Identity theft is a serious problem. Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act increased the scope of firms that would be subject to federal regulatory requirements on identity theft rules. The Securities and Exchange Commission and the Commodity Futures Trading Commission just published a proposed rule addressing that new scope.
Section 10889(a)(8), (10) of Dodd-Frank amended the Fair Credit Reporting Act by adding the CFTC and SEC to the list of federal agencies required to create and enforce identity theft red flag rules. The new rule proposal would require SEC-regulated entities to adopt a written identity theft program that would include reasonable policies and procedures to:
- Identify relevant red flags.
- Detect the occurrence of red flags.
- Respond appropriately to the detected red flags.
- Periodically update the program.
The proposed rule would include guidelines and examples of red flags to help firms administer their programs.
As a newly registered investment adviser, this looked like a daunting prospect. The rule does list specific entities in its definition of “financial institution.” That means investment advisers and private fund managers are not excluded.
However, the requirements are further limited to a “transaction account: a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third parties or others.” 12 U.S.C. 461(b)(1)(C).
Smartly, the SEC recognizes that most registered investment advisers (and private fund managers) are unlikely to hold transaction accounts and would not qualify as a “financial institution”. One of the questions soliciting comments in the proposed rule is whether the rule should “omit investment advisers or any other SEC-registered entity from the list of entities covered by the proposed rule?”
I think it makes sense to look at the account itself and not just the institution. Particularly in the case of private fund managers, there are usually limited windows when cash can come out of the accounts and be returned to investors.
Even if the limited partner interests are not a transaction account, it may make sense to look at the final rule as a model for some internal policies and procedures.
- Proposed Identity Theft Red Flags Rules IC-29969 (pdf)
- SEC Proposes Rules To Help Prevent And Detect Identity Theft – SEC press release