SEC and CFTC Issue Identity Theft Red Flags Rules Applicable to Financial Institutions and Creditors

by Dechert LLP

The SEC and CFTC recently issued joint Identity Theft Red Flags Rules (the “Rules”), rules and accompanying guidelines that require certain SEC- and CFTC-regulated financial institutions and creditors to adopt written identity theft prevention programs that detect “red flags” and prevent identity theft. Under the Rules, covered entities must develop and implement a written, board-approved program that identifies and detects the relevant warning signs, or red flags, of identity theft. Given the Rules’ potential breadth, SEC-registered investment advisers, broker-dealers, mutual funds, commodity pool operators, commodity trading advisors and futures commission merchants should carefully consider whether and how the Rules apply to their organizations. In addition, all companies should keep in mind that certain state laws may independently require privacy practices and procedures to limit the risk of identity theft and to protect against loss of consumers’ personal information.

To Whom do the Red Flags Rules Apply?

The Red Flags Rules further the SEC’s and CFTC’s efforts to protect consumers from identity theft. Covered entities are required to develop and implement an identity theft prevention program; which entities are covered turns on the definitions of “financial institution,” “creditor” and “covered account” discussed below.

General Considerations

Section 615(e)(1)(A) and (B) of the Fair Credit Reporting Act (the “FCRA”), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”),1 requires that the SEC and the CFTC (each, an “Agency” and, collectively, the “Agencies”) jointly establish and maintain guidelines for “financial institutions” and “creditors” regarding identity theft.2 The Rules apply to any financial institution or creditor that offers or maintains “covered accounts” and is subject to SEC or CFTC enforcement authority. As a result, the Rules may affect SEC-registered investment advisers, broker-dealers or mutual funds, and entities subject to supervision by the CFTC as commodity pool operators, commodity trading advisors or futures commission merchants that meet the definition of financial institution or creditor.

A financial institution is defined as any “person that, directly or indirectly, holds a transaction account . . . belonging to a consumer.”3 A transaction account includes any account on which an individual is permitted to “make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”4 A creditor is defined as an entity that “regularly and in the course of business . . . advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.”5 The SEC Rule expressly indicates this would include brokers or dealers who offer margin accounts, securities lending services and short selling services. The Rules list those entities the SEC and CFTC consider most likely to be deemed financial institutions or creditors.6

As discussed above, the Rules apply only to financial institutions and creditors offering or maintaining “covered accounts.” The Rules define a covered account as (1) an account offered or maintained primarily for “personal, family, or household purposes” designed to permit multiple payments or transactions, or (2) “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers . . . of identity theft.”7 The SEC and CFTC emphasize that covered accounts must represent a continuing relationship between the person and financial institution or creditor to obtain a product or service for personal, family or household purposes. The Agencies explain that where accounts are not primarily for personal, family or household use, a financial institution or creditor may implement a program under the Rules addressing only those accounts that present a reasonably foreseeable risk of identity theft.

In adopting the Rules, the SEC and CFTC expressly acknowledged that entities deemed to be a financial institution or creditor which already have adopted a written identity theft prevention program pursuant to rules adopted by other federal agencies are not required to seek board re-approval of such program provided the program otherwise meets the requirements of the Rules.

Special Considerations for Investment Advisers

Despite receiving numerous comments requesting that investment advisers be excluded from the scope of the Rules, the SEC expressly declined to do so.8 In declining to exclude investment advisers, the SEC explained that an adviser who retains the ability to “direct transfers or payments from an individual investor’s account” to a third party upon the investor’s instructions holds a transaction account for purposes of the Rules. The SEC illustrated this position with examples. An investment adviser authorized to direct payments from an individual investor’s account to a third party (whether or not the investor’s funds are held with a qualified custodian) would be deemed to hold a transaction account. In the SEC’s view, the same outcome would likely apply to a private fund adviser authorized to direct investment proceeds, including redemption and distribution payments, to a third party. By contrast, the SEC noted that an investment adviser whose only authority is to withdraw funds from an individual investor’s account to pay the adviser’s fee would not be deemed to hold a transaction account for purposes of the Rules.

The SEC and CFTC clarified in the adopting release that the Rules do not create any additional identity theft program requirements beyond those already imposed by rules adopted by other federal agencies (including the Federal Trade Commission (the “FTC”)), and do not expand the scope of such rules. Nonetheless, the application of the “financial institution” and “transaction account” definitions in the Rules to investment advisers, and the illustrative examples of such terms as applied to investment advisers in the adopting release, may cause certain investment advisers that had previously concluded they were not required to adopt an identity theft prevention program pursuant to other federal agencies’ rules to adopt a red flag program under the Rules.

