Hogan Lovells 2024 Election Impact and Congressional Outlook Report
May 7, 2012 marks the end of the comment period for the proposed identity theft red flags rules and guidelines issued jointly by the Securities and Exchange Commission and the Commodities Future Trading Commission. The Proposed Rules, which would apply to certain broker-dealers, investment companies, investment advisers, futures commission merchants, commodity pool operators, introducing brokers, and other SEC- and CFTC-regulated entities, are substantially similar to the identity theft red flags rules and guidelines issued in 2007 by the Federal Trade Commission and the federal banking agencies ("FTC Red Flags Rules") pursuant to the Fair and Accurate Credit Transactions Act ("FACTA"), which amended the Fair Credit Reporting Act ("FCRA").
The Dodd-Frank Wall Street Reform and Consumer Protection Act further amended the FCRA and transferred rulemaking and enforcement authority over the identity theft red flags rules to the SEC and CFTC with respect to the entities under their jurisdiction.
Importantly, the Proposed Rules do not contain new requirements that are were not already included in the FTC Red Flags Rules, nor do they expand the scope of those rules to cover entities that were not previously subject to their requirements. The SEC and CFTC noted in the preamble to the Proposed Rules that most of the entities over which they have jurisdiction are likely to already be in compliance with the FTC Red Flags Rules to the extent their activities fall within the scope of those regulations. Thus, these entities would not need to implement new red flags programs in response to the Proposed Rules. However, because the FTC Red Flags Rules were not specific to the securities industry and there was some confusion as to which entities were subject to their requirements, the Proposed Rules should help clarify the circumstances in which the red flags requirements apply.
"However, because the FTC Red Flags Rules were not specific to the securities industry and there was some confusion as to which entities were subject to their requirements, the Proposed Rules should help clarify the circumstances in which the red flags requirements apply. "
The Proposed Rules, like the FTC Red Flags Rules, apply to "financial institutions" and "creditors" that offer or maintain "covered accounts," including all accounts that "a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" as well as "any other account … for which there is a reasonably foreseeable risk to customers … from identity theft." The Proposed Rules clarify that the term "financial institution" includes any "futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that directly or indirectly holds a transaction account belonging to a consumer." The Proposed Rules also apply to broker-dealers, registered investment advisers, and registered investment companies that meet the definitions of "financial institution" or "creditor" under the FCRA. Additionally, under the Proposed Rules, "covered accounts" include margin accounts and brokerage or mutual fund accounts that permit wire transfers or other payments to third parties.
Under the Proposed Rules, each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. If so, the entity must develop and maintain a written identity theft prevention program that includes reasonable policies and procedures to:
identify relevant "red flags," which are patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account;
detect red flags that have been incorporated into the program;
respond appropriately to any red flags that are detected; and
update the program periodically to reflect changes in risk.
The initial written program must be approved by the board of directors or a committee of the board of directors, and the board or senior management must be involved in the oversight and administration of the program. In addition, the program must provide for appropriate staff training and oversight of service provider arrangements.
Entities that are regulated by the SEC or CFTC but have not implemented an identity theft prevention program under the FTC Red Flags Rules should evaluate whether the Proposed Rules apply to their circumstances.
A copy of the Proposed Rules is available here. As noted, comments on the Proposed Rules are due by May 7.
Authored by Michael Epshteyn