On April 10, 2013, the Commodity Futures Trading Commission (the “CFTC”) and the Securities and Exchange Commission (the “SEC,” and together with the CFTC, the “Commissions”) issued final rules and guidelines (the “Rules”) that will require “financial institutions” and certain “creditors” that fall under their respective jurisdictions (including commodity pool operators, commodity trading advisors, registered broker-dealers, registered investment companies (“RICs”), business development companies, employees’ securities companies and registered investment advisers) and that offer or maintain “covered accounts,” to develop written identity theft prevention programs. Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Commissions were added to the list of federal agencies that are required to issue rules to prevent identity theft. The Rules are substantially similar to final rules and guidelines that were issued jointly in 2007 by the Office of the Comptroller of the Currency, the Federal Reserve and other agencies, and are substantively similar to the rules proposed by the Commissions on February 28, 2012, as previously discussed in the March 21, 2012 Investment Management Regulatory Update and the March 7, 2012 Davis Polk Client Memorandum, CFTC and SEC Jointly Propose Identity Theft Rules. In their adopting release, the Commissions noted that it is likely that most of the financial institutions and creditors covered by the Rules already comply with the existing rules regarding identity theft prevention, and therefore may only be required to supplement programs already in place.
Financial Institutions. The Commissions defined “financial institution” in the Rules by reference to the definition of such term in the Fair Credit Reporting Act of 1970 (“FCRA”), which includes an entity that directly or indirectly holds a transaction account belonging to an individual. In this context, “transaction account” includes an “account on which the . . . account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.” According to the Commissions’ adopting release, the definition specifically includes (i) a broker-dealer that offers custodial accounts, (ii) a RIC that allows investors to make wire transfers to others or offers check-writing privileges and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is allowed to direct payments or transfers out of such accounts to third parties. According to the Commissions’ adopting release, an adviser that only has authority to withdraw money from an investor’s account to obtain advisory fees would not hold a “transaction account,” since payments would not be made to a third party.
Creditors. The Commissions also defined “creditor” in the Rules by reference to the definition of such term in the FCRA, which includes a creditor, as defined in the Equal Credit Opportunity Act, that “regularly and in the course of business . . . advances funds to or on behalf of a person, based on an obligation of the person to repay,” excluding funds for incidental services provided by the creditor. According to the Commissions’ adopting release, an adviser to a private fund would not be considered a creditor solely because its private funds regularly borrow money from third-party creditors, since the definition of “creditor” does not include indirect creditors.
Covered Accounts. Under the Rules, financial institutions and creditors are only required to implement an identity theft program if they offer or maintain “covered accounts.” The Rules define “covered accounts” as “(i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” The Rules require that financial institutions and creditors periodically determine whether they are maintaining or offering covered accounts.
Financial institutions and creditors that offer or maintain covered accounts are required to implement a written identity theft prevention program (a “Program”) that is designed to detect, prevent and mitigate identity theft in connection with the opening and maintenance of covered accounts. A Program must be reasonably designed to:
- identify and incorporate into the Program “red flags” (defined as patterns, practices or activities that indicate the possible existence of identity theft);
- detect the existence of red flags incorporated into the Program;
- appropriately respond to detected red flags in order to prevent and mitigate identity theft; and
- update the Program periodically to reflect changes in risks of identity theft to customers and to the safety and soundness of the financial institution or creditor.
The Commissions’ adopting release also includes guidelines that entities must consider when implementing and administering any Program, which generally give instructions on how to identify red flags.
In addition, the Rules generally require, among other things, (i) board approval of the initial written Program, (ii) senior level oversight of its development, implementation and administration, (iii) annual compliance reports, (iv) staff training to effectively implement the Program and (v) steps to ensure that any service providers performing activities in connection with covered accounts employ reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft.
The Rules will become effective on May 20, 2013, and the compliance date is November 20, 2013.