Update on FINRA’s New Rep-Recruit Customer Notice Rule 2273

Following up on our previous post from last month, this past Monday, FINRA released Regulatory Notice 16-18 (Notice), announcing the effective date of November 11, 2016 for the new rule and providing the format and text of the required Educational Communication to be given to prior customers of newly recruited representatives seeking to transfer accounts to the new firm. The Notice and Educational Communication can be accessed by clicking here. The Communication is in Exhibit B of the Notice.

Recruitment of New Rep Disclosure – New FINRA Rule 2273 for Customer Notice Requirement (Includes a brief addendum regarding the Recruitment Compensation Disclosure Requirement under the new DOL Fiduciary Rule)



On March 23, 2016, the SEC approved new FINRA Rule 2273, which establishes an obligation for a member firm to deliver to certain retail customers an educational communication in connection with newly recruited reps soliciting or encouraging their former customers to transfer their accounts to the new firm. FINRA hasn’t announced an effective date yet, but we are expecting it sometime between now and late September of this year.

While not an earthshaking new rule, it will require some planning and thought as firms will be required to update their policies, procedures, and supervisory systems to ensure delivery of a FINRA-produced educational communication (Notice) to former customers of transferring reps who are encouraged or solicited by their reps to transfer their accounts to the new firm. Former customers are defined as any retail customer that had a securities or investment advisory account assigned to a rep at the rep’s former firm. Institutional accounts are excluded, except when such accounts are held by a natural person. Additionally, Rule 2273 would not apply if the rep transferred to a non-member firm (e.g., an investment adviser or a bank) or associated with a member firm solely as an investment adviser representative.

Since the Notice is a FINRA-produced communication, firms have no flexibility (or responsibility) for the content of the Notice to be provided to such potential new customers. FINRA tells us that the as-yet-to-be-produced Notice is meant to highlight the potential implications of transferring assets to the recruiting firm, as well as to suggest specific questions the customer may want to ask in order to make an informed decision whether to transfer his or her account or remain with the current firm. Specifically, the Notice is intended to highlight these four areas:

1) The role that possible conflicts of interest may have between the rep and the customer moving to the new firm in light of any financial incentives (i.e., recruitment bonuses or enhanced payout rates) the rep received for changing firms;

2) The costs to customers for assets not directly transferable to the new firm or that may be incurred to liquidate and move those assets; whether the customer will otherwise incur inactivity fees to leave the assets with the current firm;

3) Other potential costs related to transferring assets to the new firm, including potential taxes, as well as differences in the pricing structure and fees imposed between the customer’s current firm and the new firm;

4) Differences in products and services between the customer’s current firm and the new firm.

Delivery Notice Triggers and Methods of Delivery

The rule requires the delivery of the Notice at or shortly after the time of first contact. This means that if the first contact is in writing via email or snail mail, the Notice must accompany the written communication. However, if the first contact is via email or another electronic means, the new firm must at least provide a hyperlink directly to the Notice with a brief message as to why it’s included. If the first contact is oral, whether by phone or in person, either the new firm or the rep must send it no later than three business days after the initial contact or with any other communication sent by the new firm to the rep’s former customer in connection with a potential transfer of assets, whichever is sooner. Additionally, when contact is made orally, the rep or the firm has to inform the former customer that he or she will be receiving the Notice and that the Notice contains important considerations for determining whether to transfer assets to the rep’s new firm.

In situations where a former client initiates contact with the new firm without a first contact by the rep or the new firm, Notice must still be provided, though in those circumstances, it can be provided with the account transfer approval documentation.

Time Limit and Exception

The Notice delivery requirement continues for three months following the date that the rep begins employment or otherwise associates with the new firm. The only exception to the delivery requirement is when the rep initiates contact to move the account and the former client indicates no interest in moving. However, if the former client has a change of heart, then the Notice must be delivered if it’s within the three-month time limit.


As with any other public communications, the delivery of the Notice will require amending written supervisory procedures to ensure that the Notice and the delivery requirements come within the purview of the firm’s supervisory system. While FINRA has not specified supervisory procedures to be implemented, they do expect that members can implement a system reasonably designed to achieve compliance with the delivery requirements through training, spot checks, certifications, logs, or other measures.

