On April 10th, the Securities and Exchange Commission (“SEC”) and the Commodity Futures Trading Commission (“CFTC”) jointly approved a final rule requiring broker-dealers, mutual funds, federally registered investment advisers, and certain other regulated entities to adopt programs designed to detect and address identity theft. The final rule release is available online. These rules are similar to joint rules previously approved by other entities under the Fair Credit Reporting Act of 1970 (“FCRA”), including the Federal Trade Commission and banking regulators. Thus, the rules may offer few additional requirements for certain entities. Any entities not already covered by such rules, however, such as broker-dealers and federally registered investment advisers, must now establish identity theft programs that comply with the new regulations.
The program should be appropriate to the size and complexity of the covered entity and the nature and scope of its business. The program must consist of policies and procedures that:
- Identify relevant types of identity theft red flags;
- Detect the occurrence of those red flags;
- Respond appropriately to detected red flags; and
- Periodically update the program.
Additional rules have been finalized for companies that issue debit or credit cards. These rules are not covered by this release.
Types of Red Flags
A red flag is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Red flags will be different for each entity, but the release offered three risk factors to consider:
(i) the types of accounts a covered entity offers or maintains;
(ii) the methods it provides to open or access its covered accounts; and
(iii) its previous experiences with identity theft.
Specific red flags might derive from a number of sources, including:
- Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
- Presentation of suspicious documents, such as documents that appear to have been altered or forged;
- Presentations of suspicious personal identifying information, such as a suspicious address change;
- Unusual use of, or other suspicious activity related to, a covered account; and
- Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the covered entity.
Detecting Red Flags
Covered entities must write policies and procedures designed to detect the red flags they have identified; these policies will vary depending on the types of accounts maintained by the covered entity and how those accounts are administered. The release stresses that entities already subject to other identity theft regulations, such as those under the FCRA, should consider combining policies.
Preventing and Mitigating Identity Theft
Policies and procedures should address how the entity will respond to red flags. In deciding on a response, the entity should take into account all relevant factors and choose a response commensurate with the degree of risk posed by each red flag.
Updating the Program
The policies and procedures should address how often the program will be updated. The release lists five factors to help entities write an appropriate update policy:
- The experiences of the covered entity with identity theft;
- Changes in methods of identity theft;
- Changes in methods to detect, prevent, and mitigate identity theft;
- Changes in the types of accounts that the entity offers or maintains; and
- Changes in the business arrangements of the entity, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
Administering the Program
The release identifies other procedures that must be followed. These include appointing either a board committee or a member of senior management to oversee the identity theft program; for many entities, this will likely be the Chief Compliance Officer. In addition to delegating tasks and monitoring the program, this designee must report, at least annually, to the board of directors and is responsible for providing reasonable oversight of service providers.
Application to Mutual Funds
The new identity theft rules essentially mirror rules previously put in place by the Federal Trade Commission. Accordingly, for mutual funds registered under the Investment Company Act of 1940 that have already adopted FTC-compliant identity-theft prevention policies, little additional action will likely need to be taken as a result of these new rules. However, the regulator responsible for overseeing those funds’ implementation of the programs will shift from the FTC to the SEC.
The final rules will become effective 30 days after their publication in the Federal Register, with a compliance date six months later. This means that broker-dealers, federally registered investment advisers, and other covered entities should begin preparing policies and procedures that comply with the new identity theft rules. This process will involve drafting and testing new policies, ensuring they comply with the new rules, and then seeking board approval. The process will also require staff training. For entities that already have such policies, the policies should be reviewed to make sure they cover the guidelines provided by the SEC.
Steps to Take Now
Before preparing or enhancing procedures and developing systems to apply them, federally registered investment advisers, broker-dealers, mutual funds and other covered entities should perform a business and compliance system analysis of the following:
(1) the day-to-day functions relevant to the new rule which the firm and its service providers perform for clients, such as account opening, address changes, providing and amending security codes, orders from third parties and check requests;
(2) the current safeguards relating to the new rule, if any, that the firm and its service providers may already have in place for (i) access to accounts by internal staff, clients and third parties, and (ii) responding to red flags such as unusual transaction requests, transfers of investments or funds, other unusual activity, or reports from a consumer reporting agency; and
(3) the availability of staff to ensure compliance with the rule.
After the analysis is performed, written procedures should be enhanced or created, and reasonable systems developed to apply them, to prevent and detect identity theft. The procedures should name the persons within the firm, including the Chief Compliance Officer or his or her designee, responsible for performing specific duties to prevent and detect violations. While preparing the new procedures and developing systems, keep in mind that both will be subject to rule-imposed annual internal reviews to determine whether they are functioning properly, so thinking ahead to the compliance tests that will be performed at year-end is an important consideration at the procedures development stage.
Once the procedures are developed, a training outline should be created to give the firm’s staff guidance about red flags, expectations and duties. Both the procedures and the training guide should be approved by the firm’s board of directors, or a committee of the board, along with any future amendments to the procedures. Also, at least annually, the board should be apprised of the performance of the firm’s identity theft program, including violations detected and the adequacy of service providers’ systems to comply with the identity theft rule. Staff training should occur before the rule’s effective date — and periodically thereafter — as determined by the compliance staff. The procedures, amendments thereto, board minutes and the training guides should all be kept as a permanent record of the firm’s identity theft compliance system.