As information technology and electronic communication continue to expand, identity theft poses an increasingly common threat to individuals. On April 10, 2013, the U.S. Securities and Exchange Commission (“SEC”) voted unanimously to adopt rules requiring broker-dealers, mutual funds, investment advisers, and certain other entities regulated by the SEC to adopt programs to detect red flags and prevent identity theft. These rules, jointly adopted with the Commodity Futures Trading Commission (“CFTC”), were adopted in accordance with the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”), which amended the Fair Credit Reporting Act of 1970 (“FCRA”) to add the SEC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules.
In a statement released by SEC Chairman Mary Jo White, she stated: “Identity theft is a type of fraud that robs millions of Americans of their hard-earned money. Current estimates are that about five percent of American adults fall victim to identity theft fraud each year. It is a risk for everyone, and as technology continues to advance, the risks increase.”
The final rules and guidelines, jointly issued by the CFTC and the SEC, require certain entities regulated by the SEC and CFTC to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The final rules will become effective 30 days after publication in the Federal Register. Compliance with the rules is required six months after the effective date. The rules will result in the SEC adding new subpart C (“Regulation S-ID: Identity Theft Red Flags) to part 248 of the SEC’s regulations [17 CFR part 248], under the Investment Advisers Act of 1940 (“Investment Advisers Act”) [15 U.S.C. 80b] and will apply to an investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940.
Under the final rules, an investment adviser registered or required to be registered with the SEC that is a “financial institution” or “creditor” that offers or maintains one or more “covered accounts” will be required to develop and implement a written identity theft prevention program. Under the final rules “financial institution” is defined by reference to the definition of the term in Section 603(t) of the FCRA. That section defines a financial institution to include certain banks and credit unions, and “any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.”
A “transaction account” is defined under Section 19(b) of the Federal Reserve Acts to include an “account on which the…account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payment or transfers to third persons or others.” In the final rules release, an example of an investment adviser that could be deemed a “financial institution” is “an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.” This means that even if “an investor’s assets are physically held with a qualified custodian, an [investment] adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account.” The final rules release does state that an investment adviser having the ability to withdraw money from an investor’s account solely to deduct the investment adviser’s own advisory fees would not hold a transaction account because the investment adviser is not making the payments to third parties. Additionally, an investment adviser to a private fund also may directly or indirectly hold transaction accounts and would then be considered a “financial institution.” “If an individual invests money in a private fund, the [investment] adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that [investment] adviser would indirectly hold a transaction account.”
Under the final rules, the SEC’s definition of “creditor” refers to the definition of “creditor” in FCRA as amended by the Clarification Act. An investment adviser may be considered a “creditor if it advances funds to an investor that are not for expenses incidental to services provided by that [investment] adviser. For example, a private fund adviser that regularly and in the ordinary course of business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.”
The rules require that each SEC registered investment adviser affected by the new rules “implement a written program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” The program should be appropriate to the size of the investment adviser and the nature and scope of the investment adviser’s activities. In each written program implemented, four elements are required.
- A program must be developed that includes reasonable policies and procedures to identify relevant red flags and incorporate those red flags into the program. As each investment adviser’s business practices may vary, the rules provide flexibility for investment advisers to determine which red flags are relevant to their businesses. This flexibility should allow for investment advisers to respond and adapt to new forms or identity theft risks as they arise.
- Reasonable policies and procedures must be in place to detect the red flags that the investment adviser’s identity theft prevention program incorporates.
- Reasonable policies and procedures must be in place to respond appropriately to any red flags detected by the investment adviser. Additionally, if a red flag is detected, the investment adviser’s identity theft prevention program must outline how the investment adviser will respond based on the degree of risk.
- Reasonable policies and procedures must be in place to periodically update the investment adviser’s identity theft prevention program (including updating red flags determined to be relevant), to reflect changes in risks to customers and to the safety and soundness of the investment adviser from identity theft.
In addition to creating a written identity theft prevention program, requirements concerning the administration of the program are also outlined in the rules. An investment adviser affected by the new rules is required to obtain approval by the board of directors, an appropriate committee of the board, or a designated senior management employee of the initial written program and must involve those who were sought for approval of the program in the actual oversight, development, implementation and administration of the program. An investment adviser’s staff, as necessary, must be trained to effectively implement the program. Additionally, the investment adviser’s identity theft prevention program must include effective oversight of any service provider arrangements since an investment adviser affected by this new rule will remain legally responsible for compliance with the rules even if the investment adviser outsources its identity theft red flags detection, prevention and mitigation operations to a third party service provide.
The final rules release includes guidelines that each investment adviser affected by the new rule must consider when implementing its identity theft prevention program. Additionally, some examples are provided for certain areas to help an investment adviser comply with the rules. To view the guidelines, an investment adviser should review the final rule release in its entirety.
The CFTC and the SEC’s new identity theft red flag rules should be embraced by affected investment advisers as a means to further protect their clients. For more information, RIA Compliance Consultants is hosting a webinar to provide an overview of the requirements under the recently released Identity Theft Red Flags Rules. This webinar, “Understanding the New Identity Theft Red Flag Rules and How SEC Registered Investment Advisers are Affected,” will be hosted May 9, 2013, at 12:00 CDT. The cost of this webinar is $69.95. During this webinar, one of our consultants will discuss which SEC registered investment advisers are affected by the Rule, the new deadline for complying with the rule, and what an investment adviser must do in order to comply by the deadline. Additionally, we will provide a summary of some of the guidelines on identity theft detection, prevention, and mitigation that are provided in the final rule release. For more information or to register for this event, please click here.
To schedule a time to speak to one of our consultants to determine how RIA Compliance Consultants may assist you with developing your Identity Theft Red Flags policies and procedures, please contact your consultant if you are an existing client or for a new client, click here to schedule a time to speak to one of our consultants.
Posted by Bryan Hill
Labels: Compliance Program, Identity Theft, SEC, Written Policies and Procedures
