The SEC and CFTC recently issued joint Identity Theft Red Flags Rules (the “Rules”), which are rules and guidelines requiring certain financial institutions worldwide to adopt comprehensive data security programs to detect red flags and prevent identity theft. Pursuant to the Rules, covered entities must develop and implement a written, board-approved program which identifies and detects the relevant warning signs – or “red flags” – of identity theft. Given the Rules’ potential breadth and scope, SEC-registered investment advisers, broker-dealers, mutual funds, commodity pool operators, commodity trading advisors and futures commission merchants should carefully consider whether and how the Rules apply to their organizations. In addition, all companies should keep in mind that certain state laws may require adoption of privacy practices and procedures to limit the risk of identity theft and to protect against loss of consumers’ personal information.

To Whom do the Red Flags Rules Apply?

The Red Flags Rules further the SEC’s and CFTC’s efforts to protect consumers from identity theft. Covered entities are required to develop and implement a program of identity theft prevention for combating identity theft.

General Considerations

Section 615(e)(1)(A) and (B) of the Fair Credit Reporting Act (the “FCRA”), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”),¹ requires that the SEC and the CFTC (each, an “Agency” and, collectively, the “Agencies”) jointly establish and maintain guidelines for “financial institutions” and “creditors” regarding identity theft.² The Rules apply to any financial institution or creditor that offers or maintains “covered accounts” and is subject to SEC or CFTC enforcement authority. As a result, the Rules may affect SEC-registered investment advisers, broker-dealers or mutual funds, and entities subject to supervision by the CFTC as commodity pool operators, commodity trading advisors or futures commission merchants that meet the definition of financial institution or creditor.

A financial institution is defined as any “person that, directly or indirectly, holds a transaction account . . . belonging to a consumer.”³ A transaction account includes any account on which an individual is permitted to “make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”⁴ A creditor is defined as an entity that “regularly and in the course of business . . . advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.”⁵ The SEC Rule expressly indicates this would include brokers or dealers who offer margin accounts, securities lending services and short selling services. The Rules list those entities the SEC and CFTC consider most likely to be deemed financial institutions or creditors.⁶

As discussed above, the Rules apply only to financial institutions and creditors offering or maintaining “covered accounts.” The Rules define a covered account as (1) an account offered or maintained primarily for “personal, family, or household purposes” designed to permit multiple payments or transactions, or (2) “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers . . . of identity theft.”⁷ The SEC and CFTC emphasize that covered accounts must represent a continuing relationship between the person and financial institution or creditor to obtain a product or service for personal, family or household purposes. The Agencies explain that where accounts are not primarily for personal, family or household use, a financial institution or creditor may implement a program under the Rules addressing only those accounts that present a reasonably foreseeable risk of identity theft.

In adopting the Rules, the SEC and CFTC expressly acknowledged that entities deemed to be a financial institution or creditor which already have adopted a written identity theft prevention program pursuant to rules adopted by other federal agencies are not required to seek board re-approval of such program provided the program otherwise meets the requirements of the Rules.

Special Considerations for Investment Advisers

Despite receiving numerous comments requesting that investment advisers be excluded from the scope of the Rules, the SEC expressly declined to do so.⁸ In declining to exclude investment advisers, the SEC explained that an adviser who retains the ability to “direct transfers or payments from an individual investor’s account” to a third party upon the investor’s instructions, holds a transaction account for purposes of the Rules. The SEC attempted to clarify this position through two examples. Under the Rules, an investment adviser authorized to direct payments from an individual investor’s account (whether or not such investor’s funds are held with a qualified custodian) to a third party would be deemed to hold a transaction account. In the SEC’s view, the same outcome would likely apply to a private fund adviser authorized to direct investment proceeds, including redemption and distribution payments, to a third party. The SEC noted that an investment adviser with authority to withdraw funds from an individual investor’s account to pay the adviser’s fee would not be deemed to hold a transaction account for purposes of the Rules.

The SEC and CFTC clarified in the adopting release that the Rules do not create any additional identity theft program requirements beyond those already imposed by rules adopted by other federal agencies (including the Federal Trade Commission (the “FTC”)), and do not expand the scope of such rules. Nonetheless, the application of the “financial institution” and “transaction account” definitions in the Rules to investment advisers, and the illustrative examples of such terms as applied to investment advisers in the adopting release, may cause certain investment advisers that had previously concluded they were not required to adopt an identity theft prevention program pursuant to other federal agencies’ rules to adopt a red flag program under the Rules.

What are the “Red Flags” of Identity Theft?

The Rules define a red flag as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” The Rules do not specifically identify relevant red flags, but rather allow covered entities to determine relevant red flags, based on (1) the types of covered accounts offered or maintained; (2) the methods provided to open covered accounts; (3) the methods provided to access covered accounts; and (4) previous experiences with identity theft. Thus, creditors and financial institutions will need to review their databases and security programs to analyze possible points of entry. Creditors and financial institutions will also need to assess: any previous warnings of identity theft; whether competitors have experienced identity theft; whether there has been unusual account activity; and whether consumer reporting agencies have issued any fraud detection alerts. The Rules provide covered entities with a list of several identity theft red flags for consideration. Accordingly, entities should examine the examples provided in the Rules and determine if any apply.

What Type of Program is Required?

Covered entities must institute a written, board-approved identity theft program that provides a means for identifying, detecting, preventing and mitigating theft of their customers’ personal information. More specifically, subject financial institutions and creditors must have a Program that allows them to: (1) identify relevant patterns, practices, and specific activities that are “red flags” signaling possible identity theft and incorporate those red flags into the Program; (2) detect red flags that have been incorporated into the Program; (3) respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and (4) ensure that the Program is updated periodically to reflect changes in risks of identity theft.

The Rules also compel: board approval of the initial written Program; ensuring oversight of the development, implementation and administration of the Program; training for staff; and oversight of any service providers. Covered entities are permitted to tailor their Programs to their operations so long as the Program is appropriate to the size and complexity of the creditor or financial institution and the nature and scope of its activities. Companies should therefore consider the types of customer information stored. If a covered entity maintains background personal information in addition to social security number and bank account information, then the Program must account for the importance of that information and identity thieves’ ability to use it for improper purposes. Companies should further consider how the information is maintained, whether the data is segregated into different databases, whether it is encrypted and how it is encrypted. Analysis and incorporation of relevant existing processes and procedures that control reasonably foreseeable risks to customers’ identity may be useful.

What Oversight is Required over Service Providers?

Organizations that engage service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. If a third-party service provider loses customers’ personal information, the financial institution may be found to have run afoul of the Rules if it failed to exercise appropriate and effective oversight over the service provider arrangement.

Conclusion

Organizations are encouraged to review the Rules and analyze any processes or procedures currently in place. All organizations present a unique set of customers, security needs and variable risks. The size and scope of an organization and the nature of its business will determine what security measures are appropriate. Taking an objective hard look at your organization is step one in avoiding an enforcement action, ensuring the continued patronage of your customers, and protecting your customers from the very serious risks of identity theft.