May 2013 – On April 19, 2013 the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) jointly published final rules mandating that certain “financial institutions” and “creditors” must implement programs to detect, prevent, and mitigate identity theft (the “Red Flag Rules”). The SEC’s rules are applicable to brokers, dealers, or other persons registered or required to be registered under the Securities Exchange Act of 1934, investment companies, and investment advisers; provided that such “persons” (i.e., individual persons and entities) are “financial institutions” or “creditors” and maintain “covered accounts.” The CFTC’s rules are applicable to “creditors” and “financial institutions” that maintain “covered accounts.” The scope of each of these sets of final rules is limited to persons subject to enforcement by the respective final rules’ commission. Both final rules also provide that “covered accounts” are generally either accounts maintained on behalf of a customer that could pose the risk of identity theft to the customer or personal accounts that permit multiple payments. Examples of “covered accounts” include margin and brokerage accounts with a broker-dealer. The Red Flag Rules become effective on May 20, 2013, and require compliance by November 20, 2013.
Who Must Comply with the Red Flag Rules?
Any financial institution or creditor that is subject to the jurisdiction of either the SEC or CFTC that maintains a covered account must comply. The SEC and CFTC define “financial institution” and “creditor” as follows:
Establishing a Prevention Program
The Red Flag Rules require that financial institutions and creditors subject to these rules implement a written Identity Theft Prevention Program (the “Program”) that includes reasonable policies and procedures that address the following elements:
The financial institution’s or creditor’s board of directors (or an appropriate board committee) must approve the written Program, and the board of directors or a senior manager must oversee the development, implementation, and administration of the Program.
Please note that the Red Flag Rules also require financial institutions and creditors to oversee their relationships with service providers, to ensure that the service providers are able to detect any potential pattern, practice, or activity of identity theft, and to provide training to their own employees to ensure effective implementation (or update) of the Program.
Assuring Timely Compliance
Any party subject to the jurisdiction of the SEC or the CFTC must determine whether it will be subject to the Red Flag Rules. If so, the institution must begin preparing a Program, or updating any existing Program, and assessing contractual terms with service providers so that it can comply with the Red Flag Rules' requirements by November 20, 2013.
If you have any questions or would like additional information, please contact Ulmer & Berne LLP.