Businesses in the financial industry, and in particular SEC-registered broker-dealers and investment advisers, must comply with increasingly stringent federal requirements concerning information security.
In this regard, two regulatory developments bear noting. On November 9, 2007, the Federal Trade Commission (“FTC”) and the federal banking agencies adopted regulations (the “Red Flag Rules”) requiring financial institutions and creditors to implement identity theft prevention programs that identify and detect “Red Flags” indicating possible fraudulent activity. In addition, on March 4, 2008, the Securities and Exchange Commission (“SEC”) proposed amendments to Regulation S-P under the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act (the “FCRA”) that would bolster the requirements covering customer information security applicable to financial businesses under the SEC’s jurisdiction.
The Red Flag Rules
The Red Flag Rules were promulgated pursuant to the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Sections 114 and 315 of FACTA require financial institutions and creditors to develop and implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft and other fraudulent activity in relation to customer accounts. The Program must contain reasonable policies and procedures to identify, detect, and respond to Red Flags, and must be periodically updated to reflect risks related to identity theft.
Section 621 of the FCRA provides that the Red Flag Rules are enforceable by the FTC against any person not regulated by another agency identified therein, “irrespective of whether that person… meets any other jurisdictional tests in the Federal Trade Commission Act.” The SEC is not one of the other agencies identified.
The Red Flag Rules apply to “financial institutions” and “creditors” carrying “covered accounts.” The term “financial institution” is defined under the Red Flag Rules in accordance with the FCRA, and includes a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that holds a “transaction account” belonging to a consumer. A “transaction account” is in turn defined as a deposit account from which the owner makes payments or transfers.
The term “creditor” expands the reach of the Red Flag Rules beyond the banking sector. For purposes of the Red Flag Rules, “creditor” means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.
The Red Flag Rules apply a two-pronged definition to the term “covered account.” That term includes any account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions (i.e., consumer accounts). The definition also encompasses, however, “any other account” that a “financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This second element of the definition of “covered accounts” targets small business and sole proprietorship accounts, which are presumably more vulnerable to identity theft and other fraudulent activity than accounts carried on behalf of large businesses or sophisticated parties.
The Red Flag Rules went into effect on January 1, 2008, and businesses should be in compliance by November 1, 2008. Failure to comply may result in enforcement action by the FTC, including civil liability for nominal, actual or punitive damages, and attorneys' fees.
Although the Red Flag Rules do not specify the contents of a regulated entity’s Identity Theft Prevention Program, the FTC has issued “Guidelines” to assist in its design. The Guidelines identify 26 possible Red Flags, falling into five categories: (i) alerts, notifications, or warnings from a consumer reporting agency; (ii) suspicious documents; (iii) suspicious personally identifying information (e.g., a social security number that does not match the Social Security Administration’s Death Master File); (iv) unusual use of, or suspicious activity relating to, a covered account; and (v) notice from customers, victims of identity theft, law enforcement, or other persons regarding possible identity theft in connection with covered accounts held by a financial institution or creditor. Although the Guidelines are not mandatory, they likely will be used as the standard against which the adequacy of an Identity Theft Prevention Program is measured. The Guidelines are available at http://www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf.
Applicability to Broker-Dealers and Investment Advisers
Under the definitions described above, the Red Flag Rules could apply to an SEC-registered broker-dealer carrying customer accounts. Such broker-dealers could potentially be subject to different and/or inconsistent requirements under the Red Flag Rules and under Regulation S-P.
The FTC’s intent to apply the Red Flag Rules to brokerage accounts and to investment advisory activities incidental to brokerage transactions is reflected in the commentary to the Rules’ adoption; it notes that identity theft could affect accounts other than consumer accounts, and concludes that Section 114 of FACTA is intended to cover any relationship to obtain a product or service that an account holder or customer may have “with a creditor,” including “fiduciary, agency, custodial and brokerage accounts and investment advisory activities.” In addition, the FTC issued a broadly worded Business Alert in June 2008, clarifying that the Red Flag Rules could apply to checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. As indicated above, a “covered account” can also be any account “for which there is a foreseeable risk of identity theft…”
Although, under SEC Rule 206(4)-2, a registered investment adviser is generally barred from holding client assets (and therefore from carrying “covered accounts”) unless the investment adviser is a “qualified custodian” such as a bank or an account-carrying broker-dealer, the Red Flag Rules could apply to investment advisers in certain limited instances such as in the case of dually registered entities.
As we indicated in a Client Alert that we issued in April 2008, the SEC recently proposed amendments to Regulation S-P that would require financial institutions under the SEC’s jurisdiction to design and implement comprehensive information security programs. As originally adopted, Regulation S-P requires those businesses to implement policies and procedures to safeguard, from an administrative, technical, and physical perspective, customer records and information. Under the proposed amendments, broker-dealers, investment companies, and investment advisers registered with the SEC must develop, implement, and maintain a comprehensive “information security program” that, among other things, identifies the staff responsible for coordinating the security program; identifies the documentation reasonably necessary to address identified risks; includes protocols for testing or other monitoring of the program’s effectiveness; provides for ongoing staff training; allows for oversight of third-party service providers; and provides for continuous evaluation and adjustment in light of testing results and technological changes. These requirements could overlap, and in certain instances could conflict, with the requirements under the Red Flag Rules.