SEC Risk Alert Highlights Firms' Identity Theft Failures
The agency found violations that could leave customers vulnerable to identity theft and financial loss.
The Securities and Exchange Commission’s exam division has discovered broker-dealer and advisor infractions related to its Identity Theft Red Flags Rule, Regulation S-ID, which the agency said Monday may leave retail customers vulnerable to identity theft and financial loss.
In a just-released risk alert, the agency explains that Reg S-ID applies to SEC-regulated entities that qualify as financial institutions or creditors under the Fair Credit Reporting Act and requires SEC-regulated financial institutions and creditors to determine whether they offer or maintain covered accounts.
SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts include most registered broker-dealers; registered investment companies that allow individuals to wire transfers to other parties or that offer check writing privileges; and some registered investment advisors who can direct transfers or payments from individual accounts to third parties based on the individual’s instructions or who act as agents on behalf of individuals.
“If a firm determines that it has such accounts, it must establish a Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account,” the SEC said.
The risk alert cited the following deficiencies found in SEC exams related to Reg S-ID compliance:
- Firms failed to conduct an assessment of whether any of their accounts were “covered accounts” and as a result did not identify covered accounts at the firm and failed to implement a program as required.
- Failure to identify new and additional covered accounts.
- Firms lacked policies and procedures to identify, detect and respond to red flags relevant to identity theft, and failed to ensure such policies were updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
- Firms failed to identify relevant red flags for covered accounts and incorporate those red flags into their program.
(Image: Shutterstock)