On April 10, 2013, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly adopted the Identity Theft Red Flags Rules (“Red Flags Rules”) and guidelines as mandated under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.
The Red Flags Rules will require certain SEC and CFTC-regulated entities to implement programs to prevent, detect, and mitigate the effects of identity theft if that entity directly or indirectly holds a “transaction account” belonging to a customer. Specifically, the SEC-regulated entities include broker-dealers, registered investment companies (including any that act as business development firms or operate as employees’ securities firms), and investment advisers. The CFTC-regulated entities include futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, or major swap participants. “Transaction accounts” are those “on which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”
The Red Flags Rules require each “financial institution” and “creditor” that offers or maintains one or more “covered accounts” (defined below) to develop and implement a written Identity Theft Prevention Program (“Program”). “Financial institution” is defined as any entity, such as certain banks and credit unions, and any other person that directly or indirectly holds a transaction account.
An investment adviser may be deemed to directly or indirectly hold transaction accounts if it can direct payments or transfers out of those accounts to third parties. If the transaction accounts belong to individuals, these advisers are considered financial institutions for purposes of the Red Flags Rules. For example, an investment adviser would be deemed a financial institution if
In addition, some advisers may meet the definition of “creditor.” This term applies to any person who extends or arranges credit. For example, if a private fund adviser “lends” money regularly in the ordinary course of business, short-term or otherwise, such as by recognizing an investment in the fund before it receives a wire transfer or an investor’s check clears, the adviser could be considered a “creditor.” The term does not apply, however, to an adviser that advances funds on behalf of a person for expenses incidental to a service provided to that person.
The term “covered account” mentioned above includes “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions” and “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” If a financial institution or creditor determines that such risks only apply to certain of its accounts, it may develop and implement a Program that applies only to those accounts or types of accounts.
A financial institution or creditor that engages predominantly in transactions with businesses may determine it does not require a Program because it does not offer or maintain “covered accounts.” If a financial institution or creditor makes this determination initially, it must periodically reassess whether changes to the accounts offered or maintained or other factors set forth in the Rules would require a Program.
Pursuant to the Red Flags Rules, financial institutions and creditors that offer or maintain covered accounts must do the following:
The Red Flags Rules also require persons that issue credit or debit cards to establish and implement reasonable written policies and procedures regarding address change notifications.
The Red Flags Rules will become effective 30 days after publication in the Federal Register (to be determined) and the compliance date will be six months after the effective date.
Please contact your ACA consultant or Damon Zappacosta at (212) 868-5940 with any questions.