***DOL’s New Requirement to Disclose Recruitment Bonuses Paid to Brokers***

The prior proposal for FINRA Rule 2273 required a recruiting member firm to disclose to previous customers the ranges of recruitment compensation that their rep received or would have received in connection with changing firms and the basis for the compensation (i.e., asset-based or production-based). FINRA withdrew that component in the final rule.  However, for broker-dealers who wish to continue to provide commission-based services to ERISA Plans and IRA accounts, the Department of Labor’s new Fiduciary Rule has a provision under its Best Interest Contract exemption (BIC) that will require such firms to disclose and post on their websites recruitment bonuses paid to reps along with the rep’s compensation grid.  Additionally, the compensation grid disclosure will be required for all reps doing ERISA and IRA business, not just the recruited reps.

While not yet in effect, the new DOL rule is complex and has unresolved questions such as when does the payment of a recruitment bonus require compliance with the BIC exemption and how does one comply with regard to past transactions? We’ll post more about this in the future. In the interim, if you have any questions or need help with designing your supervisory system to comply with the new FINRA rule, don’t hesitate to contact me at 616-752-2526 or ddawe@wnj.com.

A Mere Two Months Away – FINRA Rule Requiring Website Hyperlinks to BrokerCheck

With all the buzz circulating these days on the impending DOL fiduciary rule, a recent FINRA rule change deserves a specific mention so firms are not caught by surprise. Effective on June 6, a mere two months from now, a new amendment to Rule 2210 (the Communications with the Public Rule) will require retooling of all retail broker-dealer initial website landing pages to include a “readily apparent reference and hyperlink” to BrokerCheck.

Which Firm Webpages are Required to Post This?

In addition to the main retail landing page (usually the home page), New FINRA Rule 2210(d)(8)(A) requires any other webpage that includes a professional profile of one or more registered persons who conduct business with retail investors to have their own separate, but “readily apparent reference and hyperlink” to BrokerCheck. This part of the requirement will be of particular importance to independent reps and rep firms that host or sponsor rep-specific webpages or websites. Each such page will require its own “readily apparent reference and hyperlink.”

What is a “Readily Apparent Reference and Hyperlink” to BrokerCheck?

The FINRA Notice uses this phrase repeatedly and on purpose. It will require some careful thought and planning on the part of web designers and developers. On page three of the adopting notice RN 15-50, FINRA says to determine what they mean by this phrase, members should adopt “the perspective of a reasonable retail investor” and pay attention to placement, font size and font color. Are the reference and hyperlink visible as soon as a person lands on the website or only after significant scrolling down the page or below the screen? If they are below the screen, is notice provided that more follows below? Are they buried in a long paragraph or easily seen by an offset on the page? Are the reference and hyperlink in the same font size as the body text or hard to read micro type? How about the colors? Do the colors contrast or blend in with the background colors making them difficult to see? While FINRA doesn’t give an exhaustive list, they do state in no uncertain terms that putting the reference and hyperlink in a footer would not satisfy the “readily apparent” standard set out by this rule. Therefore, it wouldn’t be appropriate to place it in the footer with the Member FINRA/SIPC hyperlink, business continuity and order routing disclosures, privacy notice, or other disclosures that one typically finds there.

Exceptions and Exclusions

The only two exceptions to the requirements of the rule are: 1) firms that do not provide products or services to retail investors; and 2) a directory or list of registered representatives limited only to names and contact information. Anything beyond contact information triggers the “readily apparent reference and hyperlink” requirement. See FINRA Rule 4512(c) for who is not considered a “retail investor.”

Also excluded from the rule are communications appearing on third-party social networking sites such as Twitter and LinkedIn. These were specifically mentioned in the Notice announcing the approval of the rule. However, the Notice leaves the door open to further rule changes for social media by qualifying the exclusion with an “At this time,” clause. It also leaves unanswered questions about firm or rep sponsored Facebook pages specifically set up to promote a rep or a firm’s business. Firms and reps could be proactive now and place the “readily apparent reference and hyperlink” on those kinds of third-party social media pages.

Examples of “Readily Apparent References and Hyperlinks”

FINRA indicates that either a simple hyperlink to the BrokerCheck home page or a rep-specific “deep-link” will satisfy the hyperlinking requirement, though by itself, a mere hyperlink might not provide the “readily apparent reference.” However, FINRA is making a page of icons and other resources available to members to use for hyperlinking purposes. You can find them by clicking here.

Remember, June 6 is the date when the rule takes effect. If you’d like to discuss your particular advertising questions, please feel free to contact me at 616-752-2526 or ddawe@wnj.com.

