Soon after an SEC announcement in the spring of 2013, we advised that the SEC would be imposing a new identity theft prevention rule, Regulation S-ID, under the Dodd-Frank Act.
Investment advisors that are subject to Regulation S-ID were required to implement a written identity theft prevention program by Nov. 20, 2013. Any investment advisors that are subject to Regulation S-ID and have not implemented a written program should do so as soon as possible.
Who Is Subject to Regulation S-ID?
Regulation S-ID applies to SEC-registered investment advisors that maintain covered accounts. While the exact definition of a covered account is somewhat complex, at its core a covered account is one that is designed to permit multiple payments to third parties and has a “reasonably foreseeable risk” that someone could perpetrate an identity theft attack and defraud or use the investment advisor as a conduit to steal client funds from that account.
If an investment advisor or its representative is deemed to have custody of any client accounts, those accounts should be treated as covered accounts for the purposes of Regulation S-ID. However, the SEC does not directly equate a covered account with an account for which an advisor is deemed to have custody, which signifies the SEC's intention to apply Regulation S-ID more broadly.
In fact, page 17 of the 115-page release issued jointly by the SEC and the Commodity Futures Trading Commission states as follows:
Investment advisors who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisors bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions. If such an advisor does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the advisor by posing as an investor.
Apparently in response to the argument that investment advisors that do not maintain physical custody of client funds (such as a bank or a broker-dealer or custodian) should not be required to comply with Regulation S-ID, the joint release further states:
The red flags program of a bank or other qualified custodian that maintains physical custody of an investor's assets would not adequately protect individuals holding transaction accounts with such advisors, because the advisor could give an order to withdraw assets, but at the direction of an impostor. Investors who entrust their assets to registered investment advisors that directly or indirectly hold transaction accounts should receive the protections against identity theft provided by these rules.
Accordingly, investment advisors that maintain accounts permitting the advisor to direct transfers to third parties should take a close look at their practices and determine if there is a reasonably foreseeable risk that someone could abuse that particular rule to abscond with its clients’ funds. While the term “reasonably foreseeable” is subjective, an advisor that chooses not to implement a written identity theft prevention program and later suffers an identity theft attack to the detriment of its clients will be in an uncomfortable position to say the least.
Given the aggressive regulatory environment, we encourage advisory firms to err on the side of caution and implement a written identity theft prevention program if the advisor maintains accounts which permit the advisor to direct transfers to third parties, which, in the event of an identity theft attack, could potentially result in the misappropriation of its clients’ funds.