New SEC Risk Alert Puts Investment Advisers’ Identity Theft Policies Under the Microscope

New SEC Risk Alert Puts Investment Advisers’ Identity Theft Policies Under the Microscope

Identity theft is on the rise, and the U.S. Securities and Exchange Commission has taken notice of weaknesses in registered investment advisers’ controls. On December 5, 2022, the SEC Division of Examinations (“EXAMS”) published a Risk Alert, showcasing its observations of problems with identity theft prevention programs. The Risk Alert notes improvements that investment advisers can make to their identity theft prevention programs. 

This Alert was published after the SEC found that many advisers’ programs fell short of Regulation S-ID requirements for the effective development, implementation, and maintenance of identity theft plans for SEC-registered investment advisers that maintain covered accounts. EXAMS highlighted four areas of identity theft program deficiencies. If your firm’s identity theft program falls short of EXAMS standards, there are many enhancements to make that could improve the reasonableness and effectiveness of your program.

FOUR AREAS OF DEFICIENCY AND STEPS THAT CAN BE TAKEN TO SET UP AN EFFECTIVE IDENTITY THEFT PROGRAM:

(1) Deficient Identification of Covered Accounts

The first broad category applies to all investment advisers, as Regulation S-ID requires every IA to conduct a risk analysis to assess whether they offer or manage “covered accounts”. Here, the SEC noted that many IAs failed to effectively search for any “covered accounts” that may be under their management. Many firms also failed to conduct periodic assessments of their accounts; moreover, when periodic assessments took place, IAs would often fail to identify categories of accounts that were “covered accounts”. They also often omitted special purpose accounts from their assessments.

Action Step: Identify Covered Accounts: Clarify, Categorize, and Record

Your firm may improve its “covered accounts” identification practices by making them more rigorous and methodical. Make sure your firm institutes periodic assessments of your accounts, where you routinely search for any “covered accounts” that may be under your management. Make sure your program also identifies all categories of accounts that are “covered accounts”. While Regulation S-ID does not require IAs to maintain documentation regarding “covered account” identification, the SEC actively encourages firms to take up the practice of recording the results of your firm’s findings.

(2) Tailoring Identity Theft Programs to Specific IA Business Models

EXAMS noticed that many identity theft programs were not tailored to the IA’s unique business models. For example, firms with unique services often relied exclusively on a fill-in-the-blank template for developing their programs, when these templates covered more broadly applicable red flags.

Action Step: Effectively Tailor Identity Theft Programs to Your Business Model

While fill-in-the-blank templates are good starting points for creating an identity theft program, be sure to amend the list of red flags in your policy to exclude any portions that are irrelevant to your business model. At the same time, amend the document so that it addresses identity theft concerns that are pertinent to the way your firm operates. For example, if your firm exclusively provides online services, then you may want to delete any identity theft procedures that concern in-person meetings.

(3) Red Flag Policies

The SEC found that many IAs had ineffective policies for detecting and responding to red flags. Furthermore, many IAs lacked reasonable policies to ensure their identity theft programs were being updated periodically to reflect evolving changes in identity-theft-related risks to customers and firms.

Action Step: Update Policies and Establish Periodic Assessments

Always ensure that your program’s red flag policies are designed and periodically updated to adequately detect and respond to modern red flags. Don’t let your Regulation S-ID program get stale as your firm evolves. Make sure the red flag procedures are in place at the firm and that they are being followed. Ensure staff are adequately trained to spot potential identity theft, wire fraud, and imposter accounts.

(4) Administration of the Identity Theft Program

Finally, the SEC noted issues concerning the effective administration of an identity theft program. Firms didn’t provide sufficient information regarding their programs to their boards/management through periodic reports. EXAMS also noted that many employees were often inadequately trained to comply with the program. Furthermore, some firms that utilize third-party service providers didn’t evaluate the controls that these providers had in place to monitor and protect against identity theft.

Action Step: Effective Administration: Keep the Board informed, Train Staff Effectively, and Evaluate Service Provider Identity-Theft Programs

Regarding effective administration of an identity-theft program, firms must:

(1) Obtain approval of the initial written Program from the board of directors/relevant managerial committee or team.

(2) Involve the board/management in oversight of the administration of the program.

(3) Train staff as necessary.

(4) Exercise appropriate oversight of service provider arrangements.

In designing an effective administration policy for your program, use these requirements as your rubric. Make sure your firm is providing sufficient information to your board or senior management through periodic reports. Identify which employees should receive training and take steps to ensure their training is helpful for both the firm and for them. And if your firm utilizes any third-party service providers, be sure to evaluate the controls that provider has in place so that they may effectively monitor for identity theft.

The SEC Risk Alert is available at https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf

Struggling with cyber-security preparedness? Talk with us today.

Disclaimer: The information contained in this communication is for informational purposes only. Confluence/StatPro is not providing, legal, financial, accounting, compliance or other similar services or advice through this communication. Recipients of this communication are responsible for understanding the regulatory and legal requirements applicable to their business.

Subscribe today and receive our latest industry updates and articles.