alerts & publications
SEC and CFTC Adopt Identity Theft Rules That Affect AdvisersApril 30, 2013
On April 10, the Securities and Exchange Commission (the “SEC”) and the Commodity Futures Trading Commission (the “CFTC,” and together with the SEC, the “Commissions”) jointly issued final rules and guidelines that require certain regulated entities, including advisers, to establish programs to address risks of identity theft (the “Red Flags Rules”). Generally, the Red Flags Rules require financial institutions and creditors to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts (“Program”). The Red Flags Rules also include guidelines to assist entities in the formulation and maintenance of their identity theft prevention programs. Commodity pool operators (“CPOs”), commodity trading advisors (“CTAs”), and investment advisers, including advisers to private funds, may qualify as financial institutions or creditors subject to the Red Flags Rules.
Overview of the Red Flags Rules
An entity must first determine whether it is a “financial institution” or “creditor” within the meaning of the Red Flags Rules. If so, the entity must then evaluate on a periodic basis whether it offers or maintains covered accounts. Advisers must carefully assess whether their business activities fall within the definitions provided in the Red Flags Rules because the scope of the Rules and use of certain defined terms differ from other SEC and CFTC privacy rules.
While the scope of the Red Flags Rules includes entities subject to the jurisdiction of the Commissions, the Red Flags Rules apply to such entities if they are “financial institutions.” Financial institutions are defined to include certain banks and credit unions, and any other person that, directly or indirectly, holds a transaction account (as defined by the Federal Reserve Act) belonging to a “consumer.” The Federal Reserve Act defines a “transaction account” to include an account on which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Because “consumer” is defined as an individual, to qualify as a financial institution, an entity must hold a transaction account belonging to an individual. Accordingly, the CFTC rule provides that any commodity trading advisor or commodity pool operator that directly or indirectly holds a transaction account belonging to a consumer would be a financial institution. In the SEC’s view, a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges, or an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties, are entities that could fall within the meaning of “financial institution.”
The Red Flags Rules also apply to entities registered with the Commissions if they are “creditors.” A “creditor” is defined as a person that regularly extends, renews, or continues credit, or makes such arrangements. Moreover, a creditor is a person that regularly and in the course of business advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. The CFTC’s definition of “creditor” includes certain entities, such as commodity trading advisers. The SEC’s definition of “creditor” includes brokers or dealers offering margin accounts, securities lending services, and short selling services, as well as certain investment advisers, as discussed below. Finally, the Commissions’ definition of “creditors” does not include “indirect creditors,” or persons who regularly borrow money from third-party credit providers.
Once an entity is a considered a financial institution or creditor, as part of a Program it must assess periodically whether it offers or maintains “covered accounts” to or on behalf of “customers.” This may be done by conducting a risk assessment that considers the methods it provides to open its accounts, the methods it provides to access its accounts and its previous experiences with identity theft. A covered account is defined as either (i) an account that a financial institution or a creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions or (ii) any other account offered and maintained for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or the creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The CFTC includes a margin account as an example of a covered account, while the SEC includes a brokerage account with a broker-dealer or an account maintained by a mutual fund that permits wire transfers or other payments to third parties. The Commissions define an “account” as a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes, with already established investment advisory accounts and mutual fund accounts included within the SEC’s specific definition.
Application of the Red Flags Rules to Advisers
Despite commenters arguing that investment advisers do not “hold” transaction accounts, the SEC concluded otherwise and clarified that the definition of “financial institution” does apply to certain investment advisers. The SEC stated that investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions. Furthermore, individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions. The SEC concluded that even if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account. The SEC noted, however, that an adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account because the adviser would not be making the payments to third parties.
Similarly, the Red Flags Rules apply to private fund advisers if such advisers directly or indirectly hold transaction accounts. For example, an adviser would be deemed to maintain a transaction account if an individual invests money in a private fund managed by the adviser and the adviser has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds to third parties (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account). The SEC offered the example of a private fund adviser holding a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor. On the other hand, the SEC commented that a private fund adviser may not hold a transaction account if such adviser has a narrowly-drafted power of attorney with an investor under which the adviser has no authority to redirect the investor’s investment proceeds to third parties or others upon instructions from the investor. To determine whether private fund advisers will be subject to the Red Flags Rules, such advisers should review their arrangements and power of attorneys with individual investors or the private funds they advise.
