On April 10, 2013, the Securities and Exchange Commission and the Commodity Futures Trading Commission jointly adopted new identity theft red flag regulations, which are being imposed pursuant to their respective authority under the Dodd-Frank Act and the Fair Credit Reporting Act (FCRA). To learn more about this new regulation, which may take effect between November and December 2013, I sat down with my colleague, Cary Kvitka.
Kvitka advised that under the new regulations, a red flag is defined as a “pattern, practice or specific activity that indicates the possible existence of identity theft.” The red flag regulations will apply to investment advisory firms deemed to have custody of client funds or securities for the purposes of ADV Part 1, Item 9 and ADV Part 2A, Item 15, and which are correspondingly subject to annual surprise CPA examinations.
Kvitka further advised that the red flag regulations will apply to those firms that are required to be registered under the Advisers Act who also meet the definition of “financial institution” or “creditor” under the FCRA, and who maintain or offer “covered accounts.”
While the definition of “creditor” generally does not apply to most investment advisory firms, the term “financial institution” may apply to firms that report having custody on form ADV because under the FCRA, a “financial institution” is any “person that, directly or indirectly, holds a transaction account belonging to a consumer.”
A “transaction account” is “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers or other similar items for the purpose of making payments or transfers to third persons.”
The term “covered account” is intentionally flexible and basically describes any account that is “designed to permit multiple payments or transactions” and “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
In short, if an investment advisory firm has the capacity to withdraw funds from client accounts and transfer those funds to unrelated third parties (commonly defined as having custody), that firm generally has a “transaction account” and therefore meets the definition of a “financial institution” for the purposes of the updated red flag requirements.
So how should affected firms comply with the red flag regulations?
Develop policies and procedures to identify and respond to red flags. Affected firms are required to adopt policies and procedures designed to detect and address “reasonably foreseeable risks” of identity theft. The red flag policies should be tailored to an affected entity’s business model; the type of accounts maintained for its clients; its methods to open or access the affected accounts; and its prior experiences with identity theft.
Develop an oversight plan. Affected firms should develop and approve an oversight plan, which should include assigning specific responsibility for the policies’ implementation to an individual or committee that reports to the board of directors or a designated senior management employee, as appropriate, and issuing reports to firm management, prepared by staff (generally the chief compliance officer), about the firm’s compliance with the red flag regulations.
Implement response policies. As part of its red flag policy program, the firm will be required to appropriately respond to identity theft red flags, which could include monitoring a covered account for evidence of identity theft and notifying law enforcement when appropriate.
Update red flag policies as necessary. Finally, the firm is required to periodically review and update the red flag policies as appropriate.