Identity Theft Red Flag Rules Effective November 20, 2013
Pursuant to new SEC and CFTC rules, many registered managers, including private fund managers are now required to have identity theft programs in place. Such managers will need to have robust policies in place in order to be compliant with the new rules. Such policies will include: staff training for appearance of red flags, procedures for dealing with red flags, certification of procedures from administrators and/or custodians dealing with investor/customer accounts.
Below we have reprinted an article from the Compliance Focus blog maintained by Sansome Strategies LLC, a regulatory and compliance consulting company described in greater depth below. The article reprinted below can be found here.
Identity Theft Issues for Investment Advisers and Futures Participants
Jennifer Dickinson, Sansome Strategies
A little-known provision of the Dodd-Frank Act shifted responsibility over existing identity theft rules from the Federal Trade Commission to the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”). The rules became effective May 20, 2013 and certain entities regulated by the SEC and CFTC will need to comply by November 20, 2013.
SEC and CFTC registrants that are “financial institutions” or “creditors” and that offer or maintain “covered accounts” for their clients will need to comply with the identity theft rules:
- Financial institution: a bank, credit union or other person who holds a transaction account belonging to a consumer (a transaction account is one that permits withdrawals, payment orders, transfers or similar means for making payments to third parties);
- Creditor: any person that regularly extends, renews or continues credit to others.
- Covered account: any account that a financial institution or creditor offers or maintains:
- Primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and
- For which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks. Examples include: for the SEC, brokerage or mutual fund accounts that permit wire transfers or other payments to third parties; for the CFTC, margin accounts.
Who will be affected, and how?
On the SEC side, broker-dealers, investment companies and investment advisers are considered financial institutions. On the CFTC side, commodity pool operators and commodity trading advisers will be considered creditors if they:
- Regularly extend, renew or continue credit or arrange for the extension, renewal or continuation of credit; or
- Acting as an assignee of an original creditor, participate in the decision to extend, renew or continue credit.
Firms that meet these definitions are required to implement reasonable policies and procedures that:
- Identify “red flags” to prevent identity theft in the covered accounts they manage, and document them in the compliance program. Red flags can exist in the types of accounts the firm manages, the manner in which accounts are opened or accessed, and the firm’s previous experiences (if any) with identity theft;
- Provide for monitoring accounts on an ongoing basis to detect red flags;
- Respond appropriately to red flags;
- Are periodically updated to reflect any changes in risks; and
- Describe the various appropriate responses to red flags.
Whether a firm will meet the definitions will depend significantly on its client base and account structures. Traditional RIAs and other firms that manage accounts for individuals or family offices should look closely at those accounts to determine the types of activities that will be processed in them. A firm that handles bills or other third-party payments on behalf of its clients will need to undertake the most review and implement the most rigorous compliance program contemplated by the rules.
At first blush, fund managers may assume that these rules will not apply to them; however, care should be taken to ensure that investors’ accounts are set up to receive and hold investment amounts, and the only transfers permitted will be for management fees, performance allocations to the manager/general partner as applicable, and withdrawals by (and most importantly, back to) the investor to minimize identity theft risks. Even so, additional procedures around investor intake and withdrawal may need to be implemented.
CPOs and CTAs may undertake a similar evaluation and should also look at their investment strategies to determine the extent to which they meet the creditor definition.
Finally, even if a firm is not registered with the SEC or CFTC, identity theft can be a significant reputational and litigation risk for firms that handle third-party payments on behalf of clients or investors. Accordingly, state registrants and exempt firms should consider implementation as a best practice.
The rules identify five specific categories that every compliance program should address:
- Alerts, notifications or other warnings received from consumer reporting agencies or other service providers;
- Presentation of suspicious documents;
- Presentation of suspicious personal information (e.g., an unexpected or unusual address change);
- Unusual usage of a particular account; and
- Notices from customers, victims of identity theft, law enforcement agencies or others regarding possible identity theft in an account.
Employees should be trained to identify the above and any other red flags that are specific to the firm’s business.
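As an added illustration (not part of the original article or of any Sansome Strategies program), the following script shows how the ongoing monitoring called for above could be applied to a transaction blotter: it walks a constructed list of account events and raises a flag for three of the five categories (alerts and notices received, suspicious personal information such as an address change, and unusual account usage). The event format, the 30-day window and the 5x-median threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample blotter for one investor account; values are illustrative only.
SAMPLE_EVENTS = [
    {"ts": "2013-10-01", "type": "payment", "payee": "investor_bank_on_file", "amount": 5000},
    {"ts": "2013-10-08", "type": "payment", "payee": "investor_bank_on_file", "amount": 6000},
    {"ts": "2013-10-15", "type": "payment", "payee": "investor_bank_on_file", "amount": 5500},
    {"ts": "2013-11-03", "type": "address_change", "detail": "mailing address updated by phone"},
    {"ts": "2013-11-04", "type": "payment", "payee": "unknown_third_party", "amount": 90000},
    {"ts": "2013-11-06", "type": "cra_alert", "detail": "fraud alert on consumer report"},
]

ADDRESS_WINDOW = timedelta(days=30)  # assumed lookback after an address change
UNUSUAL_MULTIPLE = 5                 # assumed: payment above 5x the median of prior payments

def detect_red_flags(events):
    """Return (date, category, detail) tuples for events that match a red-flag category."""
    flags = []
    seen_payees = set()
    prior_amounts = []
    last_address_change = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d")
        kind = ev["type"]
        if kind in ("cra_alert", "customer_notice", "law_enforcement_notice"):
            # Categories 1 and 5: alerts from reporting agencies or notices from
            # customers, victims or law enforcement are red flags on their own.
            flags.append((ev["ts"], "alert_or_notice", ev["detail"]))
        elif kind == "address_change":
            # Category 3: an unexpected address change is suspicious personal
            # information; remember when it happened for the payment check below.
            last_address_change = ts
            flags.append((ev["ts"], "suspicious_personal_info", ev["detail"]))
        elif kind == "payment":
            payee, amount = ev["payee"], ev["amount"]
            if (last_address_change is not None
                    and ts - last_address_change <= ADDRESS_WINDOW
                    and payee not in seen_payees):
                # Category 4: first payment to a new third party soon after an address change.
                flags.append((ev["ts"], "unusual_usage", f"first payment to {payee} after address change"))
            if prior_amounts and amount > UNUSUAL_MULTIPLE * median(prior_amounts):
                # Category 4: amount far outside the account's own history.
                flags.append((ev["ts"], "unusual_usage", f"amount {amount} far above historical median"))
            seen_payees.add(payee)
            prior_amounts.append(amount)
    return flags

if __name__ == "__main__":
    for flag in detect_red_flags(SAMPLE_EVENTS):
        print(flag)
```

Each flag is a prompt for the documented response procedure (call-back, hold on the transaction, escalation), not an automatic block; the thresholds should be tuned to the firm's own account history.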
Appropriate responses to a red flag incident will vary significantly depending on the circumstances. The rules mention:
- Monitoring an account for evidence of identity theft;
- Contacting the customer;
- Changing passwords, security codes or other devices that permit access to an account;
- Reopening accounts with new numbers;
- Refusing to open an account;
- Closing an existing account;
- Refraining from collection activities on an account;
- Notifying law enforcement; and
- Determining that a response is warranted in a particular instance.
Other, proactive safeguards can include standardizing the forms and processes used to effect transactions in client accounts, designating a person or team of people to handle those transactions under supervision (and training them to detect identity theft), preparing and reviewing a daily transaction blotter, requiring additional approvals and documentations for higher risk transactions and implementing PINs or security questions and client call-backs, to name a few.
To the extent that safeguards are client- or investor-facing (such as call-backs, PINs or other identity verification tools), these should be standardized and clients/investors notified of the procedures so they know what to expect. Obtaining clients' acknowledgment of these processes via the investment advisory or subscription agreement is a good way to handle this clearly and consistently.
To ensure compliance by November 20, 2013, we encourage all firms to reach out to their compliance consultant or legal counsel as soon as possible. Rolling out the program early will afford plenty of time to refine it by the deadline.
About Cole-Frieman & Mallon LLP
Cole-Frieman & Mallon LLP provides legal services to the investment management community. Please reach out to us through our contact form or call Bart Mallon directly at 415-868-5345 if you have questions on implementation.
About Sansome Strategies LLC
Sansome Strategies is a compliance consulting firm specializing in high-touch, outsourced compliance services for businesses in the investment management industry. Clients include investment advisers, futures managers, broker-dealers, hedge funds, and private equity firms. Sansome Strategies provides tailored compliance management solutions to the unique needs of each client and is focused on helping clients build and enhance their business by simplifying the compliance and regulatory process. Sansome Strategies is wholly owned by Karl Cole-Frieman and Bart Mallon. For more information, please contact Sansome Strategies here.