On April 10, 2013, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) jointly adopted identity theft red flags rules (the Rules) and corresponding guidelines requiring certain SEC and CFTC-regulated entities to implement identity theft prevention programs. The Rules took effect on May 20, 2013, with a compliance date of November 20, 2013.
The Rules apply to firms, including SEC-registered investment advisers and CFTC-registered commodity trading advisors (CTAs) and commodity pool operators (CPOs), that qualify as “financial institutions” or “creditors”[1] and that offer or maintain “covered accounts.” Such persons are required to establish a program to address risks of identity theft.
Do the Rules Impose New Compliance Obligations?
Firms subject to the Rules are already subject to existing identity theft red flags[2] rules, which contain the same essential requirements. By way of background, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) shifted oversight of existing identity theft rules that apply to SEC and CFTC-regulated entities from the Federal Trade Commission (FTC) to the SEC and CFTC. Under the Fair Credit Reporting Act of 1970 (FCRA), the FTC and other agencies were required to issue identity theft red flags rules for certain regulated entities. The FTC issued final rules in 2007, which covered entities regulated by the SEC and CFTC. In 2010, the Dodd-Frank Act amended the FCRA, adding the SEC and CFTC to the list of agencies required to prescribe and enforce identity theft red flags rules.
The Rules are substantially similar to the FTC’s existing identity theft red flag rules, with no additional requirements beyond the current FTC rules. However, the adopting release specifically notes that the SEC staff anticipates that certain entities, particularly investment advisers, may qualify as “financial institutions,” which may lead some entities that had not previously complied with the FTC rules to determine that they should now comply with the Rules.
Who Is Subject to the Rules?
The Rules require each “financial institution” and “creditor” that offers or maintains “covered accounts” to develop and implement a written identity theft prevention program. “Financial institution” is defined as an entity that, directly or indirectly, holds a transaction account belonging to a consumer. For example, an SEC-registered investment adviser may be deemed a financial institution if:
- It is permitted to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions;[3]
- It acts as an agent on behalf of clients that are individuals; or
- It manages private funds in which an individual invests money, and the adviser has authority, under an arrangement with the fund or the individual, to direct such individual’s investment proceeds (such as redemptions, distributions or dividends) to third parties according to the individual’s instructions.
The adopting release notes, however, that an SEC-registered investment adviser whose authority to withdraw money from an investor’s account is limited to deducting its own advisory fees would not hold a transaction account, because the adviser would not be making payments to third parties.
“Creditor” is defined as an entity (including a CTA or CPO) that regularly extends, renews or continues credit or makes credit arrangements. For example, a private fund adviser that regularly lends money, short-term or otherwise, such as by recognizing investments in the fund before receiving a wire transfer or clearance of a check, may be considered a creditor.
Under the Rules, a financial institution or creditor must establish a red flags program if it offers or maintains “covered accounts.” All financial institutions and creditors must periodically assess whether they offer or maintain “covered accounts,” which include:
- Accounts offered or maintained for personal, family or household purposes that allow multiple payments or transactions; and
- Any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the firm from identity theft, including financial, operational, compliance, reputation or litigation risks.
What Should You Do Now?
If you are an SEC-registered investment adviser or a CFTC-registered CTA or CPO, you should review your business practices to determine whether you are subject to this new Regulation S-ID (or corresponding CFTC rules). If so, you will need to take the following additional steps:
- Develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with covered accounts. The program needs to be customized and appropriate for the size and complexity of your business and the nature and scope of your activities. You could include your written identity theft prevention program in your compliance manual or as a stand-alone policy. The program should include reasonable policies and procedures to:
  - Identify relevant red flags;
  - Detect such red flags;
  - Respond appropriately to any red flags detected; and
  - Periodically update the program to reflect changes in risks to customers and to the safety and soundness of the firm from identity theft.
- Take steps to ensure that the identity theft prevention program is implemented effectively by involving the firm’s senior management (that is, the Chief Compliance Officer) and by training staff, as necessary.
- Take steps to exercise appropriate and effective oversight of service provider arrangements.
An appendix to the Rules contains guidelines intended to assist firms in formulating and maintaining an identity theft prevention program that complies with the Rules. You should consult the guidelines when formulating your program.
The full text of the Rules is available here.