Similarly with financial institutions, the SEC discounted commenters and stated that investment advisors could be “creditors.” An investment adviser could potentially qualify as a creditor if it “advances funds” to an investor that are not for expenses incidental to services provided by that adviser. For example, a private fund adviser could be subject to the Red Flags Rules as a “creditor” if it regularly, and in the ordinary course of business, lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer. However, a private fund adviser would not qualify as a creditor and be subject to the Red Flags Rules solely because its private funds regularly borrow money from third-party creditors pending receipt of investor contributions.
Application of the Red Flags Rules to CPOs and CTAs
The application of the Red Flags Rules to CPOs and CTAs will be similar to that described above for investment advisers. Accordingly, CPOs and CTAs should note that even if they are not registered with the CFTC, they may be subject to the Red Flags Rules if they offer or maintain covered accounts.
Compliance with the Red Flags Rules
To meet a Program’s objectives of detecting, preventing, and mitigating identity theft, a Program needs to be appropriate for the size and complexity of the financial institution or creditor and the scope of such entity’s activities.
Elements of a Program
Programs must include four essential elements for compliance purposes. A program must include reasonable policies and procedures to: identify relevant “red flags,” or patterns, practices, or specific activities indicating possible existence of identity theft; detect the red flags; respond appropriately to any detected red flags; and periodically update the Program. Financial institutions and creditors have flexibility in determining which red flags are relevant for their business and the covered accounts they manage. The updating requirement should include a review of the red flags determined to be relevant and a review of policies and procedures to reflect changes in risks to customers and to the safety and soundness of the financial institution or the creditor from identity theft.
Administration of a Program
The Red Flags Rules also provide direction regarding the administration of a Program. First, a financial institution or creditor must obtain approval of the initial written Program from either its board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee (collectively, the “Oversight Persons,” and individually, the “Oversight Person”). Second, financial institutions and creditors are required to involve the Oversight Persons in the oversight, development, implementation, and administration of the Program. For a broker-dealer, investment company or investment adviser, the Oversight Person may be the chief compliance officer. Third, financial institutions and creditors must train staff, as necessary, to effectively implement their Programs. Finally, financial institutions and creditors must exercise appropriate and effective oversight of service provider arrangements through which detection, prevention, or mitigation operations have been outsourced.
Guidelines for a Program
Along with the Red Flags Rules themselves, the Commission issued guidelines for financial institutions and creditors to consider and include in their Programs. Such guidelines are meant to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The Commissions also issued a Supplement A to the guidelines to provide illustrative examples of red flags that financial institutions and creditors are required to consider incorporating into their Programs, as appropriate. These examples are flexible to allow tailoring of the red flags chosen for Programs to specific business operations.
The Red Flags Rules become effective on May 19, 2013. The compliance date for the Red Flags Rules is November 18, 2013.
O’Melveny & Myers is available to provide more information on the Red Flags Rules, assist with determining whether the Red Flags Rules apply, and provide guidance in establishing and maintaining a Program. For questions or additional information, please contact Heather Traeger at (202) 383-5232, Kris Easter at (202) 383-5364, or Matthew Cohen at (202) 383-5179.
 A copy of the final Red Flags Rules and related guidelines can be found at http://www.sec.gov/rules/final/2013/34-69359.pdf.
 The scope of the Red Flags Rules would not include SEC exempt reporting advisers because such entities are not registered or required to register with the SEC.
 Entities should be aware that, although the definition of financial institution captures only accounts offered to or maintained for individuals, the definition of covered accounts more broadly captures various business entities as well as individuals. This is because the definition of customer uses the term “person” rather than “individual.”
 Provided the Program otherwise meets the requirements of the Red Flags Rules, a board or senior management employee need not reapprove a Program already in place.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Heather Traeger, an O'Melveny partner licensed to practice law in the District of Columbia and Texas, Kris Easter, an O'Melveny counsel licensed to practice law in Texas, and Matthew Cohen, an O'Melveny associate licensed to practice law in the District of Columbia and California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2013 O'Melveny & Myers LLP. All Rights Reserved.
Thank you for your interest. Before you communicate with one of our attorneys, please note: Any comments our attorneys share with you are general information and not legal advice. No attorney-client relationship will exist between you or your business and O’Melveny or any of its attorneys unless conflicts have been cleared, our management has given its approval, and an engagement letter has been signed. Meanwhile, you agree: we have no duty to advise you or provide you with legal assistance; you will not divulge any confidences or send any confidential or sensitive information to our attorneys (we are not in a position to keep it confidential and might be required to convey it to our clients); and, you may not use this contact to attempt to disqualify O’Melveny from representing other clients adverse to you or your business. By clicking "accept" you acknowledge receipt and agree to all of the terms of this paragraph and our Disclaimer.