Annual Privacy Notice Requirement Rule Change


On December 4, 2015, the Fixing America’s Surface Transportation Act (the FAST Act) became effective and, among other things, amended the Gramm-Leach-Bliley Act (GLBA). The FAST Act provides an exception to the annual privacy notice requirement for certain financial institutions meeting essentially just two conditions, both of which many broker/dealers and investment advisers already meet. First, the firm must only share nonpublic personal information within the GLBA exceptions that do not have an opt-out right. These exceptions include, but are not limited to, sharing information with non-affiliated third parties for the purposes of performing services for or functions on behalf of the firm (e.g., crucial service providers like clearing firms, custodians, portfolio management systems). Second, the firm must not have changed its privacy policies or procedures with respect to the disclosures of nonpublic personal information since the last privacy notice was made to clients. If your firm meets both of these exceptions, then it no longer needs to send annual privacy notices unless there were changes to its privacy policies or in its disclosure practices for nonpublic personal information with third parties such that a consumer would have the right to opt-out.

Of course, the initial privacy notice requirement has not changed. If you’d like to discuss your particular circumstances to see whether your firm meets the conditions for the exception to the annual notice requirement, please feel free to contact me at 616-752-2526 or ddawe@wnj.com.

Cybersecurity, security breaches, and potential client identity theft concerns remain high among regulators.

Today, the Securities and Exchange Commission reported the results of its 2014 cybersecurity examination sweep of broker-dealers and investment advisers. The SEC also warned investors about cybersecurity threats at brokerage and investment advisory firms and suggested how investors could better protect their online investment accounts. SEC Chair Mary Jo White said: “Cybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC.”

The SEC’s investor bulletin provides useful tips to help investors safeguard online investment accounts. Those include:

  • Pick a “strong” password
  • Use two-step verification (if available on the website)
  • Exercise caution when using public networks and wireless connections

Click here for the latest SEC information on cybersecurity.

Warner Norcross & Judd has provided extensive guidance about protecting against and preparing for cybersecurity threats. Click here to read our materials.

Contact Shane B. Hansen (616.752.2145 or shansen@wnj.com) or any other member of the Funds and Investment Services Group at Warner Norcross to learn more about how broker-dealers and investment advisers can better prepare you or your company for cyber-attacks and the regulatory requirements that may be triggered when they occur.

For Our Broker-Dealer Friends and Other Interested Persons: This Just in from FINRA: Industry-Wide Business Continuity Testing Slated for Saturday, October 25, 2014

“On Saturday, October 25, 2014, from approximately 9 a.m., Eastern Time (ET) to 1 p.m., ET, the Securities Industry and Financial Markets Association (SIFMA) will conduct an industry-wide business continuity test. The FINRA systems for reporting corporate and agency debt and securitized products transactions will be available for firms to connect and test trade reporting functions. The system will reflect a business/trade date of Saturday, October 25, 2014.

This test provides the opportunity for firms, markets and utilities to verify their ability to operate through an emergency using backup sites, recovery facilities and backup communications capabilities. The test will simulate a disaster scenario and will allow customers to use the appropriate backup connectivity method to the FINRA TRACE system.

Note: A formal FINRA test script is not available; users are encouraged to ensure connectivity and to utilize normal trade reporting functions during the test.

Additional details for the test can be found on the SIFMA website.

If you have questions, please send an email to FINRA Product Management or call (866) 899-2107.”

Our two cents: If you plan on participating, don’t forget to document the who, what, where, and when of your testing for your firm’s records.


Asked and Answered: Private Placement Sales and Tricky Trust Questions from the SEC’s Q&A’s

Broker-dealers who sell private placements often encounter tricky questions related to accredited investor status in certain transactions.  For example, a client recently asked whether an irrevocable trust with less than $5 million in assets could still be considered an accredited investor by virtue of the fact that the trustee and the beneficiary are both natural persons and meet the criteria for being accredited investors. 

First, without delving into too much detail, let’s back up a couple of steps for a quick review. Remember that when it comes to individuals, whether as trustees, beneficiaries, or grantors, the updated Reg D Rule 501(a) generally defines an accredited investor as: (1) any natural person whose individual net worth, or joint net worth with his/her spouse, at the time of purchase exceeds $1 million, excluding equity in the individual’s principal residence (see Rule 501(a)(5) for the particulars); (2) any natural person with individual income exceeding $200,000 in each of the two most recent years, or joint income with a spouse exceeding $300,000 in each of the two most recent years, who has a reasonable expectation of reaching the same income in the current year; or (3) a director, executive officer or general partner of the company selling the securities, or a director, executive officer or general partner of a general partner of the company selling the securities.

