Subscribe to the Non-Human & AI Identity Journal

Reasonable Steps Verification

The evidence-based process an issuer uses to confirm that an investor qualifies as accredited before allowing participation in a Rule 506(c) offering. It is not a one-time checkbox. The control depends on documented methods, dated evidence, and a defensible decision trail that can survive regulatory scrutiny.

Expanded Definition

Reasonable steps verification is the issuer’s documented process for deciding whether an investor can be treated as accredited in a Rule 506(c) offering. The core idea is not simply collecting a form or making a verbal confirmation. It is an evidence-led review that supports a defensible conclusion, based on the facts available at the time, the risk profile of the offering, and the consistency of the issuer’s internal records. In practice, this means the issuer should be able to explain why the chosen method was proportionate and why the resulting evidence was sufficient.

Definitions vary across vendors and compliance advisors on the exact combination of documents, third-party confirmations, and review procedures that will satisfy the standard, because no single checklist is universally sufficient. The most reliable way to think about the term is as a governance control with traceability, not as a one-off gate. Guidance from NIST Cybersecurity Framework 2.0 is useful here because it reinforces the broader principle of repeatable, documented, risk-informed decision-making.

The most common misapplication is treating reasonable steps verification as a form completion exercise, which occurs when issuers accept unreviewed attestations without corroborating evidence or a dated decision record.

Examples and Use Cases

Implementing reasonable steps verification rigorously often introduces friction at the point of investor onboarding, requiring issuers to weigh a smoother subscription process against stronger evidentiary support and lower regulatory exposure.

  • An issuer reviews tax returns, brokerage statements, or similar financial evidence, then records the basis for concluding that the investor meets the accredited threshold.
  • A third-party verification letter is accepted, but only if it is current, signed by a qualified professional, and retained with the offering file as supporting evidence.
  • An internal compliance team compares the investor’s statements with dated documentation and logs the reviewer’s reasoning, rather than relying on a self-certification alone.
  • An investor who has already been verified for a prior offering is reassessed when circumstances have changed, because prior status does not automatically prove current eligibility.
  • Where the process intersects with digital onboarding, organisations may use secure document handling and identity proofing controls informed by NIST identity proofing guidance to reduce fraud and preserve the evidentiary trail.

In practice, the best use cases are those where the issuer can show a clear link between the verification method, the evidence collected, and the final eligibility decision. That matters especially when investors are onboarded through portals, intermediaries, or remote workflows, because the process must still stand on its own if later reviewed.

Why It Matters for Security Teams

For security, legal, and compliance teams, reasonable steps verification matters because it is a control around trust. If the process is weak, an issuer may admit ineligible participants, create avoidable enforcement risk, or generate records that cannot defend the decision after the fact. The control is also relevant to identity governance because it depends on the integrity of the evidence, the authenticity of the person providing it, and the protection of the records that support the conclusion. Where digital workflows are involved, the organisation should think about document integrity, access control, and review logging as part of the verification chain, not as separate concerns.

Practitioners should treat the process as an operationally auditable decision path, similar in spirit to how IOSCO guidance on compliance and market conduct expects firms to preserve accountability around investor-facing controls. The issue becomes more serious when the evidence trail is incomplete, because a later challenge can expose that the issuer relied on convenience rather than proof. Organisations typically encounter the real cost only after an examination, investor dispute, or enforcement inquiry, at which point reasonable steps verification becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV-01 CSF emphasizes documented, repeatable governance decisions that support defensible control outcomes.
NIST SP 800-63 IAL2 Identity proofing guidance informs evidence quality and confidence in remote investor verification.

Document the verification method, owner, and review path so eligibility decisions are auditable.