On April 19, 2013, the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC” and, together with the SEC, the “Commissions”) published final rules (“Red Flag Rules”) in the Federal Register (the “Adopting Release”) requiring each “financial institution” or “creditor” that offers a ”covered account” to develop and implement by November 20, 2013 a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts and the opening of new accounts (a “Program”). The Red Flag Rules serve as the SEC and CFTC versions of the “red flag” rules that the banking regulators and the Federal Trade Commission (“FTC”) adopted in 2007 (the “Joint Red Flag Rules”) and in effect transfer jurisdiction from the FTC to the Commissions for entities under their regulation. For entities that adopted programs under the Joint Red Flag Rules, little will change; however, based on statements in the Adopting Release, entities such as investment advisers, commodity pool operators and commodity trading advisors that did not previously comply with the Joint Red Flag Rules will need to carefully assess whether they fall within the scope of the Red Flag Rules.

In general, the Red Flag Rules do not contain new substantive requirements and are substantially similar to the red flag rules issued by the FTC. The Commissions expressly noted in the Adopting Release that entities subject to their respective enforcement authorities, whose activities fall within the scope of the Red Flag Rules, should already be in compliance with the Joint Red Flag Rules. Therefore, to the extent that broker-dealers, registered investment companies, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants are already in compliance with the Joint Red Flag Rules and have adopted a Program, little will change with respect their current compliance obligations or Programs. Entities that are already in compliance with the Joint Red Flag Rules should review their Program and update them as necessary (e.g., to change rule citations from the FTC to SEC/ CFTC versions of the rules).

The Adopting Release does contain examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the new rules and in assessing whether they are required to adopt a Program under the Red Flag Rules. Most notably and as discussed below, the Adopting Release describes a number of examples in which a registered investment adviser would be subject to the Red Flag Rules and would be required to adopt and implement a Program. 

Recently registered commodity pool operators and commodity trading advisors, as well as dually registered entities (i.e., entities that are subject to both SEC and CFTC regulation with respect to their activities), also should consider the applicability of the Red Flag Rules, especially if they had not implemented a Program under the Joint Red Flag Rules. Similarly, if a commodity pool operator or commodity trading advisor had not implemented a Program under the Joint Red Flag Rules in the past, they should consider whether the Red Flag Rules as articulated by the CFTC apply to them going forward.

Determining Whether the Red Flag Rules Apply. Unlike a number of regulations that apply simply on the basis of an entity being registered with the SEC or CFTC, determining whether an entity is subject to the Red Flag Rules requires a two step analysis. First, for the Red Flag Rules to apply, the entity must meet the definition of “financial institution” or “creditor.” Second, the entity must offer and maintain one or more “covered accounts.” If an entity meets both prongs, then it will need to adopt a Program. If the entity meets only the first prong, then the entity is not required to adopt a Program but will need to periodically assess its accounts and relationships to determine whether it has covered accounts. Therefore, allowing a customer to do something new, such as send account proceeds to a third party, may trigger the Program requirement, even if the financial institution or creditor was not subject to the rule before.

Examples of SEC and CFTC Regulated Entities that are Financial Institutions and/or Creditors for Purposes of the Red Flag Rules. Like the Joint Red Flag Rules, the Red Flag Rules apply to “financial institutions” and “creditors.”  In general, “financial institution” includes “any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” “Transaction account” includes “an account on which the. . . account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”

The Adopting Release lists the following as illustrative examples of an SEC-regulated entity that could fall within the meaning of the term “financial institution”: (i) a broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payment or transfers out of those accounts to third parties.”

Tracking the Joint Red Flag Rules, the Commissions’ definitions of “creditor” refer to the definition of “creditor” in the Fair Credit Reporting Act. The CFTC definition of creditor in the Red Flag Rules states that creditor includes any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that regularly extends, renews, or continues credit; regularly arranges for the extension, renewal, or continuation of credit; or in acting as an assignee of an original creditor, participates in the decision to extend, renew, or continue credit.

Applicability to SEC Registered Investment Advisers and CFTC Registered Commodity Pool Operators and Commodity Trading Advisors. In the view of the regulators, investment advisers that have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risk of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risk of identity theft and loss of assets as consumers holding accounts with other financial institutions. If an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor or client. Although not expressed in the Adopting Release, as a practical matter, commodity pool operators and commodity trading advisors face the same types of potential risks with respect to identity theft.