Second, with regard to trusts, Reg D Rule 501(a)(7) states that any trust (revocable or irrevocable) can be an accredited investor: (1) if the trust has total assets in excess of $5 million and was not formed for the specific purpose of acquiring the securities and whose investment decisions are directed by a knowledgeable person with experience in financial and business matters capable of evaluating the risks and merits of the prospective investment; or (2) a trust whose trustee is a bank.  See Rules 501(a)(1) and 506(b)(2)(ii), as well as SEC Release 33-6455 (March 3, 1983) if you want to dig deeper.

Stated differently, the question is whether the accredited status of a trustee or a beneficiary can be attributed to a small trust in order for the trust to purchase the securities that it otherwise wouldn’t be qualified to buy standing on its own merits.  Fortunately, this kind of question has come up before in SEC Q&A’s that were recently updated and posted on July 3, 2014. They follow below (with emphasis added). You can find the whole 141-page document from the SEC’s website here. It’s a compilation of updated compliance and disclosure interpretations of the rules adopted under the Securities Act, so it covers a lot of ground. 

Question 255.19

Question: May a trust qualify as an accredited investor under Rule 501(a)(1)?

Answer: Only indirectly. Although a trust standing alone cannot be accredited under Rule 501(a)(1), if a bank is its trustee and makes the investment on behalf of the trust, the trust will in effect be accredited by virtue of the provision in Rule 501(a)(1) that accredits a bank acting in a fiduciary capacity. Furthermore, a trust having a bank as a co-trustee is an accredited investor as interpreted under Rule 501(a)(1) so long as the bank is “acting” in its fiduciary capacity on behalf of the trust in reference to the investment decision and the trust follows the bank’s direction. See the Nemo Capital Partners L.P. no-action letter (Mar. 11, 1987) issued by the Division. [Jan. 26, 2009]

Question 255.20

Question: A trustee of a trust has a net worth of $1,500,000. Is the trustee’s purchase of securities for the trust that of an accredited investor under Rule 501(a)(5)?

Answer: No. Except where a bank is a trustee, the trust is deemed the purchaser, not the trustee. The trust is not a “natural” person. [Jan. 26, 2009]

Question 255.21

Question: May a trust be accredited under Rule 501(a)(8) if all of its beneficiaries are accredited investors?

Answer: Generally, no. Rule 501(a)(8) accredits any entity if all of its “equity owners” are accredited investors. This provision does not apply to the beneficiaries of a conventional trust. The result may be different, however, in the case of certain non-conventional trusts where, as a result of powers retained by the grantors, a trust as a legal entity would be deemed not to exist. The result also would be different in the case of a business trust, a real estate investment trust, or other similar entities. Thus, where the grantors of a revocable trust are accredited investors under Rule 501(a)(5) (e.g., the net worth of each exceeds $1,000,000) and the trust may be amended or revoked at any time by the grantors, the trust as a legal entity would be deemed not to exist, and the trust would be deemed accredited, because the grantors would be deemed the equity owners of the trust’s assets. See the Lawrence B. Rabkin, Esq. no-action letter (July 16, 1982) issued by the Division. [Jan. 26, 2009]

So, unless the trustee is a bank and the bank is making the investment decision, generally the answer is negative.  However, with respect to accredited grantors who retain powers to amend or revoke a revocable trust, the answer is different since they would be treated essentially as “equity owners” under Rule 501(a)(8) and the trust would be deemed “not to exist,” thus allowing the issuer of the securities to look past the trust and rely on the accredited status of the grantor(s).

While not part of the original question, what if the grantor of an irrevocable trust is an accredited investor?  Does the same answer obtain?  Only if certain narrow conditions are met. See below for details.

Question: Are there circumstances under which the grantor of an irrevocable trust would be considered the equity owner of the trust under Rule 501(a)(8)?

