Aesop, the SEC, and the $2.5 Million Regulation S-ID Lesson
By Victoria Olson, CRCP, Senior Consultant
Reading enforcement actions against investment advisers serves two purposes for me: (1) I get a chance to pat myself on the back and rejoice that it wasn’t my firm, and (2) I learn about what went wrong (allegedly), and then I take a look at my compliance program to make sure I’m not doing the same thing. This is a practice I picked up as a kid reading Aesop’s Fables — if you can learn the lesson from reading, you don’t have to suffer the same fate in real life! To that end, I’m here to tell you that it seems like it’s time for all of us to take a good look at our Identity Theft Prevention Programs (the “Programs”).
The common thread of recent Regulation S-ID violations
On July 27, the SEC announced three settlements totalling over $2.5 million relating to violations of Regulation S-ID.¹ The charges against J.P. Morgan Securities, UBS Financial Services, and TradeStation Securities reveal a common thread: policies and procedures that were not reasonably tailored to the firms’ businesses, and a lack of effective supervision of the Programs.
- The JPM action notes that the policies the firm adopted reproduced verbatim the example red flags provided in Supplement A to Appendix A of Regulation S-ID, but did not describe how the firm specifically was supposed to identify such red flags or respond to them when detected.
In addition, the Order states that JPM did not make subsequent updates to its identity theft prevention program based on the firm’s own experiences, and did not effectively oversee its service providers’ Programs.
- UBS initially adopted identity theft prevention policies in 2008, and the SEC Order states that the firm did not make material changes to its Program even when Reg S-ID became effective in 2013 and through the relevant period (January 2017-October 2019). The Order notes numerous deficiencies including a lack of reviews to identify covered accounts, red flags not tailored to the business, a lack of procedures to identify or respond to red flags, and a lack of procedures to update the Program. The SEC also took issue with a lack of oversight of the Program by the board of directors, noting deficiencies in the information provided to the board, and specifically that board minutes do not reflect any discussion of compliance with Reg S-ID.
- TradeStation was apparently in a similar state. The Order against them notes there had been no material changes to the Program since it was initially adopted in 2013 and throughout the relevant period, and the procedures were not reasonably tailored to TradeStation’s business. In particular, TradeStation’s Program only identified those red flags that were provided as non-comprehensive examples in Supplement A to Appendix A of Regulation S-ID, some of which were inconsistent with online account opening practices.
The Program also failed to establish reasonable procedures to respond to red flags when detected, or to periodically review and update the Program based on the firm’s experiences. Finally, the SEC identified inadequate administrative procedures, citing shortcomings in reports to the firm’s board of directors and a lack of oversight of service providers’ Programs.
What does this mean to me and you?
- Review where risks of identity theft may exist in your business
  - Document the types of accounts and note the methods by which clients can access their accounts
  - Evaluate the risks presented by, or alleviated by, each of these methods
  - Evaluate the firm’s experiences with identity theft occurrences and attempts
  - Examine the identity theft risks your service providers may pose
  - Document the entire process
- Are there any gaps in your policies and procedures, or opportunities to strengthen the existing program?
  - Do you have specific, customized procedures?
  - Does your list of red flags reflect risks and circumstances that relate to your business?
  - Do you need to add any new red flags?
  - Document that the review occurred, the date of the review, and any changes
- Don’t go it alone
  - Ask the folks who are involved in doing the work (e.g., meeting with clients, opening and servicing accounts) for their input
  - Finally, make sure to update the principals responsible for Program oversight, now and on a regular basis
Turning knowledge into regulatory resiliency
In The Lion, the Ass & the Fox, Aesop teaches us the importance of learning from the misfortunes of others, not to mention that a lion’s opinion of fairness may differ from your own. So, while the exact regulatory violations we read about from time to time will vary, you can pretty much be assured that the SEC won’t be satisfied if the extent of tailoring policies and procedures is limited to dropping in the firm’s name or leaving them to gather dust. Learn the lessons from others and be wary that you may need to please a lion.
Contact us at CSS, A Confluence Company, to learn more about how we can help evaluate your program and strengthen your procedures and processes.
¹ Each of the orders indicates that the firm has undertaken substantial remedial efforts, and the settlements were reached in consideration of such undertakings.