A number of commenters on the proposed rule argued that investment advisers do not “hold” transaction accounts because they do not have custody of client assets (i.e., the assets are custodied at a bank or broker-dealer) and thus would not be “financial institutions” and thus subject to the Red Flag Rules. As stated in the Adopting Release, the SEC has concluded otherwise. For example, the SEC states that even if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account. An adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account because the adviser would not be making payments to third parties.

It appears that, like SEC-registered investment advisers that do not have custody, commodity pool operators and commodity trading advisors would be treated as potentially having transaction accounts even though by law they cannot have custody of client assets (generally, the assets must be held at a futures commission merchant).

Thus, investment advisers, commodity pool operators and commodity trading advisors that do not currently maintain a Program should revisit the question of whether they are required to adopt one.

Registered Investment Advisers to Private Funds. In the Adopting Release, the SEC explicitly stated that registered investment advisers to private funds also may, under certain circumstances, directly or indirectly hold transaction accounts. If an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account. For example, a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor. Again, investment advisers to private funds that do not currently maintain a Program should revisit the question of whether they are required to adopt one. The same is true for commodity pool operators that currently do not maintain a Program.

Which Financial Institutions and/or Creditors Must Implement a Program. Under the Red Flag Rules, a financial institution or creditor must establish a Program if it offers or maintains “covered accounts.” Account is defined as a continuing relationship established by a person with a financial institution or creditor to obtain a product or services for personal, family, household or business purposes (e.g., a brokerage account or mutual fund account). The Commissions define the term “covered account” as:  (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The CFTC’s definition includes a margin account as an example of a covered account, and the SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.

The Red Flag Rules require all financial institutions and creditors to assess whether they offer or maintain covered accounts and must do so periodically. As part of this determination, they must conduct a risk assessment that takes into consideration: (i) the methods it provides to open accounts, (ii) the methods it provides to access its accounts; and (iii) its previous experience with identity theft. The Adopting Release notes that financial institutions and creditors should consider whether a reasonably foreseeable risk of identity theft may exist in connection with accounts opened or accessed remotely, such as through the internet or by telephone. Even if they determine that they do not need a Program, they need to periodically reassess that decision to account for changes in their business model, accounts, or identity theft experience.

Required Elements of a Program. A Program must include reasonable policies and procedures to:

• Identify relevant “red flags” for covered accounts and incorporate those red flags into the Program;
• Detect red flags that have been incorporated into the Program;
• Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
• Ensure that the Program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.

A “red flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Guidelines in the appendix to the Red Flag Rules include a number of examples of red flags. The examples include inconsistencies in personal indentifying information, incomplete account opening information, changes in account usage, adding an authorized person to an account shortly after the account address has changed, and mail being returned as undeliverable although transactions continue.

Like anti-money laundering programs, the Program adopted must be appropriate to the size and complexity of the entity and the nature and scope of its activities. Entities subject to the Red Flag Rules can leverage their anti-money laundering programs, policies and procedures to safeguard customer records and information under Regulation S-P, the CFTC’s privacy rules and internal anti-fraud policies and procedures in order to develop their Program. Although the Red Flag Rules do not have a “reporting component,” information developed during the course of the Program may trigger a reporting requirement under the suspicious activity reporting requirements applicable to broker-dealers, CFTC registered introducing brokers and mutual funds or under state privacy laws.

The Program must be approved by the entity’s board of directors, an appropriate committee of the board of directors, or, if the entity does not have a board, a designated senior management employee. The rules also provide that the entity must involve the board of directors, an appropriate committee thereof, or a designated senior management employee (e.g., the chief compliance officer) in the oversight, development, implementation and administration of the Program. Furthermore, the rules provide that the entity must train staff, as necessary, to effectively implement the Program. Finally, entities must exercise appropriate and effective oversight of service provider arrangements. The Adopting Release provides little guidance on what such oversight of service providers means in practice.

Conclusion. Entities subject to the Commissions’ enforcement authority that believe they were not subject to the Joint Red Flag Rules should reassess whether they are subject to the Red Flag Rules in light of the information provided in the Adopting Release. Entities that have already adopted a Program pursuant to the Joint Red Flag Rules should review their Programs and update them as necessary.