As recently as last week, on Wednesday, April 10, the SEC adopted new Regulation S-ID, the Identity Theft Red Flag Rule, which requires certain investment advisers (including Private Fund sponsors), broker-dealers, and mutual funds to develop and implement a written identity theft prevention program (“Program”) to detect red flags and prevent identity theft. Regulation S-ID now applies to any investment adviser that “directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.” Lest you think that you are an adviser that doesn’t directly or indirectly hold these transaction accounts for clients because you don’t have custody of client assets but use a third-party custodian, the “SEC has concluded otherwise.” In the adopting release, the SEC makes clear that:
“Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions. If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor. The red flags program of a bank or other qualified custodian that maintains physical custody of an investor’s assets would not adequately protect individuals holding transaction accounts with such advisers because the adviser could give an order to withdraw assets, but at the direction of an impostor.” (Emphasis added.)
If the adviser has authority to withdraw money from a client’s account solely to deduct its own advisory fees, then the adviser would not be deemed to hold a transaction account. However, if the adviser has the authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions (such as, for example, by a standing letter of instruction signed by the client, or by the firm acting as the agent for the client to pass instructions on to the custodial firm so that the custodial firm effects the transfer), then the SEC would deem the adviser to hold a transaction account and thus be subject to all the rules of Regulation S-ID and to have a written Program.
Next Step: Applicable to All Investment Advisers:
The final rules under Regulation S-ID will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date. So, it’s not too soon to start to make an assessment of whether and to what extent your investment adviser firm holds, directly or indirectly, transaction accounts with clients.
Next Step: For Investment Advisers Who Do Not Hold Client Transaction Accounts:
If you conclude that you do not hold these kinds of accounts, then Regulation S-ID requires you to periodically reassess whether you must develop and implement a written Program. At the very least, you will need to enhance your written compliance program policies and procedures to incorporate making this periodic assessment. Perhaps the simplest way of doing that is by making it a component of the required annual review of your compliance program that you should already be conducting under Rule 206(4)-7 of the Advisers Act.
Next Step: For Investment Advisers Who Hold Direct or Indirect Client Transaction Accounts:
Begin now to inventory the types of transaction accounts you have with clients and the processes you use to make transfers of funds. The SEC’s expectations in the adopting Release are that you will tailor your Program to the size and complexity of your firm and to the nature and scope of your transactional activities. A “one-size-fits-all” approach, which is inherently unreasonable, won’t work.
The final rules provide direction regarding the development and administration of your Program in four areas:
1. The Program must be in writing and formally approved in writing by either the board of directors, an appropriate committee of the board of directors, or, if the firm does not have a board, a designated senior management employee. This requirement highlights the responsibility of the most senior levels of management to formally approve the Program.
2. The firm must involve the board of directors, an appropriate committee of the board, or a designated senior management employee (in the absence of a board) in the oversight, development, implementation, and administration of the Program. In many firms, that designated employee may be the Chief Compliance Officer. That person must report to the board or other senior management, at least annually, on the firm’s compliance with the Program, and the board or other senior management must approve any material changes, as necessary, to address changes in identity theft risks.
3. The firm must have an effective staff training program in place to implement the Program.
4. The firm must exercise appropriate and effective oversight of any service provider arrangements, because the firm remains legally responsible for compliance with the rules irrespective of whether it outsources its identity theft red flags detection, prevention, and mitigation operations to a service provider. For example, a firm that uses a service provider to open accounts on its behalf could reserve for itself the responsibility to verify the identity of a person opening a new account, may direct the service provider to do so, or may use another service provider to verify identity. The firm, however, remains ultimately responsible for ensuring that the activity is conducted in compliance with a Program that meets the requirements of the identity theft red flags rules.
Four Required Program Elements
The final rules set out four elements that firms must include in their written Programs:
1. Relevant Red Flags Identification. The Program’s written policies and procedures must be reasonably tailored to the firm to identify and incorporate relevant red flags. Rather than identifying specific red flags in the rule release, the SEC provides flexibility in determining which red flags are relevant to a firm’s business. Examples of red flags are provided in Section II of the release. Given the changing nature of identity theft, the SEC believes that this element allows firms to respond and adapt to new forms of identity theft and risks as they arise.
2. Effective Detection of Red Flags. The Program’s written policies and procedures must reasonably provide for detecting the red flags that the Program incorporates. As in Item 1 above, the SEC doesn’t mandate a specific method of detection but only provides examples of various means to detect them (cf. Section III of the guidelines).
3. Effective Response to Red Flags. The Program’s written policies and procedures must provide reasonable methods to respond to any red flags that are detected. The firm must be able to reasonably assess whether the red flags that are detected evidence a risk of identity theft and, if so, determine how to respond appropriately based on the degree of risk. Section IV of the guidelines sets out a list of aggravating factors and examples that a firm should consider in determining an appropriate response.
4. Periodic Program Review and Updating. The Program must have written policies and procedures to periodically update the Program (including the red flags determined to be relevant) to reflect changes in the risks to clients, and to the safety and soundness of the firm, from identity theft.
It’s not too soon to start thinking about the impact of Regulation S-ID on your firm. Please feel free to contact any member of our group if you have any questions or concerns about this new regulation and its applicability to your firm.