SEC Risk Alert on Prevention of Identity Theft and Reg S-ID
What happened?
The Division of Examinations (“EXAMS”) issued a Risk Alert to assist firms with identity theft prevention programs required under Regulation S-ID. Financial institutions (including broker-dealers and registered investment advisers) must determine whether they offer “covered accounts” and are subject to this regulation. Generally, a covered account is either (1) an account that a financial institution offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account that poses a reasonably foreseeable risk to customers of identity theft. The most frequently observed compliance issues were:
- Failure to initially identify covered accounts and new or additional covered accounts through periodic assessments.
- Failure to conduct risk assessments, especially around sources of new accounts such as mergers, online offerings, and branch offices.
- Failure to tailor identity theft programs to the firm’s business and to the requirements of Regulation S-ID.
- Falling short of the requirements, including those for (1) identification of red flags, (2) response to red flags, and (3) periodic updates to the identity theft program.
- Poor administration of the identity theft program, such as (1) insufficient reporting to the board or designated senior management, (2) inadequate training for employees, and (3) inadequate controls for service providers to monitor identity theft.
What does this mean for me?
This risk alert follows perennial warnings about data security and the importance of safeguarding client accounts and personally identifiable information. If you haven’t assessed your identity theft program or have failed to take ever-evolving cybersecurity risks into account, now is the time to close that gap.
Fairview® provides full-service compliance support for registered investment advisers by creating and implementing comprehensive, sustainable compliance programs, including ongoing testing and evaluations to ensure firms remain compliant with SEC regulations. We make sure that internal controls are built into your operational processes and account for the latest cybersecurity threats, making compliance inherent to the culture of your firm. Contact us today for additional information about maintaining your compliance program.
If you have any questions on how to comply with identity theft program requirements under Regulation S-ID or need support managing service providers, Fairview Cyber can help. We support firms in complying with SEC expectations by offering comprehensive cyber and data security solutions for businesses focused on protecting client data. Contact us today to learn more.