Client Alerts

Final SEC and CFTC Red Flag Rules Require Compliance by November 2013

By: Frances Floriano Goins and Michael A. Marrero

About: Cybersecurity & Privacy

May 2013 – On April 19, 2013 the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) jointly published final rules mandating that certain “financial institutions” and “creditors” must implement programs to detect, prevent, and mitigate identity theft (the “Red Flag Rules”). The SEC’s rules are applicable to brokers, dealers, or other persons registered or required to be registered under the Securities Exchange Act of 1934, investment companies, and investment advisers; provided that such “persons” (i.e., individual persons and entities) are “financial institutions” or “creditors” and maintain “covered accounts.” The CFTC’s rules are applicable to “creditors” and “financial institutions” that maintain “covered accounts.” The scope of each of these sets of final rules is limited to persons subject to enforcement by the respective final rules’ commission. Both final rules also provide that “covered accounts” are generally either accounts maintained on behalf of a customer that could pose the risk of identity theft to the customer or personal accounts that permit multiple payments. Examples of “covered accounts” include margin and brokerage accounts with a broker-dealer. The Red Flag Rules become effective on May 20, 2013, and require compliance by November 20, 2013.

Who Must Comply with the Red Flag Rules?

Any financial institution or creditor that is subject to the jurisdiction of either the SEC or the CFTC and that maintains a covered account must comply. The SEC and CFTC define “financial institution” and “creditor” as follows:

  • Financial Institution – A “financial institution” is a state or national bank, savings association, credit union, mutual savings bank, or any person that, directly or indirectly, holds transaction accounts for a consumer. The CFTC definition of “financial institution” also includes futures commission merchants, retail foreign exchange dealers, swap dealers, and major swap participants.
  • Creditor – The SEC defines “creditor” as a party that regularly extends or arranges for the extension of credit, subject to certain other limitations (the definition of “creditor” from the Fair Credit Reporting Act). The CFTC defines “creditor” the same way as the SEC, but the CFTC’s definition also includes certain futures commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity pool operators, introducing brokers, swap dealers, and major swap participants.

Establishing a Prevention Program

The Red Flag Rules require that financial institutions and creditors subject to these rules implement a written Identity Theft Prevention Program (the “Program”) that includes reasonable policies and procedures that address the following elements:

  1. Identification – Identification of any pattern, practice, or activity that indicates the possible existence of identity theft related to any covered account.
  2. Detection – Detection of any such pattern, practice, or activity in connection with the opening or maintenance of a covered account.
  3. Response – Responding appropriately to any detected pattern, practice, or activity in order to prevent and mitigate identity theft.
  4. Update – Updating the Program periodically to ensure that it reflects and addresses current risks to customers and to the entity maintaining the covered account.

The financial institution’s or creditor’s board of directors (or an appropriate board committee) must approve the written Program, and the board of directors or a senior manager must oversee the development, implementation, and administration of the Program.

Please note that the Red Flag Rules also impose two further obligations on financial institutions and creditors: they must oversee their relationships with service providers to ensure that any service provider performing activities in connection with a covered account is able to detect potential patterns, practices, or activities indicating identity theft, and they must train their own employees to ensure effective implementation (and any subsequent update) of the Program.

Assuring Timely Compliance

Any party subject to the jurisdiction of the SEC or the CFTC must determine whether it is subject to the Red Flag Rules. If so, the institution must begin preparing a Program (or updating any existing Program) and reviewing its contractual terms with service providers so that it can comply with the Red Flag Rules’ requirements by November 20, 2013.

If you have any questions or would like additional information, please contact Ulmer & Berne LLP.