1371SEC and CFTC Adopt Final Identity Theft Red Flags Rules
- Apr 11, 2013The Securities and Exchange Commission and the Commodity Futures Trading Commission have jointly adopted rules requiring affected entities to develop and implement written identity theft prevention programs that are designed to detect, prevent, and mitigate identity theft in connection with covered accounts. Release Nos. 34-69359, IA-3582, IC-30456 (Apr. 10, 2013). The new rules will apply to most investment companies, broker-dealers, and futures commission merchants, some other regulated entities, and a surprisingly large number of investment advisers. In particular, the SEC expects most investment advisers to private funds to be subject to the rules. Most investment companies and broker-dealers currently have identity theft prevention programs, because they were required by Federal Trade Commission rules; the Dodd-Frank Act transferred rulemaking and enforcement responsibilities to the SEC and the CFTC, effective July 21, 2011, with respect to the entities subject to each agency's enforcement authority. Although investment advisers were similarly subject to the FTC rules in theory, the FTC did not focus on investment advisers, which in many cases will have to adopt an identity theft program for the first time.
The substantive rules, which are required by the Fair Credit Reporting Act, are largely unchanged from the FTC rules, but the SEC and CFTC provided examples and guidance on the rules' coverage in the adopting release. Determining applicability is a two-step process. First, an entity must determine if it is a "financial institution" or a "creditor," as those terms are defined in the FCRA. If it is a financial institution or creditor, then it is required to determine periodically if it offers or maintains "covered accounts" (i.e., accounts that present a risk of identity theft or are personal accounts that permit multiple transactions). If it does offer or maintain covered accounts, then it must develop and implement a written identity theft prevention program, sometimes referred to as a "red flags" program because of the requirement to identify and detect red flags.
For most SEC- and CFTC-regulated entities, the greater risk is that they are "financial institutions." A "financial institution" includes any person that, directly or indirectly, holds a transaction account belonging to a consumer. A "transaction account" includes an account on which the account holder is permitted to make withdrawals for the purpose of making payments or transfers to third persons or others. The SEC's examples include (i) a broker-dealer that offers custodial accounts; (ii) a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and (iii) an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties. In particular, a private fund adviser would hold a transaction account if it has the authority to direct an investor's redemption proceeds to other persons upon instructions received from the investor. The SEC estimates that all broker-dealers, open-end investment companies, and employees' securities companies are likely to qualify as financial institutions or creditors, as are most private fund advisers and about 16% of other investment advisers. Of course, some of these entities will not have to adopt a red flags program, if they determine that they have no consumer accounts and are not at risk of identity theft.
While the CFTC adopted the rules seriatim, without a meeting, the SEC adoption was at an open meeting chaired by Mary Jo White, who was sworn in as Chairman earlier that morning. I suppose that if you're going to have to chair an open meeting an hour after you take office, at least let it be one with a unanimous vote, as in this case. All of the SEC Commissioners, including former Chairman Elisse Walter, said that they looked forward to working with White.
The new rules will be effective 30 days after publication in the Federal Register, and the compliance date will be six months after the effective date. If an entity already has a program in place that meets the requirements of the final rules, its board is not required to reapprove the existing program. The adopting release is available online at
John M. Baker
Stradley Ronon Stevens & Young, LLP
1250 Connecticut Avenue, NW, Suite 500
Washington, DC 20036
FundLaw Listowner http://groups.yahoo.com/group/FundLaw/