It is probably fair to say most registered investment advisers, at least those below a certain size, did not pay a great deal of attention to the anti-identity theft, or “red flag” rules jointly adopted by the Federal Trade Commission and the various federal banking agencies in 2007 as required by Congress in its 2003 amendments to the Fair Credit Reporting Act (“FCRA”). And even those who did notice when the red flag rules were adopted could be forgiven for concluding those rules did not apply to them – after all, the red flag rules were aimed at “financial institutions” which “hold” certain “covered accounts” for their clients, and most RIAs diligently avoid holding any sort of custodial account in the first place. Plus, the SEC and state securities commissions had no role in enforcing the red flag rules anyway.
However, a little-noticed provision contained in the Dodd-Frank Act in 2009 extended the reach of the FCRA identity theft provisions to cover “financial institutions” regulated by the SEC and directed the SEC to promulgate rules to enforce them. So in 2012 the SEC (jointly with the CFTC) proposed red flag rules that apply to registered investment advisers. The proposed rules, known as Regulation S-ID, have now been finalized and became effective on May 20, 2013. All affected RIAs must be in compliance with new Regulation S-ID by November 20, 2013.
How Regulation S-ID Works
The introduction to Regulation S-ID states that it applies to any registered broker-dealer, registered investment company, registered business development company, or registered investment adviser that is a “financial institution.” A financial institution is defined as a bank, credit union “or any other person that… holds a transaction account belonging to” an individual consumer. Regulation S-ID applies if any of the accounts held by the financial institution are “covered accounts.” A “covered account” is defined as an “account that a financial institution offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions.”
So, since most investment advisers are noncustodial and rely upon independent custodians to hold their customers’ accounts, Regulation S-ID shouldn’t apply, correct? Unfortunately, no. Despite industry efforts to persuade the SEC otherwise, the SEC concluded that investment advisers, even those who do not accept actual custody of their clients’ accounts, will be considered financial institutions subject to the new rule if they have the ability to direct transfers or payments to third parties from a client account, or if they act as agents on behalf of individual clients. So the applicability of Regulation S-ID to any particular investment adviser will depend upon exactly what services the adviser offers its clients. According to the SEC, for example, if an RIA facilitates or directs bill payments for its clients or otherwise acts as their agent for financial purposes, the rules will likely apply whether or not the RIA otherwise has custody of client assets.
If the new regulation applies to an investment adviser, the adviser will be required to adopt reasonable policies and procedures designed to prevent and detect identity theft. Regulation S-ID includes detailed guidelines (in seven separate Sections covering many pages) that must be considered in determining the contents of the adviser’s Identity Theft Prevention Program. The Program could be either a standalone document or an integral part of the adviser’s general policies and procedures manual. The rules require each affected adviser to develop a program that is “appropriate” to the adviser’s “size and complexity, and to the nature and scope of its activities.”
What You Should Do Now
At a minimum, every investment adviser should, prior to November 20, 2013, conduct an internal review of its business practices to determine whether it is fully subject to Regulation S-ID. Even advisers who conclude that the regulation does not fully apply to them will need to revise their existing policy and procedures manuals to provide for an annual process for determining whether Regulation S-ID becomes applicable to them in the future.
Advisers that determine the rules will fully apply to them will have to use the Guidelines in Regulation S-ID to develop detailed Identity Theft Prevention Programs tailored to their specific business models.
It is not too soon to address the applicability of Regulation S-ID to your firm.