Red Flag Rules Compliance Deadline Approaches
In April 2013, the SEC and the U.S. Commodity Futures Trading Commission jointly issued final rules (the "Red Flag Rules") requiring certain investment advisers and other regulated entities to develop and implement written identity theft prevention programs ("Reg S-ID Programs") designed to detect, prevent and mitigate identity theft in connection with new accounts and certain existing accounts by November 20, 2013.
The Red Flag Rules do not apply to all investment advisers. In fact, in the adopting release to the Red Flag Rules, the SEC estimated that the rules will only apply to approximately 15% of registered investment advisers. It is also important to note that the Red Flag Rules only apply to advisers to consumer or individual accounts, meaning that advisers that only manage institutional client accounts do not need to comply with the rules.
Investment Advisers Covered by the Rules
The Red Flag Rules only apply to investment advisers that: (1) meet the definition of "financial institution" or "creditor"; and (2) offer or maintain "covered accounts." While the analysis of these defined terms and whether an adviser is subject to the Red Flag Rules is complicated and should not be undertaken without a full understanding of an adviser's activities and business practices, an investment adviser should generally only be subject to the rules if it:
1. Regularly lends money;
2. Has authority to direct a client redemption, distribution, dividend, interest or other proceeds to third parties (based on the client's instructions); or
3. Is authorized on behalf of a client to withdraw assets from the account to pay bills or direct payments to third parties.
If an investment adviser engages in or has the ability to engage in any of these activities, it should carefully review the Red Flag Rules and the SEC's adopting release to determine whether it is required to establish a Reg S-ID Program. A review of the adopting release is critically important because it contains examples of conduct that could be interpreted as falling within the above-referenced definitions, but does not require compliance with the Red Flag Rules (e.g., automatic fee deduction authority, billing clients in arrears).
Lastly, as a best practice, advisers that do not technically fall within the scope of the Red Flag Rules should still consider whether there is any potential for identity theft and whether they have had any issues with potential identity theft in the past. If you have any questions about the Red Flag Rules, please do not hesitate to contact us.