On April 10, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) (together, the Commissions) jointly adopted rules and guidelines that require certain entities subject to their enforcement authorities to develop compliance programs to protect investors from identity theft. The new Identity Theft Red Flags Rules, adopted pursuant to the Dodd-Frank Act, which amends the Fair Credit Reporting Act (FCRA), are similar to existing identity theft rules enforced by the Federal Trade Commission (FTC) and federal banking regulators.
The Red Flags Rules require "financial institutions" and "creditors" that hold certain covered accounts to develop and implement a written identity theft prevention program. The program must provide for identification and detection of, and responses to, patterns, practices or specific activities -- known as "red flags" -- that could indicate identity theft.
The entities regulated by the SEC that are most likely to be financial institutions and creditors include broker-dealers offering custodial accounts, investment companies permitting investor wire transfers and check writing, and investment advisers permitting payments out of transaction accounts. The entities most likely to be covered within the CFTC's regulatory scope include futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants.
Once the determination is made that the entity is a financial institution or creditor, a decision must then be made about whether the entity maintains any "covered accounts." The term "covered account" encompasses two types of accounts: one maintained primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions; and the second includes any other account for which there is a foreseeable risk of identity theft. This second type is governed by a risk-based analysis, and each entity must make its own determination of whether its accounts meet the definition. The Commissions' guidance on the second type of account provides that the entity should conduct a risk evaluation that considers both the methods it employs to open or access its accounts and its previous experience with identity theft.
Elements of Identity Theft Prevention Program
The Red Flags Rules are meant to be flexible and provide a covered entity with the opportunity to design and implement a program that is appropriate to its size and the nature of its operations. Therefore, a large company with several types of accounts may need a complex program, while a small, low-risk business may be able to adopt a streamlined program. Regardless of the nature of a business, the program must include five elements:
- Identification of Red Flags. Identify relevant patterns, practices and specific forms of activity that are red flags signaling possible identity theft. Consider the nature of the business and the type of identity theft to which it might be vulnerable.
- Detection of Red Flags. Establish policies and procedures to detect identified red flags.
- Response to Red Flags. Include prevention, mitigation and appropriate actions once red flags are detected.
- Periodic Review and Updating. Address how management will periodically re-evaluate and update the program, where necessary, to address new and evolving threats. This includes re-evaluation to determine whether changes in the business have caused the entity or account to fall under the purview of the Red Flags Rules.
- Administration of Program. The program must initially be approved by the board of directors or, if the entity does not have a board, by a senior-level manager. It must specify who is responsible for implementing and administering the program, including approving necessary changes. Finally, it must include appropriate training for staff.
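The detection element above, as an added example that is not part of the original article or of any Commission rule: a small Python routine that runs three red-flag rules over a constructed log of account events. The three patterns (a card request shortly after an address change; transactions continuing while mail to the customer is returned undeliverable; an application or address change using an address seen on a fraudulent application) are patterned on illustrative red flags in the supplement to the FTC guidelines. The event vocabulary, field names, 30-day window, fraud-address list and sample events are all assumptions made for this example.

```python
"""Illustrative red-flag detection over a constructed stream of account events.

Added example, not code from the original article or from any regulator.
Event kinds, field names, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    account: str
    at: datetime
    kind: str          # assumed vocabulary: address_change, card_request, mail_returned, transaction, application
    data: dict = field(default_factory=dict)


@dataclass(frozen=True)
class RedFlag:
    account: str
    rule: str
    detail: str


def _by_account(events):
    """Group events by account, oldest first, so each rule can scan in time order."""
    grouped = {}
    for e in sorted(events, key=lambda e: e.at):
        grouped.setdefault(e.account, []).append(e)
    return grouped


def card_request_after_address_change(events, window=timedelta(days=30)):
    """Red flag: a new/replacement card request arrives shortly after an address change."""
    flags = []
    for account, evs in _by_account(events).items():
        last_change = None
        for e in evs:
            if e.kind == "address_change":
                last_change = e
            elif e.kind == "card_request" and last_change is not None \
                    and e.at - last_change.at <= window:
                flags.append(RedFlag(account, "card_request_after_address_change",
                                     f"request on {e.at:%Y-%m-%d}, address changed {last_change.at:%Y-%m-%d}"))
                last_change = None  # one flag per address change
    return flags


def activity_while_mail_undeliverable(events, min_returns=2):
    """Red flag: mail is repeatedly returned undeliverable while transactions continue."""
    flags = []
    for account, evs in _by_account(events).items():
        returns = [e for e in evs if e.kind == "mail_returned"]
        if len(returns) < min_returns:
            continue
        later_txns = [e for e in evs if e.kind == "transaction" and e.at > returns[0].at]
        if later_txns:
            flags.append(RedFlag(account, "activity_while_mail_undeliverable",
                                 f"{len(returns)} returned mailings, {len(later_txns)} transactions since first return"))
    return flags


def _norm(addr):
    """Normalise an address for comparison: lowercase, drop commas, collapse whitespace."""
    return " ".join(addr.lower().replace(",", " ").split())


def address_linked_to_fraud(events, fraud_addresses):
    """Red flag: an application or address change uses an address seen on a fraudulent application."""
    bad = {_norm(a) for a in fraud_addresses}
    flags = []
    for e in events:
        if e.kind in ("application", "address_change") and _norm(e.data.get("address", "")) in bad:
            flags.append(RedFlag(e.account, "address_linked_to_fraud",
                                 f"{e.kind} uses an address previously seen on a fraudulent application"))
    return flags


def detect_red_flags(events, fraud_addresses):
    """Run every rule and return the flags sorted by account and rule name."""
    flags = (card_request_after_address_change(events)
             + activity_while_mail_undeliverable(events)
             + address_linked_to_fraud(events, fraud_addresses))
    return sorted(flags, key=lambda f: (f.account, f.rule))


# Constructed sample data (not real accounts or addresses).
FRAUD_ADDRESSES = ["12 Example Ct, Springfield"]

SAMPLE_EVENTS = [
    Event("A-100", datetime(2013, 6, 1), "address_change", {"address": "9 Oak St, Anytown"}),
    Event("A-100", datetime(2013, 6, 10), "card_request"),                 # 9 days later: flagged
    Event("B-200", datetime(2013, 6, 1), "address_change", {"address": "4 Elm St, Anytown"}),
    Event("B-200", datetime(2013, 8, 15), "card_request"),                 # 75 days later: outside window
    Event("C-300", datetime(2013, 5, 2), "mail_returned"),
    Event("C-300", datetime(2013, 5, 20), "transaction", {"amount": 2500}),
    Event("C-300", datetime(2013, 6, 3), "mail_returned"),
    Event("D-400", datetime(2013, 7, 1), "application", {"address": "12 example ct  Springfield"}),
]

if __name__ == "__main__":
    for f in detect_red_flags(SAMPLE_EVENTS, FRAUD_ADDRESSES):
        print(f"{f.account}: {f.rule} ({f.detail})")
```

Each `RedFlag` is the input to the response element of the program: for example, holding the card request on A-100 pending out-of-band verification with the customer at the address of record. The window, the returned-mail threshold and the choice of rules should come from the entity's own risk evaluation rather than from the fixed values used here.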
An entity's obligations under the Red Flags Rules are not reduced by outsourcing parts of its operations. The program must therefore specify how the entity will ensure and monitor compliance with the program by its external service providers.
The Red Flags Rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date (around November 15).
Despite the fact that many of the entities described above have been subject to similar rules administered by the FTC in the past, these rules will be new for others, particularly certain private fund advisers recently registered with the SEC.
It is essential that entities regulated by the Commissions correctly determine whether they fall under the definition of "financial institution" or "creditor" and, if so, whether they maintain "covered accounts." Entities so designated should design and implement appropriate identity theft prevention programs. Even in the absence of a legal obligation, implementing a program containing elements of the rules would help companies mitigate the risk of identity theft and reduce their overall exposure.
Implementation of an identity theft prevention program starts with an analysis of risks to the secure maintenance of confidential information. Such risk analysis would evaluate the likelihood and severity of a data breach. The results of the risk assessment would help to prioritize the risk areas (e.g., portable devices, offshore business associates, lack of encryption) that would be targeted for the implementation of controls (e.g., policies, processes, training) to manage identified risks.
Companies should review or implement policies, processes and systems to prevent, detect, contain and correct intentional or accidental misuse, disclosure, modification or destruction of confidential information. Further, companies should review third-party service provider agreements to ensure that they contain contractual undertakings to protect confidential information entrusted to such providers and give companies the right to enforce data protection standards. In addition, relevant employees and service providers should be provided with training on ways to protect confidential information (e.g., not leaving sensitive information unattended at workstations or on an open computer screen, and ensuring that e-mail containing such information is encrypted). Finally, employees and service providers need to be aware of personal sanctions for violating data security standards.