On April 10, 2013, the Securities and Exchange Commission and the Commodity Futures Trading Commission jointly adopted new identity theft red flag regulations, which are being imposed pursuant to their respective authority under the Dodd-Frank Act and the Fair Credit Reporting Act (FCRA). To learn more about this new regulation, which may take effect between November and December 2013, I sat down with my colleague, Cary Kvitka.
Kvitka advised that under the new regulations, a red flag is defined as a “pattern, practice or specific activity that indicates the possible existence of identity theft.” The red flag regulations will apply to investment advisory firms deemed to have custody of client funds or securities for the purposes of ADV Part 1, Item 9 and ADV Part 2A, Item 15, and who are correspondingly subject to annual surprise CPA examinations.
Kvitka further advised that the red flag regulations will apply to those firms that are required to be registered under the Advisers Act who also meet the definition of “financial institution” or “creditor” under the FCRA, and who maintain or offer “covered accounts.”
While the definition of “creditor” generally does not apply to most investment advisory firms, the term “financial institution” may apply to firms that report having custody on form ADV because under the FCRA, a “financial institution” is any “person that, directly or indirectly, holds a transaction account belonging to a consumer.”
A “transaction account” is “a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers or other similar items for the purpose of making payments or transfers to third persons.”
The term “covered account” is intentionally flexible and basically describes any account: “designed to permit multiple payments or transactions” and “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”