UPDATE: RIAs May be Required to Comply with Regulation S-ID Rules by November 20 (October 2013)
Attention RIAs who oversee compliance at their firm! In April 2013, the SEC adopted rules jointly with the Commodity Futures Trading Commission (CFTC) that require broker-dealers, mutual funds, investment advisers, and certain other entities defined as “financial institutions” or “creditors” regulated by the SEC and CFTC to adopt programs to prevent identity theft.
The rules, known as Regulation S-ID, expand rules initially enacted in 2007 by several federal agencies. Registered investment advisers (RIAs) may not have existing identity theft red flag programs and may need to pay particular attention.
RIAs would be considered “financial institutions” or “creditors” and subject to Regulation S-ID in the following circumstances, outlined in the rule:
- Financial Institutions: The RIA, directly or indirectly, holds a transaction account belonging to an individual and is permitted to direct payments or transfers out of those accounts to third parties.
  - For example, the rule would apply to RIAs who have the ability to direct transfers or payments from accounts that belong to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of individuals. Even if an investor’s assets are physically held with a qualified custodian, an adviser that has the authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account. An adviser, however, who has the authority to withdraw money from an investor’s account solely to deduct its own advisory fees does not hold a transaction account because the adviser would not be making payments to third parties.
- Creditors: The RIA regularly or in the course of business… advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from a specific property pledge on behalf of the person; further, the RIA advances funds to an investor that are not for expenses incidental to services provided by that adviser.
  - For example, a private fund adviser that regularly and in the ordinary course of business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.
If you are an RIA considered to be a “financial institution” or a “creditor”, it is important to read and follow the rules to implement Regulation S-ID policies and procedures by November 20, 2013. Learn more about the requirements from the Journal of Accountancy.
UPDATE: Obama Signs Law Exempting CPAs from Red Flags Rule (December 2010)
The Red Flag Program Clarification Act of 2010, signed into law on December 18th, gives CPAs a permanent exemption from requirements related to identity theft under the Federal Trade Commission’s Red Flags Rule. “The AICPA, with help from state CPA societies nationwide, worked tirelessly on this issue,” said AICPA President and CEO Barry Melancon. “The bill makes clear that CPAs and CPA firms are not classified as ‘creditors’ for the purposes of the [FTC’s] Red Flags Rule” and should not be subject to steps the Institute called “onerous and unnecessary.” Read more from the Journal of Accountancy and the AICPA’s press release.
UPDATE: Senate Passes Bill Clarifying Red Flags Rule Application (December 2010)
On Nov. 30, the U.S. Senate unanimously passed the Red Flag Program Clarification Act of 2010, which clarifies "creditors" for the purposes of the Federal Trade Commission's Red Flags rule. The bill states that CPAs in public practice, in addition to lawyers, doctors, dentists and other health care and service providers, are not classified as creditors as they do not "offer or maintain accounts that pose a reasonably foreseeable risk of identity theft." The bill now heads to a vote in the U.S. House of Representatives. The AICPA and state CPA societies have fought tirelessly for this clarification over the past year. For more information on the Red Flags rule, the AICPA's lawsuit to prevent its enforcement against CPAs and how the rule affects your practice, read the AICPA's statement on the Senate vote.
UPDATE: Red Flags Rule Enforcement Further Delayed (May 2010)
At the request of several Members of Congress, the Federal Trade Commission (“FTC”) announced, on May 28th, 2010, that it is further delaying enforcement of the “Red Flags” Rule (“Rule”) through December 31, 2010. The reasoning for the delay, according to the FTC’s press release, is to give time for Congress to consider legislation that would affect the scope of entities covered by the Rule. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the FTC will begin enforcement as of that effective date.
The FTC interprets the Rule, issued on November 9, 2007, to cover any public accounting firm which bills clients for services rendered, under the reasoning that a “creditor” includes “any entity that defers payments, even in the normal course of a traditional billing process”. Thus, if a public accounting firm bills clients monthly, this would be considered to be an extension of credit that requires the existence of an internal program, subject to inspection and review, designed to detect, prevent and mitigate client identity theft.
The AICPA does not believe there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered, and has a lawsuit pending in the United States District Court for the District of Columbia (“District Court”) which seeks a bar against the application of the FTC rule to CPAs and accounting firms.
ADVOCACY: Red Flags Rule (April 2010)
In 2003, Congress passed legislation (Fair and Accurate Credit Transactions Act, or “FACTA”) intended to curb identity theft. Pursuant to this legislation, the FTC issued, on November 9, 2007, a “Red Flags” rule that requires “creditors” or “financial institutions” with “covered accounts” to have in place programs to assist in identifying a potential identity theft. Subsequent interpretations by the FTC made clear that the rule covers any CPA who bills clients for services rendered, under the reasoning that a “creditor” includes “any entity that defers payments, even in the normal course of a traditional billing process”. Thus, if a CPA bills clients monthly, this would be considered to be an extension of credit that requires the CPA to have an internal program, subject to inspection and review, designed to detect, prevent and mitigate client identity theft.
Enforcement of the rule has been postponed three times since the original November 1, 2008, effective date, with the current effective date of enforcement scheduled for June 1, 2010. In several instances, the AICPA requested that the FTC exempt CPAs from the regulation and on November 10, 2009, filed a lawsuit in the United States District Court for the District of Columbia (“District Court”) seeking a bar against application of the FTC rule to CPAs and accounting firms, arguing, in part, that the FTC exceeded its statutory authority by extending the rule to regulate accountants. The AICPA does not believe there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered.
While the current effective date continues to be June 1, 2010, the District Court issued an order on March 18, 2010 stipulating that the FTC “will continue to delay enforcement of the Red Flags Rule with respect to members of the AICPA engaged in the practice of public accountancy for ninety (90) days after the U.S. Court of Appeals for the District of Columbia Circuit (“Circuit Court”) renders an opinion in the American Bar Association’s case against the FTC.” The American Bar Association, which similarly filed suit against the FTC on August 27, 2009, was granted a summary judgment (in its favor) on October 29, 2009. The FTC’s appeal to the Circuit Court is currently pending.