In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) amended the Fair Credit Reporting Act (“FCRA”) to add the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) (together, the “Commissions”) to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules. Previously, entities registered with the Commissions were covered by the rules of other federal agencies.
In a recent release jointly issued by the Commissions, the SEC and CFTC set forth rules and guidelines requiring certain regulated entities to establish programs to address the risks of identity theft.1 Although the Commissions’ rules do not contain explicit requirements and do not expand the scope beyond what is already contained in the rules of other federal agencies, private fund advisers, including advisers to hedge funds, private equity funds, and real estate funds, should review their activities and, if required, develop and implement a written identity theft prevention program appropriate to the size and complexity of their business and the nature and scope of their activities.
An “account” is a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household, or business purposes. The SEC used an investment advisory account as an example of an “account.”
A “covered account” is:
- an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or
- any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The term “transaction account” means a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.
The terms “financial institution” and “creditor” are defined by reference to the FCRA as follows:
- The term “financial institution” means certain banks, certain credit unions, and any other person that, directly or indirectly, holds a transaction account belonging to an individual.
- The term “creditor” means any person who regularly extends, renews, or continues credit, or makes such arrangements, that regularly and in the ordinary course of business advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. This definition does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.
Scope of the Rules
Under the Commissions’ rules, a financial institution or creditor that is an investment adviser registered or required to be registered under the Investment Advisers Act of 1940 (the “Advisers Act”) must periodically reassess whether it offers or maintains covered accounts.2 The Commissions’ rules only cover private fund advisers who are registered and do not cover private fund advisers who are exempt reporting advisers or otherwise exempt from registration under the Advisers Act.
According to the SEC’s guidance, an investment adviser who has the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who acts as an agent on behalf of individuals, holds transaction accounts and is subject to the Commissions’ rules as a financial institution. The SEC gave the following as examples of when an investment adviser may be seen as holding transaction accounts:
- Even if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account.
- An adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account because the adviser would not be making payments to third parties.
Moreover, if an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account and would be subject to the Commissions’ rules as a financial institution. For example:
- A private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor.
- An investment adviser may not hold a transaction account if the adviser has a narrowly-drafted power of attorney with an investor under which the adviser has no authority to redirect the investor’s investment proceeds to third parties or others upon instructions from the investor.
An investment adviser could also potentially qualify as a creditor and therefore be subject to the Commissions’ rules, if it advances funds to an investor that are not for expenses incidental to services provided by that adviser. For example:
- A private fund adviser that regularly and in the ordinary course of its business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.
- A private fund adviser would not qualify as a creditor solely because its private funds regularly borrow money from third-party credit facilities pending receipt of investor contributions.
Under the Commissions’ rules, a “red flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. A written identity theft prevention program developed and maintained according to the Commissions’ rules must:
- include reasonable policies and procedures to identify relevant red flags for covered accounts and incorporate those red flags into the program;
- have reasonable policies and procedures to detect the red flags that the program incorporates;
- have reasonable policies and procedures to respond appropriately to any red flags detected; and
- have reasonable policies and procedures to periodically update the program (including red flags determined to be relevant) to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
Administration of a Program
A financial institution or creditor must obtain approval of its initial written program from its board of directors, an appropriate committee of its board of directors, or, if the entity does not have a board of directors, from a designated member of senior management. The board is not required to reapprove an existing program that otherwise meets the requirements of the rules.
The board of directors, an appropriate committee thereof, or a designated member of senior management must be involved in the oversight, development, implementation, and administration of the written program. For an investment adviser, the designated member of senior management may be the chief compliance officer.
Staff must be trained, as necessary, to implement the written program. Service providers must be subject to adequate oversight.
In addition to the joint rules, the Commissions adopted guidelines that are substantially similar to existing guidelines adopted by other federal agencies regarding written identity theft prevention programs. Those guidelines that are appropriate to an institution’s particular circumstances must be included in its written program.
Significance of the New Rules
If a private fund adviser does not already have a written identity theft prevention program in place, it may need to formulate and maintain a program to comply with the Commissions’ rules. In particular, private fund advisers who recently registered pursuant to the Dodd-Frank Act should take steps to ensure that they are in compliance with the Commissions’ rules. The SEC has acknowledged that a number of investment advisers may not currently have an identity theft prevention program and that this new guidance may cause some of these firms to determine that they need to comply with the Commissions’ rules by formulating and maintaining a written identity theft prevention program.
The rules will become effective on May 20, 2013, and the compliance date is November 20, 2013.
R. Will Forster