Investment Advisers and Broker Dealers: Do you see the Red Flags?
Identity theft is a recurring issue for financial firms, such as Investment Advisers and Broker Dealers, and their clients. Every year, individuals and firms experience monetary losses resulting from identity theft. One specific area where investors are at risk is a firm’s handling of approvals for third-party payments from accounts. Fraudulent phone calls and emails requesting payments can be difficult to detect.
The SEC released Regulation S-ID in 2013, or the Red Flags Rule, to require financial firms to adopt and implement compliance programs that prevent, detect and mitigate the risk of Identity Theft. The Red Flags Rule requires firms to develop an “appropriately tailored” program, which would include the methods by which firms authenticate client requests for payments.
However, a recent Risk Alert issued by the SEC’s Division of Enforcement (DOE) notes insufficient compliance by financial firms with the Red Flags Rule. This Risk Alert follows three notable SEC enforcement actions for violations of the Red Flags Rule, against JP Morgan Securities, UBS Financial Services and TradeStation, with monetary penalties aggregating more than $2.5 million.
The Red Flags Rule requires firms to develop, implement and update policies and procedures for “covered accounts” – accounts that are used primarily for personal, family or household purposes and from which the firm makes third-party payments on instructions from the account owner. The methods by which clients interact with financial firms have changed: there is less personal contact, and operational changes such as the acceptance of emailed instructions and the opening of accounts online rather than in person. Firms therefore need to review and update their Red Flags Rule policies and procedures, which were likely drafted and adopted when Reg S-ID was released in 2013. Ineffective Identity Theft Prevention Programs (ITPPs) can leave individual retail investors exposed to identity theft and potential losses in their accounts.
The Risk Alert, issued on December 5, 2022, described the DOE’s findings from examining compliance with the Red Flags Rule, which requires financial firms to develop, implement and maintain policies and procedures called Identity Theft Prevention Programs (“ITPPs”), including operational procedures for account opening, account management, payments, review and recordkeeping.
Specific deficiencies noted by the DOE related to:
Failure to identify covered accounts – some firms didn’t assess, based on account type, whether they needed to adopt and implement an ITPP,
Failure to adopt policies and procedures (P&Ps) to identify additional covered accounts as firms added account types (such as online accounts or retirement accounts), new clients, or experienced organizational changes such as mergers with other firms,
Failure to conduct Risk Assessments and periodically evaluate and update their existing ITPPs, and
Failure to consider previous experience with identity theft.
The DOE examined firms’ written programs and found that they were deficient –
Firms had programs that were not tailored to their business model and/or not updated to accommodate more recent operational changes, and
Firms had programs that were incomplete.
The DOE stated: “firms relied on a template with fill-in-the-blanks that had not been completed. Other firms adopted Programs that simply restated the requirements of the regulation without including processes for complying with the regulation.”
The Risk Alert also described the DOE’s observation that firms used generic, non-customized P&Ps without carefully analyzing how to apply the requirements to their particular business model. Further, the examined firms did not evaluate the effectiveness of their programs by reviewing identity theft events at the firm and adjusting their ITPPs accordingly.
Steps to comply with the Red Flags Rule and protect against Identity Theft
In conducting an annual compliance review, firms should review their existing ITPPs to determine whether they adequately address the risk to client accounts. An effective ITPP will be customized in each of the following areas:
Identification of Red Flags that will alert an employee to potential identity fraud,
Detection and Response to Red Flags,
Periodic Updates, particularly in response to changes in account operations, or business reorganizations or mergers, and
Effective Administration of the ITPP, including reporting to the appropriate management team, training of staff, and evaluation of service providers.
The DOE’s comments about “fill-in-the-blanks” and generic programs are relevant to all compliance policies and procedures. The SEC continues to issue new compliance rules and to increase its scrutiny of firms’ operations and compliance. Firms are expected to customize all of their compliance procedures and to continually monitor and update them. Truly effective compliance policies require ongoing analysis and revision to address potential shortfalls, new rules and changes within a firm’s business organization. Annual compliance reviews and risk assessments should include a comprehensive evaluation of all compliance policies in light of the firm’s operations and experience.
Review the December 5, 2022 Risk Alert here: https://www.sec.gov/files/risk-alert-reg-s-id-120522.pdf?utm_medium=email&utm_source=govdelivery
Lauri London is in private law practice with Cohen & Buckmann P.C. and advises corporate clients on investment adviser regulation and compliance, executive compensation, and employee benefits. For more information about Lauri and her practice, visit https://cohenbuckmann.com/lauri-b-london.
This article is for general informational purposes only and does not constitute legal advice. The information above is not a complete list of all regulatory and/or compliance requirements that apply to SEC-registered investment advisers. For legal advice specific to your firm’s compliance issues, consult with counsel.