Certain broker-dealers will soon be subject to regulations requiring the implementation of detailed procedures to mitigate the risks associated with identity theft.
On November 9, 2007, the Federal Trade Commission (“FTC”) and the banking agencies adopted regulations (the “Red Flag Rules”) under the Fair and Accurate Credit Transactions Act of 2003 requiring financial institutions and creditors to implement written identity theft prevention programs that identify and detect “red flags” indicating possible fraudulent activity.
In November 2008, the Financial Industry Regulatory Authority (“FINRA”) issued a Regulatory Notice to its member firms discussing the Red Flag Rules. Although FINRA does not have rule-making or interpretive jurisdiction over the Red Flag Rules, the FTC and FINRA intend to coordinate their efforts in addressing industry-wide questions concerning the applicability of the Red Flag Rules in the broker-dealer context.
Whether a Given Broker-Dealer Is Affected
As discussed in an October 2008 Client Alert, the Red Flag Rules apply to “financial institutions” and “creditors” carrying “covered accounts.” Thus, an analysis of whether a broker-dealer is affected by the Red Flag Rules requires an analysis of the applicability of the terms “financial institution,” “creditor” and “covered account” to that broker-dealer.
The term “financial institution” is defined as a depository institution or any other person holding a “transaction account” belonging to a “consumer.” A “transaction account” in turn means a deposit account from which the owner makes payments or transfers. The term “consumer,” however, only includes individuals. Thus, as FINRA indicates, a broker-dealer solely servicing institutional clients would not be deemed a financial institution.
A broker-dealer servicing institutional clients could, however, be deemed a “creditor,” and could for that reason be subject to the Red Flag Rules. For purposes of the Red Flag Rules, the term “creditor” means any person who regularly extends, renews, or continues credit or regularly arranges for the extension of credit. According to FINRA, any broker-dealer that provides its customers with margin (i.e., a form of credit) or arranges any type of loan or other forms of credit for its customers is a “creditor” for purposes of the Red Flag Rules.
For a broker-dealer that is either a “financial institution” or a “creditor,” it must then be determined whether that broker-dealer carries “covered accounts.” “Covered account” means (1) an account offered or maintained primarily for personal, family, or household purposes that is designed to permit multiple payments or transactions (e.g., a retail margin account), or (2) any other account for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. Under clause (2), an account-carrying broker-dealer that solely services institutional clients may still be subject to the Red Flag Rules if that broker-dealer's client accounts pose a reasonably foreseeable risk to its clients as a result of identity theft or to the soundness of the firm as a result of identity theft. While the two-pronged definition of “covered accounts” could apply in the context of account-carrying broker-dealers, non-account-carrying broker-dealers, or under-$250,000 broker-dealers for net capital purposes, would generally not be subject to the Red Flag Rules.
Notably, FINRA cautions that broker-dealers deeming themselves not currently subject to the Red Flag Rules should have procedures in place to reassess that determination in the event that the broker-dealer’s circumstances change, for example if the broker-dealer adds a new line of business.
Identity Theft Prevention Programs Are Required
A broker-dealer subject to the Red Flag Rules must develop, implement and administer a written Identity Theft Prevention Program (a “Program”) that is appropriate to the size and complexity of its business. As discussed in our October 2008 Client Alert, without mandating the specific contents of such Programs, the FTC has issued “Guidelines” to assist in their design. In the broker-dealer context, the Program must: (1) identify red flags indicating the risk of identity theft related to covered accounts; (2) detect red flags that the Program identifies; (3) respond appropriately to red flags as they are detected; and (4) ensure the Program is periodically updated to reflect developing identity theft risks.
In designing and updating its Program, a broker-dealer should undertake a risk assessment that considers both the methods it provides to open accounts and the methods it provides to access accounts as well as its previous experiences with identity theft and identity theft prevention. The Program should supplement a broker-dealer’s existing anti-money laundering compliance protocols.
A broker-dealer’s Program should be reviewed and approved by the firm’s board of directors or a senior manager, e.g., the Chief Compliance Officer. The board of directors or senior personnel should also supervise its administration. Staff should be appropriately trained, as necessary, to effectively implement the Program. The broker-dealer should also supervise third-party service providers playing a role in the implementation of the Program, and should require at a minimum that such service providers have appropriate procedures of their own to detect, prevent and mitigate the risk of identity theft.
Compliance Deadline Extended
The FTC initially mandated that businesses subject to the Red Flag Rules develop and implement Programs by November 1, 2008. Recently, it extended the deadline to May 1, 2009.