New SEC Rule to Protect Investors from Identity Theft


The Securities and Exchange Commission adopted new rules requiring investment advisers, broker-dealers, mutual funds, and certain other entities regulated by the agency to adopt programs to detect red flags and prevent identity theft.

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act amended the Fair Credit Reporting Act to add the SEC to the list of federal agencies that must adopt and enforce identity theft red flags rules. In February 2012, the SEC proposed for public notice and comment identity theft red flags rules and guidelines and card issuer rules. Yesterday, the SEC issued the final rule.

Originally, it looked like investment advisers (and therefore private fund managers) might escape the rule. However, the final rule explicitly includes registered investment advisers as being subject to the rule.

Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions. If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor.

The SEC concluded that the red flag program of a qualified custodian that maintains custody of an investor’s assets would not adequately protect individuals holding transaction accounts with an adviser. The adviser could give an order to withdraw assets, but at the direction of an impostor. However, an adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making the payments to third parties.

Does this apply to private funds?

Private fund managers may directly or indirectly hold transaction accounts. According to the SEC rule, if an individual invests money in a private fund, and the adviser to the fund has the authority to direct the individual’s investment proceeds (such as distributions) to third parties, then that adviser would indirectly hold a transaction account. The SEC concludes that a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor.

I’m not sure that I agree with the SEC conclusion. However, I do agree that funds need to make sure that distributions are not re-directed improperly. Private fund managers will have to put some effort into this.

It is going to take some time to figure out how this rule applies in the context of fund operations. The subscription agreement and partnership agreement for a fund may not explicitly address whether an investor can direct distributions to a third-party account. I think that would be an unusual restriction.

The SEC-mandated program under the rule should include policies and procedures designed to:

  • Identify relevant types of identity theft red flags.
  • Detect the occurrence of those red flags.
  • Respond appropriately to the detected red flags.
  • Periodically update the identity theft program.

The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms administer their programs.

The final rules will become effective 30 days after publication in the Federal Register. The compliance date for the final rules will be six months after their effective date.