Soon after an SEC announcement in the spring of 2013, we advised that the SEC would be imposing a new identity theft prevention rule, Regulation S-ID, under the Dodd-Frank Act.
Investment advisors that are subject to Regulation S-ID were required to implement a written identity theft prevention program by Nov. 20, 2013. Any investment advisors that are subject to Regulation S-ID and have not implemented a written program should do so as soon as possible.
Who Is Subject to Regulation S-ID?
Regulation S-ID applies to SEC-registered investment advisors that maintain covered accounts. While the exact definition of a covered account is somewhat complex, at its core a covered account is one that is designed to permit multiple payments to third parties and has a “reasonably foreseeable risk” that someone could perpetrate an identity theft attack and defraud or use the investment advisor as a conduit to steal client funds from that account.
If an investment advisor or its representative is deemed to have custody of any client accounts, those accounts should be treated as covered accounts for the purposes of Regulation S-ID. However, the SEC does not directly equate a covered account with an account for which an advisor is deemed to have custody, which signifies the SEC’s intention to apply Regulation S-ID more broadly.
In fact, page 17 of the 115-page release issued jointly by the SEC and the Commodity Futures Trading Commission states as follows: