On April 10, 2013, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) jointly adopted identity theft red flags rules (the Rules) and corresponding guidelines requiring certain SEC and CFTC-regulated entities to implement identity theft prevention programs. The Rules took effect on May 20, 2013, with a compliance date of November 20, 2013.
The Rules apply to firms, including SEC-registered investment advisers and CFTC-registered commodity trading advisors (CTAs) and commodity pool operators (CPOs), that qualify as “financial institutions” or “creditors”1 and that offer or maintain “covered accounts.” Such persons are required to establish a program to address risks of identity theft.
Do the Rules Impose New Compliance Obligations?
Firms subject to the Rules are already subject to existing identity theft red flags2 rules, which contain the same essential requirements. By way of background, the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) shifted oversight of existing identity theft rules that apply to SEC and CFTC-regulated entities from the Federal Trade Commission (FTC) to the SEC and CFTC. Under the Fair Credit Reporting Act of 1970 (FCRA), the FTC and other agencies were required to issue identity theft red flags rules for certain regulated entities. The FTC issued final rules in 2007, which covered entities regulated by the SEC and CFTC. In 2010, the Dodd-Frank Act amended the FCRA, adding the SEC and CFTC to the list of agencies required to prescribe and enforce identity theft red flags rules.
The Rules are substantially similar to the FTC’s existing identity theft red flags rules, with no additional requirements beyond the current FTC rules. However, the adopting release specifically notes that SEC staff anticipates that certain entities, particularly investment advisers, may qualify as “financial institutions,” which may lead some entities that had not previously complied with the FTC rules to determine that they should now comply with the Rules.
Who Is Subject to the Rules?
The Rules require each “financial institution” and “creditor” that offers or maintains “covered accounts” to develop and implement a written identity theft prevention program. “Financial institution” is defined as an entity that, directly or indirectly, holds a transaction account belonging to a consumer. For example, an SEC-registered investment adviser may be deemed a financial institution if:
However, it is noted in the adopting release that an SEC-registered investment adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making the payments to third parties.
“Creditor” is defined as an entity (including a CTA or CPO) that regularly extends, renews or continues credit or makes credit arrangements. For example, a private fund adviser that regularly lends money, short-term or otherwise, such as by recognizing investments in the fund before receiving a wire transfer or clearance of a check, may be considered a creditor.
Under the Rules, a financial institution or creditor must establish a red flags program if it offers or maintains “covered accounts.” All financial institutions and creditors must periodically assess whether they offer or maintain “covered accounts,” which include:
What Should You Do Now?
If you are an SEC-registered investment adviser or a CFTC-registered CTA or CPO, you should review your business practices to determine whether you are subject to this new Regulation S-ID (or corresponding CFTC rules). If so, you will need to take the following additional steps:
An appendix to the Rules contains guidelines intended to assist firms in formulating and maintaining an identity theft prevention program that complies with the Rules. You should consult the guidelines when formulating your program.
The full text of the Rules is available here.