ARLINGTON, VA. -- Compliance experts are recommending that firms take a flexible, risk-based approach as they respond to the SEC's red flag rules, a new set of regulations for protecting clients against identity theft

Enacted last year, the red flags rules require entities that qualify as covered financial institutions or creditors maintaining covered accounts to implement an identity theft program. In its guidance, the SEC noted that "most registered brokers, dealers and investment companies, and some registered investment advisors" are likely to meet the threshold triggering the requirement to set up an identity theft program.

Firms that maintain any type of transaction account for their customers will often be subject to the red flags requirements, according to Jennifer Porter, senior counsel at the Investment Adviser Regulation Office in the SEC's Division of Investment Management.

"For advisors, I think it's helpful to keep in mind that you can have an indirect transaction account, so if you have authority to direct payment from the investor's account to a third party, you can potentially be implicated," Porter said during a panel discussion at the Investment Adviser Association's compliance summit.

The SEC, which adopted its red flag rules in concert with the Commodity Futures Trading Commission, set a compliance date of Nov. 20, 2013.


After a firm has made the determination that it is subject to the red flags rules, it must establish a program geared toward identifying, detecting and responding to identity theft warnings, and then periodically updating the program and maintaining a formal structure for administering it.

Speakers at the IAA conference emphasized the dynamic nature of the risks of identity theft, arguing that firms' programs must be able to adapt and respond accordingly. The SEC is not particularly prescriptive in its guidance for the red flags rules, and avoids mandates relating to specific warning signs or policies and procedures.

That means that a crucial part of the implementation of an identity theft program involves an ongoing review and periodic updates.

"We look at this as a minimum on an annual basis, because if you don't kind of get it into a regular cycle it's not going to be effective," said Karen Nash-Goetz, vice president at T. Rowe Price Associates.

Those reviews, Nash-Goetz suggested, must not be abstract exercises, but instead should draw on any recent experiences the firm has had in dealing with fraudsters, and would do well to incorporate lessons learned from the high-profile data breaches that are so often in the headlines.

"Part of your periodic updates should be a review of what's happened," she said. "I think in reviewing your program it's important to look back on your actual experiences."

Likewise, firms should review their identity theft programs each time they open a new line of business or take on a new kind of client, Nash-Goetz said.


The staff training that the SEC requires in its red flag rules is also an essential component of an advisory firm's identity theft program, according to Satish Kini, a partner with the law firm Debevoise & Plimpton, who pointed out that the personnel who deal directly with clients are, after all, the front lines of defense.

"Authenticate very carefully people who call up or people who email. These days with all the hacking that goes on, like, Yahoo and other accounts, oftentimes people who are criminals have access to a great deal of [clients'] data," Kini said. "And we see that repeatedly in terms of identity theft."

Nash-Goetz recommended that advisors align their red flags program with the anti-money laundering and customer identification programs they should already have in place. But she also emphasized the essential human element in any identity theft program, where advisors' intuition will be informed by the relationships they have developed with their clients.

"This is really the paying attention," she said. "What are normal patterns for your clients and how do you normally deal with them, and what's unusual?"

Read more: