The U.S. Securities and Exchange Commission (the "SEC") recently highlighted certain key compliance risks stemming from SEC regulations governing identity theft prevention, conflicts of interest and disclosure obligations, among other issues. Specifically, on December 5, 2022, the SEC's Division of Examinations ("Exams") published a Risk Alert that provides guidance to broker-dealers and investment advisers on reviewing and enhancing their compliance programs related to identity theft prevention under Regulation S-ID. Subsequently, on January 30, 2023, Exams published a Risk Alert that provides guidance to broker-dealers on evaluating and improving their compliance with Regulation Best Interest ("Reg B-I").
Each Risk Alert highlights observations of non-compliance and provides notice that the SEC Exams staff are serious about Regulation S-ID and Reg B-I compliance. As is typical, once the SEC has provided guidance to the industry, identified risk areas are further incorporated into future examinations. Where the Exams staff continues to find non-compliance among registrants, enforcement investigations are likely to follow. Accordingly, to ensure compliance and mitigate associated regulatory risks, broker-dealers and investment advisers should review their practices, policies, and procedures with respect to Regulation S-ID and Reg B-I to address the compliance issues identified in the recent Risk Alerts.
Regulation S-ID Compliance Deficiencies
Regulation S-ID, which went into effect in 2013, is intended to protect customers from identity theft by requiring broker-dealers and investment advisers to develop, implement, and administer a written identity theft prevention program. Programs must be reasonably designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
On December 5, 2022, Exams published a Risk Alert to notify broker-dealers and investment advisers of various deficiencies Exams found while conducting examinations for compliance with Regulation S-ID. These findings included deficient practices, policies, and procedures regarding the development and implementation of an identity theft prevention program.
Exams noted that several firms failed to identify their covered accounts. Of those that did initially identify their covered accounts, certain firms failed to conduct periodic assessments to identify all categories or new types of accounts that were covered accounts. It was common for online accounts, retirement accounts, and other special purpose accounts to be omitted. While several firms did periodically identify covered accounts, the process often did not include a risk assessment that considered the methods provided for opening, maintaining, closing, and accessing different types of covered accounts or the firm's previous experiences with identity theft. Without the risk assessment, firms' abilities to develop controls relevant to their red flags were impacted.
Exams also observed several insufficient Regulation S-ID Programs ("Programs"). Many firms established generic Programs that were not tailored to or appropriate for their business model. In some cases, firms used an incomplete, fill-in-the-blanks template. Other firms simply restated the regulation's requirements without including processes for compliance. Some firms represented to staff that other policies and procedures constituted the firm's process for detecting, preventing, and mitigating identity theft, but those procedures had not been incorporated directly or by reference into the Program.
The Exams Risk Alert further found that many Programs did not cover all the required elements of Regulation S-ID, including the identification of red flags for identity theft. Certain firms failed to identify red flags specific to their covered accounts by listing general examples of red flags from Appendix A of Regulation S-ID. Many firms either did not have a process or did not follow existing procedures to evaluate their experiences with identity theft to determine if any red flags should be added to their Programs. There were also Programs that used generic language for identifying, detecting, responding to, and updating red flags, but did not include any actual red flags identified by the firm. The Exams Risk Alert stated the Programs were "merely policy statements without any actionable procedures."
Exams staff noted that firms did not have policies and procedures to detect and respond appropriately to detected red flags. Some firms relied on pre-existing policies and procedures, like anti-money laundering procedures, when such procedures were not designed to detect and respond to identity theft red flags. Within certain firms that did have procedures for detecting and responding to specific red flags, actual procedures often did not exist or failed to contain any relevant process related to that red flag.
According to the Exams Risk Alert, some firms also failed to update their red flags after making significant changes to the way in which customers open and access their accounts, such as creating online customer portals, or after undergoing business changes or reorganizations, such as mergers or acquisitions.
The Risk Alert also stated that firms have a requirement to provide for the continued administration of their Program. Among other deficiencies, Exams staff found firms that did not provide sufficient periodic reports to its board of directors or designated senior management for their evaluation of the Program's effectiveness. There were also firms that inadequately trained its employees by merely telling them to "be aware" of identity theft.
Take Away for Regulation S-ID Risks
Regulation S-ID compliance will remain a potential issue for certain future examinations conducted by the Exams staff. Accordingly, broker-dealers and investment advisers should proactively review and assess their practices, policies, and procedures related to Reg S-ID and address the key compliance risks identified by the Exams staff. Firms should contemplate the following compliance steps addressed by the Exam staff in the Risk Alert while considering whether improvements are needed to better achieve compliance: (i) determine and periodically reassess their covered accounts; (ii) conduct risk assessments, taking into consideration (A) the methods they provide for opening, maintaining, closing, and accessing covered accounts and (B) their previous experiences with identity theft; (iii) develop and implement a written Regulation S-ID Program that (A) is tailored to their business model, (B) incorporates policies and procedures that cover all required elements of Regulation S-ID, (C) includes policies and procedures to incorporate, identify, detect, and respond to relevant and specific red flags for the covered accounts offered by the firm, and (D) updates periodically to reflect changes in risks to customers; and (iv) provide for the continued administration of the program by (A) providing sufficient information to its board of directors or senior management through periodic reports and (B) training employees adequately.
