Identity theft is a serious privacy and security problem that has escalated in recent years as more and more business functions move online. To keep pace with this emerging risk, US regulators have been requiring companies to build governance structures with systemic controls rather than ad hoc processes. To this end, the Securities and Exchange Commission (SEC) recently adopted Regulation S-ID (Reg S-ID), a comprehensive set of rules requiring certain entities it regulates to implement an identity theft prevention program (Program) to detect, prevent and respond to identity theft.[1] These "Red Flags" rules apply only to SEC-regulated entities that meet the definition of "financial institution"[2] or "creditor"[3] under the Fair Credit Reporting Act (FCRA), and are very similar to the Red Flags rules adopted by the Federal Trade Commission (FTC).
Entities Subject to Regulation S-ID
According to the final rule, SEC-regulated entities that may fall within the meaning of the term "financial institution" include:
- a broker, dealer or any other person that is registered or required to be registered under the Securities Exchange Act of 1934 (Exchange Act);
- an investment company that is registered or required to be registered under the Investment Company Act of 1940 (Investment Company Act), that has elected to be regulated as a business development company under the Investment Company Act, or that operates as an employees' securities company under the Investment Company Act; or
- an investment adviser that is registered or required to be registered under the Investment Advisers Act of 1940 (Investment Advisers Act).
More specifically, because the definition of "financial institution" focuses on entities that hold "transaction accounts" belonging to individuals, examples of SEC-regulated entities that may be subject to Reg S-ID include, but are not limited to: a broker-dealer that offers custodial accounts; a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.
Requirements of Regulation S-ID
The SEC adopted Reg S-ID jointly with the Commodity Futures Trading Commission (CFTC) under rulemaking authority delegated to both agencies by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. New SEC Chairman Mary Jo White called the new rules "a common sense response to the growing threat of identity theft to all Americans who invest, save or borrow money." Regulation S-ID was approved unanimously.
Although there are no surprises in this final rulemaking, the requirements will be brand new for certain broker-dealers, investment companies, and investment advisers registered under the Investment Advisers Act, such as private fund and hedge fund advisers. Under Reg S-ID, broker-dealers, mutual funds, investment advisers, and certain other entities must implement a Program to:
- identify relevant types of identity theft red flags,
- detect the occurrence of those red flags,
- respond appropriately to detected red flags,
- train staff on identity theft policies and procedures,
- oversee vendors' compliance with these rules,
- periodically update the identity theft program, and
- take actions to mitigate credit and debit card fraud (card issuers only).
Like the FTC's Red Flags rules, Reg S-ID allows for flexibility in how entities identify and manage identity theft risks that are specific to their business. This is designed to keep the rules dynamic as technology and risk profiles change over time. Categories of red flags that should be considered include: alerts, notifications or other warnings received from consumer reporting agencies or service providers; suspicious identifying information or documentation; unusual or suspicious activity related to a covered account; and notice from customers, victims of identity theft, law enforcement authorities or other persons regarding possible identity theft.
Financial institutions must create a written Program that is approved by their Board of Directors, a committee of the Board or, if the entity does not have a Board, a designated senior management employee. A Chief Compliance Officer can be designated with responsibility for oversight of the Program. We counsel clients addressing these issues to consider creating a compliance project plan to ensure that business process owners have documented and repeatable policies and procedures for detecting, preventing and responding to identity theft risks. Periodic monitoring of Program performance and regular revalidation of policies and procedures are best practices in building a sustainable Program. Finally, because of the sensitive nature of these issues, an annual report to the Board of Directors would be another strong pillar in a governance framework.
Reg S-ID will be effective 30 days after its publication in the Federal Register. Affected entities are required to be in compliance with Reg S-ID six months after its effective date.
[2] The final rule defines the term "financial institution" by reference to the definition of the term in section 603(t) of the FCRA. That section defines a financial institution to include certain banks and credit unions, and "any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer." Section 19(b) of the Federal Reserve Act defines "transaction account" to include an "account on which the ...account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payment or transfers to third persons or others." Section 603(c) of the FCRA defines "consumer" as an individual; thus, to qualify as a financial institution, an entity must hold a transaction account belonging to an individual.
[3] The FCRA defines "creditor" by reference to the Equal Credit Opportunity Act ("ECOA") as a person that regularly extends, renews or continues credit, or regularly arranges for such credit, and includes a creditor that "regularly and in the course of business...advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person." The FCRA excludes from this definition a creditor that "advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person...."
Dentons is a global firm driven to provide you with the competitive edge in an increasingly complex and interconnected marketplace. We were formed by the March 2013 combination of international law firm Salans LLP, Canadian law firm Fraser Milner Casgrain LLP (FMC) and international law firm SNR Denton.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific questions relating to this article should be addressed directly to the author.