
UNITED STATES: SEC Throws A Flag On the Red Flags Programs

On 5 December 2022, the staff of the Division of Examinations (Staff) of the Securities and Exchange Commission (SEC) issued a risk alert identifying practices that are inconsistent with Regulation S-ID, thereby exposing retail customers to potential identity theft.

Regulation S-ID, which applies to SEC-regulated entities that are financial institutions or creditors under the Fair Credit Reporting Act (including most registered broker-dealers, registered investment companies and registered investment advisers), requires the establishment of programs designed to detect, prevent, and mitigate identity theft in connection with covered accounts (each, a Program). Programs must include reasonable policies and procedures to identify, detect, and respond to red flags relevant to identity theft.

The following are some of the most common deficiencies identified by the Staff:

  • Failure to Identify Covered Accounts. Firms did not conduct initial or periodic assessments to identify covered accounts. Some firms did not conduct risk assessments, which impacted their ability to develop controls relevant to their red flags. 

  • Failure to Establish Tailored Programs and to Periodically Update. Firms relied on templates or generic Programs that (i) were not tailored to the firms’ particular business, (ii) did not cover all of the required elements of Regulation S-ID, and/or (iii) lacked actionable procedures. Firms also failed to modify Programs to incorporate significant account changes or new business lines.

  • Failure to Identify, Detect and Respond to Red Flags. Firms did not identify red flags specific to covered accounts or, in some cases, did not identify any red flags. Some firms relied on pre-existing policies and procedures (e.g., anti-money laundering procedures) to satisfy this requirement, even though they were not designed to detect and respond to identity theft red flags. Firms also failed to evaluate actual experiences with identity theft and add red flags when appropriate.

  • Lack of Program Administration. Firms did not provide sufficient information to directors or senior management to enable them to evaluate their Programs’ effectiveness; hold robust training for employees; or exercise appropriate service provider oversight.

Copyright 2023 K & L Gates
National Law Review, Volume XII, Number 340

About this Author

Associate

Jessica Cohn is an associate in K&L Gates' Washington, D.C., office and a member of the Asset Management and Investment Funds practice area. Jessica advises registered investment companies and their independent board members on regulatory, compliance, and transactional matters arising under the U.S. federal securities laws, including on issues related to fund organization, registration, regulatory filings, changes to, and the implementation of, investment strategies, acquisitions and fund adoption transactions, and utilizing a manager-of-managers structure. Jessica...

202-778-9039
Of Counsel

Keri Riemer is of counsel in the Asset Management and Investment Funds group. She provides guidance to investment managers and funds on a broad range of federal securities law issues, and has extensive experience representing registered investment companies and their advisers. With her experience as Senior Counsel at the Securities and Exchange Commission, in-house counsel at a large asset management firm and outside counsel at law firms, Keri brings a unique perspective to helping clients address legal and regulatory challenges relating to their business growth goals...

212-536-4809