On April 10, 2013, the Securities and Exchange Commission (SEC) and
the Commodity Futures Trading Commission (CFTC) (together, the
Commissions) jointly adopted rules and guidelines that require
certain entities subject to their enforcement authority to
develop compliance programs to protect investors from identity
theft. [1] The new Identity Theft Red Flags Rules were
adopted pursuant to the Dodd-Frank Act, which amended the Fair
Credit Reporting Act (FCRA) to transfer rulemaking and enforcement
authority over these entities to the Commissions. They closely track the
existing identity theft rules enforced by the Federal Trade Commission
(FTC) and the federal banking regulators.
The Red Flags Rules require "financial institutions"
[2] and "creditors" [3] that hold
certain covered accounts to develop and implement a written
identity theft prevention program. The program must provide for
the identification and detection of, and response to, patterns,
practices or specific activities -- known as "red flags"
-- that could indicate identity theft.
The entities regulated by the SEC that are most likely to be
financial institutions and creditors include broker-dealers
offering custodial accounts, investment companies permitting
investor wire transfers and check writing, and investment advisers
permitting payments out of transaction accounts. The entities most
likely to be covered within the CFTC's regulatory scope include
futures commission merchants, retail foreign exchange dealers,
commodity trading advisers, commodity pool operators, introducing
brokers, swap dealers and major swap participants.
Covered Account
Once the determination is made that the entity is a financial
institution or creditor, a decision must then be made about whether
the entity maintains any "covered accounts." The term
"covered account" encompasses two types of accounts: first, an
account maintained primarily for personal, family or household
purposes that involves, or is designed to permit, multiple payments
or transactions; and second, any other account for which there is a
reasonably foreseeable risk of identity theft. The second type is
governed by a risk-based analysis, and each entity must make its
own determination of whether its accounts meet the definition. The
Commissions' guidance on the second type of account provides
that the entity should conduct a risk evaluation that considers
both the methods it employs to open and to provide access to its
accounts and its previous experience with identity theft.
Elements of Identity Theft Prevention Program
The Red Flags Rules are meant to be flexible and provide a covered
entity with the opportunity to design and implement a program that
is appropriate to its size and the nature of its operations.
Therefore, a large company with several types of accounts may need
a complex program, while a small, low-risk business may be able to
adopt a streamlined program. Regardless of the nature of a
business, the program must include five elements:
- Identification of Red Flags. Identify relevant patterns, practices and specific forms of activity that are red flags signaling possible identity theft. Consider the nature of the business and the type of identity theft to which it might be vulnerable.
- Detection of Red Flags. Establish policies and procedures to detect identified red flags.
- Response to Red Flags. Include prevention, mitigation and appropriate actions once red flags are detected.
- Periodic Review and Updating. Address how management will periodically re-evaluate and update the program, where necessary, to address new and evolving threats. This includes re-evaluation to determine whether changes in the business have caused the entity or account to fall under the purview of the Red Flags Rules.
- Administration of Program. The program must initially be approved by the board of directors or, if the entity does not have a board, by a senior-level manager. It must specify who is responsible for implementing and administering the program, including approving necessary changes. Finally, it must include appropriate training for staff.
The obligations of an entity to comply with the Red Flags Rules
also apply even if the entity outsources parts of its operations.
Therefore, the entity must specify how it will ensure and monitor
compliance with the program by external service providers.
Compliance Date
The Red Flags Rules will become effective 30 days after publication
in the Federal Register, and the compliance date will be
six months after the effective date (around November 15).
Implementation
Although many of the entities described above have previously been
subject to similar rules administered by the FTC, these rules will be
new for others, particularly certain private fund advisers that have
recently registered with the SEC.
It is essential that entities regulated by the Commissions
correctly determine whether they fall under the definition of
"financial institution" or "creditor" and, if
so, whether they maintain "covered accounts." Entities so
designated should design and implement appropriate identity theft
prevention programs. Even in the absence of a legal obligation,
implementing a program containing elements of the rules would help
companies mitigate the risk of identity theft and reduce their
overall exposure.
Implementation of an identity theft prevention program starts with
an analysis of risks to the secure maintenance of confidential
information. Such risk analysis would evaluate the likelihood and
severity of a data breach. The results of the risk assessment would
help to prioritize the risk areas (e.g., portable devices, offshore
business associates, lack of encryption) that would be targeted for
the implementation of controls (e.g., policies, processes,
training) to manage identified risks.
Companies should review or implement policies, processes and
systems to prevent, detect, contain and correct intentional or
accidental misuse, disclosure, modification or destruction of
confidential information. Further, companies should review
third-party service provider agreements to ensure that they contain
contractual undertakings to protect confidential information
entrusted to such providers and give companies the right to enforce
data protection standards. In addition, relevant employees and
service providers should be provided with training on ways to
protect confidential information (e.g., not leaving sensitive
information unattended at workstations or on an open computer
screen, and ensuring that e-mail containing such information is
encrypted). Finally, employees and service providers need to be
aware of personal sanctions for violating data security
standards.
Footnotes
[2] Section 603(t) of the FCRA defines "financial institution" to include certain banks and credit unions and "any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer."
[3] The FCRA defines "creditor" for the purpose of these rules as a creditor as defined in the Equal Credit Opportunity Act (i.e., a person that regularly extends, renews or continues credit, or makes those arrangements) that "regularly and in the course of business...advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person."
www.daypitney.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.