Compliance Solutions for Investment Advisers

FAQs — Identity Theft Red Flags Rules

Definitions and Basic Information

What are the Identity Theft Red Flags Rules?

The Fair Credit Reporting Act required certain federal agencies (including the SEC) to issue joint rules and guidelines (the “Identity Theft Red Flags Rules”) that required business entities subject to their regulation (such as investment advisers) to:

  • Develop and implement a program that includes reasonable policies and procedures to identify relevant red flags for client accounts;
  • Have reasonable policies and procedures to detect red flags;
  • Have reasonable policies and procedures to respond appropriately to any red flags that they detect; and
  • Have reasonable policies and procedures to periodically update their programs to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

What is required under the Identity Theft Red Flags Rules?

Pursuant to the Identity Theft Red Flags Rules, financial institutions and creditors that offer or maintain covered accounts are required to develop and implement a written identity theft prevention program.

What is a financial institution?

A financial institution is a business entity that holds a transaction account belonging to an individual.

What is a transaction account?

A transaction account includes an account on which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers or other similar items for the purpose of making payments or transfers to third persons or others.

What is a covered account?

A covered account is defined as:

  • An account that a financial institution or creditor offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions; and
  • Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

What is a creditor?

A creditor is a person who regularly extends, renews, or continues credit, or any person who makes those arrangements, and who regularly and in the ordinary course of business advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

What types of SEC-regulated entities fall within the term financial institution?

The following are examples of SEC-regulated entities that could fall within the term financial institution:

  • A broker-dealer that offers custodial accounts;
  • A registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and
  • An investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.

Under what circumstances would an investment adviser hold a transaction account?

An investment adviser holds a transaction account if it has the authority, by power of attorney or otherwise, to withdraw money from a client’s account and direct payments to third parties according to the client’s instructions.

If an investment adviser has the authority to deduct its fees directly from a client’s account, would this mean that the adviser holds a transaction account?

Since in this case the adviser would not be making payments to a third party, the answer is no.

What about advisers to private funds?

Registered investment advisers to private funds may also directly or indirectly hold transaction accounts. According to the SEC, if the adviser to a private fund has the authority to direct an individual investor’s investment proceeds (e.g., redemptions, distributions, dividends, interest or other proceeds related to the investor’s account) to third parties, then that adviser would indirectly hold a transaction account.

Could an investment adviser be a creditor?

An adviser could potentially qualify as a creditor if it advances funds to a client that are not for expenses incidental to services provided by that adviser. One example is a private fund adviser that regularly, and in the ordinary course of business, lends money (short-term or otherwise) to permit investors to make an investment in the fund, pending receipt or clearance of an investor’s check or wire transfer.

What are some examples of a covered account?

According to the SEC, a covered account includes a brokerage account, a mutual fund account and an investment advisory account.

How should an investment adviser determine whether a covered account is offered or maintained?

In order to determine whether an investment adviser offers or maintains a covered account, the adviser must conduct a risk assessment that takes into consideration:

  • The methods it provides to open its accounts;
  • The methods it provides to access its accounts; and
  • Its previous experiences with identity theft.

Identity Theft Prevention Program

What are the requirements if an investment adviser determines that the Identity Theft Red Flags Rules apply to their advisory business?

The adviser must develop and implement an Identity Theft Red Flags Rules program (the “Program”) designed to detect, prevent and mitigate identity theft in connection with covered accounts.

Are all investment advisers’ Programs required to be the same?

No. Each Program is to be appropriately tailored to the size and complexity of the investment adviser and the nature and scope of its activities.

What elements must be included in a Program?

The Identity Theft Red Flags Rules set forth the following four elements to be included in a Program:

  1. It must include reasonable policies and procedures to identify relevant red flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those red flags into the Program;
  2. It must have reasonable policies and procedures to detect the red flags that the Program incorporates;
  3. It must have reasonable policies and procedures to respond appropriately to any red flags that it detects; and
  4. It must have reasonable policies and procedures to periodically update the Program (including the red flags determined to be relevant), to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

Administration of the Identity Theft Red Flags Program

How is a Program administered?

