In 2003, Congress amended the Fair Credit Reporting Act (FCRA) to require the Federal Trade Commission (FTC) and banking regulators to jointly adopt identity theft red flags rules and guidelines. At that time, the FCRA did not require or authorize the SEC or CFTC to adopt identity theft rules. Instead, the FTC had authority to adopt and enforce these rules with respect to SEC- and CFTC-regulated entities. The Dodd-Frank Act of 2010 amended the FCRA to transfer identity theft rulemaking responsibility and enforcement authority from the FTC to the SEC and CFTC for the entities they regulate.
The SEC and CFTC jointly adopted rules and guidelines that require certain regulated entities that are subject to the SEC's or CFTC's enforcement authority to develop and implement a written program designed to detect, prevent, and mitigate identity theft in connection with certain accounts.
The SEC's rules are substantially similar to the FTC's identity theft rules, which applied to SEC-regulated entities when they were adopted. Therefore, entities subject to the SEC's rules should already be in compliance with the rules' requirements. However, the rules and the rules' adopting release do contain examples and minor language changes designed to help guide entities in complying with the rules, which according to the SEC may lead some entities that had not previously complied with the FTC's rules to determine that they fall within the scope of the SEC's rules. All SEC-regulated entities that fall within the rules' scope must comply with the rules by November 20, 2013.
Entities Subject to the Identity Theft Red Flags Rules.
The SEC's identity theft red flags rules apply to SEC-regulated entities that qualify as financial institutions or creditors under the FCRA and require those financial institutions and creditors that maintain covered accounts to adopt identity theft programs. SEC-regulated entities that are likely to qualify as financial institutions or creditors and to maintain covered accounts include most registered brokers, dealers, and investment companies, and some registered investment advisers.
Financial Institutions. An SEC-regulated entity will generally qualify as a financial institution if it holds a transaction account belonging to an individual. An account may be a transaction account if the individual account owner can personally make payments or transfers of money from his or her account to third parties, or can direct the SEC-regulated entity to make such payments or transfers to third parties.
Creditors. An SEC-regulated entity will generally qualify as a creditor if it advances or loans money to consumers. However, an entity will not qualify as a creditor if it advances money for expenses incidental to a service provided by the entity.
Covered Accounts. A covered account is generally: (1) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; or (2) any other account that poses a reasonably foreseeable risk to customers of identity theft.
Identity Theft Red Flags Rules.
The SEC's identity theft red flags rules require regulated entities to adopt a written identity theft program that includes policies and procedures designed to:
- identify relevant types of identity theft red flags;
- detect the occurrence of those red flags;
- respond appropriately to the detected red flags; and
- periodically update the identity theft program.
Entities that are required to adopt identity theft programs also must provide for the administration of the program, including staff training and oversight of service providers. The rules do not single out specific red flags as mandatory, require specific policies and procedures to identify possible red flags, or prescribe a specific method of detecting red flags. The rules do, however, include guidelines and examples of red flags to help firms administer their programs. An identity theft program should be appropriate to the size and complexity of the entity and the nature and scope of its activities.
Sources: Identity Theft Red Flags Rules: A Small Entity Compliance Guide (www.sec.gov/info/smallbus/secg/identity-theft-red-flag-secg.htm); Identity Theft Red Flags Rule, SEC Release No. IA-3582, IC-30456 (April 10, 2013).