Answer: The grantor of an irrevocable trust with the following characteristics could be considered the equity owner of the trust: (1) The trust was a grantor trust for federal tax purposes. The grantor was the sole funding source of the trust. The grantor would be taxed on all income of the trust during at least the first 15 years following the investment and would be taxed on any sale of trust assets during that period. During this period, all of the assets of the trust would be includable in the grantor’s estate for federal estate tax purposes. (2) The grantor was a co-trustee of the trust and had total investment discretion on behalf of the trust at the time the investment decision was made. (3) The terms of the trust provided that the entire amount of the grantor’s contribution to the trust plus a fixed rate of return on the contribution would be paid to the grantor (or his estate) before any payments could be made to the beneficiaries of the trust.  (4) The trust was established by the grantor for family estate planning purposes to facilitate the distribution of his estate. In order to effectuate the estate planning goals, the trust was irrevocable.  (5) Creditors of the grantor would be able to reach the grantor’s interest in the trust at all times.  See the Herbert S. Wander no-action letter (Nov. 25, 1983) and the Herrick, Feinstein LLP no-action letter (Jan. 5, 2001) issued by the Division. [Jan. 26, 2009]

We’ll take a look at other Reg D transaction questions in subsequent posts.

The Blue Ribbon of Stupid

At least for the recent past, this award has to go to the broker-dealer and its AML Compliance Officer (“AMLCO”) out East, who were both sanctioned by FINRA for easily avoidable AML violations. The combined fine was $200,000 with a three-month suspension for the AMLCO. Among the patterns of noncompliance with AML rules and the firm’s own written AML procedures, they ignored “red flags” of trading activity in customer accounts that were specified in their own policies and procedures. Specifically, these were customers with multiple accounts, customers with securities-related disciplinary histories who were in the process of receiving SEC sanctions, customers transacting in numerous penny stocks, and customers doing obviously questionable third-party wires related to the penny stock liquidations.

FINRA found that they turned a blind eye to the liquidations and the wiring activity, including ignoring their clearing firm’s exception reports and warning notices of unsavory clients, all of which they received throughout the period and would have easily helped them address the situation had they not ignored them. Instead, the AMLCO only looked at daily trade reports, which, barring a photographic memory, are useless to detect any long-term patterns of suspicious activity.

Additionally, even though the firm had written AML procedures to respond to FinCEN 314(a) requests, they ignored them entirely.

The firm had numerous flagrantly suspicious clients and transactions, all of which they ignored. As an example (and you can’t make this stuff up!) – an account for a citizen of India, who resided in the Philippines, whose registered agent was located in Samoa; the person with trading authority had a listed address in Panama and conducted business in Canada! From June 2008 through October 2009, the account did significant trading and wire activity related to 50 different penny stocks, deposited over 46 million shares of penny stocks, liquidated over 31 million shares, and wired out $12.5 million through 19 wires to a bank account located in Barbados, a jurisdiction where this client had no known personal connections.

Fortunately, as of now – and in spite of the fines – the firm filed the Form-BDW to withdraw from registration as a BD and go out of business.

So, what’s the takeaway from this rather obvious enforcement case? Follow your written AML compliance program policies and procedures. If you have red flag policies (and you should), make sure you follow them, and never turn a blind eye to following up on suspicious customers and transactions until they’re resolved or shut down. File Suspicious Activity Reports whenever necessary and document your investigations along the way.

We’ll take a look at other interesting and informative enforcement actions in subsequent postings.

Important Dates re: Identity Theft Red Flag Rules of Regulation S-ID

Regulation S-ID, which we wrote about on April 15, becomes effective on May 20, 2013.  All affected firms must be in compliance with the new rules by November 20, 2013. It’s not too soon to review the impact of this new rule on your firm and amend or add policies and procedures for compliance. Feel free to contact me at ddawe@wnj.com for assistance.

SEC Adopts Identity Theft Red Flags Rules

As recently as last week, on Wednesday, April 10, the SEC adopted new Regulation S-ID, the Identity Theft Red Flag Rule (available for download by clicking here), which requires certain investment advisers (including Private Fund sponsors), broker-dealers, and mutual funds to develop and implement a written identity theft prevention program (“Program”) to detect red flags and prevent identity theft. Regulation S-ID now applies to any investment adviser that “directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.”  Lest you think that you are an adviser that doesn’t directly or indirectly hold these transaction accounts for clients because you don’t have custody of client assets but use a third-party custodian, the “SEC has concluded otherwise.” In the adopting release, the SEC makes clear that:

 “Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions.  If such an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor.  The red flags program of a bank or other qualified custodian that maintains physical custody of an investor’s assets would not adequately protect individuals holding transaction accounts with such advisers because the adviser could give an order to withdraw assets, but at the direction of an impostor.” (Emphasis added.) 

