Regulation S-ID, sometimes referred to as the “Red Flags Rule,” lays out specific SEC requirements for how broker-dealers should approach the risks of identity theft. Advances in electronic communications and current remote working conditions have made it easier than ever to collect, manage and transfer individuals’ private data. The ongoing challenge of protecting personal information calls for vigilant data security controls.
A Recent Regulation S-ID Violation
A recent letter of Acceptance, Waiver, and Consent (AWC) of December 2020 describes the violations and settlement of Rule 201 of Regulation S-ID and FINRA Rule 2010 by a FINRA-registered broker-dealer whose principal business is distributing mutual funds and variable life insurance.
The action showcases the increasingly aggressive focus of regulators when it comes to identity theft. In addition, an even more recent complaint was filed in April against the Chief Executive Officer and the Chief Compliance Officer of this broker-dealer. This action constitutes the first case against named individuals for breaching Reg S-ID (although an earlier major enforcement was taken against Voya Financial Advisors in 2018).
Regulation S-ID Rule 201: Definition and Purpose
The purpose of Rule 201 of Reg S-ID is to protect the customer data held by financial and credit institutions by ensuring that firms have in place adequate policies and procedures to identify and safeguard against customer identity theft. SEC-registered broker-dealers need to develop and implement a written Identity Theft Prevention Program to cover existing accounts.
Under Rule 201, a broker-dealer program must include reasonable policies and procedures to detect relevant red flags of identity theft, respond to them appropriately, and keep those measures up to date. It is clearly insufficient to establish paper policies without the necessary framework to implement them. This caution is especially relevant to digital broker-dealers that collect all customer information through websites and apps, since that data arrives via forms over open internet protocols. Such collection methods create potential security and phishing risks, even with secure (i.e., SSL) submission.
The Role of FINRA Rule 2010
FINRA Rule 2010, also stated in the AWC, can be enforced in conjunction with Reg S-ID. It requires FINRA members to observe high standards of commercial honor and equitable principles of trade. The language used in this provision is intentionally broad because Rule 2010 is FINRA’s ‘catch all’ provision. It can be used to identify and potentially penalize unethical broker or brokerage firm conduct that might not be a direct violation of any other rule.
The identity theft programs are not overly prescriptive—regulated entities must craft procedures specific to their operations and size. SEC 2013 guidelines describe how a principle of flexibility predominates: “…rather than singling out specific red flags as mandatory,” institutions can determine which such signals are relevant to their particular businesses. The rationale for this latitude is the changing nature of identity theft, allowing “financial institutions or creditors to respond and adapt to new forms of identity theft and the attendant risks as they arise.”
Common Identity Theft Prevention Red Flags
While the 2013 guidelines leave it to firms’ discretion to decide which red flags to consider, they do suggest typical categories. Pay close attention to these five signals:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers
- Suspicious documents that might be forged
- Changed information, such as a suspicious address change
- Unusual account usage
- Notice from customers, victims of identity theft, or law enforcement authorities regarding possible identity theft
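As an added illustration that is not part of the article, and not any regulator’s or firm’s code, the following Python evaluates a constructed account event log against the five categories above, so that “detect red flags” becomes a running check rather than a paper policy. The event kinds, account names, thresholds and the correlation rules (withdrawal shortly after an address change, burst of undeliverable notices in one day) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log: (ISO timestamp, account, event kind, detail).
# The 20 "undeliverable" rows mimic the vendor bounce notices the AWC says were ignored.
EVENTS = [
    ("2018-04-02T09:00", "A-1001", "address_change", "mailing address changed via web form"),
    ("2018-04-09T14:30", "A-1001", "withdrawal", "$25,000 wire to a new payee"),
    ("2018-04-10T10:00", "A-2002", "withdrawal", "$500 ACH to payee on file"),
    ("2018-04-11T08:15", "A-3003", "victim_notice", "customer reports account opened in their name"),
    ("2018-04-12T11:45", "A-4004", "forged_document", "ID photo inconsistent with signature card"),
] + [
    (f"2018-04-15T{h:02d}:{m:02d}", "mail-gateway", "undeliverable", "bounce reported by email vendor")
    for h in range(8, 12) for m in (0, 15, 30, 45, 50)
]

# Event kinds that are red flags on their own, keyed to the guideline categories.
DIRECT_FLAGS = {
    "agency_alert": "Alert from consumer reporting agency or service provider",
    "forged_document": "Suspicious document",
    "victim_notice": "Notice from customer, victim or law enforcement",
}

def find_red_flags(events, change_window=timedelta(days=30), bounce_threshold=20):
    """Return (timestamp, account, category, detail) for every red flag in events."""
    flags = []
    last_change = {}                  # account -> datetime of its latest address change
    bounces_per_day = defaultdict(int)
    for ts, account, kind, detail in sorted(events):   # chronological order
        when = datetime.fromisoformat(ts)
        if kind in DIRECT_FLAGS:
            flags.append((ts, account, DIRECT_FLAGS[kind], detail))
        elif kind == "address_change":
            flags.append((ts, account, "Changed information", detail))
            last_change[account] = when
        elif kind == "withdrawal" and account in last_change:
            # A withdrawal soon after an address change is "unusual account usage".
            gap = when - last_change[account]
            if gap <= change_window:
                flags.append((ts, account, "Unusual account usage",
                              f"{detail}, {gap.days} days after an address change"))
        elif kind == "undeliverable":
            # A burst of bounce notices in one day is treated as a service-provider warning.
            bounces_per_day[when.date()] += 1
            if bounces_per_day[when.date()] == bounce_threshold:   # fire once per day
                flags.append((ts, account, DIRECT_FLAGS["agency_alert"],
                              f"{bounce_threshold} undeliverable notices on {when.date()}"))
    return flags
```

Each flag carries its guideline category, so the output can be routed to whoever the written program names as responsible for that category of incident.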
Factors Leading to the AWC Complaint
The AWC states that the broker-dealer failed to:
- Develop and implement a written identity theft protection program
- Include policies and procedures to detect identity theft red flags
- Implement procedures to mitigate identity theft exposures
- Align policies to the firm’s actual operating model
These failures display an egregious disregard of both the spirit and the letter of the rules, compounded by extremely troubling behavior: the company’s CEO and CCO ignored hundreds of undeliverable notifications from external email accounts for four months, starting in April 2018.
In August 2018, the firm’s outside email vendor informed the CEO and the CCO that 17,000 emails on the account had been compromised. Learning of the breach, the company still neglected to implement its own procedures, take steps to mitigate risks, or notify customers whose information had been compromised. At least 200 of the impacted emails included social security numbers, account numbers, driver’s license numbers, and dates of birth.
The volume of messages involving customer data was massive. Moreover, the company only addressed remediation when FINRA staff inquired about the email communications during the firm’s 2019 cycle exam, which turned up an anomaly that led to further investigation.
FINRA noted that the firm’s generic policies and procedures were “not tailored to the firm’s actual business model.” For example, although the program provided that the firm’s legal department would actively investigate incidents of suspected identity theft, the company did not even have a legal department.
Regulation S-ID Rule 201 Violations Can Be Costly
FINRA imposed the following penalties: a fine of $65,000, a requirement to update its identity theft program within six months, and a mandate to contact affected customers within three months. The inclusion of non-monetary remedial actions underscores the importance FINRA places on Reg S-ID and security programs.
CCO Takeaways Regarding Regulation S-ID Rule 201
Takeaways from the settlement suggest the following key steps for broker-dealers to ensure compliance with Regulation S-ID 201:
- Include written procedures in an identity theft program for identifying and detecting red flags
- Specify in writing who is to take what steps in the event of a breach and in what precise time frame
- Tailor the identity theft program to the firm’s particular business model, the electronic tools used, and any specific firm vulnerabilities
- Promptly report any breach and notify affected customers
- Regularly update the program to address evolving requirements
If you are unsure of your responsibilities in identity theft protection or how to design the right compliance program to avoid Regulation S-ID Rule 201 Violations, please be in touch.