On April 10, the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) approved a final rule requiring broker-dealers, registered investment companies, investment advisors, and other “financial institutions” and “creditors” regulated by the SEC or CFTC to set up programs to flag and deter identity theft.
The new SEC and CFTC rules are substantially similar to the identity theft red flags rules issued by the Federal Trade Commission and banking regulators (the “Agencies”) in 2007 under the Fair and Accurate Credit Transactions Act (“FACTA”) amendments to the Fair Credit Reporting Act (“FCRA”). The new SEC and CFTC rules were prompted by 2010 Dodd-Frank Act amendments to FCRA section 615(e) that require the SEC and CFTC to adopt and enforce red flags rules as well.
The new rules do not add new requirements or include new categories of entities beyond the Agencies’ rules. The new rules, however, contain “examples and minor language changes designed to help guide entities within the SEC’s enforcement authority in complying with the rules, which may lead some entities that had not previously complied with the Agencies to determine that they fall within the scope of” the new rules. So, for most entities, the new rules will impose no additional requirements. Entities not covered by the previous identity theft rules, however, will have to establish programs to comply with the new rules and should represent and warrant that they comply when they enter into co-brand agreements with partner banks and financial institutions.
Entities that offer or maintain accounts covered by the rule must develop and implement a written identity theft program appropriate for the size and complexity of the entity. The program must contain four elements: identification of red flags, detection of red flags, risk-based responses to red flags, and periodic updating of the program. The program must be overseen by the entity’s board of directors, a committee of the board, or a designated senior management employee. The program must also provide for staff training.
As directed by the Dodd-Frank Act, the SEC and CFTC also released rules to assess the validity of notices of address change under FCRA section 615(e)(1)(c) that theoretically apply to credit and debit card issuers subject to SEC or CFTC enforcement authority.
Importantly, the SEC and CFTC opined that, as a practical matter, no entities under their enforcement authority would be subject to these rules because those entities do not issue debit or credit cards – the cards are issued by the partner bank or financial institution.
The final rules become effective 30 days after publication in the Federal Register. Affected entities will then have six months to comply with the new rule.
The final rule release is available on the SEC’s website.