On April 10, 2013, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) jointly issued final rules and guidelines (Final Rules) requiring broker-dealers, investment companies, investment advisers, and other SEC-regulated and CFTC-regulated entities to create programs to detect and respond appropriately to "red flags" commonly associated with identity theft. Pursuant to the Final Rules, a “financial institution” that offers or maintains “covered accounts” must develop and implement a written Identity Theft Prevention Program (the Program) to detect, prevent and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts.
Entities That Must Establish a Program
The Final Rules define the term “financial institution” by reference to the definition of the term in section 603(t) of the Fair Credit Reporting Act of 1970. That section defines a financial institution to include certain banks and credit unions, and any other person that, directly or indirectly, holds a transaction account belonging to a consumer.
The adopting release highlighted the following SEC-registered entities that likely would fall under the “financial institution” definition: (i) a broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.
The CFTC’s definition of “financial institution” also specifies that the term includes any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that directly or indirectly holds a transaction account belonging to a consumer.
Under the Final Rules, a financial institution must establish a red flags Program if it offers or maintains “covered accounts.” A “covered account” is defined as (i) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, and (ii) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution from identity theft. The SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties. The CFTC’s definition includes a margin account as an example of a covered account.
Establishing a Program
The Final Rules are meant to provide each financial institution with examples and suggestions on how to create and implement a Program. A Program should be tailored to the institution’s size, complexity and nature of its operations, including incorporating any previously existing policies, procedures and other arrangements the institution utilized to protect against identity theft.
The Final Rules provide four basic elements that must be included in a Program. The Program must contain “reasonable policies and procedures” to: (i) identify relevant red flags for covered accounts and incorporate those red flags into the Program, (ii) detect the red flags that the Program incorporates; (iii) respond appropriately to any red flags that they detect; and (iv) periodically update the Program to reflect changes in risks to customers or to the safety and soundness of the financial institution from identity theft.
Administration of the Program
The Final Rules specify certain steps that financial institutions must take to administer its Program. The financial institution must obtain approval of the initial written Program by the institution’s board of directors or a committee of the board, ensure oversight of the development, implementation and administration of the Program and provide training to select staff members to effectively implement the Program. Finally, the financial institution must exercise appropriate and effective oversight of service provider arrangements to ensure that the service provider activity in connection with the financial institution’s covered accounts is conducted in accordance with the Program.
Appendix B—Interagency Guidelines on Identity Theft Program
The adopting release includes an Appendix B with the Final Rules in order to further assist each financial institution in creating and implementing the Program. Please refer to the link below to access the adopting release, which includes these guidelines starting at page 88.
Effective Date and Compliance Date
The Final Rules will become effective 30 days after publication in the Federal Register. The compliance date for the Final Rules will be six months after their effective date. As such, the compliance date is likely to be sometime in November 2013.