The Securities and Exchange Commission has published a review of financial firms’ identity theft programs, in case anyone is looking for helpful hints and tips on how to strengthen your own program. Most of the SEC’s advice, however, boils down to a company sincerely thinking about its risks here.
The advice came in the form of a risk alert published on Monday by the SEC’s Division of Examinations, which oversees the compliance obligations of broker-dealers and investment advisers. One of those obligations is Regulation S-ID, more commonly known as the Identity Theft Red Flags Rule. It requires firms to develop and implement an identity theft prevention program if they offer “covered accounts” to customers (really, any account that lets a customer conduct transactions electronically).
The risk alert recaps what Exams Division staffers observed during recent reviews of those identity theft programs. The findings are just as useful for any other business worried about identity theft, so let’s take a look at what the Exams Division found.
First were some common failures related to identifying covered accounts:
- Failure to identify covered accounts. Like, the guilty firms here didn’t conduct any assessment of their accounts at all, and therefore never bothered to build an identity theft prevention program either. That’s an automatic Reg S-ID violation because the rule says firms “must determine… whether they offer or maintain covered accounts.” You can’t determine anything without an assessment.
- Failure to identify new or additional covered accounts. This happened when firms did perform one assessment, and perhaps even flagged a set of covered accounts that needed protection; but the firms then failed to perform more assessments to determine whether any new accounts (say, from a newly acquired subsidiary, or a new line of product offerings) also qualified as covered accounts.
- Failure to perform a risk assessment. This could be an issue if your operations somehow changed since you last performed an assessment of covered accounts, and your risks of identity theft had subsequently changed. For example, your firm might change its processes for opening accounts, or expand from allowing only in-person account openings to online account openings. If your risk assessment doesn’t address those new conditions, then it’s outdated and you might undercount the covered accounts you have.
The Exams Division also faulted some firms for programs that were poorly designed or implemented. Reg S-ID requires firms to develop a written program “appropriate to the size and complexity of the firm and the nature and scope of its activities.” But the Exams Division still encountered firms that, for example, relied on templates with fill-in-the-blank fields that employees hadn’t filled in. Other firms adopted programs that simply restated the requirements of Regulation S-ID without including processes to, ya know, actually comply with the regulation.
Red Flags for Identity Theft
Regulation S-ID also says identity theft prevention programs must have “reasonable policies and procedures to identify, detect, and respond to red flags that are relevant to identity theft.” This means firms must (1) develop a set of red flags that might suggest identity theft is afoot; (2) be able to detect those red-flag events when they happen; and (3) respond as necessary to determine whether identity theft actually is happening.
So what did the Exams Division see go wrong here? Several issues.
- Failing to identify specific red flags relevant to the firm’s operations. Instead, some firms just listed examples of red flags that Regulation S-ID provides in an appendix. Others listed red flags related to customers visiting physical branch offices, even though the firms only offered online accounts. A few just didn’t bother to include any red flags at all.
- Failing to review previous incidents of identity theft, to see whether you needed new or additional red flags. For example, if firms had suffered previous incidents of account takeovers, then they should monitor their password reset procedures more closely. Some firms didn’t take such steps.
- Relying on the wrong procedures to respond to identity theft red flags. Some firms just took existing procedures for other compliance obligations (say, anti-money laundering programs), dropped those procedures into their identity theft prevention programs, and called it a day. The Exams Division calls it bogus, and warns firms not to do it.
- Failing to update procedures after major business reorganizations or mergers. This one is rather self-explanatory: the firm’s operations changed (say, going from physical branches to online access as well), but the identity theft red flags and procedures stayed unchanged.
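To make the “identify, detect, respond” structure concrete, here is a small Python sketch added to this post (it is not code from the SEC’s risk alert or from any firm). It encodes two red flags tailored to an online-only firm, including the password-reset pattern mentioned above, runs them over a log of account events, and attaches a pre-decided response to each hit. The event format, both rules, their thresholds, the response wording and the sample events are all constructed assumptions for the illustration.

```python
"""Identify / detect / respond loop for identity-theft red flags.
Constructed example: event schema, rules, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str        # "login_failed", "login_ok", "password_reset", "transfer_out" (assumed)
    source: str      # device or IP fingerprint (constructed)
    amount: float = 0.0


@dataclass
class Alert:
    account: str
    flag: str
    reason: str
    response: str
    evidence: list = field(default_factory=list)


# (1) Identify: red flags relevant to online accounts. Each rule takes one
# account's events sorted by time and returns (reason, evidence) or None.
def flag_reset_then_transfer(events, window=timedelta(hours=24)):
    """Password reset followed by an outbound transfer within the window."""
    for r in (e for e in events if e.kind == "password_reset"):
        for t in events:
            if t.kind == "transfer_out" and r.ts <= t.ts <= r.ts + window:
                return f"transfer of {t.amount:.2f} within {window} of a password reset", [r, t]
    return None


def flag_bruteforce_new_device(events, failures=5, window=timedelta(minutes=15)):
    """Burst of failed logins, then a success from a source never used to log in before."""
    seen_sources = set()  # sources of earlier successful logins
    for i, e in enumerate(events):
        if e.kind != "login_ok":
            continue
        recent = [f for f in events[:i] if f.kind == "login_failed" and e.ts - f.ts <= window]
        if len(recent) >= failures and e.source not in seen_sources:
            return f"{len(recent)} failed logins then success from new source {e.source}", recent + [e]
        seen_sources.add(e.source)
    return None


RED_FLAGS = {
    "reset_then_transfer": flag_reset_then_transfer,
    "bruteforce_new_device": flag_bruteforce_new_device,
}

# (3) Respond: decided in advance, per red flag, not improvised at incident time.
RESPONSES = {
    "reset_then_transfer": "hold the transfer; verify the customer out-of-band before release",
    "bruteforce_new_device": "force re-authentication; notify the customer of a new-device login",
}


def detect(events):
    """(2) Detect: run every red flag over each account's events and attach the response."""
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)
    alerts = []
    for account, evs in by_account.items():
        evs = sorted(evs, key=lambda e: e.ts)
        for name, rule in RED_FLAGS.items():
            hit = rule(evs)
            if hit:
                reason, evidence = hit
                alerts.append(Alert(account, name, reason, RESPONSES[name], evidence))
    return alerts


def alert_summary(events):
    """Sorted (account, flag) pairs; convenient for review queues and tests."""
    return sorted((a.account, a.flag) for a in detect(events))


# Constructed sample log: one reset-then-transfer, one brute force onto a new device,
# and one ordinary account that should produce no alert.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "acct-1001", "login_ok", "dev-A"),
    Event(T0 + timedelta(hours=1), "acct-1001", "password_reset", "dev-A"),
    Event(T0 + timedelta(hours=3), "acct-1001", "transfer_out", "dev-A", 8500.0),
    Event(T0, "acct-2002", "login_ok", "dev-B"),
    *[Event(T0 + timedelta(days=1, minutes=m), "acct-2002", "login_failed", "dev-Z") for m in range(6)],
    Event(T0 + timedelta(days=1, minutes=7), "acct-2002", "login_ok", "dev-Z"),
    Event(T0, "acct-3003", "login_ok", "dev-C"),
    Event(T0 + timedelta(hours=5), "acct-3003", "transfer_out", "dev-C", 200.0),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.account}: {a.flag} ({a.reason}) -> {a.response}")
```

The rules are deliberately the kind a firm would write after reviewing its own incidents, which is the point of the second bullet above: an account-takeover history justifies a reset-then-transfer rule, while a branch-visit rule would be noise for an online-only firm. A hit only routes the account to a human who determines whether identity theft is actually happening; the reset-then-transfer rule will also fire on a legitimate customer who resets and then moves money, which is expected for a detection step.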
Plus a few other warnings about poor reporting to the board, poor employee training, and all the other routine headaches we’ve come to expect in implementing a compliance program.
Broader Lessons in Compliance
One point that strikes me about this risk alert is how it keeps harping on what should be fundamentals for a compliance program. Perform a risk assessment; be sure your risk assessment addresses how your firm actually operates; identify red flags that are relevant to your business; write policies that address the issue at hand, rather than drop in generic language you found from an online template or another part of your compliance program.
We could give those same warnings for any compliance effort, from anti-fraud accounting controls to export controls to anti-retaliation programs. If the Exams Division is still warning financial firms about basic, block-and-tackle compliance issues — yikes. That doesn’t say much for most financial firms these days.
My next question is when a firm’s failure to address these issues flagged by the Exams Division will lead to a more painful encounter with the Enforcement Division. For example, several years ago the SEC fined Voya Financial Advisors $1 million for violating the rule, when hackers posed as Voya contractors and duped the company into giving them access to customer accounts. The SEC’s beef was that Voya had already fallen for the same scam several years earlier, and hadn’t updated its controls and procedures to avoid a repeat offense.
So clearly if you recognize your own bad habits in the Exams Division observations above, you have work to do.
More broadly, however, the shortcomings identified in this risk alert can be used to guide other information protection obligations you might also have — even if you’re a non-financial company, not subject to Regulation S-ID. The best practices that would rectify the shortcomings mentioned above would also boost compliance for numerous other data protection regulators, such as the Federal Trade Commission, the Consumer Financial Protection Bureau, or various European data privacy agencies.
The point in the risk alert is that you should perform risk assessments and then implement procedures that are thoughtfully tailored to your operations. It’s good advice no matter what particular privacy rule is driving you nuts.