Alert April 16, 2013

SEC and CFTC Adopt Rules to Address FCRA Requirements for Identity Theft Programs and Credit Card Changes of Address

The SEC and CFTC (the “Commissions”) jointly issued final rules that will (a) require “financial institutions” and “creditors” subject to a Commission’s jurisdiction to develop and implement a written identity theft prevention program addressing identity theft in connection with certain existing accounts or the opening of new accounts and (b) establish special requirements under which a credit or debit card issuer subject to a Commission’s jurisdiction would have to assess the validity of change of address notifications.  The Commissions adopted the final rules because the Dodd-Frank Act amended the Fair Credit Reporting Act of 1970 (“FCRA”) to add the Commissions to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and card issuer rules regarding certain changes of address.  The final rules are substantially similar to identity theft rules and card issuer rules adopted in 2007 by the federal banking regulators and the FTC in response to prior amendments to FCRA.  The final rules do, however, contain some examples and minor language changes designed to facilitate compliance by entities under the Commissions’ jurisdiction.

Transfer of Enforcement Authority to the Commissions.  In broad terms, the primary effect of the final rules is to transfer to each Commission the enforcement of identity theft rules and card issuer rules as applied to the entities generally subject to that Commission’s enforcement authority.  The Commissions’ joint release relating to the final rules observes that “[t]he Commissions recognize that entities subject to their respective enforcement authorities, whose activities fall within the scope of the rules, should already be in compliance with” the other agencies’ rules.  The release adds that the final rules neither contain requirements not already included in the other agencies’ rules, nor expand the scope of those rules to include new categories of entities not already covered, although elsewhere in the release, as discussed below in greater detail, there is an expectation on the SEC’s part that certain investment advisers may determine in response to this rulemaking that they are subject to the SEC’s identity theft rule, Regulation S-ID.

Identity Theft Rules.  In broad terms, a Commission’s identity theft rules apply to “financial institutions” and “creditors” subject to its enforcement authority.  An entity that falls within either of these categories must periodically assess whether it maintains “covered accounts.”  If it determines that it does, the entity must adopt an identity theft program with respect to those accounts in accordance with the Commission’s identity theft rule. 

  • A “financial institution” is defined to include, in addition to certain banks and credit unions, “any other person that, directly or indirectly, holds a transaction account . . . belonging to [an individual].”  A “transaction account” is an “account on which the ... account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”  
  • A “creditor” is a person that regularly extends, renews or continues credit, or makes those arrangements, that “regularly and in the course of business … advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person,” except for a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
  • A “covered account” is: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers (which may be either individuals or entities) or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Regulation S-ID and Investment Advisers.  In a statement issued in connection with the SEC action adopting the final rules, SEC Commissioner Aguilar made the following observation:

There is one group of entities, however, that may not have existing identity theft red flag programs and will need to pay particular attention to the rules being adopted today. This group consists of investment advisers registered under the Investment Adviser Act — particularly the private fund and hedge fund advisers that are recent registrants with the SEC.  [The formal release adopting the final rules] offers a number of examples and illustrations that may assist those entities in understanding, whether they qualify, and, if they do, what their responsibilities are under Regulation S-ID.

The adopting release itself states that “SEC staff anticipates that the following examples of circumstances in which certain entities, particularly investment advisers, may qualify as financial institutions may lead some of these entities that had not previously complied with the Agencies’ rules to now determine that they should comply with Regulation S-ID.”   A related reference in the adopting release provides that, based on examination of IARD data, the SEC staff expects that certain private fund advisers could potentially be “financial institutions” and “creditors” subject to Regulation S-ID.

The adopting release provides (without further detail or explanation) the following examples of investment advisers that may fall within the definition of “financial institution” with respect to separate account and fund relationships:

  • “[A]n investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties” could fall within the meaning of the term “financial institution” because it holds transaction accounts belonging to individuals. 
  • “[E]ven if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account.”
  • “Registered investment advisers to private funds also may directly or indirectly hold transaction accounts.  If an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account. For example, a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor.”

The adopting release provides the following example of circumstances in the private fund context under which an investment adviser could be acting as a “creditor”:

  • An investment adviser could potentially qualify as a creditor if it “advances funds” to an investor that are not for expenses incidental to services provided by that adviser.  For example, a private fund adviser that regularly and in the ordinary course of business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.

Regulation S-ID and Exempt Reporting Advisers.  The adopting release states that Regulation S-ID does not include within its scope entities that are not themselves registered or required to register with the SEC (with the exception of business development companies and employees’ securities companies), even if they register securities under the Securities Act of 1933 or the Securities Exchange Act of 1934, or report information under the federal securities laws.  The adopting release cites investment advisers that rely on the venture capital fund and private fund adviser exemptions as examples of entities outside Regulation S-ID’s scope.

Credit Card Rules.  A Commission’s final credit card rules apply to a person subject to its enforcement authority that issues a debit or credit card (“card issuer”). The release adopting the final rules notes that “the CFTC is not aware of any entities subject to its enforcement authority that issue debit or credit cards and, as a matter of practice, believes that it is highly unlikely that CFTC-regulated entities would issue debit or credit cards.”  The adopting release goes on to observe that “the SEC understands that a number of entities within its enforcement authority issue cards in partnership with affiliated or unaffiliated banks and financial institutions, but that these cards are generally issued by the partner bank, and not by the SEC-regulated entity.  The SEC therefore expects that no entities within its enforcement authority will be subject to the card issuer rules.”

Compliance Deadline. The final rules become effective 30 days after their forthcoming publication in the Federal Register; compliance is required six months later.