Deadline Approaching for FTC Red Flags Rule
- Many financial institutions and creditors are required, under a Federal Trade Commission rule commonly known as the "red flags" rule, to develop and implement a written Identity Theft Prevention Program. 72 Fed. Reg. 63718 (Nov. 9, 2007) (adopting 16 C.F.R. § 681.2). The rule applies to broker-dealers that are "creditors," and it now appears likely that it also applies to most mutual funds. Implementation of a program, which requires action by a board or committee, is required by November 1, 2008, so there is only a month and a half remaining.
A little background is necessary to understand why, if the rule applies to most funds, so many of them have not yet taken action to adopt an identity theft program. The statutory authority for the program is under section 114 of the Fair and Accurate Credit Transactions Act of 2003, and the FTC and bank regulators adopted implementing rules last year. The entities subject to the rules are creditors and "financial institutions." A "financial institution" is defined as any of certain depository institutions, "or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer." A consumer, for this purpose, is an individual.
Section 19(b) of the Federal Reserve Act, 12 U.S.C. § 461(b), defines "transaction account" for purposes of depository institutions' reserve requirements. The depository institutions subject to these requirements include foreign bank branches and certain mortgage lenders, which are not otherwise included in the FACTA definition of "financial institution." So is the effect of this definition just to pick up foreign bank branches and mortgage lenders, when they have transaction accounts belonging to individuals? Or does it include any entity that holds at least one account that belongs to a consumer and is similar to the transaction accounts held by depository institutions?
When it adopted the red flags rule, the FTC seemed quite clear: "the only financial institutions over which the FTC has jurisdictions are state-chartered credit unions." (Other depository institutions were subject to the counterpart rules adopted by the bank regulators.) Mutual funds, it seemed, had nothing to worry about. The FTC in June issued an FTC Business Alert saying its jurisdiction also included "certain other entities that hold consumer transaction accounts," but that didn't seem to raise any concerns either - it looked like the FTC had just realized that it also needed to worry about Federal Home Loan Bank members that make long-term home mortgage loans.
On July 17, however, the Investment Company Institute issued an Urgent Memorandum warning that the FTC rule appears to apply to investment companies that hold transaction accounts. Apparently the FTC staff had some misgivings about the earlier position; it is thought that at some point the FTC will formalize its new position that the affected financial institutions are not limited to depository institutions. Meanwhile, the fund industry as a whole is treating the rule as applicable to mutual funds that hold consumer transaction accounts, so any funds that hold consumer transaction accounts and fail to implement an identity theft program risk becoming outliers that are not in compliance with industry-standard policies and procedures.
In general, a transaction account is an account that may be used to provide funds directly or indirectly for the purpose of making payments or transfers to third persons or others. The Board of Governors of the Federal Reserve System has statutory authority to adopt regulations expanding on this definition, and it has done so. 12 C.F.R. § 204.2(e). Any ability to write checks will make an account a transaction account. More significantly, an account is a transaction account if the consumer can make more than six transfers per month to third parties, using preauthorized transfers or telephone, electronic data, or faxed instructions. It is the ability to make more than six transfers per month that is determinative, not whether that ability actually is utilized. Of course, there are a great many funds that allow their holders to make wire or ACH transfers to their bank, which is a third party under Federal Reserve guidance. An account may also be a transaction account if the consumer can make more than six exchanges per month into another account at the same institution (except when the exchange is ordered by mail or in person).
It seems likely, therefore, that the majority of mutual funds will be "financial institutions" subject to the red flags rule, unless they limit their holders of record to institutional investors and financial intermediaries. Some funds, particularly those that have only a few individual holders (e.g., employees of the investment manager), may want to limit their shareholders' ability to make transactions so that they will not be subject to the rule.
If a fund is subject to the red flags rule, it is not just subject to it with respect to consumer accounts. The rule also applies to any other account for which there is a reasonably foreseeable risk from identity theft. Financial institutions are required periodically to conduct risk assessments to determine whether they offer or maintain such accounts.
Financial institutions and creditors that offer or maintain one or more covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The program must include reasonable policies and procedures to identity relevant red flags, detect and respond appropriately to any red flags, and ensure the program is updated periodically. The program must be approved by the board or an appropriate committee by November 1; the board or committee may act by unanimous consent, rather than holding a special meeting. The program may incorporate, as appropriate, existing policies, procedures, and other arrangements.
The joint release of the FTC and banking regulators, adopting the red flags rule, is online at
John M. Baker <JMB@...>
Stradley Ronon Stevens & Young, LLP http://www.stradley.com
1220 19th Street NW, Suite 600
Washington DC 20036
FundLaw Listowner http://groups.yahoo.com/group/fundlaw