What are the “Red Flags” of Identity Theft?

The Rules define a red flag as “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” The Rules do not prescribe a mandatory set of red flags; instead, each covered entity identifies the red flags relevant to it, based on (1) the types of covered accounts it offers or maintains; (2) the methods it provides to open covered accounts; (3) the methods it provides to access covered accounts; and (4) its previous experiences with identity theft. Creditors and financial institutions will therefore need to review their systems, data stores and security programs to analyze possible points of entry. They will also need to assess: any previous warnings of identity theft; whether competitors have experienced identity theft; whether there has been unusual account activity; and whether consumer reporting agencies have issued any fraud detection alerts. The guidelines accompanying the Rules do include a supplemental list of example red flags for consideration, and covered entities should examine those examples and determine which apply to their own accounts and operations.

What Type of Program is Required?

Covered entities must institute a written, board-approved identity theft prevention program (the “Program”) that provides a means for identifying, detecting, preventing and mitigating identity theft in connection with their covered accounts. More specifically, subject financial institutions and creditors must have a Program that allows them to: (1) identify relevant patterns, practices and specific activities that are red flags signaling possible identity theft, and incorporate those red flags into the Program; (2) detect the red flags that have been incorporated into the Program; (3) respond appropriately to any red flags that are detected in order to prevent and mitigate identity theft; and (4) ensure that the Program is updated periodically to reflect changes in the risks of identity theft.

The Rules also compel: board approval of the initial written Program; oversight of the development, implementation and administration of the Program; training for staff; and oversight of any service providers. Covered entities are permitted to tailor their Programs to their operations so long as the Program is appropriate to the size and complexity of the creditor or financial institution and the nature and scope of its activities. Companies should therefore consider the types of customer information they store. If a covered entity maintains background personal information in addition to social security numbers and bank account information, then the Program must account for the sensitivity of that information and identity thieves’ ability to use it for improper purposes. Companies should further consider how the information is maintained: whether the data is segregated into different databases, whether it is encrypted and how it is encrypted, and which personnel and service providers can access it. Analysis and incorporation of relevant existing processes and procedures that already control reasonably foreseeable risks to customers’ identities may be useful.

What Oversight is Required over Service Providers?

Organizations that engage service providers must ensure that the providers conduct their activities in accordance with reasonable policies and procedures designed to detect, prevent and mitigate the risk of identity theft. If a third-party service provider loses customers’ personal information, the financial institution may be found to have run afoul of the Rules if it failed to exercise appropriate and effective oversight over the service provider arrangement.


Organizations are encouraged to review the Rules and analyze any processes or procedures currently in place. All organizations present a unique set of customers, security needs and variable risks. The size and scope of an organization and the nature of its business will determine what security measures are appropriate. Taking an objective hard look at your organization is step one in avoiding an enforcement action, ensuring the continued patronage of your customers, and protecting your customers from the very serious risks of identity theft.


1 Pub. L. 111-203, 124 Stat. 1376 (2010).

2 See FCRA § 615(e)(1), 15 U.S.C. 1681m(e)(1). In addition, section 1088(a)(10)(A) of the Dodd-Frank Act added the Agencies to the list of federal administrative agencies responsible for enforcement of rules pursuant to section 621(b) of the FCRA. 15 U.S.C. § 1681s(b)(1)(F)–(G).

3 15 U.S.C. 1681a(t).

4 12 U.S.C. 461(b)(1)(C).

5 15 U.S.C. 1681m(e)(4)(A)(iii).

6 For example, the SEC explains that the Rules would apply to any “financial institution” or “creditor” registered or required to register as (i) a broker, dealer or otherwise under the Securities Exchange Act of 1934; (ii) an investment adviser registered (or required to be registered) under the Investment Advisers Act of 1940; or (iii) an investment company registered (or required to register) under the Investment Company Act of 1940, that elects to be treated as a business development company or that operates as an employees’ securities company. § 248.201(a). Thus, the Rules do not apply to such entities per se, but only to those that are otherwise financial institutions or creditors, based on their activities.

7 17 CFR § 162.30(b)(3) (CFTC) and § 248.201(b)(3) (SEC). The SEC’s definition of covered account specifically includes a brokerage account with a broker-dealer or an account maintained by a mutual fund that permits wire transfers or other payments to third parties.

8 Specifically, commenters argued that because an investment adviser generally does not “hold” transaction accounts, it could not be a financial institution under the Rules.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
