In the last few years, cybersecurity, with an emphasis on protection of customer data, has topped the exam priorities and risk alerts of both the Financial Industry Regulatory Authority (“FINRA”) and the Securities and Exchange Commission (the “SEC”). And, as the global pandemic pushes the financial services industry into the second year of a work from anywhere business environment, the deployment and continued improvement of cybersecurity controls to secure customer and firm data are critical.
Perhaps it should come as no surprise that regulations underpinning cybersecurity practices are coming to the fore. A case in point is the announcement of FINRA’s letter of Acceptance, Waiver, and Consent (“AWC”) with Supreme Alliance LLC (“Supreme”) in December 2020 for violations of the SEC’s Regulation S-ID, also known as the identity theft red flags rule, and FINRA Rule 2010. FINRA’s settlement with Supreme is significant as it potentially signals a more aggressive and meaningful focus on Reg S-ID, which saw its first major enforcement in 2018 when the SEC fined Voya Financial Advisors, Inc. $1 million for violating it as well as the SEC’s Reg S-P.
This post will analyze the unique fact pattern of Supreme and offer practical suggestions for compliance officers navigating the nuances of identity theft protection and cybersecurity in this new, remote work world.