Regulation Best Interest Compliance Deficiencies
Reg B-I, which went into effect in June 2020, established a new, enhanced standard for broker-dealers and financial professionals when making recommendations of securities transactions or investment strategies involving securities. Reg B-I requires compliance with four component obligations: (i) providing certain prescribed disclosure, before or at the time of the recommendation, about the recommendation and the relationship between the retail customer and the broker-dealer ("disclosure obligation"); (ii) exercising reasonable diligence, care, and skill in making the recommendation to, among other things, understand the potential risks, rewards, and costs associated with a recommendation, and having a reasonable basis to believe that the recommendation is in the best interest of a retail customer ("care obligation"); (iii) establishing, maintaining, and enforcing written policies and procedures reasonably designed to identify and address conflicts of interest ("conflict of interest obligation"); and (iv) establishing, maintaining, and enforcing written policies and procedures reasonably designed to achieve compliance with Regulation Best Interest ("compliance obligation").
On January 30, 2023, Exams published a Risk Alert to notify broker-dealers to various deficiencies it found while conducting examinations for compliance with Reg B-I. These findings included deficient policies and procedures regarding each of the regulation's four component obligations.
Regarding the conflict of interest obligation, Exams observed broker-dealers that did not have an established structure or written policies and procedures for identifying and addressing conflicts. For example, many firms did not assign a specific position or unit the responsibility to identify and address conflicts. Other firms limited the identified conflicts to conflicts associated with prohibited activities, like "churning", or used high-level and generic language that did not identify an actual conflict (e.g., "we have conflicts related to compensation differences").
Exams further highlighted that several broker-dealers inappropriately relied on disclosure to "mitigate" conflicts that could entice a financial professional to place their interests ahead of the interests of retail customers. Certain broker-dealers failed to establish actual mitigation measures. The Exams Risk Alert stated, "Disclosure alone does not satisfy the conflict of interest obligation for these kinds of conflicts." Broker-dealers are required to establish, maintain, and enforce written policies and procedures designed to identify and mitigate conflicts of interest at the financial professional level, which includes interests that may consciously or unconsciously cause the financial professional to make a biased recommendation.
Regarding the disclosure obligation, Exams staff noted that several broker-dealers had deficiencies in their written policies and procedures. The policies and procedures often did not (i) specify how or when disclosures should be created or updated, (ii) designate who would be responsible for creating or updating the disclosures, (iii) demonstrate how to identify material changes, (iv) identify when material changes should result in new or updated disclosures, or (v) indicate when disclosures had been provided to retail customers. Additionally, Exams staff noted that some broker-dealers did not fulfill their obligation to provide disclosures to retail customers in writing. Rather, most firms only posted the Reg B-I disclosures on their website or referenced the disclosures in other documents provided to customers.
Exams also found that firms with financial professionals holding multiple licenses often failed to establish policies and procedures that ensured that the financial professional disclosed to retail customers the capacity in which they were acting. Firms also did not identify which specific disclosures should be made.
Regarding the care obligation, Exams staff noted that broker-dealers would direct their financial professionals to consider reasonably available alternatives, consider costs, and to document the basis for their recommendations. Yet, there would not be any guidance, systems, or instructions given to the financial professionals as to how to do so.
Regarding the compliance obligation, Exams staff noted that a Reg B-I compliance program needs to be tailored to a firm's business model and is dependent on the size and complexity of the firm. Yet, Exam staff found multiple instances where firms did not tailor their compliance and only restated the regulation's requirements.
Among other deficiencies, the Risk Alert also highlighted instances of firms maintaining surveillance systems that only captured executed transactions to monitor compliance, but did not capture hold recommendations or recommendations that were not accepted by the retail customer. Lastly, broker-dealers offered employee training that included information on Reg B-I, but did not identify the firms' processes for compliance, such as tools or methods that the employees could use to comply.
Take Away for Reg B-I Risks
The Exams staff is expected to incorporate Reg B-I compliance into certain future examinations, particularly for retail-focused examinations where sales practices are included within scope. Accordingly, broker-dealers should proactively review and assess the key compliance risks identified by the Exams staff and consider the following compliance steps addressed by the Exam staff in the Risk Alert as tailored to their own circumstances: (i) create an established structure for identifying and addressing conflicts, including (A) designating a specific unit or position with the responsibility to identify and address conflicts and (B) broadening conflicts beyond those identified with prohibited activities, like "churning"; (ii) establish actual mitigation measures for conflicts; (iii) develop specific written policies and procedures regarding disclosures; (iv) provide customers with written disclosures; (v) provide specific instructions and tools to financial professionals and employees to ensure their compliance; (vi) tailor the Reg B-I compliance program to the firm's business model; and (vii) maintain surveillance systems that capture executed transactions, hold recommendations, and recommendations that are not accepted by the retail customer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.