Do the Red Flag Rules of the FTC and the federal banking agencies apply to broker-dealers registered with the SEC? The short answer seems to be “Yes.”
The Red Flag Rules require “financial institutions” and “creditors” with “covered accounts” to protect against identity theft by implementing written programs designed to detect and prevent identity theft.
The definition of “creditor” includes anyone who arranges for the extension of credit, which presumably includes a broker-dealer that extends credit in a margin account for the purchase of securities. The definition of “financial institution” includes anyone who directly or indirectly holds a “transaction account” belonging to a consumer, which is further defined to include an account on which an account holder can make withdrawals by negotiable instrument, payment orders, telephone transfers, or similar items. Accordingly, a broker-dealer that offers a check-writing feature as part of a brokerage account may be a financial institution.
Finally, a “covered account” is one maintained primarily for personal, family or household purposes, which could include accounts held by retail customers of a broker-dealer.
That broker-dealers must comply with the Red Flag Rules is not a bad thing; however, broker-dealers must also soon comply with proposed SEC amendments to Regulation S-P. The amendments require the implementation of an information security program designed to safeguard customer records and information. The Red Flag Rules and Regulation S-P do not necessarily conflict, although adherence to both could create overlap and inefficiencies.