Today the CFTC and the SEC jointly issued final rules that require regulated entities to adopt programs designed to prevent identity theft – so-called “red flags” rules.
Since 2003, the Fair Credit Reporting Act has authorized federal agencies responsible for banking regulations to implement programs to prevent identity theft and the FTC has been authorized to implement and enforce similar programs for entities regulated by the SEC and the CFTC. With respect to SEC- and CFTC-regulated entities, the Dodd-Frank Act transferred the rule-making authority and enforcement responsibility for the red flags rules from the FTC to SEC and CFTC, respectively.
These rules should not be surprising to anyone, as they are nearly identical to the rules that had already been adopted by other federal agencies under the FCRA back in 2007. Although the rules adopted by the SEC and CFTC do not expand the scope of the red flags rules that were already in place, the adopting release does contain “examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the rules, which may lead some entities that had not previously complied with the Agencies’ rules to determine that they fall within the scope of the rules we are adopting today.”
On the SEC side of things, the red flags rules apply to entities that are regulated by the SEC and fall within the definition of “creditor” or “financial institution” under the FCRA. To qualify as a “financial institution,” generally speaking an entity must hold a transaction account belonging to an individual. The somewhat convoluted definition of “creditor” for purposes of the FCRA is a person that regularly extends, renews or continues credit, or makes those arrangements and “regularly and in the course of business … advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.” The most common types of SEC-regulated entities likely to fall subject to the red flags rules are broker-dealers holding custodial accounts, investment advisers that hold transaction accounts and are permitted to make payments to third parties out of those accounts, and registered investment companies that allow investors to make wire transfers to other parties or that offer check-writing privileges.
On the CFTC side, the red flags rules apply to entities that are regulated by the CFTC and fall within the definition of “creditor” or “financial institution” under the FCRA, provided that those terms also include any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, major swap participant, or any of the foregoing that are regularly involved in the extension, renewal, or continuance of credit.
The final rules require that entities subject to the rules adopt programs to deter identity theft and offer guidelines for such programs that the entities should consider as they formulate their own programs. The SEC press release accompanying the final rules nicely summarizes the substance of the red flags rules:
“The program should include policies and procedures designed to:
- Identify relevant types of identity theft red flags.
- Detect the occurrence of those red flags.
- Respond appropriately to the detected red flags.
- Periodically update the identity theft program.
The SEC’s rules apply only to SEC-regulated entities that meet the definition of ‘financial institution’ or ‘creditor’ under the FCRA.
The rules require entities to provide such things as staff training and oversight of service providers. The rules include guidelines and examples of red flags to help firms administer their programs.
The rules require entities that issue debit cards or credit cards to take certain precautionary actions when they receive a request for a new card soon after they receive a notification of a change of address for a consumer’s account.”