On April 10, 2013, CFTC and the SEC issued final rules and guidelines to require certain regulated entities to establish programs to address risks of identity theft. These rules and guidelines implement provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which amended section 615(e) of the Fair Credit Reporting Act (FCRA) and directed the Commissions to adopt rules requiring entities that are subject to the Commissions’ respective enforcement authorities to address identity theft. The rules require financial institutions to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The rules included guidelines to assist entities in the formulation and maintenance of programs that would satisfy the requirements of the rules.
The Rules Effective Date is May 19, 2013, and the Compliance Date is November 19, 2013.
The CFTC added new subpart C to part 162 of the CFTC’s regulations, and the SEC added new subpart C; Regulation S-ID: Identity Theft Red Flags to part 248 of the Securities Exchange Act of 1934, the Investment Company Act of 1940, and the Investment Advisers Act of 1940.
In February 2012, the Commissions jointly proposed for public notice and comment identity theft red flags rules and guidelines and card issuer rules.
The final rules are substantially similar to the proposed rules, and they do not exclude any entities registered with the Commissions from their scope. The SEC’s scope provides that the final rules apply to:
- A broker, dealer or any other person that is registered or required to be registered under the Exchange Act.
- An investment company that is registered or required to be registered under the Investment Company Act, that has elected to be regulated as a business development company, or that operates as an employees’ securities company under that Act.
- An investment adviser that is registered or required to be registered under the Investment Advisers Act.
As in the proposed rules, the Commissions defined the term “covered account” in the final rules as: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The CFTC’s definition includes a margin account as an example of a covered account. The SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.
The Commissions defined an “account” as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.” The CFTC’s definition specifically includes an extension of credit, such as the purchase of property or services involving a deferred payment. The SEC’s definition includes, as examples of accounts, “a brokerage account, a mutual fund account (i.e., an account with an open-end investment company), and an investment advisory account.”
As proposed, the final rules require each financial institution to periodically determine whether it offers or maintains covered accounts. As a part of this periodic determination, a financial institution or creditor must conduct a risk assessment that takes into consideration: (1) the methods it provides to open its accounts; (2) the methods it provides to access its accounts; and (3) its previous experiences with identity theft. A financial institution should consider whether, for example, a reasonably foreseeable risk of identity theft could exist in connection with accounts it offers or maintains that may be opened or accessed remotely or through methods that do not require face-to-face contact, such as through email or the Internet, or by telephone. In addition, if financial institutions offer or maintain accounts that have been the target of identity theft, they should factor those experiences into their determination. The Commissions anticipate that entities will be able to demonstrate that they have complied with applicable requirements, including their recurring determinations regarding covered accounts. If a financial institution initially determines that it does not need to have a Program, it is required to periodically reassess whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various other factors set forth in the regulations.
The rules provide that each financial institution that offers or maintains one or more covered accounts must develop and implement a written Program designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These provisions also require that each Program be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. Thus, the final rules are designed to be scalable, by permitting Programs that take into account the operations of smaller institutions.
The final rules set out the four elements that financial institutions and creditors must include in their Programs. These elements are being adopted as proposed and are identical to the elements required under the FCRA Agencies’ final identity theft red flags rules.
The elements of the Program should be as follows:
(1) Develop a Program that includes reasonable policies and procedures to identify relevant red flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those red flags into the Program. Rather than singling out specific red flags as mandatory or requiring specific policies and procedures to identify possible red flags, this first element provides financial institutions and creditors with flexibility in determining which red flags are relevant to their businesses and the covered accounts they manage over time. The list of factors that a financial institution or creditor should consider are included in Section II of the guidelines, which appear at the end of the final rules. Given the changing nature of identity theft, the Commissions believe that this element allows financial institutions or creditors to respond and adapt to new forms of identity theft and the attendant risks as they arise.
(2) Implement reasonable policies and procedures to detect the red flags that the Program incorporates. This element does not provide a specific method of detection. Instead, Section III of the guidelines provides examples of various means to detect red flags.
(3) Implement reasonable policies and procedures to respond appropriately to any red flags that they detect. This element incorporates the requirement that a financial institution or creditor assess whether the red flags that are detected evidence a risk of identity theft and, if so, determine how to respond appropriately based on the degree of risk. Section IV of the guidelines sets out a list of aggravating factors and examples that a financial institution or creditor should consider in determining the appropriate response.
(4) Implement reasonable policies and procedures to periodically update the Program (including the red flags determined to be relevant), to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft. As discussed above, financial institutions and creditors are required to determine which red flags are relevant to their businesses and the covered accounts they offer or maintain. The Commissions are requiring a periodic update, rather than immediate or continuous updates, to be parallel with the identity theft red flags rules of the Agencies and to avoid unnecessary regulatory burdens. Section V of the guidelines provides a set of factors that should cause a financial institution or creditor to update its Program.
The Program must be written and approved by either its board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee. However, if a financial institution has a Program in place, the board is not required to reapprove the existing Program in response to this requirement, provided the Program otherwise meets the requirements of the final rules.
In addition, financial institutions must involve the board of directors, an appropriate committee thereof, or a designated senior management employee in the oversight, development, implementation, and administration of the Program. The designated senior management employee who is responsible for the oversight of a broker-dealer’s, investment company’s or investment adviser’s Program may be the entity’s chief compliance officer. Also, they must train staff, as necessary, to effectively implement their Programs.
Finally, financial institutions must exercise appropriate and effective oversight of service provider arrangements. The Commissions believe that it is important that the rules address service provider arrangements so that financial institutions and creditors remain legally responsible for compliance with the rules, irrespective of whether such financial institutions and creditors outsource their identity theft red flags detection, prevention, and mitigation operations to a service provider. The final rules do not prescribe a specific manner in which appropriate and effective oversight of service provider arrangements must occur. Instead, the requirement provides flexibility to financial institutions and creditors in maintaining their service provider creditors are still required to fulfill their legal compliance obligations.