Recent SEC Enforcement Actions Signal Key Lessons for Reg S-ID Compliance

3 August 2022
View Debevoise In Depth
Key takeaways:
  • On July 27, 2022, the Securities and Exchange Commission (“SEC”) separately charged three financial institutions with violations of Rule 201 of Regulation S-ID (“Reg S-ID”), also known as the Identity Theft Red Flags Rule (“Red Flags Rule”). The Reg S-ID enforcement settlements highlight the SEC’s agency-wide focus on Reg S-ID compliance. Notably, these are the first Reg S-ID cases that the SEC has brought since 2018, when the Commission brought its first-ever Reg S-ID action.
  • The SEC’s orders establish that registrants must craft Identity Theft Prevention Programs (“ITPP”) that are particularized to each firm and updated to cover new risks. Given the evolving identity theft threat landscape, firms should consider building cross-functional teams drawing resources from the business, compliance, legal, privacy, and cyber areas to address these cybersecurity risks. . . continue reading.