On April 10, 2013, the CFTC and SEC jointly issued final rules under Section 615(e) of the Fair Credit Reporting Act (the "FCRA") which require entities subject to the Commissions' respective enforcement authority to establish written policies and procedures to prevent identity theft. Though the final rules are substantially similar to existing identity theft regulations, they expand and clarify the SEC and CFTC's responsibility regarding oversight and enforcement of identity theft rules. The final rules become effective on May 20, 2013, and compliance by SEC and/or CFTC-regulated entities will be required as of November 20, 2013.
In 2003, Congress adopted Section 615(e) of the FCRA to provide rulemaking authority regarding identity theft to several banking agencies and the Federal Trade Commission. This authority, however, did not extend to the CFTC and the SEC. Rather, entities regulated by the Commissions were historically subject to the identity theft rules adopted by other agencies. As part of the Dodd-Frank Act, Congress amended Section 615(e) of the FCRA to specifically include the CFTC and the SEC among the regulatory agencies tasked with issuing rules to prevent identity theft.
As amended by the Dodd-Frank Act, Section 615(e) of the FCRA requires that the Commissions jointly establish and maintain guidelines for "financial institutions" and "creditors" regarding identity theft, and adopt rules regarding the establishment of reasonable policies and procedures for entities implementing those guidelines. Under the final rules, a financial institution or creditor that offers or maintains "covered accounts" must establish a written identity theft red flags program to prevent identity theft (an "Identity Theft Prevention Program"). More specifically, the final rules specify (i) which financial institutions and creditors must develop and implement an Identity Theft Prevention Program; (ii) the objectives of an Identity Theft Prevention Program; (iii) the elements that an Identity Theft Prevention Program must contain; and (iv) the steps financial institutions and creditors need to take to administer an Identity Theft Prevention Program. Set forth below is a summary of each of these requirements.
- Who Must Adopt an Identity Theft Prevention Program
As stated above, certain "financial institutions" and "creditors" regulated by the Commissions must adopt an Identity Theft Prevention Program if they offer "covered accounts." Under the final rules, a "financial institution" is defined to include banks and credit unions, and any other person that, directly or indirectly, holds a "transaction account" belonging to an individual consumer. In turn, the term "transaction account" is defined to include any account on which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for purposes of making payments or transfers to third persons or others. Examples of financial institutions or persons holding a transaction account for an individual consumer would include (i) a broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties. With respect to investment advisers, the final rules clarify that an investment adviser that has authority to withdraw money from an investor's account solely to deduct advisory fees would not hold a transaction account because the adviser would not be making the payments to third parties.
Under the final rules, a "creditor" is defined with reference to the Equal Credit Opportunity Act to mean a person that regularly extends, renews or continues credit, or makes similar arrangements, and that regularly in the course of business advances funds to or on behalf of a person based on an obligation of the person to repay the funds in cash or with pledged collateral. The CFTC also specifically included within this definition futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants that regularly extend or make credit arrangements with their clients or, if acting as an assignee for the original creditor, participate in the decision to renew or continue credit to clients. By contrast, the SEC's rules apply to SEC-registered (i) broker-dealers, (ii) investment companies, and (iii) investment advisers. The term "creditor" does not, however, include an entity that advances funds for expenses incidental to a service provided by the entity to that customer (e.g., lawyers, doctors or other businesses that bill in arrears for services provided).
In turn, each financial institution and creditor must periodically determine whether it offers or maintains "covered accounts." The term "covered account" is defined as (i) an account that a financial institution or creditor offers or maintains primarily for personal, family or household purposes that involves multiple payments or transactions; and (ii) any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers, or to the safety of such financial institution or creditor from identity theft. Examples of covered accounts include a margin account with a futures commission merchant, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.
- Objectives of an Identity Theft Prevention Program
Each financial institution and creditor that offers or maintains at least one covered account must develop and implement an Identity Theft Prevention Program designed to detect, prevent, and mitigate identity theft in connection with the opening of such account or any existing account. The final rules allow financial institutions and creditors to tailor their respective Identity Theft Prevention Programs based on their size and complexity.
Most significantly, the final rules also require financial institutions and creditors to take steps to ensure that the activities of their service providers are conducted in accordance with such institution's or creditor's Identity Theft Prevention Program. In particular, the Commissions stated that financial institutions and creditors should contractually require their service providers to provide documentation demonstrating such service provider's compliance with the institution's or creditor's Identity Theft Prevention Program.
- Required Elements of an Identity Theft Prevention Program
The final rules establish four elements that financial institutions and creditors must include in an Identity Theft Prevention Program. These elements, which are identical to those adopted by other governmental agencies in 2007, include reasonable policies and procedures to: (i) identify relevant red flags; (ii) detect these red flags; (iii) respond to any red flags detected; and (iv) update an Identity Theft Prevention Program to reflect changes in risks to customers and the safety of the financial institution or creditor from identity theft.
Recognizing the changing nature of identity theft, the final rules do not single out specific red flags that an Identity Theft Prevention Program should address. Rather, the final rules include a list of factors that financial institutions and creditors should consider when identifying potential identity theft red flags. These factors include: (i) the types of covered accounts offered; (ii) the methods of opening or accessing covered accounts; and (iii) previous experience with identity theft.
In addition, the Commissions' guidelines identify five categories of red flags that financial institutions and creditors should consider including in their Identity Theft Prevention Programs. These categories include: (i) alerts or other warnings received from consumer reporting agencies or service providers; (ii) presentation of suspicious documents by a customer (e.g., altered or forged documents); (iii) presentation of suspicious personal identifying information by a customer (e.g., a suspicious address change); (iv) unusual use of, or other suspicious activity related to, a covered account (e.g., a fictitious address on a covered account); and (v) notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
- Administering an Identity Theft Prevention Program
The final rules also provide guidance to financial institutions and creditors regarding the administration of an Identity Theft Prevention Program. In particular, the rules require that a financial institution or creditor obtain approval of its initial Identity Theft Prevention Program from such institution's or creditor's board of directors, or a designated senior management employee (e.g., chief compliance officer), provided that if an institution or creditor already has an Identity Theft Prevention Program, such program need not be reapproved unless it does not comply with the final rules.
Though the final rules are similar in substance to existing identity theft regulations, they formally provide rulemaking and enforcement authority to the Commissions in respect of the entities they regulate. Broker-dealers, investment advisers and other entities subject to the Commissions' regulations should carefully review their existing identity theft programs to ensure that they comply with the final rules in advance of November 20, 2013.