Tip for Updating Your Compliance Program: Identity Theft Red Flag Rule

Author

Jaqueline Hummel

Publish Date

Type

Article

Topics

  • Compliance

As we start to wrap up Form ADV season, we are reminded that compliance officers face the thankless task each year of reviewing their policies and procedures to determine their adequacy and effectiveness, as required by Advisers Act Rule 206(4)-7. This review entails updating the firm's compliance program to reflect changes to relevant regulations and new regulatory guidance, and confirming the program is appropriately followed by the firm.  

We’ve compiled a series of tips to help you focus on the U.S. Securities and Exchange Commission (SEC) focus areas for 2023. You can read our previous tips here:  

Tip #5 - Update Your Compliance Program to Prevent Identity Theft Under Regulation S-ID 

The SEC Division of Examinations (EXAMS) published its sixth Risk Alert for 2022, Observations from Broker-Dealer And Investment Adviser Compliance Examinations Related To Prevention Of Identity Theft Under Regulation S-ID. As the title suggests, the Risk Alert lets advisers and broker-dealers know how firms fail to meet their obligations under Regulation S-ID.  

Regulation S-ID, the “Identity Theft Red Flag Rule,” aims to protect investors from theft, loss, and abuse of their personal information. It requires financial institutions to implement and administer a written program designed to detect, prevent, and mitigate identity theft for customers with “covered accounts.” Covered accounts are defined as: 

  1. An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or 
  2. Any other account that poses a reasonably foreseeable risk to customers of identity theft.  

In 2022, the SEC entered settlements with three broker-dealers for violation of Regulation S-ID, discussed in more detail in our ACA Regulatory Update – October Edition. Not surprisingly, some findings in the Risk Alert mirror those in the settlements, including firms failing to periodically assess whether they offer or maintain covered accounts, failing to incorporate their experiences with identity theft into their programs, using boilerplate language from Regulation S-ID without tailoring the program to their business model, failing to train staff on existing procedures for identifying and responding to red flags, and failing to involve the firm's board of senior management in program oversight. 

Our guidance 

  • Review your current "red flags" policy and process and be prepared to update it. Even investment advisers that do not maintain “covered accounts” should conduct and document an annual assessment to address whether Regulation S-ID applies to them. Firms should ensure their identity theft prevention programs contain four elements:  
    • Identification of relevant red flags 
    • Detection of red flags 
    • Prevention and mitigation of identity theft 
    • Periodic updates to the program 
  • Implement identity theft protection practices. The goal of an identity theft prevention program is to protect client and investor personally identifiable information (PII). To meet that goal, firms should:  
    • Limit the PII they collect and store 
    • Encrypt PII at rest and in transit 
    • Control access to PII by using multi-factor authentication  
    • Monitor and actively manage access to administrative/privileged accounts 
    • Monitor and log access to systems containing PII 
  • Train employees. Employees should be able to identify suspicious activity and know what to do when they see it. Training should be ongoing, and firms should keep employees up-to-date about the latest suspicious activities so that they can react quickly. 
  • Communicate across business functions. Firms should consider cross-functional discussions. For example, client service representatives can share their experiences with potential fraudsters, and IT teams can inform about the latest social engineering attacks. The lessons learned can then be used in training so employees understand what to look for and actions to take when they identify suspicious activity. 

How we help 

Creating and maintaining a compliance program that meets regulatory requirements can be a daunting task. We can provide a dedicated team of highly experienced professionals to help. 

Introducing ACA Signature, a scalable solution curated to suit your firm’s unique compliance needs. ACA Signature provides financial firms with scalable consulting solutions that can be paired with innovative technology and managed services for staying on top of regulatory and daily obligations. Our team of regulatory experts can build, enhance, or manage your compliance program, helping to mitigate risks and increase operational efficiency. 

Designed by former regulators and compliance experts, ACA Signature provides services and solutions tailored to fulfill your firm’s ongoing compliance obligations. Our team includes former SEC, FINRA, FCA, NFA, CFTC, and state regulators along with former Chief Compliance Officers and senior compliance managers from prominent financial institutions in the industry. With over 20 years’ experience in the compliance industry, ACA is synonymous with quality compliance support. 

Reach out to your ACA consultant, or contact us to find out how ACA Signature can help transform your firm’s compliance program. 

Contact Us 

Listen to our 2023 Regulatory Outlook webcast on demand 

We recently hosted a webcast to review the regulatory changes that will likely have implications on compliance programs in 2023, and provide recommendations to prepare for these changes. Our experts discussed rule proposals and adoption, examination and enforcement trends, and regulatory guidance. Watch our webcast for more insights to help you prepare your compliance program for this year’s focus areas. 

Watch now