Regulation S-ID: SEC and CFTC Impose New Identify Theft Regulations Requiring Investment Advisory Firms to Consider Updates to Policies and Procedures
On April 10, 2013, the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission jointly adopted and announced new identity regulations, which are being imposed pursuant to their respective authority under Dodd-Frank Act and the Fair Credit Reporting Act (“FCRA”).
In this context, a “Red Flag” is a “pattern, practice, or specific activity that indicates the possible existence of identity theft.” 
Who is Affected?
Generally speaking, the SEC’s updated regulations (“Regulation S-ID”) will apply to investment advisory firms deemed to have custody of client funds or securities for the purposes of ADV Part 1, Item 9 and ADV Part 2A, Item 15, who are subject to annual surprise examinations.
More specifically, Regulation S-ID will affect broker dealers, investment companies, and investment advisory firms that are required to be registered under the Investment Advisers Act of 1940, which also meet the definition of: “financial institution” or “creditor”  under the FCRA, and which maintain or offers “covered accounts.” (each, an “Affected Entity,” and collectively, the “Affected Entities”).
While the definition of “creditor” generally does not apply to most investment advisory firms, the term “financial institution” may apply to firms that report having custody on form ADV because under the FRCA, a “financial institution” is:
a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer. 
A “transaction account” is:
a deposit or account on which the depositor or account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others. Such term includes demand deposits, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. 
The term “covered account,” is intentionally flexible, which basically describes any account: designed to permit multiple payments or transactions” and “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” 
In short, if an investment advisory firm has the capacity to withdraw funds from client accounts and transfer those funds to unrelated third parties, (commonly defined as having custody ) that firm generally has a “transaction account” and therefore meets the definition of a “financial institution” for the purposes of the updated Red Flag Requirements.
When Will Regulation S-ID Take Effect?
The final rules will become effective thirty days after publication in the Federal Register, and the compliance date will be six months after the effective date. Affected Entities should therefore anticipate the compliance deadline to take effect approximately between November and December 2013.
How Should Affected Investment Advisory Firms Comply with Regulation S-ID?
Step 1: Develop Policies and Procedures to Identify and Respond to Identity Theft Red Flags
Affected Entities are required to adopt policies and procedures designed to detect and address “reasonably foreseeable risks” from identity theft.” (the “Red Flag Policies”).
The Red Flag Policies should be tailored to an Affected Entity’s business model, the type of accounts maintained for its clients; its methods to open or access the affected accounts; and its prior experiences with identity theft.
Affected Entities are also required to consider inclusion of the following in the Red Flag Policies, as appropriate:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers;
- Presentation of suspicious documents, such as documents that appear to have been altered or forged;
- Presentation of suspicious personal identifying information, such as a suspicious address change;
- Unusual use of, or other suspicious activity related to, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or others persons regarding possible identity theft.
Step 2. Develop Oversight Plan
Next, Affected Entities should involve and obtain approval of the Red Flag Policies from either its board of directors, an appropriate committee of the board of directors, or from a designated senior management employee, as appropriate.
Those parties should develop and approve an oversight plan, which:
- Assigns specific responsibility for the Red Flag Policies’ implementation, to an individual or committee, who will report to the board of directors or designated senior management employee as appropriate;
- Assigns specific responsibility to issue reports prepared by staff [generally, the Chief Compliance Officer] about the Affected Entity’s compliance with Regulation S-ID;
- Provides for the approval of material changes to the Red Flag Policies as necessary to address changing identity theft risks;
- Ensures that outside service providers comply with the developed Red Flag Policies;
- Provides for periodic reviews and updates to the Red Flag Policies with respect to:
- Provides for staff training to detect and respond to identity theft red flags as they arise.
a. The experiences of the Affected Entity with identity theft;
b. Changes in methods of identity theft;
c. Changes in methods to detect, prevent, and mitigate identity theft;
d. Changes in the types of accounts that the Affected Entity offers or maintains;
e. Changes in the business arrangements of the Affected Entity, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements; and
Step 3. Implement Red Flag Policies
As part of its Red Flag Policy program, the Affected Entity will be required to appropriately respond to identity theft red flags, which could but do not necessarily include the following:
- Monitoring a covered account for evidence of identity theft;
- Contacting the customer;
- Changing any passwords, security codes, or other security devices that permit access to a covered account;
- Reopening a covered account with a new account number;
- Not opening a new covered account;
- Closing an existing covered account;
- Not attempting to collect on a covered account or not selling a covered account to a debt collector;
- Notifying law enforcement; or
- Determining that no response is warranted under the particular circumstances.
Step 4. Update Red Flag Policies as Necessary
Finally, in conformity with its oversight plan, the Affected Entity is required to periodically review and update the Red Flag Policies with respect to:
- The experiences of the Affected Entity with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent, and mitigate identity theft;
- Changes in the types of accounts that the Affected Entity offers or maintains; and
- Changes in the business arrangements of the Affected Entity, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
As the prospect of new and more effective means of identity theft develop, investment advisory firms are compelled to react appropriately. The development and implementation of Red Flag Policies is therefore critical to an Affected Entity’s ongoing compliance program.
 17 CFR § 248.201(b)(10)
 Under the FCRA, a “creditor” is: “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.” 15 U.S.C. § 1681; 15 U.S.C. §1681A(r)(5).
 15 U.S.C. § 1681A(t)
 12 U.S.C. § 461 C
 17 CFR § 248.201(b)(3)
 Among other reasons, an investment advisory firm generally has “custody” under 17 CFR § 275.206(4)-2(d)(2) if: it or a related person has direct or indirect possession of client funds or securities; any arrangement (including a general power of attorney) under which the related person is authorized or permitted to withdraw client funds or securities maintained with a custodian upon the related person’s instruction to the custodian; and any capacity (such as general partner of a limited partnership, managing member of a limited liability company or a comparable position for another type of pooled investment vehicle, or trustee of a trust) that gives the investment advisory firm or its related person legal ownership of or access to client funds or securities.
 SEC Release Nos. 34-69359, IA-3582, IC-30456.