity Theft Red Flag Rule,” in 2013. The rule requires financial institutions to implement and administer a written program designed to detect, prevent, and mitigate identity theft for customers with “covered accounts.”  Covered accounts are defined as:

  1. an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or
  2. any other account that poses a reasonably foreseeable risk to customers of identity theft.

Earlier this year, the SEC entered settlements with three broker-dealers for violation of Regulation S-ID, discussed in more detail in our ACA Regulatory Update – October Edition. Not surprisingly, some findings in the Risk Alert mirror those in the settlements, including firms failing to periodically assess whether they offer or maintain covered accounts; failing to incorporate their experiences with identity theft into their programs; using boilerplate language from Regulation S-ID without tailoring the program to their business model; failing to train staff on existing procedures for identifying and responding to red flags; and failing to involve the firm’s board or senior management in program oversight.

Our guidance

Broker-dealers and investment advisers should review their process for compliance with Regulation S-ID and be prepared to update their programs. Even investment advisers that do not maintain “covered accounts” should conduct and document an annual assessment to address whether Regulation S-ID applies to them.

Firms should ensure that their identity theft prevention programs contain four elements: 

  • Identification of relevant red flags
  • Detection of red flags
  • Prevention and mitigation of identity theft
  • Periodic updates to the program

The goal of an identity theft prevention program is to protect client and investor personally identifiable information (“PII”). To meet that goal, firms should:

  • Limit the PII they collect and store
  • Encrypt PII at rest and in transit
  • Control access to PII by using multi-factor authentication 
  • Monitor and actively manage access to administrative/privileged accounts
  • Monitor and log access to systems containing PII

Two other observations from the Risk Alert included firms’ failures to update their policies and procedures based on their business model and the specific identity theft risks they face, and failure to train employees to identify and act when they see suspicious activity. Firms should consider more frequent cross-functional discussions. For example, client service representatives can share their experience with potential fraudsters and IT teams can discuss the latest social engineering attacks. The lessons learned can then be used in training, so employees understand what to look for and actions to take when suspicious activity is identified.

How we help

We help you to navigate the evolving regulatory landscape while considering the complexity of your firm’s unique compliance requirements. Our compliance advisory team can assist you with developing and maintaining your compliance manual, policies, and procedures for a range of topical challenges. 

Additionally, we provide the following cybersecurity and technology risk solutions that can help your firm ensure strong security preparedness, prevention, and response, including:

  • Phishing testing and cyber awareness
  • Policy and program development
  • Penetration testing and vulnerability assessments
  • Cyber incident response planning

For more information about this risk alert, or to find out how we can help your firm, please reach out to your ACA consultant or contact us here.