In April, the Securities and Exchange Commission (the “SEC”) and the Commodity Futures Trading Commission (the “CFTC”) jointly issued an adopting release (the “Adopting Release”), which included new identity theft red flags rules (the “Red Flags Rules”). Under the Red Flags Rules, certain entities that are regulated by the SEC or CFTC are required to develop and implement written identity theft prevention programs designed to detect, prevent and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The compliance date for the Red Flags Rules is November 20, 2013. We believe impacted entities (e.g., broker-dealers, registered investment companies and registered investment advisers) should begin work now to prepare for the compliance date. This QuickStudy covers only the sections of the Adopting Release and the Red Flags Rules that relate to entities regulated by the SEC (the “SEC Rules”). It does not cover the sections of the Adopting Release and the Red Flags Rules relating to entities regulated by the CFTC or credit/debit card issuers.
The Dodd-Frank Wall Street Reform and Consumer Protection Act amended the Fair Credit Reporting Act (as amended in 2003, the “FCRA”) to add the SEC and CFTC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules. The SEC and CFTC had not been included among the federal agencies previously required to issue red flags rules and guidelines (such agencies, the “Original Agencies”). The Original Agencies’ red flags rules, which were released in 2007 (the “2007 Rules”), did, however, apply to entities regulated by the SEC and CFTC. As noted in the Adopting Release, the Red Flags Rules do not include requirements that were not included in the 2007 Rules, nor do they expand the scope of the existing red flags rules to include new categories of entities. However, the Adopting Release includes a note that the SEC Rules and the Adopting Release contain examples and “minor language changes” that may lead entities that had previously concluded they were outside the scope of the 2007 Rules to reconsider whether they are subject to red flags regulations. For many impacted entities, the substance of the items required by the Red Flags Rules is likely already included in know-your-customer or anti-money-laundering policies and procedures. With the adoption of the Red Flags Rules, however, impacted entities will be required to adopt a separate policy directed specifically at the Red Flags Rules.
The Red Flags Rules require that a “financial institution” or “creditor” that offers or maintains “covered accounts” establish an identity theft red flags program designed to detect, prevent and mitigate identity theft. “Financial institution” is defined by reference to the FCRA definition, which includes banks, credit unions and any other person that, directly or indirectly, holds a transaction account belonging to an individual.
The SEC Rules apply to a financial institution or creditor that is:
- A broker, dealer or any other person that is registered or required to be registered under the Securities Exchange Act of 1934;
- An investment company that is registered or required to be registered under the Investment Company Act of 1940, that has elected to be regulated as a business development company under that Act, or that operates as an employees’ securities company under that Act; or
- An investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940.
Included in the Adopting Release is a non-exhaustive list of examples of SEC-regulated entities that could fall within the meaning of “financial institution” because they hold transaction accounts belonging to individuals:
- A broker-dealer that offers custodial accounts;
- A registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and
- An investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.
“Creditor” is also defined by reference to the FCRA, which in turn refers to the definition of credit in the Equal Credit Opportunity Act, namely, a “person that regularly extends, renews or continues credit, or makes those arrangements, that regularly and in the course of business…advances funds to or on behalf of a person for expenses incidental to a service provided by the creditor to that person….” The SEC specifically noted that investment advisers potentially could qualify as creditors if they “advance funds” to an investor that are not for expenses incidental to services provided by that adviser.
“Covered account” is defined as:
- An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and
- Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
The SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.
Identity Theft Prevention Program Requirements and Administration
A program implemented or maintained under the Red Flags Rules must include “reasonable policies and procedures” to:
- Identify the types of red flags that are relevant to the covered accounts that the subject institution maintains, and incorporate those red flags into the subject institution’s program;
- Detect the red flags that have been incorporated into the subject institution’s program;
- Respond to any red flags that are detected; and
- Periodically update the program to reflect changes in risks to customers and to the safety and soundness of the subject institution.
The program must be appropriate to the size and complexity of the subject institution and the nature and scope of its activities. The initial program must be approved by the subject institution’s board of directors or an appropriate committee thereof. The oversight, development, implementation and administration of the program must involve the subject institution’s board of directors or an appropriate committee thereof, or a designated employee at the level of senior management. Further, staff must be trained as necessary to implement the program, and service provider arrangements must be subject to appropriate and effective oversight.
As noted above, parties subject to the scope of the Red Flags Rules are required to be in compliance with the Red Flags Rules by November 20, 2013.
Broker-dealers, investment companies and investment advisers who have not yet done so should review their business and operations to determine if they may be required to implement the red flags procedures under the Red Flags Rules. Broker-dealers, investment companies and investment advisers that believe they are outside the scope of the Red Flags Rules should consider revising their compliance procedures and manuals to provide for a regular review of their business practices to determine if, in the future, the Red Flags Rules become applicable.