Compliance exams of broker-dealers and investment advisers by the U.S. Securities and Exchange Commission (SEC) prompted the regulator to warn industry firms about the risk of weak identity theft protections.
Based on results of recent compliance exams, the SEC’s examinations division issued a risk alert that aims to help industry firms ensure they are adequately guarding against identity theft and complying with the regulations regarding identity theft protection.
In those compliance reviews, SEC staff “identified practices that are inconsistent with the objectives of [its regulations], which may leave retail customers vulnerable to identity theft and financial loss,” the regulator warned in its alert.
Some of the deficiencies include failing to identify the accounts that are particularly at risk of identity theft and therefore require identity theft protections.
Additionally, some firms identified at-risk accounts but didn’t carry out ongoing reviews to identify new account types that may qualify as at-risk accounts. “For example, firms may have merged with other entities but then never conducted a reassessment to see whether any new accounts should be included in the program,” it said.
Firms also omitted online accounts, retirement accounts and other special purpose accounts from their evaluations of covered accounts, it said. They also failed to document the analysis of their accounts, and failed to carry out risk assessments, the alert noted.
The reviews also found shortcomings in the identity theft protections that some firms adopted, including programs that lacked required elements or were inappropriate for their specific businesses.
“For example, some firms created written programs that had generic language for identifying, detecting and responding to, and updating red flags but the programs did not include any actual red flags identified by the firms. As such, the written programs were merely policy statements without any actionable procedures,” it said.
It also found weaknesses in the oversight of these programs at firms, inadequate training, and firms that failed to evaluate controls of service providers.
Based on its findings, the SEC called on firms to “review their practices, policies, and procedures with respect to their identity theft programs and to consider whether any improvements are necessary.”