SEC and CFTC Adopt Identity Theft Red Flags Rules

May 2, 2013

The Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC”) (together, the “Commissions”) recently issued final rules (the “Rules”) requiring certain entities that are subject to SEC or CFTC jurisdiction to develop and implement a written Identity Theft Prevention Program (the “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Rules are substantially similar to the existing identity theft red flags rules and guidelines issued previously by the Federal Trade Commission and other agencies. Guidance and illustrations provided by the Commissions in their adopting release may, however, lead some registered investment advisers, commodity trading advisers (“CTAs”) and commodity pool operators (“CPOs”) to determine that they fall within the scope of the Rules.1

The Rules were published in the Federal Register on April 19, 2013 and will have an effective date of May 20, 2013. The compliance date will be November 20, 2013.

Application of the Rules to registered advisers, CTAs and CPOs.

The SEC Rules apply to registered investment advisers, including registered advisers to private funds, meeting the definition of financial institution or creditor under the Rules.2 The CFTC Rules apply to any CTA or CPO that directly or indirectly holds a transaction account belonging to a consumer.3 Any registered adviser, CTA or CPO meeting the definition of financial institution or creditor must adopt a Program with respect to any covered account.

Financial Institutions

Under the SEC rule, a financial institution is any person that directly or indirectly holds a transaction account belonging to a consumer, i.e., an individual. A transaction account is an account on which the account holder has check writing privileges or can make payments or transfers to third parties or others.

The SEC stated in the adopting release that a registered adviser would be considered a financial institution in the following circumstances because it directly or indirectly holds a transaction account.

  • When the registered adviser has the ability (through agency, power of attorney or otherwise) to direct transfers or payments from an individual investor’s account to a third party. This applies even when the account is held at a qualified custodian.
  • When the registered adviser has the authority, pursuant to an arrangement with a private fund or an individual investor in the fund, to direct the investor’s investment proceeds to other persons upon instructions received from the investor. Investment proceeds could include redemptions, distributions, dividends, interest or other proceeds.

The SEC clarified that a registered adviser with the authority to withdraw money from the account of a client or investor solely to deduct advisory fees would not be deemed to hold a transaction account because the investment adviser would not direct payments to a third party.

The CFTC included in its definition of financial institution any CTA or CPO that directly or indirectly holds a transaction account belonging to a consumer. Therefore, CTAs and CPOs with the ability to direct transfers or payments from a consumer’s account to a third party will be required to implement a Program with respect to any covered account.

Creditors

A creditor is any person that regularly extends, renews or continues credit, or that regularly advances funds to or on behalf of a person based on the obligation of the person to repay the funds.

The adopting release notes that an entity that advances funds on behalf of a person, for expenses incidental to a service provided by the entity to that person, would not be considered a creditor. Therefore, a creditor would likely not include a registered adviser, CTA or CPO that bills on a deferred basis if it does not “advance” funds to investors.

A registered adviser to a private fund may, however, qualify as a creditor if the adviser regularly lends money to permit investors to make an investment in the fund pending the receipt or clearance of an investor’s check or wire transfer.

Covered Accounts

As noted above, a registered adviser, CTA or CPO meeting the definition of a financial institution or a creditor must apply its Program to the covered accounts it offers or maintains.4 A covered account is (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Financial institutions and creditors should be aware of their ongoing obligation to periodically determine whether they offer or maintain covered accounts. Such determinations should include a risk assessment, and financial institutions and creditors should be able to demonstrate that they have performed such periodic determinations.

Elements of the Program.

The Rules require each financial institution and creditor to develop a Program that includes reasonable policies and procedures (i) to identify relevant red flags for covered accounts and incorporate those red flags into its Program; (ii) to detect those red flags; (iii) to respond appropriately to any red flags that are detected; and (iv) to ensure that the Program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks to customers, and to the safety and soundness of the financial institution or creditor, from identity theft.

Administration of the Program.

Proper administration of the Program has four additional requirements. The Rules require that a financial institution or creditor (i) obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors (or, if an entity does not have a board, from a senior management employee); (ii) involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the Program; (iii) train staff, as necessary, to effectively implement the Program; and (iv) exercise appropriate and effective oversight of service provider arrangements.

The designated senior management employee responsible for the oversight, development, implementation and administration of a registered investment adviser’s Program may be the adviser’s chief compliance officer.

Guidelines.

The CFTC and the SEC jointly issued final guidelines intended to assist financial institutions and creditors in the formation and maintenance of their Programs. The guidelines set forth policies and procedures that financial institutions and creditors are required to consider and implement, if appropriate.

* * * *

If you have any questions about whether you may be required to implement an Identity Theft Prevention Program or require assistance implementing such a program, please contact an attorney in the Investment Management Group at Seward & Kissel LLP.

_______________________________________________________________

1 The Dodd-Frank Act amended the Fair Credit Reporting Act of 1970 to transfer responsibility for identity theft rules and the enforcement of the rules from the Federal Trade Commission to the SEC and the CFTC with respect to the entities they regulate.

2 Advisers that are not registered with the SEC, including exempt reporting advisers, are not within the scope of the SEC’s Rules and are not required to implement a Program.

3 The CFTC Rules apply to CTAs and CPOs regardless of whether they are required to register with the CFTC.

4 The covered account analysis includes all customer accounts, whether the customers are individuals or business entities.