Identity theft is a serious privacy and security problem that has escalated in recent years as more and more business functions move online. To keep pace with this emerging risk, US regulators have been requiring companies to build governance structures with systemic controls rather than ad hoc processes. To this end, the Securities and Exchange Commission (SEC) recently adopted Regulation S-ID (Reg S-ID), a comprehensive set of rules requiring certain entities it regulates to implement an identity theft program (Program) to detect, prevent and respond to identity theft.[1] These "Red Flags" rules apply only to SEC-regulated entities that meet the definition of "financial institution"[2] or "creditor"[3] under the Fair Credit Reporting Act (FCRA), and are very similar to the Red Flags rules adopted by the Federal Trade Commission (FTC).
Entities Subject to Regulation S-ID
According to the final rule, SEC-regulated entities that could fall within the meaning of the term "financial institution" include:
- a broker, dealer or any other person that is registered or required to be registered under the Securities Exchange Act of 1934 (Exchange Act);
- an investment company that is registered or required to be registered under the Investment Company Act of 1940 (Investment Company Act), that has elected to be regulated as a business development company under the Investment Company Act, or that operates as an employees' securities company under the Investment Company Act; or
- an investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940 (Investment Advisers Act).
More specifically, because the definition of "financial institution" focuses on entities that hold "transaction accounts" belonging to individuals, examples of SEC-regulated entities that may be subject to Reg S-ID include, but are not limited to: a broker-dealer that offers custodial accounts; a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.
Requirements of Regulation S-ID
The SEC adopted Reg S-ID jointly with the Commodity Futures Trading Commission (CFTC) under rulemaking authority delegated to both agencies by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. New SEC Chairman Mary Jo White called the new rules "a common sense response to the growing threat of identity theft to all Americans who invest, save or borrow money." Regulation S-ID was approved unanimously.
Although there are no surprises in this final rulemaking, the requirements will be brand new for certain broker-dealers, investment companies, and investment advisers registered under the Investment Advisers Act, such as private fund and hedge fund advisers. Under Reg S-ID, broker-dealers, mutual funds, investment advisers, and certain other entities must implement a Program to:
- identify relevant types of identity theft red flags,
- detect the occurrence of those red flags,
- respond appropriately to detected red flags,
- train staff on identity theft policies and procedures,
- oversee vendors' compliance with these rules,
- periodically update the identity theft program, and
- take actions to mitigate credit and debit card fraud (card issuers only).
Like the FTC's Red Flags rules, Reg S-ID allows flexibility in how entities identify and manage the identity theft risks that are specific to their business. This is designed to keep the rules dynamic as technology and risk profiles change over time. Categories of red flags that should be considered include: alerts, notifications, or other warnings received from consumer reporting agencies or service providers; suspicious identifying information and/or documentation; suspicious activity related to a covered account; and notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.
Financial institutions must create a written Program that is approved by their Board of Directors, by a committee of the Board, or, if the entity does not have a Board, by a designated senior management employee. A Chief Compliance Officer can be designated with responsibility for oversight of the Program. We counsel clients addressing these issues to consider creating a compliance project plan to ensure that business process owners have documented and repeatable policies and procedures for detecting, preventing and responding to identity theft risks. Periodic and regular monitoring of Program performance, as well as revalidation of policies and procedures, are best practices in building a sustainable Program. Finally, because of the sensitive nature of these issues, an annual update to the Board of Directors would be another strong pillar in a governance framework.
Reg S-ID will be effective 30 days after its publication in the Federal Register. Affected entities are required to be in compliance with Reg S-ID six months after its effective date.