SEC recently finalized rules requiring investment advisers, and other entities under its purview to adopt programs to detect red flags and prevent identity theft. The compliance date is November 20, 2013.
The rules were mandated by the Dodd-Frank Act, which amended the Fair Credit Reporting Act (FCRA) to add the Commodity Futures Trading Commission (CFTC) and the SEC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules.
The new Regulation S-ID is somewhat tricky for investment advisers because it does not apply to everyone. Rather, only an adviser who is a “financial institution” or “creditor” that offers or maintains one or more “covered accounts” are covered by it.
Regulation S-ID defines a financial institution as a bank, credit union “or any other person that… holds a transaction account belonging to” an individual consumer. A “transaction account” is defined under Section 19(b) of the Federal Reserve Acts to include an “account on which the…account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payment or transfers to third persons or others.”
Meanwhile, a “covered account” is defined as an “account that a financial institution offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions.
The SEC has provided some guidance about how these definitions may apply to advisers. For instance, a “financial institution” could be “an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.” The SEC rejected comments that investment advisers should be excluded because they do not have actual custody of the accounts, because, it concluded, the practical risk is the same.
The SEC further advises: “If an individual invests money in a private fund, the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account.”
The bottom line is that firms should review the rule and its own activities to determine whether new compliance efforts are required. If the rule applies, you must adopt and enforce an identity theft program. While firms have leeway to tailor it to their business, the SEC has stated that whatever is adopted must be designed to:
- Identify red flags for identity theft in the context of the firm’s “covered accounts”
- Detect their occurrence
- Respond appropriately to any flags found, and
- Ensure that the program is updated periodically.
Eckerle Law offers legal advice in a variety of transactional and regulatory matters and serves companies’ plenary business law needs. Its founder, Bettina Eckerle, is a veteran of Debevoise & Plimpton and Wachtell, Lipton, Rosen & Katz. She also served as the General Counsel of two companies en route to IPO. Please visit the Eckerle Law website for more details.