Impact of the SEC and CFTC Issuing Final Identity Theft “Red Flag” Rules

by K&L Gates LLP

On April 19, 2013, the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC” and, together with the SEC, the “Commissions”) published final rules (“Red Flag Rules”) in the Federal Register (the “Adopting Release”) requiring each “financial institution” or “creditor” that offers a “covered account” to develop and implement by November 20, 2013 a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts and the opening of new accounts (a “Program”). The Red Flag Rules serve as the SEC and CFTC versions of the “red flag” rules that the banking regulators and the Federal Trade Commission (“FTC”) adopted in 2007 (the “Joint Red Flag Rules”) and in effect transfer jurisdiction from the FTC to the Commissions for entities under their regulation. For entities that adopted programs under the Joint Red Flag Rules, little will change; however, based on statements in the Adopting Release, entities such as investment advisers, commodity pool operators and commodity trading advisors that did not previously comply with the Joint Red Flag Rules will need to carefully assess whether they fall within the scope of the Red Flag Rules.

In general, the Red Flag Rules do not contain new substantive requirements and are substantially similar to the red flag rules issued by the FTC. The Commissions expressly noted in the Adopting Release that entities subject to their respective enforcement authorities, whose activities fall within the scope of the Red Flag Rules, should already be in compliance with the Joint Red Flag Rules. Therefore, to the extent that broker-dealers, registered investment companies, investment advisers, futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers and major swap participants are already in compliance with the Joint Red Flag Rules and have adopted a Program, little will change with respect to their current compliance obligations or Programs. Entities that are already in compliance with the Joint Red Flag Rules should review their Programs and update them as necessary (e.g., to change rule citations from the FTC versions to the SEC/CFTC versions of the rules).

The Adopting Release does contain examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the new rules and in assessing whether they are required to adopt a Program under the Red Flag Rules. Most notably and as discussed below, the Adopting Release describes a number of examples in which a registered investment adviser would be subject to the Red Flag Rules and would be required to adopt and implement a Program. 

Recently registered commodity pool operators and commodity trading advisors, as well as dually registered entities (i.e., entities that are subject to both SEC and CFTC regulation with respect to their activities), also should consider the applicability of the Red Flag Rules, especially if they had not implemented a Program under the Joint Red Flag Rules. Similarly, a commodity pool operator or commodity trading advisor that had not implemented a Program under the Joint Red Flag Rules in the past should consider whether the Red Flag Rules as articulated by the CFTC apply to it going forward.

Determining Whether the Red Flag Rules Apply. Unlike a number of regulations that apply simply on the basis of an entity being registered with the SEC or CFTC, determining whether an entity is subject to the Red Flag Rules requires a two-step analysis. First, for the Red Flag Rules to apply, the entity must meet the definition of “financial institution” or “creditor.” Second, the entity must offer and maintain one or more “covered accounts.” If an entity meets both prongs, then it will need to adopt a Program. If the entity meets only the first prong, then the entity is not required to adopt a Program but will need to periodically assess its accounts and relationships to determine whether it has covered accounts. Therefore, allowing a customer to do something new, such as send account proceeds to a third party, may trigger the Program requirement, even if the financial institution or creditor was not subject to the rule before.

Examples of SEC and CFTC Regulated Entities that are Financial Institutions and/or Creditors for Purposes of the Red Flag Rules. Like the Joint Red Flag Rules, the Red Flag Rules apply to “financial institutions” and “creditors.” In general, “financial institution” includes “any other person that, directly or indirectly, holds a transaction account belonging to a consumer.” “Transaction account” includes “an account on which the . . . account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”

The Adopting Release lists the following as illustrative examples of an SEC-regulated entity that could fall within the meaning of the term “financial institution”: (i) a broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payment or transfers out of those accounts to third parties.

Tracking the Joint Red Flag Rules, the Commissions’ definitions of “creditor” refer to the definition of “creditor” in the Fair Credit Reporting Act. The CFTC definition of creditor in the Red Flag Rules states that creditor includes any futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that regularly extends, renews, or continues credit; regularly arranges for the extension, renewal, or continuation of credit; or in acting as an assignee of an original creditor, participates in the decision to extend, renew, or continue credit.

Applicability to SEC Registered Investment Advisers and CFTC Registered Commodity Pool Operators and Commodity Trading Advisors. In the view of the regulators, investment advisers that have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risk of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risk of identity theft and loss of assets as consumers holding accounts with other financial institutions. If an adviser does not have a program in place to verify investors’ identities and detect identity theft red flags, another individual may deceive the adviser by posing as an investor or client. Although not expressed in the Adopting Release, as a practical matter, commodity pool operators and commodity trading advisors face the same types of potential risks with respect to identity theft.

A number of commenters on the proposed rule argued that investment advisers do not “hold” transaction accounts because they do not have custody of client assets (i.e., the assets are custodied at a bank or broker-dealer), and thus would not be “financial institutions” subject to the Red Flag Rules. As stated in the Adopting Release, the SEC has concluded otherwise. For example, the SEC states that even if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account. By contrast, an adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making payments to third parties.

It appears that, like SEC-registered investment advisers that do not have custody, commodity pool operators and commodity trading advisors would be treated as potentially having transaction accounts even though by law they cannot have custody of client assets (generally, the assets must be held at a futures commission merchant).

Thus, investment advisers, commodity pool operators and commodity trading advisors that do not currently maintain a Program should revisit the question of whether they are required to adopt one.

Registered Investment Advisers to Private Funds. In the Adopting Release, the SEC explicitly stated that registered investment advisers to private funds also may, under certain circumstances, directly or indirectly hold transaction accounts. If an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account. For example, a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor. Again, investment advisers to private funds that do not currently maintain a Program should revisit the question of whether they are required to adopt one. The same is true for commodity pool operators that currently do not maintain a Program.

Which Financial Institutions and/or Creditors Must Implement a Program. Under the Red Flag Rules, a financial institution or creditor must establish a Program if it offers or maintains “covered accounts.” “Account” is defined as a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes (e.g., a brokerage account or mutual fund account). The Commissions define the term “covered account” as: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The CFTC’s definition includes a margin account as an example of a covered account, and the SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.

The Red Flag Rules require all financial institutions and creditors to assess, and to periodically reassess, whether they offer or maintain covered accounts. As part of this determination, each must conduct a risk assessment that takes into consideration: (i) the methods it provides to open accounts; (ii) the methods it provides to access its accounts; and (iii) its previous experience with identity theft. The Adopting Release notes that financial institutions and creditors should consider whether a reasonably foreseeable risk of identity theft may exist in connection with accounts opened or accessed remotely, such as through the internet or by telephone. Even if they determine that they do not need a Program, they must periodically reassess that decision to account for changes in their business model, accounts, or identity theft experience.

Required Elements of a Program. A Program must include reasonable policies and procedures to:

  • Identify relevant “red flags” for covered accounts and incorporate those red flags into the Program;
  • Detect red flags that have been incorporated into the Program;
  • Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
  • Ensure that the Program (including the red flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the entity from identity theft.

A “red flag” is a pattern, practice, or specific activity that indicates the possible existence of identity theft. Guidelines in the appendix to the Red Flag Rules include a number of examples of red flags. The examples include inconsistencies in personal identifying information, incomplete account opening information, changes in account usage, adding an authorized person to an account shortly after the account address has changed, and mail being returned as undeliverable although transactions continue.
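As an added illustration, not part of the K&L Gates update or the Commissions’ rule text, the appendix examples just listed can be expressed as detection rules that run over an account’s event history, which is how the “detect red flags” element of a Program typically ends up being implemented. The event types, field names, thresholds (a 30-day window between an address change and a new authorized user, a payment more than five times the account’s median) and the sample records below are all constructed for this example; the Red Flag Rules set no such numbers and leave detection methods to each entity’s own risk assessment.

```python
"""Illustrative red-flag detection over constructed account events.

Event schema, rule thresholds and sample data are assumptions for this
example, not anything specified by the SEC/CFTC Red Flag Rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed thresholds; an entity would set these from its own risk assessment.
ADDRESS_TO_AUTH_USER_WINDOW = timedelta(days=30)
USAGE_SPIKE_MULTIPLIER = 5.0
REQUIRED_OPENING_FIELDS = ("name", "dob", "ssn_last4", "address")


def _ts(date_str):
    return datetime.strptime(date_str, "%Y-%m-%d")


def detect_red_flags(events):
    """Return (account_id, flag_code, detail) tuples for every rule that fires.

    `events` is a list of dicts with at least 'account', 'date' (YYYY-MM-DD)
    and 'type'; events are grouped per account and processed in date order.
    """
    flags = []
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    for acct, evs in by_account.items():
        evs.sort(key=lambda e: e["date"])  # ISO dates sort lexicographically
        on_file = None                # identity data captured at account opening
        last_address_change = None    # for the address-change -> new-user rule
        mail_returned_at = None       # for the returned-mail-but-activity rule
        payment_amounts = []          # baseline for the usage-change rule
        known_payees = set()

        for ev in evs:
            t, kind = _ts(ev["date"]), ev["type"]

            if kind == "open":
                # Incomplete account-opening information
                missing = [f for f in REQUIRED_OPENING_FIELDS if not ev.get(f)]
                if missing:
                    flags.append((acct, "INCOMPLETE_APPLICATION", f"missing {missing}"))
                on_file = ev

            elif kind == "identity_update" and on_file is not None:
                # Personal identifying information inconsistent with what is on file
                for field in ("dob", "ssn_last4"):
                    if field in ev and ev[field] != on_file.get(field):
                        flags.append((acct, "PII_INCONSISTENT",
                                      f"{field} {on_file.get(field)!r} -> {ev[field]!r}"))

            elif kind == "address_change":
                last_address_change = t

            elif kind == "add_authorized_user":
                # Authorized person added shortly after the account address changed
                if last_address_change and t - last_address_change <= ADDRESS_TO_AUTH_USER_WINDOW:
                    days = (t - last_address_change).days
                    flags.append((acct, "AUTH_USER_AFTER_ADDRESS_CHANGE",
                                  f"{days} days after address change"))

            elif kind == "mail_returned":
                mail_returned_at = t

            elif kind == "payment":
                amount, payee = ev["amount"], ev["payee"]
                # Mail returned as undeliverable although transactions continue
                if mail_returned_at and t > mail_returned_at:
                    flags.append((acct, "ACTIVITY_AFTER_RETURNED_MAIL",
                                  f"payment {amount} to {payee}"))
                # Change in account usage: amount far above the account's own baseline
                if len(payment_amounts) >= 3 and amount > USAGE_SPIKE_MULTIPLIER * median(payment_amounts):
                    flags.append((acct, "USAGE_CHANGE",
                                  f"{amount} vs median {median(payment_amounts)}"))
                # Change in account usage: first payment to a previously unseen third party
                if payment_amounts and payee not in known_payees:
                    flags.append((acct, "NEW_THIRD_PARTY_PAYEE", payee))
                payment_amounts.append(amount)
                known_payees.add(payee)
    return flags


# Constructed sample history: account A1 exhibits a takeover-style sequence,
# account B2 is only missing opening information.
SAMPLE_EVENTS = [
    {"account": "A1", "date": "2013-01-05", "type": "open", "name": "J. Doe",
     "dob": "1970-02-03", "ssn_last4": "1234", "address": "1 Main St"},
    {"account": "A1", "date": "2013-02-01", "type": "payment", "amount": 500.0, "payee": "Utility Co"},
    {"account": "A1", "date": "2013-03-01", "type": "payment", "amount": 520.0, "payee": "Utility Co"},
    {"account": "A1", "date": "2013-04-01", "type": "payment", "amount": 480.0, "payee": "Utility Co"},
    {"account": "A1", "date": "2013-05-02", "type": "address_change", "address": "99 Other Ave"},
    {"account": "A1", "date": "2013-05-10", "type": "add_authorized_user", "name": "R. Roe"},
    {"account": "A1", "date": "2013-05-12", "type": "identity_update", "dob": "1971-02-03"},
    {"account": "A1", "date": "2013-05-15", "type": "mail_returned"},
    {"account": "A1", "date": "2013-05-20", "type": "payment", "amount": 9000.0, "payee": "Offshore Ltd"},
    {"account": "B2", "date": "2013-06-01", "type": "open", "name": "K. Lee",
     "dob": "", "ssn_last4": "5678", "address": "2 Elm St"},
    {"account": "B2", "date": "2013-06-15", "type": "payment", "amount": 100.0, "payee": "Grocer"},
]

if __name__ == "__main__":
    for acct, code, detail in detect_red_flags(SAMPLE_EVENTS):
        print(f"{acct}: {code} ({detail})")
```

Each rule is deliberately independent, so a single account can trigger several at once (A1 above trips five); the “respond appropriately” element of a Program is then a matter of routing those codes to whatever verification or hold procedure the entity has decided on, which this example does not attempt to model.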

Like anti-money laundering programs, the Program adopted must be appropriate to the size and complexity of the entity and the nature and scope of its activities. In developing their Program, entities subject to the Red Flag Rules can leverage their anti-money laundering programs; their policies and procedures to safeguard customer records and information under Regulation S-P and the CFTC’s privacy rules; and their internal anti-fraud policies and procedures. Although the Red Flag Rules do not have a “reporting component,” information developed during the course of the Program may trigger a reporting requirement under the suspicious activity reporting requirements applicable to broker-dealers, CFTC registered introducing brokers and mutual funds, or under state privacy laws.

The Program must be approved by the entity’s board of directors, an appropriate committee of the board of directors, or, if the entity does not have a board, a designated senior management employee. The rules also provide that the entity must involve the board of directors, an appropriate committee thereof, or a designated senior management employee (e.g., the chief compliance officer) in the oversight, development, implementation and administration of the Program. Furthermore, the rules provide that the entity must train staff, as necessary, to effectively implement the Program. Finally, entities must exercise appropriate and effective oversight of service provider arrangements. The Adopting Release provides little guidance on what such oversight of service providers means in practice.

Conclusion. Entities subject to the Commissions’ enforcement authority that believe they were not subject to the Joint Red Flag Rules should reassess whether they are subject to the Red Flag Rules in light of the information provided in the Adopting Release. Entities that have already adopted a Program pursuant to the Joint Red Flag Rules should review their Programs and update them as necessary.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© K&L Gates LLP | Attorney Advertising
