On February 28, 2012, the SEC and the CFTC jointly proposed rules that would require funds and advisers to affirmatively combat identity theft. The proposed rules would require registered investment companies, investment advisers, commodity pool operators ("CPOs"), commodity trading advisors ("CTAs"), and other SEC- or CFTC-regulated entities to create programs to detect and respond to red flags. The proposed rules would also establish special requirements for certain credit and debit card issuers to assess the validity of notifications of changes of address in certain circumstances.

COVERED FINANCIAL INSTITUTIONS AND ACCOUNTS. The SEC's proposed rules and guidelines would apply to a financial institution or creditor, as defined by the Fair Credit Reporting Act of 1970 (the "FCRA"), including SEC-registered investment companies, investment advisers, brokers, dealers, and other entities registered under the Securities Exchange Act of 1934. The CFTC's proposed rule would apply to CPOs, CTAs, futures commission merchants, introducing brokers, swap dealers, major swap participants, and retail foreign exchange dealers.

A "covered account" would include any account "that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft." The SEC's proposed definition includes, for example, a brokerage account with a broker-dealer and an account maintained by a mutual fund that permits wire transfers or other payments to third parties. The CFTC's proposed definition of a "covered account" includes a margin account as an example.

REQUIRED IDENTITY THEFT PROGRAM. The proposed rules would require covered entities to adopt a written identity theft program ("Program") that would include reasonable policies and procedures designed to: (1) identify relevant red flags; (2) detect the occurrence of red flags; (3) respond appropriately to the detected red flags; and (4) provide for periodic updates.

The joint proposal includes guidelines and examples of red flags to assist covered entities in developing and implementing a Program in compliance with the proposed rules.

The proposed guidelines clarify that a covered entity may incorporate into its Program its existing policies and procedures that control reasonably foreseeable risks of identity theft.

Identifying and Detecting Red Flags. The proposed guidelines identify the following risk factors for a financial institution to consider in identifying red flags: (1) the types of covered accounts offered; (2) the methods provided to open the accounts; (3) the methods provided to access the accounts; and (4) previous experiences with identity theft. The proposing release acknowledges that, for example, red flags relevant to margin accounts may differ from those relevant to advisory accounts.

The proposed guidelines also identify categories of red flags that financial institutions must consider including in their Programs, including unusual use of, or other suspicious activity related to, a covered account.

In addition, the proposed guidelines provide examples of policies and procedures that a financial institution must consider including in its Program for detecting red flags, such as: (1) in the case of opening a covered account, obtaining identifying information about, and verifying the identity of, the person opening the account; and (2) in the case of existing covered accounts, authenticating customer identities, monitoring transactions, and verifying the validity of change-of-address requests.

Reporting to the Board of Directors. The proposed guidelines would require a covered entity to report at least annually to its board of directors, board committee, or to a designated senior management employee on compliance with the proposed rules. The report would address, among other things: the effectiveness of the policies and procedures; service provider arrangements; incidents involving identity theft and management's response; and recommendations for changes to the Program.

DODD-FRANK ACT AND FAIR CREDIT REPORTING ACT. Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the FCRA from the Federal Trade Commission ("FTC") to the SEC and CFTC. In particular, the Dodd-Frank Act amended the FCRA by adding the SEC and the CFTC to the list of federal agencies required to jointly prescribe and enforce identity theft red-flag rules and guidelines and credit/debit card issuer rules for entities they regulate. [1]

The joint proposal by the SEC and the CFTC is similar to final rules and guidelines adopted in 2007 by the FTC and the other federal financial regulatory agencies previously required to adopt such rules. The SEC and the CFTC noted that most of the entities over which they have jurisdiction are likely already in compliance with the 2007 rules. According to the Commissions, the proposal does not contain any new requirements not in the 2007 rules, and does not expand the scope of the 2007 rules to include new entities. The Commissions stated that the joint proposal contains examples and minor language changes intended to help entities "discern whether and how the identity theft rules and guidelines apply to their circumstances."

DEADLINE FOR COMMENTS. Comments on the proposal must be received by the SEC or the CFTC on or before May 7, 2012.

[1] Identity Theft Red Flags Rules, SEC Release No. IC-29969 (Feb. 28, 2012), available at http://www.sec.gov/rules/proposed/2012/ic-29969.pdf


© Morrison & Foerster LLP. All rights reserved