The Securities and Exchange Commission is requiring that many financial advisors be ready to take action if they see their clients may be threatened by identity theft.
The new rules apply to financial advisors who are authorized to move funds for clients to third parties, and those advisors must have a written plan to deal with potential identity theft, says Luis Salazar, a legal expert on privacy and identity theft issues. The new rules are similar to those that require banks and other financial institutions to watch for potential identity theft on behalf of their customers.
The SEC regulations that will go into effect after being published in the Federal Register will require firms to set up "red flag" files to track what they are doing to prevent identity theft, says Salazar, founding partner of the law firm of Salazar Jackson in Miami, Fla.
“You would want to do this anyway as a best practice on behalf of your clients, but now it will be required, as it is of banks and other financial institutions,” Salazar says.
Advisory firms must specify what red flags they are using to spot potential identity theft and how they respond to a red flag.
The red flag rules will need to be developed by senior management, the board of directors or the compliance department and will have to be updated periodically. Firms that do not need to comply because they aren't authorized to move clients’ money will need to show that they review periodically whether their status has changed to make them subject to the new regulations.
There are a number of red flags an advisor can watch for, Salazar says. Instructions coming from a client with a new e-mail address could set off a warning light. A client saying he changed addresses or that he wants money invested in a place where it has never been invested before could be warnings. If a check of a client’s credit history shows numerous requests for credit reports, it could be a red flag.
“The response to a red flag for the advisor could be as simple as picking up the telephone to call the client and asking him if the new e-mail address is legitimate,” Salazar says. “Or it could be as extreme as calling the police.”
The firm's report will need to show steps taken to protect clients from identity theft, to detect attempts at identity theft and to mitigate the results.
“Estimates of how many people are the victims of identity theft each year vary widely,” Salazar says, “but, if it happens, the effects can follow a person forever in some cases.”
The U.S. Department of Justice estimates 7 percent of U.S. households are the victims of identity theft each year and 8.6 million individuals are victims. Loss estimates range from $13 billion annually and up. Identity theft is described as one of the fastest-growing types of crime.
Each firm that has transaction accounts of clients needs to have an effective training program in place for staff members. If an outside service provider is hired to make sure the firm meets the new regulations, the firm must maintain oversight so that the firm is still legally responsible for compliance with the rules.
“You cannot take things for granted,” Salazar says. “Think about the ways someone could access your clients’ accounts and then write a plan to be on the lookout for identity theft.”