The SEC recently released final rules and guidelines, jointly with the CFTC, that require investment advisers and advisers to private funds to establish programs addressing risks of identity theft. Advisers are required to have an identity theft program if they hold transaction accounts directly or indirectly and have the ability to direct transfers or payments from accounts to third parties. This would include situations where, upon instructions received from the investor, advisers direct transfers or distributions to third parties. The rules require these firms to have an identity theft prevention program that includes written policies to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts.
Adviser fees collected and directed to the firm alone would not require an identity theft program.
For advisers that must comply with the rules, their identity theft program should include the following by the compliance date of November 20, 2013:
- Policies and procedures that control reasonably foreseeable risks to customers and protect the firm from identity theft.
- Identify risk factors to consider for covered accounts, for example the type of covered accounts a firm maintains, the method it provides to open or access its covered accounts, and its previous experience with identity theft.
- Provide examples of policies and procedures a firm should follow in its program for the purpose of detecting red flags.
- To prevent and mitigate identity theft, the program should provide appropriate responses to the red flags detected.
- Firms should regularly update their program based on experiences, changes in methods of identity theft, changes in methods of detecting identity theft, and changes in business arrangements.
- There should be appropriate administration and oversight of the identity theft program, appropriate reporting to senior management, and oversight of any service provider agreements.