A financial institution or creditor that offers or maintains one or more covered accounts must:

  1. Obtain approval of the initial written Program from either its board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee;
  2. Involve the board of directors, an appropriate committee thereof, or a designated senior management employee (such as a chief compliance officer) in the oversight, development, implementation, and administration of the Program;
  3. Train staff, as necessary, to effectively implement its Program; and
  4. Exercise appropriate and effective oversight of service provider arrangements.

Can a financial institution or creditor outsource its identity theft program to a service provider?

Yes, but the financial institution or creditor would remain responsible for compliance with the Identity Theft Red Flags Rules.

Guidelines

Where can an investment adviser turn to for help in understanding the Identity Theft Red Flags Rules?

Guidelines have been adopted by the SEC to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the Identity Theft Red Flags Rules.

What do the Guidelines address?

The Guidelines are divided into the following seven sections:

  • Section I – Identity Theft Prevention Program
  • Section II – Identifying Relevant Red Flags
  • Section III – Detecting Red Flags
  • Section IV – Preventing and Mitigating Identity Theft
  • Section V – Updating the Identity Theft Prevention Program
  • Section VI – Methods for Administering the Identity Theft Prevention Program
  • Section VII – Other Applicable Legal Requirements

Can you please explain Section I of the Guidelines (Identity Theft Prevention Program)?

Section I makes clear that a financial institution or creditor may incorporate into its Program its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

Can you please explain Section II of the Guidelines (Identifying Relevant Red Flags)?

Section II(b) sets out examples of sources from which financial institutions and creditors should derive red flags. Section II(c) of the Guidelines identifies five categories of red flags that financial institutions and creditors must consider including in their Programs, as appropriate:

  1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
  2. Presentation of suspicious documents, such as documents that appear to have been altered or forged;
  3. Presentation of suspicious personal identifying information, such as a suspicious address change;
  4. Unusual use of, or other suspicious activity related to, a covered account; and
  5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

Can you please explain Section III of the Guidelines (Detecting Red Flags)?

Section III provides examples of policies and procedures that a financial institution or creditor must consider including in its Program’s policies and procedures for the purpose of detecting red flags.

Can you please explain Section IV of the Guidelines (Preventing and Mitigating Identity Theft)?

Section IV states that a Program’s policies and procedures should provide for appropriate responses to the red flags that a financial institution or creditor has detected. Examples of appropriate responses include monitoring a covered account for evidence of identity theft, contacting the customer, changing any passwords that permit access to a covered account and reopening a covered account with a new account number.

Can you please explain Section V of the Guidelines (Updating the Identity Theft Prevention Program)?

Section V lists factors on which a financial institution or creditor could base the periodic updates to its Program: (i) the experiences of the financial institution or creditor with identity theft; (ii) changes in methods of identity theft; (iii) changes in methods to detect, prevent, and mitigate identity theft; (iv) changes in the types of accounts that the financial institution or creditor offers or maintains; and (v) changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.

Can you please explain Section VI of the Guidelines (Methods for Administering the Identity Theft Prevention Program)?

Section VI consists of the following elements:

Oversight of Identity Theft Prevention Program

Section VI(a) states that oversight by the board of directors, an appropriate committee of the board, or a designated senior management employee should include: (i) assigning specific responsibility for the Program’s implementation; (ii) reviewing reports prepared by staff regarding compliance by the financial institution or creditor with the final rules; and (iii) approving material changes to the Program as necessary to address changing identity theft risks.

Reporting to the Board of Directors

Section VI(b) states that staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated senior management employee, at least annually, on compliance by the financial institution or creditor with the Red Flags Rules. The report should address material matters related to the Program and evaluate issues such as recommendations for material changes to the Program.

Oversight of Service Provider Arrangements

Section VI(c) provides that whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.

Can you please explain Section VII of the Guidelines (Other Applicable Legal Requirements)?

Section VII identifies other applicable legal requirements from the Fair Credit Reporting Act and USA PATRIOT Act that financial institutions and creditors should keep in mind when developing, implementing, and administering their Programs.

What is the deadline for implementing the Identity Theft Red Flags Rules?

The compliance deadline is November 20, 2013.

Important Information

The information contained in these Frequently Asked Questions is only a summary and is not intended to be a comprehensive analysis of the rules and regulations applicable to registered investment advisers. It is not intended to constitute legal or compliance consulting advice or to apply to any one investment adviser’s particular situation. For more information, please see our Terms of Use.