What You Need to Know
- Advisors need to do all they can to protect clients from identity theft.
- The SEC is looking more closely at steps advisors take to prevent identity theft.
- When possible, add a multi-factor verification to your digital modus operandi.
Here’s a warning: Protecting your clients from identity theft means don’t rely solely on your written identity theft prevention program under regulation S-ID. Make sure you implement a multi-factor authentication where possible.
As we’ve told clients going through the Securities and Exchange Commission examination process, we’ve noticed an uptick in SEC staff inquiries related to identity theft prevention.
Typically these questions are focused on whether registered investment advisors have adopted and are maintaining an effective written identity theft prevention program, especially if their money movement practices clearly subject them to Regulation S-ID. To address these important issues, I spoke with my partner, and our firm expert, Cary Kvitka.
Which RIAs Are Subject to Regulation S-ID?
Regulation S-ID applies to SEC-RIAs that maintain “Covered Accounts.” While the exact definition of a Covered Account is complex, at its core it is an account: 1) designed to permit multiple payments to third parties, and 2) “there is a reasonably foreseeable risk” that someone could perpetrate an identity theft attack, and defraud or use the investment advisor as a conduit to steal client funds from that account.
Cary advised that if an advisor, or its representative, is deemed to have custody of any client funds or securities that it is required to report on Form ADV Part 1, Item 9, then the affected accounts should be treated as Covered Accounts for the purposes of Regulation S-ID. In that case, the RIA should adopt a written identity theft prevention program meeting the requirements of Regulation S-ID. At a minimum, the accounts reported on ADV Part 1 Item 9 would be subject to the written identity theft prevention program.
However, we also caution RIAs to look at all of their money movement practices at that time and decide if there is a reasonably foreseeable risk that someone could abuse that particular practice to abscond with its clients’ funds from accounts that aren’t reported on ADV Part 1, Item 9.
While the term “reasonably foreseeable” is subjective, an advisor that chooses not to implement a written identity theft prevention program and later suffers an identity theft attack to the detriment of its client will be in an uncomfortable position — to say the least.