On April 10 the SEC adopted final identity theft Red Flags Rules that transfer identity theft jurisdiction for SEC regulated entities from the FTC to SEC. SEC regulated entities that meet the definition of “financial institution” or “creditor” under the Fair Credit Reporting Act are required to adopt policies and procedures to prevent identity theft related to certain accounts.
Going forward, it appears an investment adviser may be considered a “financial institution” if the adviser is permitted to direct payments or transfers out of client accounts to third parties. For example, according to the SEC, an adviser would have to adopt Red Flags policies and procedures if it has authority to withdraw money from a client’s account and direct payments to a third party according to a client’s instruction regardless of whether the assets are held by a custodian.
An investment adviser may be considered a “creditor” for purposes of the rules if it advances funds to or on behalf of someone, with the expectation that the person repays the funds (potentially to be repaid with pledged property). For example, the SEC noted that a private fund adviser could qualify as a “creditor” if it lends money to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer.
Advisers will likely have until November to ensure compliance with the new rules. We are actively monitoring this and will provide updates as we learn more. We will separately communicate with our clients to discuss how the new rules impact their compliance programs. In the meantime, please reach out to us with questions.