If the adviser has authority to withdraw money from a client’s account solely to deduct its own advisory fees, then the adviser would not be deemed to hold a transaction account.  However, if the adviser has the authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions (such as, for example, by a standing letter of instruction signed by the client, or by the firm acting as the agent for the client to pass instructions on to the custodial firm so that the custodial firm effects the transfer), then the SEC would deem the adviser to hold a transaction account and thus be subject to all the rules of Regulation S-ID and to have a written Program.  

Next Step: Applicable to All Investment Advisers:

The final rules under Regulation S-ID will become effective 30 days after publication in the Federal Register.  The compliance date for the final rules will be six months after their effective date.  So, it’s not too soon to start to make an assessment of whether and to what extent your investment adviser firm holds, directly or indirectly, transaction accounts with clients.

Next Step: For Investment Advisers Who Do Not Hold Client Transaction Accounts: 

If you conclude that you do not hold these kinds of accounts, then Regulation S-ID requires you to periodically reassess whether you must develop and implement a written Program.  At the very least, you will need to enhance your written compliance program policies and procedures to incorporate making this periodic assessment.  Perhaps the simplest way of doing that is by making it a component of the required annual review of your compliance program that you should already be conducting under Rule 206(4)-7 of the Advisers Act.    

Next Step:  For Investment Advisers Who Hold Direct or Indirect Client Transaction Accounts 

Begin now to inventory the types of transaction accounts you have with clients and the processes you use to make transfers of funds.  The SEC’s expectations in the adopting Release are that you will tailor your Program to the size and complexity of your firm and to the nature and scope of your transactional activities.  A “one-size-fits-all” approach, which is inherently unreasonable, won’t work.

The final rules provide direction regarding the development and administration of your Program in four areas: 

1.      The Program must be in writing and formally approved in writing by either the board of directors, an appropriate committee of the board of directors, or if the firm does not have a board, from a designated senior management employee.  This requirement highlights the responsibility of the most senior levels of management to formally approve the Program.

2.      The firm must involve the board of directors, an appropriate committee of the board, or a designated senior management employee (in the absence of a board) in the oversight, development, implementation, and administration of the Program. In many firms, that designated employee may be the Chief Compliance Officer.  That person must report to the board or other senior management, at least annually, on compliance by the firm with the Program, and the board or other senior management must approve any material changes, as necessary, to address changes in identity theft risks. 

3.      The firm must have an effective staff training program in place to implement the Program. 

4.      The firm must exercise appropriate and effective oversight of any service provider arrangements so that the firm remains legally responsible for compliance with the rules, irrespective of whether it outsources its identity theft red flags detection, prevention, and mitigation operations to a service provider.  For example, a firm that uses a service provider to open accounts on its behalf, could reserve for itself the responsibility to verify the identity of a person opening a new account, may direct the service provider to do so, or may use another service provider to verify identity.  The firm, however, remains ultimately responsible for ensuring that the activity is conducted in compliance with a Program that meets the requirements of the identity theft red flags rules.  

Four Required Program Elements

The final rules set out four elements that firms must include in their written Programs: 

1.      Relevant Red Flags Identification.  The Program’s written policies and procedures must be reasonably tailored to the firm to identify and incorporate relevant red flags.  Rather than identifying specific red flags in the rule release, the SEC provides flexibility in determining which red flags are relevant to a firm’s business.  Examples of red flags are provided in Section II of the release.  Given the changing nature of identity theft, the SEC believes that this element allows firms to respond and adapt to new forms of identity theft and risks as they arise. 

2.      Effective Detection of Red Flags.  The Program’s written policies and procedures must have reasonable policies and procedures to detect the red flags that the Program incorporates. As in Item 1 above, the SEC doesn’t mandate a specific method of detection but only provides examples of various means to detect them (cf. Section III of the guidelines).  

3.      Effective Response to Red Flags.  The Program’s written policies and procedures must have reasonable methods to respond to any red flags that are detected. The firm must be able to reasonably assess whether the red flags that are detected evidence a risk of identity theft and, if so, determine how to respond appropriately based on the degree of risk.  Section IV of the guidelines sets out a list of aggravating factors and examples that a firm should consider in determining an appropriate response.  

4.      Periodic Program Review and Updating.  The Program must have written policies and procedures to periodically update the Program (including the red flags determined to be relevant) to reflect the changes in risks to clients and to the safety and soundness of the firm from identity theft.    

It’s not too soon to start thinking about the impact of Regulation S-ID on your firm. Please feel free to contact any member of our group if you have any questions or concerns about this new regulation and its applicability to your firm.
