Identity Theft Red Flags Rules (Reg S-ID) - Compliance Date: November 20, 2013
The Securities and Exchange Commission ("SEC") in conjunction with the Commodities Futures Trading Commission ("CFTC") released final regulations for Regulation S-ID ("Reg S-ID"). Reg S-ID requires certain investment advisers, broker-dealers, investment companies and other entities to establish programs to address the risks of identity theft. Reg S-ID applies to the following entities:
There is a two-pronged test to determine whether a financial services entity needs to adopt an identity theft prevention program under Reg S-ID. The entity must assess:
(1) if it is a "financial institution" (defined as a bank, credit union, or any other person (such as an investment adviser) that, directly or indirectly, holds a transaction account belonging to...an individual consumer) or "creditor" (defined as a person that regularly extends, renews, or continues credits or arranges for or participates in the decision as an assignee of a creditor to extend, renew, or continue credit); and
(2) if any of the accounts held by the entity are "covered accounts."
A "transaction account" is defined as an account on which the...account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. A "covered account" is defined as an account that a financial institution offers or maintains, primarily for personal, family or household purposes, that involves or is designed to permit multiple payments or transactions. If an entity meets both prongs, it will need to adopt a program. However, even if an entity only meets the first part of the test, it will still need to annually assess its accounts and relationships to determine whether it has covered accounts (and, if so, at that point adopt a program).
The SEC has stated that even investment advisers who do not accept actual custody of their clients' accounts will be subject to the new rule as "financial institutions" if they have the ability to direct transfers or payments to third parties from a client account, or if they act as agents on behalf of individual clients. If an investment adviser facilitates or directs bill payments for its clients or otherwise acts as their agent for financial purposes, the rules will likely apply whether or not the investment adviser otherwise has custody of client assets.
The rules require each affected adviser to develop a program that is appropriate to the adviser's size, complexity, and nature and scope of its activities. The program could either be a standalone document or part of the adviser's policies and procedures manual.
Those investment advisers subject to the regulation should seriously consider the appropriateness of adopting an identity theft prevention program. Please reach out to your Sadis & Goldberg contact for further clarification on how these changes affect you or for assistance in complying with the new rule.