Pursuant to the Fair and Accurate Credit Transactions Act of 2003,1 a number of federal agencies in 2007 issued joint final identity theft rules and guidelines pertaining to the detection, prevention, and mitigation of identity theft for certain entities subject to the agencies’ enforcement authority.2 The entities subject to these rules were required to adopt and implement written identity theft prevention programs. On July 21, 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) added the Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC”) to the list of agencies required to promulgate rules and guidelines pertaining to identity theft red flags.3
The Newly Proposed Rules from the CFTC and SEC
On March 6, 2012, the CFTC and SEC jointly proposed identity theft red flags rules and guidelines for specific entities subject to their authority.4 These red flags rules and guidelines are substantially similar to the rules and guidelines adopted in 2007. They are “designed to help guide entities” in determining whether and how identity theft rules and guidelines apply to their particular circumstances “because of the increased likelihood that these entities open or maintain covered accounts, or pose a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”
What Entities Will Be Subject to the CFTC and SEC Rules?
The CFTC has enumerated the following entities as now expressly subject to the scope of its proposed rule:
- futures commission merchants;
- retail foreign exchange dealers;
- commodity trading advisors;
- commodity pool operators;
- introducing brokers;
- swap dealers; and
- major swap participants.
Similarly, the SEC clarified that the scope of its proposed rule applied to any financial institution or creditor, as defined by the Fair Credit Reporting Act (“FCRA”),5 which includes:
- a broker, dealer or any other person registered or required to be registered under the Securities Exchange Act of 1934;
- an investment company that is registered or required to be registered under the Investment Company Act of 1940, that has elected to be regulated as a business development company under that Act, or that operates as an employees’ securities company under that Act; or
- an investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940.
The Commissions request comments from potentially affected entities on the following issues:
- the periodic determination of whether a financial institution offers or maintains a “covered account”;
- the appropriate written program designed to detect, prevent and mitigate identity theft, according to the size and complexity of the financial institution involved;
- the elements of the written program, including:
  - policies and procedures to identify appropriate red flags;
  - how to detect red flags;
  - how to respond to red flags that are detected;
  - periodic updates to reflect changes in risks to customers.
The five categories of red flags to be considered include:
- alerts or warnings received from customer reporting agencies;
- suspicious documents;
- suspicious personal identifying information;
- unusual use or activity in an account;
- notice from customers or law enforcement authorities regarding possible identity theft.
The proposed rules would require a financial institution to obtain approval of the written program from either its board of directors or an appropriate committee of the board.
The Commissions expressly acknowledged that these programs can be integrated with current compliance programs and procedures already in place.
The CFTC and SEC are currently seeking comments from interested parties before they promulgate a final rule. Any interested party may submit comments according to the methods detailed in the proposed rule itself.6 Comments must be received on or before May 7, 2012.