May 7, 2012 marks the end of the comment period for the proposed identity theft red flags rules and guidelines issued jointly by the Securities and Exchange Commission and the Commodities Future Trading Commission. The Proposed Rules, which would apply to certain broker-dealers, investment companies, investment advisers, futures commission merchants, commodity pool operators, introducing brokers, and other SEC- and CFTC-regulated entities, are substantially similar to the identity theft red flags rules and guidelines issued in 2007 by the Federal Trade Commission and the federal banking agencies ("FTC Red Flags Rules") pursuant to the Fair and Accurate Credit Transactions Act ("FACTA"), which amended the Fair Credit Reporting Act ("FCRA").
The Dodd-Frank Wall Street Reform and Consumer Protection Act further amended the FCRA and transferred rulemaking and enforcement authority over the identity theft red flags rules to the SEC and CFTC with respect to the entities under their jurisdiction.
However, because the FTC Red Flags Rules were not specific to the securities industry and there was some confusion as to which entities were subject to their requirements, the Proposed Rules should help clarify the circumstances in which the red flags requirements apply.
The Proposed Rules, like the FTC Red Flags Rules, apply to "financial institutions" and "creditors" that offer or maintain "covered accounts," including all accounts that "a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" as well as "any other account … for which there is a reasonably foreseeable risk to customers … from identity theft." The Proposed Rules clarify that the term "financial institution" includes any "futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that directly or indirectly holds a transaction account belonging to a consumer." The Proposed Rules also apply to broker-dealers, registered investment advisers, and registered investment companies that meet the definitions of "financial institution" or "creditor" under the FCRA. Additionally, under the Proposed Rules, "covered accounts" include margin accounts and brokerage or mutual fund accounts that permit wire transfers or other payments to third parties.
- identify relevant "red flags," which are patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account;
- detect red flags that have been incorporated into the program;
- respond appropriately to any red flags that are detected; and
- update the program periodically to reflect changes in risk.
The initial written program must be approved by the board of directors or a committee of the board of directors, and the board or senior management must be involved in the oversight and administration of the program. In addition, the program must provide for appropriate staff training and oversight of service provider arrangements.