The SEC and the CFTC jointly issued final Red Flags Rules on April 10, 2013. The SEC and CFTC Red Flags Rules are largely similar to the Red Flags Rules adopted by the Federal Trade Commission (“FTC”) under the Fair Credit Reporting Act (“FCRA”) in 2007. However, the Commissions acknowledged that the adopting release and the final Red Flags Rules contain certain guidance, examples, and minor language changes that may lead some SEC- and CFTC-regulated entities that previously concluded the FTC Red Flags Rules did not apply to them to now determine that the SEC and CFTC Red Flags Rules do, in fact, apply to them. All SEC- and CFTC-regulated entities that determine they fall within the rules’ scope must adopt and implement a red flags rules program intended to help detect identity fraud by November 20, 2013.
SEC- and CFTC-regulated entities to which the Red Flags Rules apply are those that may be considered “financial institutions” or “creditors” under FCRA. Those financial institutions or creditors that maintain “covered accounts” need to adopt identity theft red flags programs. The SEC has stated that SEC-regulated entities likely to qualify as financial institutions or creditors and maintain covered accounts include “most registered brokers, dealers, and investment companies, and some registered investment advisers.” For instance, an investment adviser may be considered a “financial institution” subject to the Red Flags Rules if it: (a) has the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the instructions of such individuals, (b) has the authority, by power of attorney or otherwise, to withdraw money from an individual investor’s accounts and direct payments to third parties according to such investor’s instructions, or (c) has the authority, pursuant to an arrangement with the private fund or individual, to direct such individual investor’s investment proceeds to third parties. Institutions, including investment advisers, that offer margin accounts or accounts that permit wire transfers or other payments to third parties also may be subject to the Red Flags Rules.
Administratively, the Red Flags Rules require that (i) any red flags identity theft protection program be approved, if not already in place, by the board of directors, an appropriate committee thereof, or senior management of an entity if there is no board; (ii) there be high-level involvement in the oversight of the red flags program; (iii) staff be trained to implement the red flags program; and (iv) there be oversight of service provider arrangements with respect to red flags programs (i.e., compliance cannot be completely delegated to service providers). An organization’s red flags program also should be appropriately tailored to the organization’s size and complexity and designed, at a minimum, to (i) identify relevant patterns, practices, or specific activities that indicate possible identity theft (the “red flags”); (ii) detect those red flags; (iii) respond appropriately to any red flags detected; and (iv) update the organization’s red flags program from time to time to reflect changes in risks from identity theft. The full text of the Red Flags Rules is available here.